Harden deployment and fix PEN-01
- Fix Bearer token extraction to validate prefix (PEN-01) - Add TestExtractBearerFromRequest covering PEN-01 edge cases - Fix flaky TestRenewToken timing (2s → 4s lifetime) - Move default config/install paths to /srv/mcias - Add RUNBOOK.md for operational procedures - Update AUDIT.md with penetration test round 4 Security: extractBearerFromRequest now uses case-insensitive prefix validation instead of fixed-offset slicing, rejecting non-Bearer Authorization schemes that were previously accepted. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
51
dist/install.sh
vendored
51
dist/install.sh
vendored
@@ -6,7 +6,7 @@
|
||||
# This script must be run as root. It:
|
||||
# 1. Creates the mcias system user and group (idempotent).
|
||||
# 2. Copies binaries to /usr/local/bin/.
|
||||
# 3. Creates /etc/mcias/ and /var/lib/mcias/ with correct permissions.
|
||||
# 3. Creates /srv/mcias/ with correct permissions.
|
||||
# 4. Installs the systemd service unit.
|
||||
# 5. Prints post-install instructions.
|
||||
#
|
||||
@@ -25,8 +25,7 @@ set -eu
|
||||
# Configuration
|
||||
# ---------------------------------------------------------------------------
|
||||
BIN_DIR="/usr/local/bin"
|
||||
CONF_DIR="/etc/mcias"
|
||||
DATA_DIR="/var/lib/mcias"
|
||||
SRV_DIR="/srv/mcias"
|
||||
MAN_DIR="/usr/share/man/man1"
|
||||
SYSTEMD_DIR="/etc/systemd/system"
|
||||
SERVICE_USER="mcias"
|
||||
@@ -114,23 +113,19 @@ for bin in mciassrv mciasctl mciasdb mciasgrpcctl; do
|
||||
install -m 0755 -o root -g root "$src" "$BIN_DIR/$bin"
|
||||
done
|
||||
|
||||
# Step 3: Create configuration directory.
|
||||
info "Creating $CONF_DIR"
|
||||
install -d -m 0750 -o root -g "$SERVICE_GROUP" "$CONF_DIR"
|
||||
# Step 3: Create service directory.
|
||||
info "Creating $SRV_DIR"
|
||||
install -d -m 0750 -o "$SERVICE_USER" -g "$SERVICE_GROUP" "$SRV_DIR"
|
||||
|
||||
# Install example config files; never overwrite existing configs.
|
||||
for f in mcias.conf.example mcias.env.example; do
|
||||
src="$SCRIPT_DIR/$f"
|
||||
dst="$CONF_DIR/$f"
|
||||
dst="$SRV_DIR/$f"
|
||||
if [ -f "$src" ]; then
|
||||
install -m 0640 -o root -g "$SERVICE_GROUP" "$src" "$dst" 2>/dev/null || true
|
||||
install -m 0640 -o "$SERVICE_USER" -g "$SERVICE_GROUP" "$src" "$dst" 2>/dev/null || true
|
||||
fi
|
||||
done
|
||||
|
||||
# Step 4: Create data directory.
|
||||
info "Creating $DATA_DIR"
|
||||
install -d -m 0750 -o "$SERVICE_USER" -g "$SERVICE_GROUP" "$DATA_DIR"
|
||||
|
||||
# Step 5: Install systemd service unit.
|
||||
if [ -d "$SYSTEMD_DIR" ]; then
|
||||
info "Installing systemd service unit to $SYSTEMD_DIR"
|
||||
@@ -175,26 +170,26 @@ Next steps:
|
||||
|
||||
# Self-signed (development / personal use):
|
||||
openssl req -x509 -newkey ed25519 -days 3650 \\
|
||||
-keyout /etc/mcias/server.key \\
|
||||
-out /etc/mcias/server.crt \\
|
||||
-keyout /srv/mcias/server.key \\
|
||||
-out /srv/mcias/server.crt \\
|
||||
-subj "/CN=auth.example.com" \\
|
||||
-nodes
|
||||
chmod 0640 /etc/mcias/server.key
|
||||
chown root:mcias /etc/mcias/server.key
|
||||
chmod 0640 /srv/mcias/server.key
|
||||
chown mcias:mcias /srv/mcias/server.key /srv/mcias/server.crt
|
||||
|
||||
2. Copy and edit the configuration file:
|
||||
|
||||
cp /etc/mcias/mcias.conf.example /etc/mcias/mcias.conf
|
||||
\$EDITOR /etc/mcias/mcias.conf
|
||||
chmod 0640 /etc/mcias/mcias.conf
|
||||
chown root:mcias /etc/mcias/mcias.conf
|
||||
cp /srv/mcias/mcias.conf.example /srv/mcias/mcias.toml
|
||||
\$EDITOR /srv/mcias/mcias.toml
|
||||
chmod 0640 /srv/mcias/mcias.toml
|
||||
chown mcias:mcias /srv/mcias/mcias.toml
|
||||
|
||||
3. Set the master key passphrase:
|
||||
|
||||
cp /etc/mcias/mcias.env.example /etc/mcias/env
|
||||
\$EDITOR /etc/mcias/env # replace the placeholder passphrase
|
||||
chmod 0640 /etc/mcias/env
|
||||
chown root:mcias /etc/mcias/env
|
||||
cp /srv/mcias/mcias.env.example /srv/mcias/env
|
||||
\$EDITOR /srv/mcias/env # replace the placeholder passphrase
|
||||
chmod 0640 /srv/mcias/env
|
||||
chown mcias:mcias /srv/mcias/env
|
||||
|
||||
IMPORTANT: Back up the passphrase to a secure offline location.
|
||||
Losing it means losing access to all encrypted data in the database.
|
||||
@@ -208,16 +203,16 @@ Next steps:
|
||||
5. Create the first admin account using mciasdb (while the server is
|
||||
running, or before first start):
|
||||
|
||||
MCIAS_MASTER_PASSPHRASE=\$(grep MCIAS_MASTER_PASSPHRASE /etc/mcias/env | cut -d= -f2) \\
|
||||
mciasdb --config /etc/mcias/mcias.conf account create \\
|
||||
MCIAS_MASTER_PASSPHRASE=\$(grep MCIAS_MASTER_PASSPHRASE /srv/mcias/env | cut -d= -f2) \\
|
||||
mciasdb --config /srv/mcias/mcias.toml account create \\
|
||||
--username admin --type human
|
||||
|
||||
Then set a password:
|
||||
MCIAS_MASTER_PASSPHRASE=... mciasdb --config /etc/mcias/mcias.conf \\
|
||||
MCIAS_MASTER_PASSPHRASE=... mciasdb --config /srv/mcias/mcias.toml \\
|
||||
account set-password --id <UUID>
|
||||
|
||||
And grant the admin role:
|
||||
MCIAS_MASTER_PASSPHRASE=... mciasdb --config /etc/mcias/mcias.conf \\
|
||||
MCIAS_MASTER_PASSPHRASE=... mciasdb --config /srv/mcias/mcias.toml \\
|
||||
role grant --id <UUID> --role admin
|
||||
|
||||
For full documentation, see: man mciassrv
|
||||
|
||||
Reference in New Issue
Block a user