From 96d55710b3b14c0c89dadaf46f5b01818acadfaf Mon Sep 17 00:00:00 2001
From: Peter Hormanns
Date: Wed, 23 Mar 2016 16:41:10 +0100
Subject: [PATCH] restrict initial user home access rights

---
 .../mods/dom/DomainProcessorFactory.java | 2 +-
 .../mods/user/UnixUserProcessorFactory.java | 18 ++++++++++--------
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java b/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java
index df49dec..4a49aee 100644
--- a/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java
+++ b/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java
@@ -215,7 +215,7 @@ public class DomainProcessorFactory implements EntityProcessorFactory {
 Processor mkDomainDirProzessor = new ShellProcessor( httpdRights + "chgrp httpd " + homeDir + " && " +
-"chmod g+rx " + homeDir + " && " +
+"chmod g+x " + homeDir + " && " +
 "mkdir --mode=1550 --parents " + domsDir + " && " +
 "chown httpd:" + pacName + " " + domsDir + " && " +
 "mkdir --mode=750 --parents " + domainDir + " && " +
diff --git a/hsarback/src/de/hsadmin/mods/user/UnixUserProcessorFactory.java b/hsarback/src/de/hsadmin/mods/user/UnixUserProcessorFactory.java
index 1aee1be..8b4367b 100644
--- a/hsarback/src/de/hsadmin/mods/user/UnixUserProcessorFactory.java
+++ b/hsarback/src/de/hsadmin/mods/user/UnixUserProcessorFactory.java
@@ -27,6 +27,7 @@ public class UnixUserProcessorFactory implements EntityProcessorFactory {
 + user.getUserId() + ":" + user.getPac().getName() + ":" + user.getComment() + ":" + user.getHomedir() + ":" + user.getShell() + "\n"));
+appendSetHomeACLProcessor(aCP, user);
 appendSetQuotaProcessor(aCP, user);
 appendMakeMaildirProcessor(aCP, user);
 return aCP;
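Review bot: The changed `"chmod g+x " + homeDir + " && " +` line, like the rest of this command string, splices `homeDir` into a shell command without quoting or validation, so the command is only safe if the value is guaranteed to be a plain path with no whitespace or shell metacharacters, and that guarantee is not visible in the hunk. If the path is derived from already-validated names elsewhere, a comment stating that assumption would make it explicit; otherwise check it against the expected `/home/pacs/...` form before building the command. The same concern applies to `user.getHomedir()` in the new appendSetHomeACLProcessor and to `user.getName()` in the rewrapped setquota lines of the UnixUserProcessorFactory hunks. A why-comment on the mode change would also help the next reader, e.g. `// httpd group gets traverse (x) only: enough to reach the doms directory, not to list the home`, hedged as to whether domsDir sits under homeDir since the hunk does not show it. The statement building mkDomainDirProzessor continues past the end of the hunk.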
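Review bot: The added `appendSetHomeACLProcessor(aCP, user);` is queued right after the processor that emits the passwd-style line, so the `chmod 700` it contributes only takes effect if the home directory already exists at that point; whether the preceding processor also creates the directory is not visible here, and a failed chmod inside the compound would leave the home with whatever mode it was created with. A comment at the call site stating the precondition would pin this down, e.g. `// assumes the home directory exists by now; restricts it to the owner before quota and maildir setup`, or the call should move after whichever step creates the directory if that is a later processor. The enclosing method starts before this hunk.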
@@ -71,6 +72,10 @@ public class UnixUserProcessorFactory implements EntityProcessorFactory {
 return null;
 }
 
+private void appendSetHomeACLProcessor(CompoundProcessor aCP, UnixUser user) {
+aCP.appendProcessor(new ShellProcessor("chmod 700 " + user.getHomedir()));
+}
+
 private void appendSetQuotaProcessor(CompoundProcessor aCP, UnixUser user) {
 Integer quotaSoft = user.getQuotaSoftlimit();
 if (quotaSoft == null) {
@@ -79,9 +84,8 @@ public class UnixUserProcessorFactory implements EntityProcessorFactory {
 quotaSoft = quotaSoft * 1024;
 }
 if (quotaSoft.intValue() == 0) {
-aCP.appendProcessor(new ShellProcessor("setquota -u "
-+ user.getName() + " 0 0 0 0 "
-+ "`df /home/pacs/ | tail -n1 | cut -d' ' -f1`"));
+aCP.appendProcessor(new ShellProcessor(
+"setquota -u " + user.getName() + " 0 0 0 0 " + "`df /home/pacs/ | tail -n1 | cut -d' ' -f1`"));
 return;
 }
 Integer quotaHard = user.getQuotaHardlimit();
@@ -89,11 +93,9 @@ public class UnixUserProcessorFactory implements EntityProcessorFactory {
 quotaHard = new Integer(0);
 } else {
 quotaHard = quotaHard * 1024;
-}
-aCP.appendProcessor(new ShellProcessor("setquota -u "
-+ user.getName() + " " + quotaSoft + " "
-+ quotaHard + " 0 0 "
-+ "`df /home/pacs/ | tail -n1 | cut -d' ' -f1`"));
+}
+aCP.appendProcessor(new ShellProcessor("setquota -u " + user.getName() + " " + quotaSoft + " " + quotaHard
++ " 0 0 " + "`df /home/pacs/ | tail -n1 | cut -d' ' -f1`"));
 }
 
 private void appendMakeMaildirProcessor(CompoundProcessor aCP, UnixUser user) {
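Review bot: The new appendSetHomeACLProcessor sets a plain permission mode with `chmod 700`, not a POSIX ACL, so its name promises more than the code does; either rename it (e.g. appendRestrictHomeModeProcessor) or add a Javadoc line such as `/** Removes all group and other access from the user's home directory (mode 700). */`. Mode 700 also clears the group traverse bit that DomainProcessorFactory grants to httpd with `chmod g+x` on the pac home; if a user's homedir can coincide with that directory, the order in which the two processors run decides the final mode, so a comment on the intended interaction would help the next maintainer. The two setquota hunks below only rewrap existing lines and need no further change.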