Fix: users added by Hestia are members of a common group

Lupul · Lupul · commit 74d30c48e0b6 · 2019-05-17T07:54:20.000+03:00
Upgarde script will update existing users
diff --git a/bin/v-add-user b/bin/v-add-user
@@ -61,6 +61,18 @@ check_result $? "user creation failed" $E_INVALID
 # Adding password
 echo "$user:$password" | /usr/sbin/chpasswd
 
+# Add a general group for normal users created by Hestia
+if [ -z "$(grep ^hestia-users: /etc/group)" ]; then
+    groupadd "hestia-users"
+fi
+
+# Add membership to hestia-users group to non-admin users
+if [ "$user" != "admin" ]; then
+    usermod -a -G "hestia-users" "$user"
+    setfacl -m "u:$user:r-x" "$HOMEDIR/$user"
+fi
+setfacl -m "g:hestia-users:---" "$HOMEDIR/$user"
+
 # Building directory tree
 mkdir $HOMEDIR/$user/conf
 
diff --git a/bin/v-add-web-domain-ftp b/bin/v-add-web-domain-ftp
@@ -85,6 +85,7 @@ fi
     -s $shell \
     -o -u $(id -u $user) \
     -g $(id -u $user) \
+    -G hestia-users \
     -M -d "$ftp_path_a"  > /dev/null 2>&1
 
 # Set ftp user password
diff --git a/install/upgrade/0.10.0-190430.sh b/install/upgrade/0.10.0-190430.sh
@@ -173,6 +173,31 @@ if [ -d "/etc/roundcube" ]; then
     chown root:www-data /etc/roundcube/debian-db*
 fi
 
+# Add a general group for normal users created by Hestia
+if [ -z "$(grep ^hestia-users: /etc/group)" ]; then
+    echo "Add missing hestia-users group"
+    groupadd "hestia-users"
+fi
+
+# Make sure non-admin users belong to correct Hestia group
+for user in `ls /usr/local/hestia/data/users/`; do
+    echo "[ACL] Check user $user"
+    if [ "$user" != "admin" ]; then
+        echo "[ACL] Fix acl for user: $user"
+        usermod -a -G "hestia-users" "$user"
+        setfacl -m "u:$user:r-x" "$HOMEDIR/$user"
+
+        # fix FTP users
+        uid=$(id -u $user)
+        for ftp_user in $(cat /etc/passwd | grep -v "^$user:" | grep "^$user.*:$uid:$uid:" | cut -d ":" -f1); do
+            echo "[ACL] Fix acl for FTP user: $ftp_user"
+            usermod -a -G "hestia-users" "$ftp_user"
+        done
+
+    fi
+    setfacl -m "g:hestia-users:---" "$HOMEDIR/$user"
+done
+
 # Add unassigned hosts configuration to Nginx and Apache
 for ipaddr in $(ls /usr/local/hestia/data/ips/ 2>/dev/null); do
 
