[Feature] Hestia Repair Tool #4330

Open
amaramadex opened this issue Mar 16, 2024 · 11 comments
Labels
feature New feature or request


@amaramadex

amaramadex commented Mar 16, 2024

Describe the feature or change in detail

It would be nice to have Hestia Repair Tool, so if you mess up something that you can revert it to default values/permissions/templates, etc.

Sample 1: https://docs.plesk.com/en-US/obsidian/administrator-guide/plesk-administration/plesk-repair-utility.74649/
Sample 2: https://keyhelp-toolbox.tiiny.site/

Would you like to sponsor this feature to have it implemented?

No

@amaramadex amaramadex added the feature New feature or request label Mar 16, 2024
@gOOvER
Contributor

gOOvER commented Mar 16, 2024

> Describe the feature or change in detail
>
> It would be nice to have Hestia Repair Tool, so if you mess up something that you can revert it to default values/permissions/templates, etc.
>
> Sample 1: https://docs.plesk.com/en-US/obsidian/administrator-guide/plesk-administration/plesk-repair-utility.74649/

When you messed up sth, then you should be able to revert it.
Would be a nice feature, but not needed. Such tools are only for lazy people or people who don't have the basics ;)

> Sample 2: https://keyhelp-toolbox.tiiny.site/

That's not an "official" tool ;)

@amaramadex
Author

Dear @gOOvER, your answer has a very childish approach.

@gOOvER
Contributor

gOOvER commented Mar 16, 2024

> Dear @gOOvER, your answer has a very childish approach.

Dear @amaramadex not really. This is my personal opinion. And you as Sys Admin shouldn't need such a Tool. ;) (Btw Europe and Imprint ;) )

@mdlaat

mdlaat commented Mar 16, 2024

> It would be nice to have Hestia Repair Tool, so if you mess up something that you can revert it to default values/permissions/templates, etc.

Isn't that called a backup?

@Skamasle
Contributor

> > It would be nice to have Hestia Repair Tool, so if you mess up something that you can revert it to default values/permissions/templates, etc.
>
> Isn't that called a backup?

Not necessarily, a repair tool can be used just as an "integrity check of system"

This can detect modified files, owners etc and inform you about that.

You may have broken something by mistake and months later something fails and you need to know what happened, checking the integrity of the panel with a single tool is better than restoring a full backup.

Not to mention that it can help check if everything is OK regarding security, that there is no injected code or modifications by someone in the control panel

@amaramadex
Author

@Skamasle bravo 🫡

@Skamasle
Contributor

I made a lite script to start with this.

Maybe this can help somebody; I modified one of my system check scripts.

In this case, this script just checks the /usr/local/hestia status. I have another script that just does chmod / chown back if it finds some issues, but it isn't relevant for this part.

First, get the correct permissions, owners, group and SHA of the files from a clean and recent Hestia install (this just checks files; you can add directories easily):

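```bash
#!/bin/bash
# Record owner:group, mode and SHA-256 of every regular file under
# /usr/local/hestia (run on a clean install). The rrd directory is skipped.
out="permission_file"
# -print after -type f keeps the pruned rrd directory itself out of the list.
find /usr/local/hestia -type d \( -name rrd \) -prune -o -type f -print | while IFS= read -r line; do
   fil="$(stat -c '%U:%G' "$line")"
   fil2="$(stat -c '%a' "$line")"
   sha=$(sha256sum "$line" | awk '{ print $1 }')
   # Quote every field so paths containing spaces stay in one column.
   printf "%s\t%s\t%s\t%s\t\n" "$line" "$fil" "$fil2" "$sha" | tee -a "$out"
done
```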

Then you get a file called: permission_file

Copy this file, and against this file you can check any server with the same Hestia version

With this script:

```bash
#!/bin/bash
# Compare every file listed in the baseline against its current
# owner:group, mode and SHA-256, and report each difference.
baseline=permission_file   # separate name: the loop below reuses $file per entry
echo "Working... this will take some minutes"
while IFS=$'\t' read -r file owner_group permissions sha256 || [[ -n $file ]]; do
    if [[ -f "$file" ]]; then
        current_owner_group=$(stat -c "%U:%G" "$file" | tr -d ' ')
        current_permissions=$(stat -c "%a" "$file" | tr -d ' ')
        current_sha256=$(sha256sum "$file" | cut -d' ' -f1 | tr -d ' ')
        # Right-hand sides are quoted so they compare as strings, not glob patterns.
        if [[ $current_owner_group != "$owner_group" || $current_permissions != "$permissions" || $current_sha256 != "$sha256" ]]; then
            echo "The file $file has been modified:"
            if [[ $current_owner_group != "$owner_group" ]]; then
                echo "  Owner and/or group: Expected=$owner_group, Actual=$current_owner_group"
            fi
            if [[ $current_permissions != "$permissions" ]]; then
                echo "  Permissions: Expected=$permissions, Current=$current_permissions"
            fi
            if [[ $current_sha256 != "$sha256" ]]; then
                echo "  SHA256: Expected=$sha256, Current=$current_sha256"
            fi
            echo ""
            error_found=1
        fi
    else
        echo "File $file does not exist."
        error_found=1
    fi
done < "$baseline"

if [[ -z $error_found ]]; then
    echo "No discrepancies found in any file."
fi
```

From this base, you can start working.

This script just prints if it finds any issue with the SHA, with the owner / group or the permissions of a file.

Then, you can add other functions to fix it if broken or download a new one if the SHA isn't correct.

This prints something like this:

```
The file /usr/local/hestia/nginx/conf/koi-win has been modified:
  SHA256: Expected=de518a9eafe86c8bc705e296d0ef26135835b46bdc0de01d1d50a630fa5d341e, Current=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

The file /usr/local/hestia/nginx/conf/mime.types has been modified:
  Owner and/or group: Expected=root:root, Actual=root:admin
```

I hope this can help somebody to detect some issue in Hestia.

You can add some option to fix the owner, and of course it needs some options to check /home/ and other dirs' permissions.

As I say, it's just the basis of how this can work.
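
The repair step mentioned in the comment above (putting owner and mode back from `permission_file`), as an added example that is not the commenter's script or HestiaCP code. The function name `repair_metadata`, the dry-run default and the temp-dir demo data are assumptions made for illustration; files whose hash differs are reported and left untouched, because chmod/chown cannot repair changed content.

```bash
#!/bin/bash
# Added example (hypothetical helper, not part of HestiaCP).
# repair_metadata BASELINE [apply]   default is a dry run that only reports.
repair_metadata() {
    baseline=$1 mode=${2:-dry-run} drift=0 skipped=0
    tab=$(printf '\t')
    while IFS=$tab read -r path owner perms sha || [ -n "$path" ]; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; skipped=$((skipped + 1)); continue
        fi
        # A changed hash means changed content: chmod/chown cannot repair that,
        # so leave the file alone and report it for review or reinstall.
        now_sha=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$now_sha" != "$sha" ]; then
            echo "CONTENT  $path (left untouched)"; skipped=$((skipped + 1)); continue
        fi
        now_owner=$(stat -c '%U:%G' "$path")
        now_perms=$(stat -c '%a' "$path")
        if [ "$now_owner" = "$owner" ] && [ "$now_perms" = "$perms" ]; then
            continue
        fi
        echo "FIX      $path  $now_owner $now_perms -> $owner $perms"
        if [ "$mode" = apply ]; then
            [ "$now_owner" = "$owner" ] || chown -- "$owner" "$path"
            [ "$now_perms" = "$perms" ] || chmod -- "$perms" "$path"
        fi
        drift=$((drift + 1))
    done < "$baseline"
    echo "drift=$drift skipped=$skipped mode=$mode"
}

# Constructed demo in a temp dir (stand-in for /usr/local/hestia).
demo=$(mktemp -d)
printf 'types {}\n' > "$demo/mime.types"
chmod 644 "$demo/mime.types"
printf '%s\t%s\t%s\t%s\t\n' "$demo/mime.types" \
    "$(stat -c '%U:%G' "$demo/mime.types")" 644 \
    "$(sha256sum "$demo/mime.types" | cut -d' ' -f1)" > "$demo/permission_file"
chmod 600 "$demo/mime.types"                     # simulate an accidental change
repair_metadata "$demo/permission_file"          # dry run: reports, changes nothing
repair_metadata "$demo/permission_file" apply    # restores mode 644
```

Review the dry-run output before passing `apply`, and keep the baseline file somewhere the panel's own processes cannot write to.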

@Anuril
Contributor

Anuril commented Apr 4, 2024

> And you as Sys Admin shouldn't need such a Tool. ;)

Generally, I'm in agreement with this, but I can see an integrity check as a security feature (Like Nextcloud) could make sense, and when you're there, you can also check for stuff that's not how it should be, f.ex with permissions.

The issue is that parsing all services (apache, nginx, mariadb, psql, dovecot, exim, spamassassin, etc.) to repair them if you break something - that's unrealistic and not possible.

Do I think hestia should have a config check? Yes - if the tools support it like apache2ctl configtest
Do I think we should do stuff to parse the config files of the services named above? No.

What I can see as helpful is something like opnsense has with the configuration backups (See here) so when you change a service config from the webinterface, hestia saves the previous version and allows you to show a diff to the previous versions and restore them. This would not prevent you from changing it via ssh and then not have this feature active, but it would certainly be nice.

PS: I'd love to invite everyone to keep the tone professional.
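
The idea in the comment above (keep the previous version of a config, show the diff, run the service's own config test, restore on failure), as an added example that is not HestiaCP or OPNsense code. `apply_config`, `HISTORY_DIR`, its default path and the `check_conf` stand-in validator are assumptions made for illustration; on a real host the validator would be a command such as `apache2ctl configtest`.

```bash
#!/bin/bash
# Added example (hypothetical helper, not part of HestiaCP).
# apply_config TARGET NEW_FILE VALIDATOR [ARGS...]
#   Snapshots TARGET, installs NEW_FILE, runs the validator against the live
#   path and restores the snapshot if the validator fails.
HISTORY_DIR=${HISTORY_DIR:-/var/backups/config-history}   # assumed location

apply_config() {
    target=$1 new=$2
    shift 2
    mkdir -p "$HISTORY_DIR" && chmod 700 "$HISTORY_DIR"
    snap=$(mktemp "$HISTORY_DIR/$(basename "$target").$(date +%Y%m%dT%H%M%S).XXXXXX") || return 2
    cp -p -- "$target" "$snap" || return 2
    LAST_SNAPSHOT=$snap
    diff -u -- "$snap" "$new" || true     # show the change that is being applied
    cat -- "$new" > "$target"             # overwrite in place: owner and mode stay
    if "$@"; then
        echo "applied; previous version kept at $snap"
        return 0
    fi
    cat -- "$snap" > "$target"            # validator failed: roll back
    echo "validation failed; restored $target from $snap" >&2
    return 1
}

# Constructed demo: temp dir and a stand-in validator instead of a real service.
demo=$(mktemp -d)
HISTORY_DIR="$demo/history"
check_conf() { grep -q '^listen ' "$1"; }
printf 'listen 80\n'   > "$demo/site.conf"
printf 'listen 8080\n' > "$demo/good.conf"
printf 'lisen 8080\n'  > "$demo/bad.conf"      # typo on purpose
apply_config "$demo/site.conf" "$demo/good.conf" check_conf "$demo/site.conf"
apply_config "$demo/site.conf" "$demo/bad.conf"  check_conf "$demo/site.conf" \
    || echo "bad config rejected, site.conf unchanged"
```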

@jaapmarcus
Member

> > And you as Sys Admin shouldn't need such a Tool. ;)
>
> Generally, I'm in agreement with this, but I can see an integrity check as a security feature (Like Nextcloud) could make sense, and when you're there, you can also check for stuff that's not how it should be, f.ex with permissions.
>
> The issue is that parsing all services (apache, nginx, mariadb, psql, dovecot, exim, spamassassin, etc.) to repair them if you break something - that's unrealistic and not possible.
>
> Do I think hestia should have a config check? Yes - if the tools support it like apache2ctl configtest
> Do I think we should do stuff to parse the config files of the services named above? No.
>
> What I can see as helpful is something like opnsense has with the configuration backups (See here) so when you change a service config from the webinterface, hestia saves the previous version and allows you to show a diff to the previous versions and restore them. This would not prevent you from changing it via ssh and then not have this feature active, but it would certainly be nice.
>
> PS: I'd love to invite everyone to keep the tone professional.

We already make backups of config files before we update Hestia ...

@Anuril
Contributor

Anuril commented Apr 4, 2024

I'll look into that.

@tlcd96
Contributor

tlcd96 commented May 2, 2024

If this is implemented, this could run after "do-release-upgrade" when the distro has finished upgrading
