Medowar
/
system-tools


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239
							#!/bin/bash
#
# setup_testenv.sh — General PHP development environment setup for Fedora
# Usage: bash setup_testenv.sh
# Sets up Apache (httpd) with PHP to serve /var/www/html on localhost
# Requires sudo privileges for package installation and service management
#
# PRIVILEGE SEPARATION: This script must NOT be run as root.
# The running user should not have direct rights to install packages
# (i.e., must use sudo which requires authentication).
#

set -euo pipefail

# ── Colors for output ─────────────────────────────────────────────────────
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# ── Check for privilege separation ─────────────────────────────────────────
echo "→ Checking user privileges..."

CURRENT_USER=$(whoami)

# Check if running as root (violates privilege separation)
if [[ $EUID -eq 0 ]]; then
    echo -e "${RED}ERROR: This script should not be run as root directly.${NC}"
    echo "  Please run as a normal user with sudo privileges."
    echo "  This ensures proper separation of privileges."
    exit 1
fi

echo -e "${GREEN}✓${NC} Not running as root (good for privilege separation)"

# Check if user has sudo privileges (Fedora uses wheel group for sudo access)
if groups | grep -qw wheel; then
    echo -e "${GREEN}✓${NC} User '$CURRENT_USER' is in wheel group (has sudo privileges)"
else
    echo -e "${YELLOW}WARNING:${NC} User '$CURRENT_USER' is not in the wheel group."
    echo "  This user may not have sudo privileges required for this script."
    echo "  The script will attempt to use sudo, which may prompt for a password."
    echo ""
    read -p "  Continue anyway? (y/N) " -n 1 -r
    echo
    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
        echo "Aborting."
        exit 1
    fi
fi

echo ""
echo "Note: sudo commands will prompt for your password if required."

# ── Configuration ─────────────────────────────────────────────────────────
DOCROOT="/var/www/html"
APACHE_USER="apache"
APACHE_GROUP="apache"
APACHE_CONF="/etc/httpd/conf.d/dev.conf"

# ── 1. Install Apache, PHP, and required modules ──────────────────────────
echo ""
echo "→ Installing Apache (httpd), PHP, and required modules..."

sudo dnf install -y httpd php php-json php-mbstring php-xml php-fpm jq acl

echo -e "${GREEN}✓${NC} Packages installed"

# ── 2. Ensure document root exists ────────────────────────────────────────
echo ""
echo "→ Ensuring document root exists: $DOCROOT"

sudo mkdir -p "$DOCROOT"
echo -e "${GREEN}✓${NC} Document root ready"

# ── 3. Set ownership and permissions for Apache + current user ────────────
echo ""
echo "→ Setting permissions for user '$CURRENT_USER' and Apache user '$APACHE_USER'..."

# Ensure ACL support is available (should be installed now)
if ! command -v setfacl &>/dev/null; then
    echo "  Installing ACL tools..."
    sudo dnf install -y acl
fi

# Set ownership to current user (so user can easily create files)
sudo chown -R "$CURRENT_USER:$CURRENT_USER" "$DOCROOT"

# Set base permissions
sudo chmod 0755 "$DOCROOT"

# Set ACLs so both the current user and Apache can read/write
sudo setfacl -R -m u:"$CURRENT_USER":rwx,u:"$APACHE_USER":rwx "$DOCROOT"
sudo setfacl -R -d -m u:"$CURRENT_USER":rwx,u:"$APACHE_USER":rwx "$DOCROOT"

# Also allow the apache group to access
sudo setfacl -R -m g:"$APACHE_GROUP":r-x "$DOCROOT"
sudo setfacl -R -d -m g:"$APACHE_GROUP":r-x "$DOCROOT"

echo -e "${GREEN}✓${NC} Permissions configured (ACLs set for $CURRENT_USER and $APACHE_USER)"

# ── 4. Create/update Apache configuration ─────────────────────────────────
echo ""
echo "→ Creating Apache configuration: $APACHE_CONF"

sudo tee "$APACHE_CONF" > /dev/null << EOF
# Development environment - serve /var/www/html on localhost
<Directory "$DOCROOT">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
    
    # Enable directory listing if no index file found
    DirectoryIndex index.php index.html index.htm
</Directory>

# Ensure PHP files are processed
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
EOF

echo -e "${GREEN}✓${NC} Apache configuration written"

# ── 5. Configure PHP for development ──────────────────────────────────────
echo ""
echo "→ Configuring PHP for development..."

PHP_INI="/etc/php.ini"
if [[ -f "$PHP_INI" ]]; then
    # Backup original
    sudo cp "$PHP_INI" "$PHP_INI.backup.$(date +%Y%m%d_%H%M%S)" 2>/dev/null || true
    
    # Enable error display for development
    sudo sed -i 's/^display_errors = .*/display_errors = On/' "$PHP_INI" 2>/dev/null || true
    sudo sed -i 's/^display_startup_errors = .*/display_startup_errors = On/' "$PHP_INI" 2>/dev/null || true
    sudo sed -i 's/^error_reporting = .*/error_reporting = E_ALL/' "$PHP_INI" 2>/dev/null || true
    
    echo -e "${GREEN}✓${NC} PHP configured for development (errors displayed)"
fi

# ── 6. Enable and start httpd ─────────────────────────────────────────────
echo ""
echo "→ Enabling and starting httpd..."

sudo systemctl enable httpd
sudo systemctl restart httpd

echo -e "${GREEN}✓${NC} Apache (httpd) is running"

# ── 7. Configure SELinux permissions ─────────────────────────────────────
echo ""
echo "→ Configuring SELinux permissions..."

# Check if SELinux is enabled
if command -v getenforce &>/dev/null; then
    SELINUX_STATUS=$(getenforce 2>/dev/null || echo "Disabled")
    if [[ "$SELINUX_STATUS" != "Disabled" && "$SELINUX_STATUS" != "Permissive" ]]; then
        echo "  SELinux is enabled ($SELINUX_STATUS), setting contexts..."
        
        # Install SELinux tools if not present
        if ! command -v semanage &>/dev/null; then
            echo "  Installing SELinux management tools..."
            sudo dnf install -y policycoreutils-python-utils
        fi
        
        # Set SELinux context for web content (readable/writable by httpd)
        echo "  → Setting httpd_sys_rw_content_t context for $DOCROOT..."
        sudo semanage fcontext -a -t httpd_sys_rw_content_t "$DOCROOT(/.*)?" 2>/dev/null || \
        sudo semanage fcontext -m -t httpd_sys_rw_content_t "$DOCROOT(/.*)?" 2>/dev/null || true
        
        # Apply the contexts
        sudo restorecon -Rv "$DOCROOT" 2>/dev/null || true
        
        # Allow httpd to read/write to the document root via PHP
        echo "  → Setting SELinux boolean: httpd_can_network_connect..."
        sudo setsebool -P httpd_can_network_connect on 2>/dev/null || true
        
        # Allow httpd to send mail (sometimes needed for PHP mail())
        sudo setsebool -P httpd_can_sendmail on 2>/dev/null || true
        
        echo -e "${GREEN}✓${NC} SELinux contexts configured"
    else
        echo "  SELinux is $SELINUX_STATUS, skipping SELinux configuration"
    fi
else
    echo "  (SELinux tools not found, skipping SELinux configuration)"
fi

# ── 8. Open firewall for HTTP ─────────────────────────────────────────────
echo ""
echo "→ Configuring firewall for HTTP..."

if command -v firewall-cmd &>/dev/null; then
    sudo firewall-cmd --permanent --add-service=http 2>/dev/null || true
    sudo firewall-cmd --reload 2>/dev/null || true
    echo -e "${GREEN}✓${NC} Firewall updated (HTTP service added)"
else
    echo "  (firewall-cmd not found, skipping firewall configuration)"
fi

# ── 9. Create a test PHP file ─────────────────────────────────────────────
echo ""
echo "→ Creating test PHP file..."

TEST_FILE="$DOCROOT/info.php"
sudo tee "$TEST_FILE" > /dev/null << 'EOF'
<?php
phpinfo();
?>
EOF

# Set proper ownership on the test file
sudo chown "$CURRENT_USER:$CURRENT_USER" "$TEST_FILE"
sudo setfacl -m u:"$APACHE_USER":r "$TEST_FILE"

echo -e "${GREEN}✓${NC} Test file created: $TEST_FILE"

# ── Done ───────────────────────────────────────────────────────────────────
echo ""
echo -e "${GREEN}========================================${NC}"
echo -e "${GREEN}  Setup complete!${NC}"
echo -e "${GREEN}========================================${NC}"
echo ""
echo "  Document root : $DOCROOT"
echo "  Served at     : http://localhost/"
echo "  Test page     : http://localhost/info.php"
echo ""
echo "  Next steps:"
echo "  1. Open http://localhost/ in your browser"
echo "  2. Place your PHP files in $DOCROOT"
echo "  3. Check httpd status:   sudo systemctl status httpd"
echo "  4. View PHP errors:      sudo tail -f /var/log/httpd/error_log"
echo "  5. Check SELinux denials: sudo ausearch -m AVC -ts recent"
echo ""
echo -e "${YELLOW}Note:${NC} Files created in $DOCROOT will be owned by $CURRENT_USER"
echo "      and accessible by Apache. Use standard file permissions"
echo "      or ACLs if you need to adjust access for specific files."
echo ""