Fix various permission issues

Grant GROUP (sc-download) permission to browse subfolder in Shared Enlist service user into "users" group to access contents
SynoCommunity · Mar 10, 2018 · 185a657 · 185a657
1 parent 8520087
commit 185a657
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 21 deletions.
diff --git a/mk/spksrc.service.installer b/mk/spksrc.service.installer
@@ -19,6 +19,10 @@ else
     TMP_DIR="${SYNOPKG_TEMP_UPGRADE_FOLDER}/var"
 fi
 
+# Service user in "users" group by default to access any content
+# May be switched off according to application security/features
+USER_IN_USERS="yes"
+
 # Source package specific variable and functions
 SVC_SETUP=`dirname $0`"/service-setup"
 if [ -r "${SVC_SETUP}" ]; then
@@ -117,6 +121,22 @@ syno_group_remove ()
     fi
 }
 
+# Add user to existing group
+syno_user_add_to_group ()
+{
+    USER="$1"
+    GROUP="$2"
+    # Check user already in group
+    if ! synogroup --get "$GROUP" | grep "^[0-9]:\[${USER}\]" &> /dev/null; then
+        # Add user, not in group yet
+        echo "Adding '${USER}' to '${GROUP}'" >> ${INST_LOG}
+        MEMBERS="$(synogroup --get $GROUP | grep '^[0-9]' | sed 's/.*\[\([^]]*\)].*/\1/' | tr '\n' ' ')"
+        # The "synogroup --member" command clears all users before adding new ones
+        # so all the users must be listed on the command line
+        synogroup --member "$GROUP" $MEMBERS "${USER}" >> ${INST_LOG}
+    fi
+}
+
 # Sets recursive permissions for ${GROUP} on specified directory
 # Usage: set_syno_permissions "${SHARE_FOLDER}" "${GROUP}"
 set_syno_permissions ()
@@ -132,6 +152,7 @@ set_syno_permissions ()
         if [ ! "`synoacltool -get \"${DIRNAME}\"| grep \"group:${GROUP}:allow:rwxpdDaARWcC-:fd--\"`" ]; then
             # First Unix permissions, but only if it's in Linux mode
             if [ "`synoacltool -get \"${DIRNAME}\"| grep \"Linux mode\"`" ]; then
+                echo "Skip granting '${GROUP}' group permissions on ${DIRNAME} as the directory is Linux mode. Provide location in Shared Folders." >> ${INST_LOG}
                 set_unix_permissions "${DIRNAME}"
                 # If it is linux mode (due to old package) we need to add "administrators"-group,
                 # otherwise the folder is not accessible from File Station anymore!
@@ -153,7 +174,7 @@ set_syno_permissions ()
                 fi
                 # Add the new group permissions
                 echo "Granting '${GROUP}' group basic permissions on ${DIRNAME}" >> ${INST_LOG}
-                synoacltool -add "${DIRNAME}" "group:${GROUP}:allow:--x----------:---n" >> ${INST_LOG} 2>&1
+                synoacltool -add "${DIRNAME}" "group:${GROUP}:allow:r-x---a-R----:---n" >> ${INST_LOG} 2>&1
             fi
             DIRNAME="$(dirname "${DIRNAME}")"
         done
@@ -162,12 +183,12 @@ set_syno_permissions ()
     fi
 }
 
-# Sets recurivse permissions using chown
+# Set recursive permissions using chown
 set_unix_permissions ()
 {
     DIRNAME=$1
     if [ -n "${EFF_USER}" ]; then
-        echo "Granting '${EFF_USER}' unix permissions on ${DIRNAME}" >> ${INST_LOG}
+        echo "Granting '${EFF_USER}' unix ownership on ${DIRNAME}" >> ${INST_LOG}
         if [ $SYNOPKG_DSM_VERSION_MAJOR -lt 6 ]; then
             chown -R ${EFF_USER}:root "${DIRNAME}" >> $INST_LOG 2>&1
         else
@@ -193,6 +214,8 @@ syno_user_add_to_legacy_group () {
         # The "synogroup --member" command clears all users before adding new ones
         # so all the users must be listed on the command line
         synogroup --member "$LEGACY_GROUP" $MEMBERS "${NEW_USER}" >> ${INST_LOG}
+        # Not sure but invoked with hope DSM is updated
+        synogroup --rebuild all
     fi
 }
 
@@ -229,14 +252,23 @@ postinst ()
         servicetool --install-configure-file --package "${FWPORTS_FILE}" >> ${INST_LOG} 2>&1
     fi
 
-    # DSM 5 specific operations
-    if [ $SYNOPKG_DSM_VERSION_MAJOR -lt 6 ] && [ -n "${EFF_USER}" ]; then
-        # Create prefixed synouser
-        if ! cat /etc/passwd | grep "${EFF_USER}:x:" &> /dev/null; then
-            synouser --add "${EFF_USER}" "" "$USER_DESC" 0 "" 0 >> ${INST_LOG} 2>&1
-            BACKUP_PASSWD="/tmp/install_${SYNOPKG_PKGNAME}_passwd"
-            cp /etc/passwd ${BACKUP_PASSWD}
-            sed -i "s#/var/services/homes/${EFF_USER}#/var/packages/${SYNOPKG_PKGNAME}/target/var#" /etc/passwd
+    # Service user management
+    if [ -n "${EFF_USER}" ]; then
+        if [ $SYNOPKG_DSM_VERSION_MAJOR -lt 6 ]; then
+            # DSM 5 specific operations
+            # Create prefixed synouser
+            if ! cat /etc/passwd | grep "${EFF_USER}:x:" &> /dev/null; then
+                synouser --add "${EFF_USER}" "" "$USER_DESC" 0 "" 0 >> ${INST_LOG} 2>&1
+                # Set HOME for consistency with DSM 6, location available even if homes not enabled
+                BACKUP_PASSWD="/tmp/install_${SYNOPKG_PKGNAME}_passwd"
+                cp /etc/passwd ${BACKUP_PASSWD}
+                sed -i "s#/var/services/homes/${EFF_USER}#/var/packages/${SYNOPKG_PKGNAME}/target#" /etc/passwd
+            fi
+        else
+            # DSM 6: register service in "users" group to access any content
+            if [ "$USER_IN_USERS" = "yes" ]; then
+                syno_user_add_to_group "${EFF_USER}" "users"
+            fi
         fi
     fi
 
@@ -248,15 +280,7 @@ postinst ()
             syno_group_create "${EFF_USER}"
         fi
         if synogroup --get "$GROUP" &> /dev/null; then
-            # Check user already in group
-            if ! synogroup --get "$GROUP" | grep "^[0-9]:\[${EFF_USER}\]" &> /dev/null; then
-                # Add user, not in group yet
-                echo "Adding '${EFF_USER}' to '${GROUP}'" >> ${INST_LOG}
-                MEMBERS="$(synogroup --get $GROUP | grep '^[0-9]' | sed 's/.*\[\([^]]*\)].*/\1/' | tr '\n' ' ')"
-                # The "synogroup --member" command clears all users before adding new ones
-                # so all the users must be listed on the command line
-                synogroup --member "$GROUP" $MEMBERS "${EFF_USER}" >> ${INST_LOG}
-            fi
+            syno_user_add_to_group "${EFF_USER}" "${GROUP}"
         fi
         # Not sure but invoked with hope DSM is updated
         synogroup --rebuild all
@@ -295,7 +319,7 @@ postinst ()
         echo "Installation log: ${INST_VAR}/${SYNOPKG_PKGNAME}_install.log" >> ${LOG_FILE}
     fi
     if [ $SYNOPKG_DSM_VERSION_MAJOR -lt 6 ]; then
-        # On DSM 5 set package files permissions
+        # On DSM 5 set package files permissions for consistency with DSM 6
         set_unix_permissions "${SYNOPKG_PKGDEST}"
     else
         # On DSM 6 only var is concerned

diff --git a/spk/mosquitto/src/service-setup.sh b/spk/mosquitto/src/service-setup.sh
@@ -2,6 +2,9 @@ CFG_FILE="${SYNOPKG_PKGDEST}/var/mosquitto.conf"
 PATH="${SYNOPKG_PKGDEST}/bin:${PATH}"
 SERVICE_COMMAND="${SYNOPKG_PKGDEST}/sbin/mosquitto -d -c ${CFG_FILE}"
 
+# Should not access to shared folders content
+USER_IN_USERS=no
+
 service_postinst ()
 {
     # Discard legacy obsolete busybox user account