Compare commits


No commits in common. "4339590eb1e266b081f182fd6df0c8ddbcf86223" and "8263bc7681c53651e49cedbdcbc8b3ec2ebd3d61" have entirely different histories.

3 changed files with 3 additions and 9 deletions


@ -8,7 +8,7 @@ case "$1" in
install -d -o secubox -g secubox -m 750 /run/secubox install -d -o secubox -g secubox -m 750 /run/secubox
install -d -o secubox -g secubox -m 750 /var/lib/secubox install -d -o secubox -g secubox -m 750 /var/lib/secubox
install -d -o secubox -g secubox -m 750 /var/lib/secubox/admin install -d -o secubox -g secubox -m 750 /var/lib/secubox/admin
install -d -o root -g secubox -m 0755 /var/log/secubox install -d -o root -g secubox -m 750 /var/log/secubox
systemctl daemon-reload systemctl daemon-reload
systemctl enable secubox-admin.service systemctl enable secubox-admin.service
systemctl start secubox-admin.service || true systemctl start secubox-admin.service || true
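Review bot: The `-m 750` on `/var/log/secubox` here is one of three competing definitions of the same shared directory: this script sets `root:secubox`, while the other two changed files set `secubox-mesh:secubox-mesh` and `secubox-toolbox:secubox-toolbox`, all now without world traverse. `install -d` re-applies owner, group and mode to an existing directory, so the effective access depends on which script ran last, and after either of the other two the `secubox` user can no longer enter the directory. If the intent is to stop other local users listing the logs, let a single package own the parent, e.g. `install -d -o root -g secubox -m 0750 /var/log/secubox`, and have the other scripts create only their own subdirectory. That presumes every service user writing here is a member of group `secubox`, which the page does not show. The enclosing `case` arm starts outside the hunk.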


@ -20,7 +20,7 @@ case "$1" in
# NE PAS le toucher ici — l'écraser bloque la traversée nginx (www-data) et # NE PAS le toucher ici — l'écraser bloque la traversée nginx (www-data) et
# casse tous les /api/v1/<module>/* en 502 (cf. #471). Si besoin d'un # casse tous les /api/v1/<module>/* en 502 (cf. #471). Si besoin d'un
# sous-dossier privé, utiliser /run/secubox/mesh/ (et non le parent). # sous-dossier privé, utiliser /run/secubox/mesh/ (et non le parent).
install -d -m 0755 -o secubox-mesh -g secubox-mesh /var/log/secubox install -d -m 0750 -o secubox-mesh -g secubox-mesh /var/log/secubox
# 4. Verrou régulatoire FR (idempotent ; ne pas planter si iw absent) # 4. Verrou régulatoire FR (idempotent ; ne pas planter si iw absent)
if command -v iw >/dev/null 2>&1; then if command -v iw >/dev/null 2>&1; then


@ -44,13 +44,7 @@ case "$1" in
# 4. Storage dir (SQLite + future PDF reports) # 4. Storage dir (SQLite + future PDF reports)
install -d -m 0750 -o secubox-toolbox -g secubox-toolbox /var/lib/secubox/toolbox install -d -m 0750 -o secubox-toolbox -g secubox-toolbox /var/lib/secubox/toolbox
# /var/log/secubox is a SHARED parent traversed by many service users install -d -m 0750 -o secubox-toolbox -g secubox-toolbox /var/log/secubox
# (the aggregator runs as `secubox` and reads waf-threats.log under
# here). It MUST be 0755 — a 0750 owned by secubox-toolbox silently
# breaks WAF + SOC dashboards for the `secubox` user (#511, regressed
# the /waf/ + /soc/ pages on gk2 2026-06-10). Per-module log files +
# subdirs inside keep their own restricted perms.
install -d -m 0755 -o secubox-toolbox -g secubox-toolbox /var/log/secubox
# 4b. GeoLite2 databases (Phase 2a+ : flag emojis + ASN org) # 4b. GeoLite2 databases (Phase 2a+ : flag emojis + ASN org)
# ASN DB from geoipupdate or Debian package geoip-database # ASN DB from geoipupdate or Debian package geoip-database
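Review bot: The new `install -d -m 0750 -o secubox-toolbox -g secubox-toolbox /var/log/secubox` is the exact configuration the deleted comment records as the cause of #511, where the `secubox` aggregator could no longer read `waf-threats.log` and the WAF and SOC dashboards broke silently. Removing the comment also drops the only in-file explanation of why the shared parent needs traverse permission. If log confidentiality is the goal, the removed comment's approach still applies: keep the parent traversable and restrict the per-module files and subdirectories. Whichever mode is chosen, keep a short rationale beside it, such as `# shared parent: secubox (aggregator) must traverse; restrict files, not this dir (#511)`. The `case` arm continues outside the hunk.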