From 9463f0b62e56ada1969c40de728a03097e01bd63 Mon Sep 17 00:00:00 2001 From: Trent Piepho Date: Sat, 5 Jun 2021 14:18:42 -0700 Subject: [PATCH 1/4] Update rhel PAM config This is more in line with current PAM setup for a service like sshd. It will handle systemd, audit, etc. --- package-with/pam-rhel.conf | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/package-with/pam-rhel.conf b/package-with/pam-rhel.conf index 1daab90..0ba40d1 100644 --- a/package-with/pam-rhel.conf +++ b/package-with/pam-rhel.conf @@ -1,3 +1,11 @@ -auth include password-auth -account include password-auth -session include password-auth +auth substack password-auth +auth include postlogin +account required pam_sepermit.so +account include password-auth +session required pam_selinux.so close +session required pam_loginuid.so +session required pam_selinux.so open env_params +session required pam_namespace.so +session optional pam_keyinit.so force revoke +session include password-auth +session include postlogin From adacd304323d878ad5bec4712e3a3c1732d18fbf Mon Sep 17 00:00:00 2001 From: Trent Piepho Date: Sat, 5 Jun 2021 14:19:58 -0700 Subject: [PATCH 2/4] Configure systemd unit to start after network This needs the network to be up to work and also to bind to specific IPs. Add ordering dependency on network.target. --- package-with/systemd.service | 1 + 1 file changed, 1 insertion(+) diff --git a/package-with/systemd.service b/package-with/systemd.service index b685661..cb4ac35 100644 --- a/package-with/systemd.service +++ b/package-with/systemd.service @@ -1,6 +1,7 @@ [Unit] Description=WebDAV file server Documentation=man:webdavd(1) +After=network.target [Service] Type=simple From 2289ac9ebed73526193b0d81564553e94dc72a2d Mon Sep 17 00:00:00 2001 
From: Trent Piepho Date: Sat, 5 Jun 2021 14:21:45 -0700 Subject: [PATCH 3/4] Move logs to their own directory /var/log/webdavd This is more in line with current practice for services that create their own logfiles. Add a line to the systemd unit that will create the log directory before starting. systemd will also handle permissions on the directory and can do various things with namespaces to prevent access to other files in /var or elsewhere. Update logrotate to match. Remove owner/permission setting for logrotate. It will copy the existing logfiles' values, which allows it to work properly if webdavd runs as another user or with a different umask. --- package-with/conf.xml | 4 ++-- package-with/logrotate.conf | 4 ++-- package-with/systemd.service | 4 +--- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/package-with/conf.xml b/package-with/conf.xml index b7bce47..67a9388 100644 --- a/package-with/conf.xml +++ b/package-with/conf.xml @@ -93,8 +93,8 @@ - /var/log/webdav-error.log - /var/log/webdav-access.log + /var/log/webdavd/error.log + /var/log/webdavd/access.log
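Review bot: in the pam-rhel.conf hunk, `session optional pam_keyinit.so force revoke` operates on the session keyring of the process that calls pam_open_session()/pam_close_session(). With `force`, pam_keyinit replaces that process's existing session keyring; with `revoke`, it revokes the keyring when the session is closed. In sshd this is safe because each login runs in a forked child, but if webdavd opens and closes PAM sessions from its long-lived daemon process, the first session close revokes the daemon's own keyring and later sessions inherit a replaced one. Please state in the commit message that sessions are handled in a per-connection child, or drop `force revoke` until that is confirmed.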
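Review bot: in the systemd.service hunk, `After=network.target` does not give the guarantee the commit message asks for. network.target only orders the unit after network management has started; it does not wait for interfaces to be configured with addresses, so a bind to a specific IP can still fail with EADDRNOTAVAIL at boot. For the "bind to specific IPs" case the unit needs `Wants=network-online.target` together with `After=network-online.target` (After= alone only orders and does not pull the target in), or alternatively a socket-level option such as IP_FREEBIND so the bind succeeds before the address is up.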
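Review bot: in the conf.xml hunk, the new paths `/var/log/webdavd/error.log` and `/var/log/webdavd/access.log` make the daemon depend on a directory that the old flat `/var/log/webdav-*.log` paths did not need. The commit message relies on the systemd unit to create it, so a start outside systemd (running webdavd by hand, or under another init) will fail to open its log files at the first write. Since the message also anticipates webdavd running as a non-root user, the directory must be created with that user as owner, not just exist; consider also shipping the directory in the package (tmpfiles.d or a packaging-time mkdir) so the conf.xml defaults work regardless of how the service is started.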