From 0ecb02b0725afc46056485632d445e99c2038ef1 Mon Sep 17 00:00:00 2001 From: Jules Bertholet Date: Mon, 22 Mar 2021 18:20:17 -0400 Subject: [PATCH] Harden permissions --- hooks/post_app_addaccess | 3 ++- hooks/post_user_create | 3 ++- scripts/_common.sh | 2 ++ scripts/install | 16 ++++++++++++++-- scripts/remove | 8 ++++++++ scripts/restore | 16 +++++++++++++--- scripts/upgrade | 15 ++++++++++++--- 7 files changed, 53 insertions(+), 10 deletions(-) diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess index a66e3d5..bb78e42 100755 --- a/hooks/post_app_addaccess +++ b/hooks/post_app_addaccess @@ -13,6 +13,7 @@ then do user_token=$(ynh_string_random) $app_path/cli/create-user.php --user $myuser --language en --token $user_token - sudo chown -R $app: $app_path/data/users/$myuser/ + sudo chown -R $app:$app $app_path/data/users/$myuser/ + setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $app_path/data/users/$myuser/ done fi diff --git a/hooks/post_user_create b/hooks/post_user_create index de0d472..c6f92f9 100755 --- a/hooks/post_user_create +++ b/hooks/post_user_create @@ -9,4 +9,5 @@ myuser=$1 user_token=$(ynh_string_random) sudo $app_path/cli/create-user.php --user $myuser --language en --token $user_token -sudo chown -R $app: $app_path/data/users/$myuser/ +sudo chown -R $app:$app $app_path/data/users/$myuser/ +setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $app_path/data/users/$myuser/ diff --git a/scripts/_common.sh b/scripts/_common.sh index 651a47f..182c9d1 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -4,6 +4,8 @@ # COMMON VARIABLES #================================================= +pkg_dependencies="acl" + YNH_PHP_VERSION="7.3" extra_php_dependencies="php${YNH_PHP_VERSION}-gd php${YNH_PHP_VERSION}-zip php${YNH_PHP_VERSION}-dom php${YNH_PHP_VERSION}-mbstring php${YNH_PHP_VERSION}-gmp php${YNH_PHP_VERSION}-mysql php${YNH_PHP_VERSION}-sqlite3 php${YNH_PHP_VERSION}-curl php${YNH_PHP_VERSION}-intl php${YNH_PHP_VERSION}-xml" diff --git a/scripts/install b/scripts/install index 9f66a19..11c68a3 100755 --- a/scripts/install +++ b/scripts/install @@ -48,6 +48,15 @@ ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=admin --value=$admin ynh_app_setting_set --app=$app --key=language --value=$language +#================================================= +# STANDARD MODIFICATIONS +#================================================= +# INSTALL DEPENDENCIES +#================================================= +ynh_script_progression --message="Installing dependencies..." --weight=3 + +ynh_install_app_dependencies $pkg_dependencies + #================================================= # CREATE A MYSQL DATABASE #================================================= @@ -139,8 +148,11 @@ chmod 644 "$cron_path" #================================================= # Set permissions to app files -chown -R root: $final_path -chown -R $app: $final_path/{data,extensions} +chown -R root:$app $final_path +chmod -R g-w $final_path +chown -R $app:$app $final_path/{data,extensions} +chmod o-rwx $final_path +setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path #================================================= # SETUP SSOWAT diff --git a/scripts/remove b/scripts/remove index f699b50..e3c5e6a 100755 --- a/scripts/remove +++ b/scripts/remove @@ -29,6 +29,14 @@ ynh_script_progression --message="Removing the MySQL database..." # Remove a database if it exists, along with the associated user ynh_mysql_remove_db --db_user=$db_user --db_name=$db_name +#================================================= +# REMOVE DEPENDENCIES +#================================================= +ynh_script_progression --message="Removing dependencies..." --weight=1 + +# Remove metapackage and its dependencies +ynh_remove_app_dependencies + #================================================= # REMOVE APP MAIN DIR #================================================= diff --git a/scripts/restore b/scripts/restore index fa75827..1586a61 100644 --- a/scripts/restore +++ b/scripts/restore @@ -64,14 +64,24 @@ ynh_script_progression --message="Recreating the dedicated system user..." # Create the dedicated user (if not existing) ynh_system_user_create --username=$app +#================================================= +# REINSTALL DEPENDENCIES +#================================================= +ynh_script_progression --message="Reinstalling dependencies..." --weight=1 + +# Define and install dependencies +ynh_install_app_dependencies $pkg_dependencies + #================================================= # RESTORE USER RIGHTS #================================================= # Restore permissions on app files -chown -R root: $final_path -chown -R $app: $final_path/data/ -chown -R $app: $final_path/extensions/ +chown -R root:$app $final_path +chmod -R g-w $final_path +chown -R $app:$app $final_path/{data,extensions} +chmod o-rwx $final_path +setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path #================================================= # RESTORE THE PHP-FPM CONFIGURATION diff --git a/scripts/upgrade b/scripts/upgrade index c50675e..27d280b 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -98,6 +98,13 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." # Create a dedicated nginx config ynh_add_nginx_config +#================================================= +# UPGRADE DEPENDENCIES +#================================================= +ynh_script_progression --message="Upgrading dependencies..." --weight=1 + +ynh_install_app_dependencies $pkg_dependencies + #================================================= # CREATE DEDICATED USER #================================================= @@ -164,9 +171,11 @@ fi #================================================= # Set permissions on app files -chown -R root: $final_path -chmod 755 $final_path -chown -R $app: $final_path/{data,extensions} +chown -R root:$app $final_path +chmod -R g-w $final_path +chown -R $app:$app $final_path/{data,extensions} +chmod o-rwx $final_path +setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path # reconfigure application with latest parameters $final_path/cli/reconfigure.php --default_user $admin --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name