From 7e13c46051f14a2d89e9142c1ca29bc56ddd2bda Mon Sep 17 00:00:00 2001
From: Julien Malik
Date: Mon, 5 Sep 2016 11:01:13 +0200
Subject: [PATCH] [enh] Avoid web/config being world-readable, finer lock down for web/var/cache

---
 scripts/install | 13 +++++++++++--
 scripts/restore | 13 +++++++++++--
 scripts/upgrade | 13 +++++++++++--
 3 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/scripts/install b/scripts/install
index 3dc40cd..d50c9da 100644
--- a/scripts/install
+++ b/scripts/install
@@ -80,9 +80,18 @@ sudo mv "$TMPDIR" "$DESTDIR"
 sudo useradd -c "$app system account" \
 -d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \
 || ynh_die "Unable to create $app system account"
+
+# Protect source code against modifications
 sudo chown -hR root: "$DESTDIR"
-sudo chown -hR $app: "${DESTDIR}/web/var"
-sudo chmod -R 750 "${DESTDIR}/web/var"
+
+# Only agendav user should write here
+sudo chown -hR $app: "${DESTDIR}/web/var/cache/"{profiler,twig}
+sudo chmod -R 750 "${DESTDIR}/web/var/cache/"{profiler,twig}
+
+# The agendav user should read here, but does not need to write
+# Other users should not be able to read as it stores passwords.
+sudo find "${DESTDIR}/web/config" -type f -exec chown root:$app {} \; -exec chmod 640 {} \;
+sudo find "${DESTDIR}/web/config" -type d -exec chown root:$app {} \; -exec chmod 750 {} \;
 
 # Create log directory
 sudo install -m 750 -o $app -g adm -d "$LOGDIR"
diff --git a/scripts/restore b/scripts/restore
index 8bea2a4..8a8bca2 100644
--- a/scripts/restore
+++ b/scripts/restore
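Review bot: A chown or chmod that fails on an individual file under web/config goes unnoticed in the two new `find` lines: with `-exec … \;` the command's exit status only serves as a find predicate and find itself still exits 0, so a file could remain world-readable with no error, which defeats the intent stated in the comment just above. The `+` form batches the calls and makes find report a failing invocation in its own exit status, which can then be acted on, e.g. `sudo find "${DESTDIR}/web/config" -type f -exec chown root:"$app" {} + -exec chmod 640 {} + || ynh_die "Unable to lock down ${DESTDIR}/web/config"`, and likewise for the `-type d` line. The same two lines appear in the scripts/restore and scripts/upgrade hunks. Separately, the removed `chown`/`chmod` covered all of web/var whereas the new lines cover only web/var/cache/{profiler,twig}; if AgenDAV writes anywhere else under web/var, that path is now root-owned and unwritable (the log directory is created separately via `$LOGDIR`, so this may well be fine, but it is worth confirming against the upstream layout).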
@@ -54,9 +54,18 @@ fi
 
 # Restore the app files and set permissions
 sudo cp -a ./sources "$DESTDIR"
+
+# Protect source code against modifications
 sudo chown -hR root: "$DESTDIR"
-sudo chown -hR $app: "${DESTDIR}/web/var"
-sudo chmod -R 750 "${DESTDIR}/web/var"
+
+# Only agendav user should write here
+sudo chown -hR $app: "${DESTDIR}/web/var/cache/"{profiler,twig}
+sudo chmod -R 750 "${DESTDIR}/web/var/cache/"{profiler,twig}
+
+# The agendav user should read here, but does not need to write
+# Other users should not be able to read as it stores passwords.
+sudo find "${DESTDIR}/web/config" -type f -exec chown root:$app {} \; -exec chmod 640 {} \;
+sudo find "${DESTDIR}/web/config" -type d -exec chown root:$app {} \; -exec chmod 750 {} \;
 
 # Clean caches
 sudo rm -rf "${DESTDIR}/web/var/cache/"{profiler,twig}/*
diff --git a/scripts/upgrade b/scripts/upgrade
index aba3bce..4a63481 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -83,9 +83,18 @@ if ! id -u $app > /dev/null 2>&1 ; then
 -d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \
 || ynh_die "Unable to create $app system account"
 fi
+
+# Protect source code against modifications
 sudo chown -hR root: "$DESTDIR"
-sudo chown -hR $app: "${DESTDIR}/web/var"
-sudo chmod -R 750 "${DESTDIR}/web/var"
+
+# Only agendav user should write here
+sudo chown -hR $app: "${DESTDIR}/web/var/cache/"{profiler,twig}
+sudo chmod -R 750 "${DESTDIR}/web/var/cache/"{profiler,twig}
+
+# The agendav user should read here, but does not need to write
+# Other users should not be able to read as it stores passwords.
+sudo find "${DESTDIR}/web/config" -type f -exec chown root:$app {} \; -exec chmod 640 {} \;
+sudo find "${DESTDIR}/web/config" -type d -exec chown root:$app {} \; -exec chmod 750 {} \;
 
 # Create log directory
 sudo install -m 750 -o $app -g adm -d "$LOGDIR"