Harden permissions

hooks/post_app_addaccess

@@ -13,6 +13,7 @@ then
     do
         user_token=$(ynh_string_random)
         $app_path/cli/create-user.php --user $myuser --language en --token $user_token
-        sudo chown -R $app: $app_path/data/users/$myuser/
+        sudo chown -R $app:$app $app_path/data/users/$myuser/
+        setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $app_path/data/users/$myuser/
     done
 fi

hooks/post_user_create

@@ -9,4 +9,5 @@ myuser=$1
 
 user_token=$(ynh_string_random)
 sudo $app_path/cli/create-user.php --user $myuser --language en --token $user_token
-sudo chown -R $app: $app_path/data/users/$myuser/
+sudo chown -R $app:$app $app_path/data/users/$myuser/
+setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $app_path/data/users/$myuser/

scripts/_common.sh

@@ -4,6 +4,8 @@
 # COMMON VARIABLES
 #=================================================
 
+pkg_dependencies="acl"
+
 YNH_PHP_VERSION="7.3"
 
 extra_php_dependencies="php${YNH_PHP_VERSION}-gd php${YNH_PHP_VERSION}-zip php${YNH_PHP_VERSION}-dom php${YNH_PHP_VERSION}-mbstring php${YNH_PHP_VERSION}-gmp php${YNH_PHP_VERSION}-mysql php${YNH_PHP_VERSION}-sqlite3 php${YNH_PHP_VERSION}-curl php${YNH_PHP_VERSION}-intl php${YNH_PHP_VERSION}-xml"

scripts/install

@@ -48,6 +48,15 @@ ynh_app_setting_set --app=$app --key=path --value=$path_url
 ynh_app_setting_set --app=$app --key=admin --value=$admin
 ynh_app_setting_set --app=$app --key=language --value=$language
 
+#=================================================
+# STANDARD MODIFICATIONS
+#=================================================
+# INSTALL DEPENDENCIES
+#=================================================
+ynh_script_progression --message="Installing dependencies..." --weight=3
+
+ynh_install_app_dependencies $pkg_dependencies
+
 #=================================================
 # CREATE A MYSQL DATABASE
 #=================================================
@@ -139,8 +148,11 @@ chmod 644 "$cron_path"
 #=================================================
 
 # Set permissions to app files
-chown -R root: $final_path
-chown -R $app: $final_path/{data,extensions}
+chown -R root:$app $final_path
+chmod -R g-w $final_path
+chown -R $app:$app $final_path/{data,extensions}
+chmod o-rwx $final_path
+setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path
 
 #=================================================
 # SETUP SSOWAT

scripts/remove

@@ -29,6 +29,14 @@ ynh_script_progression --message="Removing the MySQL database..."
 # Remove a database if it exists, along with the associated user
 ynh_mysql_remove_db --db_user=$db_user --db_name=$db_name
 
+#=================================================
+# REMOVE DEPENDENCIES
+#=================================================
+ynh_script_progression --message="Removing dependencies..." --weight=1
+
+# Remove metapackage and its dependencies
+ynh_remove_app_dependencies
+
 #=================================================
 # REMOVE APP MAIN DIR
 #=================================================

scripts/restore

@@ -64,14 +64,24 @@ ynh_script_progression --message="Recreating the dedicated system user..."
 # Create the dedicated user (if not existing)
 ynh_system_user_create --username=$app
 
+#=================================================
+# REINSTALL DEPENDENCIES
+#=================================================
+ynh_script_progression --message="Reinstalling dependencies..." --weight=1
+
+# Define and install dependencies
+ynh_install_app_dependencies $pkg_dependencies
+
 #=================================================
 # RESTORE USER RIGHTS
 #=================================================
 
 # Restore permissions on app files
-chown -R root: $final_path
-chown -R $app: $final_path/data/
-chown -R $app: $final_path/extensions/
+chown -R root:$app $final_path
+chmod -R g-w $final_path
+chown -R $app:$app $final_path/{data,extensions}
+chmod o-rwx $final_path
+setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path
 
 #=================================================
 # RESTORE THE PHP-FPM CONFIGURATION

scripts/upgrade

@@ -98,6 +98,13 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..."
 # Create a dedicated nginx config
 ynh_add_nginx_config
 
+#=================================================
+# UPGRADE DEPENDENCIES
+#=================================================
+ynh_script_progression --message="Upgrading dependencies..." --weight=1
+
+ynh_install_app_dependencies $pkg_dependencies
+
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
@@ -164,9 +171,11 @@ fi
 #=================================================
 
 # Set permissions on app files
-chown -R root: $final_path
-chmod 755 $final_path
-chown -R $app: $final_path/{data,extensions}
+chown -R root:$app $final_path
+chmod -R g-w $final_path
+chown -R $app:$app $final_path/{data,extensions}
+chmod o-rwx $final_path
+setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path
 
 # reconfigure application with latest parameters
 $final_path/cli/reconfigure.php --default_user $admin --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name