Compare commits


2 Commits

Author SHA1 Message Date
CyberMind
4339590eb1
Merge pull request #512 from CyberMind-FR/fix/511-fix-var-log-secubox-traversal-converge-o
fix: /var/log/secubox traversal — converge postinsts to 0755 (#511)
2026-06-10 09:59:14 +02:00
13faf609f7 fix: converge /var/log/secubox postinsts to 0755 traversable (closes #511)
Shared-directory ownership race: secubox-toolbox + secubox-mesh created
/var/log/secubox at 0750 with their own module owner, secubox-admin at
750 root:secubox, while ~10 other packages use the correct 0755
secubox:secubox.  Whichever postinst ran last won — and when toolbox or
mesh won, the aggregator (user secubox) lost traversal and the /waf/ +
/soc/ dashboards went blank (regressed on gk2 2026-06-10).

  - secubox-toolbox/debian/postinst:47  0750 -> 0755 (+ guard comment)
  - secubox-mesh/debian/postinst:23     0750 -> 0755
  - secubox-admin/debian/postinst:11    750  -> 0755

Mode 0755 makes the shared parent world-traversable regardless of which
package's owner wins.  Per-module log files + subdirs inside keep their
own restricted perms.  Same class as the /etc/secubox traversal
constraint + the /usr/share/secubox/www chmod (#507).
2026-06-10 09:53:48 +02:00
3 changed files with 9 additions and 3 deletions

secubox-admin/debian/postinst

@ -8,7 +8,7 @@ case "$1" in
install -d -o secubox -g secubox -m 750 /run/secubox
install -d -o secubox -g secubox -m 750 /var/lib/secubox
install -d -o secubox -g secubox -m 750 /var/lib/secubox/admin
install -d -o root -g secubox -m 750 /var/log/secubox
install -d -o root -g secubox -m 0755 /var/log/secubox
systemctl daemon-reload
systemctl enable secubox-admin.service
systemctl start secubox-admin.service || true
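Review bot: the mode change on the `/var/log/secubox` line restores traversal but keeps `-o root -g secubox`, while the commit message says the other ~10 packages create the same directory as secubox:secubox; `install -d` re-applies owner, group and mode to an existing directory on every run, so whichever postinst runs last still flips the owner, and under 0755 only that owner (and root) can create new files in the directory. If module users need to create log files directly under the shared parent, converge the owner as well (for example `install -d -o secubox -g secubox -m 0755 /var/log/secubox`) or let a single package own that path. The three lines above also stay at `-m 750` for `/run/secubox`, `/var/lib/secubox` and `/var/lib/secubox/admin`, yet the toolbox postinst in this same PR creates `/var/lib/secubox/toolbox` owned by secubox-toolbox beneath the 750 secubox:secubox parent; unless secubox-toolbox is a member of group secubox it cannot reach its own directory, which is the class of bug #511 fixes. A guard comment like the one added to the toolbox postinst, and a consistent `0755`/`0750` spelling, would help here.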

secubox-mesh/debian/postinst

@ -20,7 +20,7 @@ case "$1" in
# NE PAS le toucher ici — l'écraser bloque la traversée nginx (www-data) et
# casse tous les /api/v1/<module>/* en 502 (cf. #471). Si besoin d'un
# sous-dossier privé, utiliser /run/secubox/mesh/ (et non le parent).
install -d -m 0750 -o secubox-mesh -g secubox-mesh /var/log/secubox
install -d -m 0755 -o secubox-mesh -g secubox-mesh /var/log/secubox
# 4. Verrou régulatoire FR (idempotent ; ne pas planter si iw absent)
if command -v iw >/dev/null 2>&1; then
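Review bot: the mode is converged but the line still sets `-o secubox-mesh -g secubox-mesh` on the shared parent, so the ownership race described in the commit message remains (admin sets root:secubox, toolbox sets secubox-toolbox:secubox-toolbox for the same path). Unlike the toolbox hunk, no guard comment is added, even though the comment block directly above warns against overwriting a shared parent for the same reason (nginx traversal, #471); add the same #511 note above this line so the next edit does not regress it, and consider whether mesh needs to set any owner on `/var/log/secubox` at all rather than writing into a mesh-owned subdirectory (e.g. `/var/log/secubox/mesh/`, mirroring the `/run/secubox/mesh/` guidance in the existing comment) with its own restricted mode.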

secubox-toolbox/debian/postinst

@ -44,7 +44,13 @@ case "$1" in
# 4. Storage dir (SQLite + future PDF reports)
install -d -m 0750 -o secubox-toolbox -g secubox-toolbox /var/lib/secubox/toolbox
install -d -m 0750 -o secubox-toolbox -g secubox-toolbox /var/log/secubox
# /var/log/secubox is a SHARED parent traversed by many service users
# (the aggregator runs as `secubox` and reads waf-threats.log under
# here). It MUST be 0755 — a 0750 owned by secubox-toolbox silently
# breaks WAF + SOC dashboards for the `secubox` user (#511, regressed
# the /waf/ + /soc/ pages on gk2 2026-06-10). Per-module log files +
# subdirs inside keep their own restricted perms.
install -d -m 0755 -o secubox-toolbox -g secubox-toolbox /var/log/secubox
# 4b. GeoLite2 databases (Phase 2a+ : flag emojis + ASN org)
# ASN DB from geoipupdate or Debian package geoip-database
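Review bot: the new comment says the parent MUST be 0755 and that per-module files and subdirs keep their own perms, but the install line still sets `-o secubox-toolbox -g secubox-toolbox` on the shared path, which is the ownership half of the race the commit message describes; with 0755 a non-owner such as `secubox` can traverse and read `waf-threats.log` but cannot create new files in the directory, so whether the aggregator only reads here or also writes decides whether the mode fix alone is enough. Either drop `-o/-g` for the shared parent or converge on the secubox:secubox owner the other packages use, and state the chosen owner in the comment. The comment also implies `waf-threats.log` sits directly in the shared parent rather than in a toolbox-owned subdir, which the "subdirs inside keep their own restricted perms" sentence suggests is the intended layout. Minor: the commit message cites postinst:47, but in this hunk the changed install line is old line 46 (`@ -44,7 +44,13`, third line).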