
[enh] Avoid web/config being world-readable, finer lock down for web/var/cache

Julien Malik 2016-09-05 11:01:13 +02:00
parent 5ef522193f
commit 7e13c46051
3 changed files with 33 additions and 6 deletions


@ -80,9 +80,18 @@ sudo mv "$TMPDIR" "$DESTDIR"
sudo useradd -c "$app system account" \
-d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \
|| ynh_die "Unable to create $app system account"
# Protect source code against modifications
sudo chown -hR root: "$DESTDIR"
sudo chown -hR $app: "${DESTDIR}/web/var"
sudo chmod -R 750 "${DESTDIR}/web/var"
# Only agendav user should write here
sudo chown -hR $app: "${DESTDIR}/web/var/cache/"{profiler,twig}
sudo chmod -R 750 "${DESTDIR}/web/var/cache/"{profiler,twig}
# The agendav user should read here, but does not need to write
# Other users should not be able to read as it stores passwords.
sudo find "${DESTDIR}/web/config" -type f -exec chown root:$app {} \; -exec chmod 640 {} \;
sudo find "${DESTDIR}/web/config" -type d -exec chown root:$app {} \; -exec chmod 750 {} \;
# Create log directory
sudo install -m 750 -o $app -g adm -d "$LOGDIR"
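Review bot: The `sudo chmod -R 750 "${DESTDIR}/web/var/cache/"{profiler,twig}` line applies 750 to regular files as well, so every cached file gets an execute bit, whereas the web/config lines right below take care to give files 640 and directories 750; using the same split keeps the two blocks consistent, e.g. `sudo find "${DESTDIR}/web/var/cache/"{profiler,twig} -type f -exec chmod 640 {} +` and `sudo find "${DESTDIR}/web/var/cache/"{profiler,twig} -type d -exec chmod 750 {} +`. The brace-expanded chown/chmod also assume `cache/profiler` and `cache/twig` already exist in the shipped sources; if they do not, chown fails and aborts the script, so an `sudo install -o $app -g $app -m 750 -d "${DESTDIR}/web/var/cache/"{profiler,twig}` before the chown would make this robust (the restore hunk's later `rm -rf .../{profiler,twig}/*` relies on them too). If the `sudo chown -hR $app: "${DESTDIR}/web/var"` / `chmod -R 750` pair is still on the new side rather than being the removed lines (the rendered view has lost the markers), the cache-specific chown is redundant because all of web/var is already `$app`-owned and writable, which is the opposite of the finer lock-down the title describes, so worth confirming. The same block is repeated in the restore and upgrade hunks below and these remarks apply there as well; `$app` in `chown root:$app` and `-hR $app:` is unquoted throughout.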


@ -54,9 +54,18 @@ fi
# Restore the app files and set permissions
sudo cp -a ./sources "$DESTDIR"
# Protect source code against modifications
sudo chown -hR root: "$DESTDIR"
sudo chown -hR $app: "${DESTDIR}/web/var"
sudo chmod -R 750 "${DESTDIR}/web/var"
# Only agendav user should write here
sudo chown -hR $app: "${DESTDIR}/web/var/cache/"{profiler,twig}
sudo chmod -R 750 "${DESTDIR}/web/var/cache/"{profiler,twig}
# The agendav user should read here, but does not need to write
# Other users should not be able to read as it stores passwords.
sudo find "${DESTDIR}/web/config" -type f -exec chown root:$app {} \; -exec chmod 640 {} \;
sudo find "${DESTDIR}/web/config" -type d -exec chown root:$app {} \; -exec chmod 750 {} \;
# Clean caches
sudo rm -rf "${DESTDIR}/web/var/cache/"{profiler,twig}/*


@ -83,9 +83,18 @@ if ! id -u $app > /dev/null 2>&1 ; then
-d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \
|| ynh_die "Unable to create $app system account"
fi
# Protect source code against modifications
sudo chown -hR root: "$DESTDIR"
sudo chown -hR $app: "${DESTDIR}/web/var"
sudo chmod -R 750 "${DESTDIR}/web/var"
# Only agendav user should write here
sudo chown -hR $app: "${DESTDIR}/web/var/cache/"{profiler,twig}
sudo chmod -R 750 "${DESTDIR}/web/var/cache/"{profiler,twig}
# The agendav user should read here, but does not need to write
# Other users should not be able to read as it stores passwords.
sudo find "${DESTDIR}/web/config" -type f -exec chown root:$app {} \; -exec chmod 640 {} \;
sudo find "${DESTDIR}/web/config" -type d -exec chown root:$app {} \; -exec chmod 750 {} \;
# Create log directory
sudo install -m 750 -o $app -g adm -d "$LOGDIR"