forked from radicand/phpki
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsecure.sh
executable file
·103 lines (77 loc) · 2.58 KB
/
secure.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
#! /bin/bash
owner="`id -nu`"
cat <<EOM
This application is designed to be an easy to use "certificate factory"
requiring minimum human intervention to administer. It is intended for
use within a trusted INTRAnet for the creation and management of x.509
e-mail digital certificates by departmental managers. IT IS NOT INTENDED
FOR USE OVER THE INTERNET.
This application stores private keys within a sub-directory, making them
potentially susceptible to compromise. Extra care has been taken in the
design of this application to protect the security of your certificates,
on the condition that you INSTALL IT AS THE ROOT USER. However, no
software is 100% secure.
EOM
read -p "Enter the location of your PHPki password (i.e. /etc/phpkipasswd): " passwd_file
echo
if [ ! -f "$passwd_file" ]
then
echo "The file you specified does not yet exist."
echo "Let's create it and add your first user."
echo
read -p "Enter a user id: " user_id
echo "Creating the $user_id user account..."
htpasswd -c -m "$passwd_file" "$user_id" || exit
echo "Creating the administrator account..."
echo "See the README file for more information about the"
echo "'pkiadmin' user."
htpasswd -m "$passwd_file" 'pkiadmin' || exit
fi
echo
if [ ! "${owner}_" = "root_" ]
then
cat <<EOM
YOU ARE NOT LOGGED ON AS ROOT!
If you choose to proceed anyway, and you plan to make this application
available over the Internet, you increase the risk of compromising the
security of your certifcates and your server.
This script may not run correctly if you are not the ROOT user.
EOM
fi
echo -n "Enter the user ID your web server runs as [apache]: " ; read x
echo
echo -n "Enter the group ID your web server runs as [apache]: " ; read z
echo
echo "Enter the IP or subnet address [192.168.0.0/16] which will be allowed access"
echo -n "to the user admin module in under ./admin: " ; read y
user=${x:-apache}
group=${z:-apache}
subnet=${y:-'192.168.0.0/16'}
subnet="${subnet} 127.0.0.1"
echo "Working..."
for i in ./include
do
echo "deny from all" >$i/.htaccess
done
cat <<EOS >> ./ca/.htaccess
AuthName "Restricted Area"
AuthType Basic
AuthUserFile "$passwd_file"
require valid-user
SSLRequireSSL
EOS
cat <<EOS > ./admin/.htaccess
AuthName "Restricted Area"
AuthType Basic
AuthUserFile "$passwd_file"
require valid-user
SSLRequireSSL
Order Allow,Deny
Allow from $subnet
EOS
# Start with web server getting read-only access to everything.
# Directories have sticky bits set.
find . -exec chown $owner:$group {} \;
find . ! -type d -exec chmod 640 {} \;
find . -type d -exec chmod 3750 {} \;
echo "Done."