From 1ee015bd50e08c27d7cbaa74baa8d8e432939e4a Mon Sep 17 00:00:00 2001 From: Gofannon Date: Sun, 8 Jul 2018 00:04:33 +0200 Subject: [PATCH] [enh] rework linux permissions --- conf/plugins.local.php | 8 +++++ scripts/install | 65 ++++++++++++++++++++++++++++----- scripts/upgrade | 81 +++++++++++++++++++++++++++++++++--------- 3 files changed, 130 insertions(+), 24 deletions(-) create mode 100644 conf/plugins.local.php diff --git a/conf/plugins.local.php b/conf/plugins.local.php new file mode 100644 index 0000000..4f256a9 --- /dev/null +++ b/conf/plugins.local.php @@ -0,0 +1,8 @@ + BAD +# find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD #================================================= # SETUP SSOWAT diff --git a/scripts/upgrade b/scripts/upgrade index 24c33aa..af12f47 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -64,7 +64,7 @@ fi # Loading order of configuration files # # By default DokuWiki loads its configuration files in the following order: -# +# # 1. conf/dokuwiki.php # 2. conf/local.php # 3. conf/local.protected.php 
@@ -101,6 +101,42 @@ if [ ! -f "$final_path/conf/acl.auth.php" ]; then
 cp ../conf/acl.auth.php $final_path/conf
 fi
 
+# For securing DokuWiki installation, create default files that will be writable in the "conf" folder.
+# Other files will be read ony and owned by root.
+# See https://www.dokuwiki.org/install:permissions
+
+# Create file if it does not exist
+if [ ! -f "$final_path/conf/local.protected.php" ]; then
+ # Set the default "admin"
+ # Replace string in order to have a functionnal configuration file
+ ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php"
+
+ cp ../conf/local.protected.php $final_path/conf
+fi
+
+# If file does not exists
+if [ ! -f "$final_path/conf/local.php.bak" ]; then
+ # if template exists
+ if [ -f "$final_path/conf/local.php.dist" ]; then
+ # Copy template to create default file
+ cp "$final_path/conf/local.php.dist" "$final_path/conf/local.php.bak"
+ fi
+fi
+
+if [ ! -f "$final_path/conf/users.auth.php" ]; then
+ if [ -f "$final_path/conf/users.auth.php.dist" ]; then
+ cp $final_path/conf/users.auth.php.dist $final_path/conf/users.auth.php
+ fi
+fi
+
+if [ ! -f "$final_path/conf/plugins.local.php" ]; then
+ cp ../conf/plugins.local.php $final_path/conf
+fi
+
+if [ ! -f "$final_path/conf/plugins.local.php.bak" ]; then
+ cp ../conf/plugins.local.php $final_path/conf/plugins.local.php.bak
+fi
+
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
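Review bot: The `cp` lines added in this hunk expand `$final_path` unquoted (`cp ../conf/local.protected.php $final_path/conf`, `cp $final_path/conf/users.auth.php.dist $final_path/conf/users.auth.php`, and both `plugins.local.php` copies), while the `local.php.bak` copy a few lines above quotes it; quoting consistently, e.g. `cp ../conf/local.protected.php "$final_path/conf"`, avoids word-splitting and glob expansion should the install path ever contain spaces or metacharacters. These files are created here as root and their ownership is only corrected in the permissions hunk further down (`@@ -222,20 +254,37 @@`), so any file added to this list must also be added to the chown list there or it stays unwritable for DokuWiki. The comments also carry typos worth fixing in the same pass: `# Other files will be read only and owned by root.`, `# Replace string in order to have a functional configuration file`, `# If file does not exist`.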
@@ -155,11 +191,6 @@ ynh_add_fpm_config
 # SPECIFIC UPGRADE
 #=================================================
 
-# TODO Taken from old "upgrade" script. Should check if it is needed and what it does
-if [ -d "${final_path}/data/media" ]; then
- chown -R $app:root $final_path/{data/attic,data/cache,data/index,data/locks,data/media*,data/meta,data/pages,data/tmp}
-fi
-
 # Remove upgrade notification inside Dokuwiki's admin panel
 # See https://www.dokuwiki.org/update_check
 touch $final_path/doku.php
@@ -183,6 +214,7 @@ if [ -f "$final_path/data/deleted.files" ]; then
 )
 fi
 
+# TODO Taken from old "upgrade" script. Should check if it is needed and what it does
 # Update all plugins
 for name_plugin in $(sudo -s cat $final_path/lib/plugins/*/plugin.info.txt | grep url | awk -F':' '{print $3}'); do
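Review bot: The re-added `# TODO Taken from old "upgrade" script. Should check if it is needed and what it does` now sits directly above `# Update all plugins` and the `for name_plugin` loop, so it reads as a doubt about the plugin-update loop rather than about the `chown` block it originally annotated, which the previous hunk (`@@ -155,11 +191,6 @@`) deletes. If the plugin loop is what is being questioned, say so explicitly, e.g. `# TODO Plugin auto-update kept from the old "upgrade" script; confirm it is still needed`; otherwise drop the line, since the block it referred to no longer exists. The `for` loop body continues outside the hunk.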
@@ -222,20 +254,37 @@ ynh_store_file_checksum "$final_path/conf/local.protected.php"
 # SECURE FILES AND DIRECTORIES
 #=================================================
 
-# Files owned by dokuwiki can just read
+# Try to use "least privilege" to grant minimal access
+# For details, see https://www.dokuwiki.org/install:permissions
+
+# Files owned by DokuWiki can just read
 chown -R root: $final_path
 
-# except for conf, data, some data subfolders, and lib/plugin, where dokuwiki must have write permissions
-#TODO compare rights with install script !!!
-# Install script :
-#sudo chown -R $app:root $final_path/{conf,data,data/attic,data/cache,data/index,data/locks,data/media*,data/meta,data/pages,data/tmp,lib/plugins,lib/tpl}
+# DokuWiki needs to write inside the "conf" folder. Do "DokuWiki" owner of the folder.
+chown $app:root $final_path/conf
 
-chown -R $app:root $final_path/{conf,data,lib/plugins,lib/tpl}
-chmod -R 700 $final_path/conf
-chmod -R 700 $final_path/data
-chmod -R 755 $final_path/lib/plugins
-chmod 755 $final_path/lib/tpl/{dokuwiki,dokuwiki/images}
+# Do "DokuWiki" owner of onfiguration files that must be writable
+chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak}
+# Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them
+# There are only files in the folder and there is sublevels. No need to use "find"
+chmod -R a+r $final_path/conf
+# Give write access to "data" and subfolders
+chown -R $app:root $final_path/data
+# Remove access to "other"
+chmod -R o-rwx $final_path/data
+
+# Allow the web admin panel to run, aka "Extension Manager"
+chown -R $app:root $final_path/lib/plugins
+# Allow to install templates
+chown -R $app:root $final_path/lib/tpl
+
+# Allow access to public assets like style sheets
+find $final_path/lib -type f -print0 | xargs -0 chmod 0644
+find $final_path/lib -type d -print0 | xargs -0 chmod 0755
+# Using "find" instead of "chmod -R 755" so files does not become executable too
+# chmod : -rwxr-xr-x 1 root root 241 May 3 08:36 index.html => BAD
+# find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD
 
 #=================================================
 # SETUP SSOWAT
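Review bot: `chmod -R a+r $final_path/conf` makes every file in conf world-readable, including `users.auth.php` (password hashes) and `local.protected.php`, so any local account on the host can read them, which contradicts the "least privilege" comment above it; the justification "nginx cannot read them" looks misplaced, since nginx only serves static assets while the PHP-FPM pool set up by `ynh_add_fpm_config` (context of an earlier hunk) presumably runs as `$app`, so group access for `$app` is enough — that relies on the `$app` system user having a group of the same name, which should be confirmed. Separately, the brace list `chown $app:root $final_path/conf/{local.php,...,plugins.local.php.bak}` exits non-zero if any listed file is absent (`local.php.bak` and `users.auth.php` are only created when their `.dist` templates exist, per the hunk at `@@ -101,6 +101,42 @@`), which under the trap activated in the "BACKUP BEFORE UPGRADE THEN ACTIVE TRAP" section aborts the upgrade with permissions half-applied. Every `$final_path` expansion in this hunk is also unquoted, in the `find`, `chown` and `chmod` lines alike. The comments need `onfiguration` → `configuration`, `defaut` → `default`, `there is sublevels` → `there are no sublevels`, and `so files does not become executable` → `so files do not become executable`.
```shell
# "conf" is read by PHP-FPM running as $app and holds secrets (users.auth.php has
# password hashes), so it must not be world-readable: owner root, group $app, nothing for "other"
chown -R root:"$app" "$final_path/conf"
chmod -R u=rwX,g=rX,o= "$final_path/conf"
# DokuWiki must create and rewrite files in "conf", so it owns the folder ...
chown "$app" "$final_path/conf"
# ... and the configuration files that must stay writable; skip any that is absent so an
# optional file that was never created does not abort the upgrade under the error trap
for conf_file in local.php local.php.bak users.auth.php acl.auth.php plugins.local.php plugins.local.php.bak; do
    if [ -e "$final_path/conf/$conf_file" ]; then
        chown "$app" "$final_path/conf/$conf_file"
    fi
done
# … unchanged: "data" and "lib" ownership and modes (quote "$final_path" there as well) …
```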