From 0ecb02b0725afc46056485632d445e99c2038ef1 Mon Sep 17 00:00:00 2001 From: Jules Bertholet Date: Mon, 22 Mar 2021 18:20:17 -0400 Subject: [PATCH 1/2] Harden permissions --- hooks/post_app_addaccess | 3 ++- hooks/post_user_create | 3 ++- scripts/_common.sh | 2 ++ scripts/install | 16 ++++++++++++++-- scripts/remove | 8 ++++++++ scripts/restore | 16 +++++++++++++--- scripts/upgrade | 15 ++++++++++++--- 7 files changed, 53 insertions(+), 10 deletions(-) diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess index a66e3d5..bb78e42 100755 --- a/hooks/post_app_addaccess +++ b/hooks/post_app_addaccess @@ -13,6 +13,7 @@ then do user_token=$(ynh_string_random) $app_path/cli/create-user.php --user $myuser --language en --token $user_token - sudo chown -R $app: $app_path/data/users/$myuser/ + sudo chown -R $app:$app $app_path/data/users/$myuser/ + setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $app_path/data/users/$myuser/ done fi diff --git a/hooks/post_user_create b/hooks/post_user_create index de0d472..c6f92f9 100755 --- a/hooks/post_user_create +++ b/hooks/post_user_create @@ -9,4 +9,5 @@ myuser=$1 user_token=$(ynh_string_random) sudo $app_path/cli/create-user.php --user $myuser --language en --token $user_token -sudo chown -R $app: $app_path/data/users/$myuser/ +sudo chown -R $app:$app $app_path/data/users/$myuser/ +setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $app_path/data/users/$myuser/ diff --git a/scripts/_common.sh b/scripts/_common.sh index 651a47f..182c9d1 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -4,6 +4,8 @@ # COMMON VARIABLES #================================================= +pkg_dependencies="acl" + YNH_PHP_VERSION="7.3" extra_php_dependencies="php${YNH_PHP_VERSION}-gd php${YNH_PHP_VERSION}-zip php${YNH_PHP_VERSION}-dom php${YNH_PHP_VERSION}-mbstring php${YNH_PHP_VERSION}-gmp php${YNH_PHP_VERSION}-mysql php${YNH_PHP_VERSION}-sqlite3 php${YNH_PHP_VERSION}-curl php${YNH_PHP_VERSION}-intl php${YNH_PHP_VERSION}-xml" diff --git a/scripts/install b/scripts/install index 9f66a19..11c68a3 100755 --- a/scripts/install +++ b/scripts/install @@ -48,6 +48,15 @@ ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=admin --value=$admin ynh_app_setting_set --app=$app --key=language --value=$language +#================================================= +# STANDARD MODIFICATIONS +#================================================= +# INSTALL DEPENDENCIES +#================================================= +ynh_script_progression --message="Installing dependencies..." --weight=3 + +ynh_install_app_dependencies $pkg_dependencies + #================================================= # CREATE A MYSQL DATABASE #================================================= @@ -139,8 +148,11 @@ chmod 644 "$cron_path" #================================================= # Set permissions to app files -chown -R root: $final_path -chown -R $app: $final_path/{data,extensions} +chown -R root:$app $final_path +chmod -R g-w $final_path +chown -R $app:$app $final_path/{data,extensions} +chmod o-rwx $final_path +setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path #================================================= # SETUP SSOWAT diff --git a/scripts/remove b/scripts/remove index f699b50..e3c5e6a 100755 --- a/scripts/remove +++ b/scripts/remove 
@@ -29,6 +29,14 @@ ynh_script_progression --message="Removing the MySQL database..." # Remove a database if it exists, along with the associated user ynh_mysql_remove_db --db_user=$db_user --db_name=$db_name +#================================================= +# REMOVE DEPENDENCIES +#================================================= +ynh_script_progression --message="Removing dependencies..." --weight=1 + +# Remove metapackage and its dependencies +ynh_remove_app_dependencies + #================================================= # REMOVE APP MAIN DIR #================================================= diff --git a/scripts/restore b/scripts/restore index fa75827..1586a61 100644 --- a/scripts/restore +++ b/scripts/restore @@ -64,14 +64,24 @@ ynh_script_progression --message="Recreating the dedicated system user..." # Create the dedicated user (if not existing) ynh_system_user_create --username=$app +#================================================= +# REINSTALL DEPENDENCIES +#================================================= +ynh_script_progression --message="Reinstalling dependencies..." --weight=1 + +# Define and install dependencies +ynh_install_app_dependencies $pkg_dependencies + #================================================= # RESTORE USER RIGHTS #================================================= # Restore permissions on app files -chown -R root: $final_path -chown -R $app: $final_path/data/ -chown -R $app: $final_path/extensions/ +chown -R root:$app $final_path +chmod -R g-w $final_path +chown -R $app:$app $final_path/{data,extensions} +chmod o-rwx $final_path +setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path #================================================= # RESTORE THE PHP-FPM CONFIGURATION diff --git a/scripts/upgrade b/scripts/upgrade index c50675e..27d280b 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -98,6 +98,13 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." # Create a dedicated nginx config ynh_add_nginx_config +#================================================= +# UPGRADE DEPENDENCIES +#================================================= +ynh_script_progression --message="Upgrading dependencies..." --weight=1 + +ynh_install_app_dependencies $pkg_dependencies + #================================================= # CREATE DEDICATED USER #================================================= @@ -164,9 +171,11 @@ fi #================================================= # Set permissions on app files -chown -R root: $final_path -chmod 755 $final_path -chown -R $app: $final_path/{data,extensions} +chown -R root:$app $final_path +chmod -R g-w $final_path +chown -R $app:$app $final_path/{data,extensions} +chmod o-rwx $final_path +setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path # reconfigure application with latest parameters $final_path/cli/reconfigure.php --default_user $admin --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name From e6b8ecfd663004086b7e7f2735537d1a51a6d17c Mon Sep 17 00:00:00 2001 From: Jules Bertholet Date: Sat, 17 Apr 2021 12:39:02 -0400 Subject: [PATCH 2/2] More tweaks to permissions --- hooks/post_app_addaccess | 20 ++++++++-------- hooks/post_user_create | 15 +++++------- hooks/post_user_delete | 14 ++++++++---- scripts/_common.sh | 7 ++++++ scripts/change_url | 2 +- scripts/install | 41 ++++++++++----------------------- scripts/restore | 19 ++++------------ scripts/upgrade | 49 ++++++++++++++++------------------------ 8 files changed, 69 insertions(+), 98 deletions(-) diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess index bb78e42..7af8106 100755 --- a/hooks/post_app_addaccess +++ b/hooks/post_app_addaccess 
@@ -1,19 +1,17 @@ -#!/bin/bash +#!/usr/bin/env bash + +set -a +source /usr/share/yunohost/helpers + app=$1 new_users=$2 -app_path=/var/www/$app -# Source app helpers -. /usr/share/yunohost/helpers +if [[ "${0//.\/50-}" = "$app" ]]; then + final_path=$(ynh_app_setting_get --app=$app --key=final_path) - -if [[ "APPNAMETOCHANGE" = "$app" ]]; -then - for myuser in $(echo "$new_users" | sed "s/,/ /g") + for user in $(echo "$new_users" | sed "s/,/ /g") do user_token=$(ynh_string_random) - $app_path/cli/create-user.php --user $myuser --language en --token $user_token - sudo chown -R $app:$app $app_path/data/users/$myuser/ - setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $app_path/data/users/$myuser/ + sudo -u $app $final_path/cli/create-user.php --user $user --language en --token $user_token done fi diff --git a/hooks/post_user_create b/hooks/post_user_create index c6f92f9..d0060f8 100755 --- a/hooks/post_user_create +++ b/hooks/post_user_create @@ -1,13 +1,10 @@ -#!/bin/bash -app=APPNAMETOCHANGE -app_path=/var/www/$app +#!/usr/bin/env bash -myuser=$1 +set -a +source /usr/share/yunohost/helpers -# Source app helpers -. /usr/share/yunohost/helpers +app="${0//.\/50-}" +username=$1 user_token=$(ynh_string_random) -sudo $app_path/cli/create-user.php --user $myuser --language en --token $user_token -sudo chown -R $app:$app $app_path/data/users/$myuser/ -setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $app_path/data/users/$myuser/ +sudo -u $app $final_path/cli/create-user.php --user $username --language en --token $user_token diff --git a/hooks/post_user_delete b/hooks/post_user_delete index 9b978a5..875c460 100755 --- a/hooks/post_user_delete +++ b/hooks/post_user_delete 
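Review bot: The guard `if [[ "${0//.\/50-}" = "$app" ]]` only matches when the hook is started as `./50-<app>`; should YunoHost invoke it through an absolute path or a different prefix, the comparison fails and the hook exits silently without creating any FreshRSS account, and post_user_create and post_user_delete derive `app` from `$0` the same way. Something like `hook_name=$(basename -- "$0"); app_from_hook=${hook_name#50-}` is robust to the path form, and a one-line comment stating the `50-<app>` naming assumption would help the next reader either way. The loop variable in `--user $user` is unquoted; the value comes from YunoHost's user list so the practical risk is low, but `--user "$user"` is the safer default.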
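Review bot: `final_path` is never assigned in this hook, so the new last line executes `sudo -u $app /cli/create-user.php …` with the variable empty and the account creation fails, while post_app_addaccess and post_user_delete both read it from the app settings. Add `final_path=$(ynh_app_setting_get --app=$app --key=final_path)` right after the `app=` line. The `${0//.\/50-}` derivation of `app` also assumes the hook is started as `./50-<app>`, as in the other two hooks, and deserves a comment saying so.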
@@ -1,6 +1,10 @@ -#!/bin/bash -app=APPNAMETOCHANGE -app_path=/var/www/$app +#!/usr/bin/env bash -myuser=$1 -$app_path/cli/delete-user.php --user $myuser +set -a +source /usr/share/yunohost/helpers + +app="${0//.\/50-}" +final_path=$(ynh_app_setting_get --app=$app --key=final_path) +username=$1 + +sudo -u $app $final_path/cli/delete-user.php --user $username diff --git a/scripts/_common.sh b/scripts/_common.sh index 182c9d1..71401d9 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -14,6 +14,13 @@ extra_php_dependencies="php${YNH_PHP_VERSION}-gd php${YNH_PHP_VERSION}-zip php${ # PERSONAL HELPERS #================================================= +function set_permissions { + chown -R root:$app $final_path + chmod -R g=u,g-w,o-rwx $final_path + chown -R $app:$app $final_path/{data,extensions} + setfacl -n -R -m u:www-data:rx -m d:u:www-data:rx $final_path +} + #================================================= # EXPERIMENTAL HELPERS #================================================= diff --git a/scripts/change_url b/scripts/change_url index 3494afb..35caa86 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -103,7 +103,7 @@ fi # SPECIFIC MODIFICATIONS #================================================= -$final_path/cli/reconfigure.php --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name +sudo -u $app $final_path/cli/reconfigure.php --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name #================================================= # GENERIC FINALIZATION diff --git a/scripts/install b/scripts/install index 11c68a3..8a0babd 100755 --- a/scripts/install +++ b/scripts/install 
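Review bot: `set_permissions` applies `u:www-data:rx` plus the matching default entry to the whole of `$final_path`, so every file the app later writes under `data/` as `$app` (do-install.php and reconfigure.php write there) becomes readable by the web-server account; if that includes FreshRSS's generated configuration holding the database credentials, nginx workers gain read access to a secret they do not need. Consider restricting the www-data ACL to the directories nginx actually serves (the package's nginx config defines the document root) and leaving `data/` at `$app:$app` with `o-rwx` and no ACL. The function also relies on the caller having set `$app` and `$final_path`; a `: "${final_path:?}"` guard at the top turns an unset variable into an immediate failure instead of a recursive `chown` on a stray path. A short header comment naming those two globals and the chmod/setfacl interaction (`-n` keeps the existing mask, which the preceding `g=u,g-w` makes equal to the owner bits minus write) would make the contract explicit.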
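Review bot: Routing the call through `sudo -u $app` means the complete argument list, including `--db-password $db_pwd`, is now written to sudo's command log (auth.log or the journal) on every run, on top of being visible in the process table while the PHP script runs; the same applies to do-install.php and the create-user.php loop in scripts/install, to reconfigure.php in scripts/upgrade, and to the `--token` values passed by the hooks. If the FreshRSS CLI can take the password from its already-written config file or from the environment, prefer that over argv; if not, a comment noting that the credential ends up in the sudo log lets maintainers decide whether the log retention is acceptable. `$db_pwd` is also unquoted, which presumably works only because the generated password contains no shell metacharacters; `--db-password "$db_pwd"` is the safer form.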
@@ -57,6 +57,14 @@ ynh_script_progression --message="Installing dependencies..." --weight=3 ynh_install_app_dependencies $pkg_dependencies +#================================================= +# CREATE DEDICATED USER +#================================================= +ynh_script_progression --message="Configuring system user..." + +# Create a system user +ynh_system_user_create --username=$app + #================================================= # CREATE A MYSQL DATABASE #================================================= @@ -76,6 +84,8 @@ ynh_app_setting_set --app=$app --key=final_path --value=$final_path # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$final_path" +set_permissions + #================================================= # NGINX CONFIGURATION #================================================= @@ -84,14 +94,6 @@ ynh_script_progression --message="Configuring NGINX web server..." # Create a dedicated NGINX config ynh_add_nginx_config -#================================================= -# CREATE DEDICATED USER -#================================================= -ynh_script_progression --message="Configuring system user..." - -# Create a system user -ynh_system_user_create --username=$app - #================================================= # PHP-FPM CONFIGURATION #================================================= 
@@ -101,20 +103,12 @@ ynh_script_progression --message="Configuring PHP-FPM..." ynh_add_fpm_config --package="$extra_php_dependencies" phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) -#================================================= -# SPECIFIC SETUP -#================================================= - -ynh_replace_string --match_string="APPNAMETOCHANGE" --replace_string=$app --target_file="../hooks/post_app_addaccess" -ynh_replace_string --match_string="APPNAMETOCHANGE" --replace_string=$app --target_file="../hooks/post_user_create" -ynh_replace_string --match_string="APPNAMETOCHANGE" --replace_string=$app --target_file="../hooks/post_user_delete" - #================================================= # SETUPING FRESHRSS #================================================= ynh_script_progression --message="FreshRSS setup script..." -$final_path/cli/do-install.php --default_user $admin --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name +sudo -u $app $final_path/cli/do-install.php --default_user $admin --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name #================================================= # CREATE DEDICATED USER @@ -124,7 +118,7 @@ ynh_script_progression --message="Creating users..." for myuser in $(ynh_user_list) do user_token=$(ynh_string_random) - $final_path/cli/create-user.php --user $myuser --language $language --token $user_token + sudo -u $app $final_path/cli/create-user.php --user $myuser --language $language --token $user_token done #================================================= 
@@ -143,17 +137,6 @@ chmod 644 "$cron_path" #================================================= # GENERIC FINALIZATION -#================================================= -# SECURE FILES AND DIRECTORIES -#================================================= - -# Set permissions to app files -chown -R root:$app $final_path -chmod -R g-w $final_path -chown -R $app:$app $final_path/{data,extensions} -chmod o-rwx $final_path -setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path - #================================================= # SETUP SSOWAT #================================================= diff --git a/scripts/restore b/scripts/restore index 1586a61..d324575 100644 --- a/scripts/restore +++ b/scripts/restore @@ -49,13 +49,6 @@ ynh_script_progression --message="Restoring NGINX configuration..." ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" -#================================================= -# RESTORE THE APP MAIN DIR -#================================================= -ynh_script_progression --message="Restoring the app main directory..." - -ynh_restore_file --origin_path="$final_path" - #================================================= # RECREATE THE DEDICATED USER #================================================= 
@@ -73,15 +66,13 @@ ynh_script_progression --message="Reinstalling dependencies..." --weight=1 ynh_install_app_dependencies $pkg_dependencies #================================================= -# RESTORE USER RIGHTS +# RESTORE THE APP MAIN DIR #================================================= +ynh_script_progression --message="Restoring the app main directory..." -# Restore permissions on app files -chown -R root:$app $final_path -chmod -R g-w $final_path -chown -R $app:$app $final_path/{data,extensions} -chmod o-rwx $final_path -setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path +ynh_restore_file --origin_path="$final_path" + +set_permissions #================================================= # RESTORE THE PHP-FPM CONFIGURATION diff --git a/scripts/upgrade b/scripts/upgrade index 27d280b..6f57ad0 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -80,6 +80,21 @@ path_url=$(ynh_normalize_url_path --path_url=$path_url) #================================================= # STANDARD UPGRADE STEPS +#================================================= +# CREATE DEDICATED USER +#================================================= +ynh_script_progression --message="Making sure dedicated system user exists..." + +# Create a dedicated user (if not existing) +ynh_system_user_create --username=$app + +#================================================= +# UPGRADE DEPENDENCIES +#================================================= +ynh_script_progression --message="Upgrading dependencies..." --weight=1 + +ynh_install_app_dependencies $pkg_dependencies + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= 
@@ -98,21 +113,6 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." # Create a dedicated nginx config ynh_add_nginx_config -#================================================= -# UPGRADE DEPENDENCIES -#================================================= -ynh_script_progression --message="Upgrading dependencies..." --weight=1 - -ynh_install_app_dependencies $pkg_dependencies - -#================================================= -# CREATE DEDICATED USER -#================================================= -ynh_script_progression --message="Making sure dedicated system user exists..." - -# Create a dedicated user (if not existing) -ynh_system_user_create --username=$app - #================================================= # PHP-FPM CONFIGURATION #================================================= @@ -141,11 +141,6 @@ cp -r $final_path/extensions/. $tmp_path/extensions/ ynh_secure_remove "$final_path" cp -rp "$tmp_path" "$final_path" -#update hook for multi instance -ynh_replace_string --match_string="APPNAMETOCHANGE" --replace_string=$app --target_file="../hooks/post_app_addaccess" -ynh_replace_string --match_string="APPNAMETOCHANGE" --replace_string=$app --target_file="../hooks/post_user_create" -ynh_replace_string --match_string="APPNAMETOCHANGE" --replace_string=$app --target_file="../hooks/post_user_delete" - #================================================= # CRON SETUP #================================================= 
@@ -170,15 +165,10 @@ fi # SECURE FILES AND DIRECTORIES #================================================= -# Set permissions on app files -chown -R root:$app $final_path -chmod -R g-w $final_path -chown -R $app:$app $final_path/{data,extensions} -chmod o-rwx $final_path -setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path +set_permissions # reconfigure application with latest parameters -$final_path/cli/reconfigure.php --default_user $admin --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name +sudo -u $app $final_path/cli/reconfigure.php --default_user $admin --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name #================================================= # SETUP SSOWAT @@ -190,11 +180,12 @@ ynh_app_setting_delete --app="$app" --key=unprotected_regex ynh_app_setting_delete --app="$app" --key=unprotected_uris #================================================= -# RELOAD NGINX +# RELOAD NGINX AND PHP-FPM #================================================= -ynh_script_progression --message="Reloading NGINX web server..." +ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." ynh_systemd_action --service_name=nginx --action=reload +ynh_systemd_action --service_name=php$YNH_PHP_VERSION-fpm --action=reload #================================================= # END OF SCRIPT
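Review bot: The new reload targets `php$YNH_PHP_VERSION-fpm`, the version pinned in scripts/_common.sh, whereas the pool the app actually runs under is recorded in the `phpversion` app setting (read in scripts/install after `ynh_add_fpm_config`); if the two ever diverge, for instance on an instance installed under an older PHP, the wrong service is reloaded and the pool keeps running with its previous configuration. Reading the setting first, `phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)`, and reloading `--service_name=php$phpversion-fpm` keeps the reload tied to the pool that was configured. A one-line comment saying why the reload is now needed would also help, since nothing in this hunk changes the pool configuration itself.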