From 6fb6805f6ffd8266c900329effb84b794d8661f7 Mon Sep 17 00:00:00 2001 From: Anthony Date: Sat, 4 Jan 2025 01:11:34 +0800 Subject: [PATCH] feat: Enhance Restic password management and directory permissions - Updated \manifest.jps\ to generate a random password for the Restic password file during installation, enhancing security by avoiding static passwords. - Ensured the Restic password file is created with appropriate permissions and ownership (\litespeed:litespeed\) to ensure accessibility by the \litespeed\ user. - Adjusted the \importScripts\ section in \manifest.jps\ to set the correct ownership for all backup-related directories to \litespeed:litespeed\, ensuring proper access rights. - Modified \ackup-logic.sh\ to load the Restic password from the \/etc/restic-password\ file, ensuring consistent password usage across scripts. - Updated \manage_backup_schedule.sh\ to verify that a Restic password is provided, preventing schedule updates without a valid password. - Ensured \ackup_database.sh\ and \ackup_media.sh\ scripts read and verify the Restic password from the file, maintaining consistency and security. - Added logging to track password creation and usage, aiding in debugging and audit trails. - Improved error handling in scripts to provide clear feedback when password mismatches occur, enhancing user experience and troubleshooting. These changes collectively improve the security and reliability of the backup system by ensuring that sensitive credentials are managed securely and consistently across the codebase. --- changelogs.md | 5 +++++ manifest.jps | 11 +++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/changelogs.md b/changelogs.md index fe63222..0e5e226 100644 --- a/changelogs.md +++ b/changelogs.md @@ -8,6 +8,11 @@ ### Fixed - Resolved issue with missing Restic password file causing auto backup configuration to fail. +- Corrected permissions and ownership for the Restic password file to ensure it is accessible by the `litespeed` user. +- Updated the `installRestic` section in `manifest.jps` to generate a random password for the Restic password file during installation. +- Ensured consistent usage of the Restic password across all scripts by reading it from the `/etc/restic-password` file. +- Adjusted the `importScripts` section in `manifest.jps` to set the correct ownership for all backup-related directories to `litespeed:litespeed`. ### Updated - Updated `manifest.jps` to ensure Restic password file creation and log rotation setup. + \ No newline at end of file diff --git a/manifest.jps b/manifest.jps index 98b264a..d8aca37 100644 --- a/manifest.jps +++ b/manifest.jps @@ -288,12 +288,15 @@ actions: # Move it to a directory in your PATH sudo mv restic /usr/local/bin/ - # Create the Restic password file if it doesn't exist + # Create the Restic password file with a random password if it doesn't exist if [ ! -f /etc/restic-password ]; then - echo "YourResticPassword" | sudo tee /etc/restic-password - sudo chmod 600 /etc/restic-password + head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16 | sudo tee /etc/restic-password fi + # Set the correct permissions and ownership for the password file + sudo chown litespeed:litespeed /etc/restic-password + sudo chmod 640 /etc/restic-password + # Set up log rotation for backup logs echo "/var/log/backup_addon.log { weekly @@ -314,6 +317,7 @@ actions: - mkdir -p /home/litespeed/mb-backups/logs/auto - mkdir -p /home/litespeed/mb-backups/logs/manual - mkdir -p /home/litespeed/mb-backups/logs/restore + - chown -R litespeed:litespeed /home/litespeed/mb-backups - cd /home/jelastic/mb-backups - curl -O https://deploy-proxy.mightybox.io/addons/mb-backup-manager/raw/branch/main/scripts/imports/backup_all.sh - curl -O https://deploy-proxy.mightybox.io/addons/mb-backup-manager/raw/branch/main/scripts/imports/backup_core_files.sh @@ -323,5 +327,4 @@ actions: - curl -O https://deploy-proxy.mightybox.io/addons/mb-backup-manager/raw/branch/main/scripts/imports/manage_backup_schedule.sh - curl -O https://deploy-proxy.mightybox.io/addons/mb-backup-manager/raw/branch/main/scripts/imports/restore_backup_direct.sh - curl -O https://deploy-proxy.mightybox.io/addons/mb-backup-manager/raw/branch/main/scripts/imports/view_snapshots.sh - - curl -O https://deploy-proxy.mightybox.io/addons/mb-backup-manager/raw/branch/main/scripts/backup-logic.sh - chmod +x /home/litespeed/mb-backups/*.sh \ No newline at end of file