tweak(installer): set additional security constants to the wp-config (if wp installed)

JMSDOnline · JMSDOnline · commit 412f56d84360 · 2024-06-18T14:39:29.000-05:00
changelog: tweaks
diff --git a/README.md b/README.md
@@ -10,8 +10,8 @@
 
 ## Script status
 
-  Version: v3.1.1.894
-  Build: 894
+  Version: v3.1.1.895
+  Build: 895
 
 [![MIT License](https://img.shields.io/badge/license-MIT%20License-blue.svg?style=flat-square)](https://github.com/JMSDOnline/vstacklet/blob/main/LICENSE)
 
diff --git a/bin/www-permissions.sh b/bin/www-permissions.sh
@@ -2,7 +2,7 @@
 ################################################################################
 # <START METADATA>
 # @file_name: www-permissions.sh
-# @version: 3.1.1095
+# @version: 3.1.1096
 # @description: This script will add a new www-data group on your server
 # and set permissions for ${www_root:-/var/www/html/vsapp}.
 # Please ensure you have read the documentation before continuing.
@@ -342,27 +342,27 @@ vstacklet::vsperms::adjust() {
 		vstacklet::shell::text::error "failed to change directory permissions of ${www_root:-/var/www/html/vsapp} to 2755."
 		exit 1
 	}
-	# @script-note: change the permissions of files under web root ${www_root} to 0664
-	vstacklet::shell::text::white "changing file permissions of ${www_root:-/var/www/html/vsapp} to 0664 ... "
-	find "${www_root:-/var/www/html/vsapp}" -type f -exec chmod -R 0664 {} + || {
-		vstacklet::shell::text::error "failed to change file permissions of ${www_root:-/var/www/html/vsapp} to 0664."
+	# @script-note: change the permissions of files under web root ${www_root} to 0444
+	vstacklet::shell::text::white "changing file permissions of ${www_root:-/var/www/html/vsapp} to 0444 ... "
+	find "${www_root:-/var/www/html/vsapp}" -type f -exec chmod -R 0444 {} + || {
+		vstacklet::shell::text::error "failed to change file permissions of ${www_root:-/var/www/html/vsapp} to 0444."
 		exit 1
 	}
 	# @script-note: change file permissions on config files (this is useful for WordPress installations)
-	# Check the directory for wp-config.php and set the permissions to 0644
+	# Check the directory for wp-config.php and set the permissions to 0444
 	if [[ -n $(find "${www_root:-/var/www/html/vsapp}" -type f -name "wp-config.php") ]]; then
-		vstacklet::shell::text::white "changing permissions of wp-config.php to 0644 ... "
-		find "${www_root:-/var/www/html/vsapp}" -type f -name "wp-config.php" -exec chmod 0644 {} + || {
-			vstacklet::shell::text::error "failed to change permissions of wp-config.php to 0644."
+		vstacklet::shell::text::white "changing permissions of wp-config.php to 0444 ... "
+		find "${www_root:-/var/www/html/vsapp}" -type f -name "wp-config.php" -exec chmod 0444 {} + || {
+			vstacklet::shell::text::error "failed to change permissions of wp-config.php to 0444."
 			exit 1
 		}
 	fi
-	# @script-note: check the directories for any .conf files and set the permissions to 0644 (this is useful for Nginx configurations)
+	# @script-note: check the directories for any .conf files and set the permissions to 0444 (this is useful for Nginx configurations)
 	# Check several levels deep for .conf files
 	if [[ -n $(find "${www_root:-/var/www/html/vsapp}" -type f -name "*.conf") ]]; then
-		vstacklet::shell::text::white "changing permissions of ${www_root:-/var/www/html/vsapp}/*.conf to 0644 ... "
-		find "${www_root:-/var/www/html/vsapp}" -type f -name "*.conf" -exec chmod 0644 {} + || {
-			vstacklet::shell::text::error "failed to change permissions of ${www_root:-/var/www/html/vsapp}/*.conf to 0644."
+		vstacklet::shell::text::white "changing permissions of ${www_root:-/var/www/html/vsapp}/*.conf to 0444 ... "
+		find "${www_root:-/var/www/html/vsapp}" -type f -name "*.conf" -exec chmod 0444 {} + || {
+			vstacklet::shell::text::error "failed to change permissions of ${www_root:-/var/www/html/vsapp}/*.conf to 0444."
 			exit 1
 		}
 	fi
diff --git a/docs/bin/www-permissions.sh.md b/docs/bin/www-permissions.sh.md
@@ -1,4 +1,4 @@
-# www-permissions.sh - v3.1.1095
+# www-permissions.sh - v3.1.1096
 
 
 ---
diff --git a/docs/setup/vstacklet-server-stack.sh.md b/docs/setup/vstacklet-server-stack.sh.md
@@ -1,4 +1,4 @@
-# vstacklet-server-stack.sh - v3.1.2237
+# vstacklet-server-stack.sh - v3.1.2238
 
 
 ---
diff --git a/setup/vstacklet-server-stack.sh b/setup/vstacklet-server-stack.sh
@@ -2,7 +2,7 @@
 ##################################################################################
 # <START METADATA>
 # @file_name: vstacklet-server-stack.sh
-# @version: 3.1.2237
+# @version: 3.1.2238
 # @description: Lightweight script to quickly install a LEMP stack with Nginx,
 # Varnish, PHP7.4/8.1/8.3 (PHP-FPM), OPCode Cache, IonCube Loader, MariaDB, Sendmail
 # and more on a fresh Ubuntu 20.04/22.04 or Debian 11/12 server for
@@ -912,7 +912,7 @@ vstacklet::dependencies::array() {
 	# @script-note: install base dependencies
 	declare -ga base_dependencies=("rsync" "dos2unix" "jq" "bc" "automake" "make" "cmake" "checkinstall" "nano" "zip" "unzip" "htop" "vnstat" "vnstati" "vsftpd" "subversion" "iptables" "iptables-persistent" "ssh")
 	# @script-note: install php dependencies
-	declare -ga php_dependencies=("php${php}-fpm" "php${php}-zip" "php${php}-cgi" "php${php}-cli" "php${php}-common" "php${php}-curl" "php${php}-dev" "php${php}-gd" "php${php}-bcmath" "php${php}-gmp" "php${php}-imap" "php${php}-intl" "php${php}-ldap" "php${php}-mbstring" "php${php}-opcache" "php${php}-pspell" "php${php}-readline" "php${php}-soap" "php${php}-xml" "php${php}-imagick" "php${php}-msgpack" "php${php}-igbinary" "libmcrypt-dev" "mcrypt" "libmemcached-dev" "php-memcached")
+	declare -ga php_dependencies=("php${php}-fpm" "php${php}-zip" "php${php}-cgi" "php${php}-cli" "php${php}-common" "php${php}-curl" "php${php}-dev" "php${php}-gd" "php${php}-bcmath" "php${php}-gmp" "php${php}-imap" "php${php}-intl" "php${php}-ldap" "php${php}-mbstring" "php${php}-opcache" "php${php}-pspell" "php${php}-readline" "php${php}-soap" "php${php}-xml" "php${php}-imagick" "php${php}-msgpack" "php${php}-igbinary" "libmcrypt-dev" "mcrypt" "libmemcached-dev" "php-memcached" "php${php}-ssh2")
 	[[ -n ${redis} ]] && php_dependencies+=("php${php}-redis")
 	[[ -n ${mariadb} || -n ${mysql} ]] && php_dependencies+=("php${php}-mysql")
 	# @script-note: install hhvm dependencies
@@ -3083,6 +3083,8 @@ vstacklet::wordpress::install() {
 			# @script-note: import updated salt keys
 			wp_salts=$(curl -s https://api.wordpress.org/secret-key/1.1/salt/)
 			sed -i "/#@-/r /dev/stdin" "${web_root:-/var/www/html/vsapp}/public/wp-config.php" <<<"${wp_salts}"
+			# @script-note: add security constants to wp-config.php (disable file editor and set FS_METHOD to ssh2 for secure file transfers)
+			sed -i "/Add any custom values between this line and the \"stop editing\" line./a \\\n/**\n * The plugins and themes file editor is a very convenient tool because it\n * enables you to make quick changes without the need to use FTP.\n *\n * Unfortunately, it's also a security issue because it not only shows the\n * PHP source code, it also enables attackers to inject malicious code into\n * your site if they manage to gain access to admin.\n * To prevent this, you can disable the file editor.\n *\n * @link https://developer.wordpress.org/advanced-administration/wordpress/wp-config/#disable-the-plugin-and-theme-file-editor\n */\n\ndefine('DISALLOW_FILE_EDIT', true);\ndefine('FS_METHOD', 'ssh2');\n" "${web_root:-/var/www/html/vsapp}/public/wp-config.php"
 			# @script-note: create the database
 			mysql -e "CREATE DATABASE ${wp_db_name};" >>"${vslog}" 2>&1 || vstacklet::error::display 102
 			if [[ "${db_user_present}" != "1" ]]; then

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# www-permissions.sh - v3.1.1095`
	`1`	`+# www-permissions.sh - v3.1.1096`
`2`	`2`
`3`	`3`
`4`	`4`	`---`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# vstacklet-server-stack.sh - v3.1.2237`
	`1`	`+# vstacklet-server-stack.sh - v3.1.2238`
`2`	`2`
`3`	`3`
`4`	`4`	`---`