YunoHost-Apps/freshrss_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/freshrss_ynh.git synced 2024-09-03 18:36:33 +02:00
Code Issues Activity Actions

Merge pull request #116 from Jules-Bertholet/testing

Browse source 
Harden permissions
This commit is contained in:
lapineige 2021-04-19 18:38:24 +02:00 committed by GitHub
commit 5995f12be6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 96 additions and 82 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
hooks/post_app_addaccess
View file

@ -1,18 +1,17 @@
#!/bin/bash
#!/usr/bin/env bash
set -a
source /usr/share/yunohost/helpers
app=$1
new_users=$2
app_path=/var/www/$app
# Source app helpers
. /usr/share/yunohost/helpers
if [[ "${0//.\/50-}" = "$app" ]]; then
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
if [[ "APPNAMETOCHANGE" = "$app" ]];
then
for myuser in $(echo "$new_users" | sed "s/,/ /g")
for user in $(echo "$new_users" | sed "s/,/ /g")
do
user_token=$(ynh_string_random)
$app_path/cli/create-user.php --user $myuser --language en --token $user_token
sudo chown -R $app: $app_path/data/users/$myuser/
sudo -u $app $final_path/cli/create-user.php --user $user --language en --token $user_token
done
fi

14
hooks/post_user_create
View file

@ -1,12 +1,10 @@
#!/bin/bash
app=APPNAMETOCHANGE
app_path=/var/www/$app
#!/usr/bin/env bash
myuser=$1
set -a
source /usr/share/yunohost/helpers
# Source app helpers
. /usr/share/yunohost/helpers
app="${0//.\/50-}"
username=$1
user_token=$(ynh_string_random)
sudo $app_path/cli/create-user.php --user $myuser --language en --token $user_token
sudo chown -R $app: $app_path/data/users/$myuser/
sudo -u $app $final_path/cli/create-user.php --user $username --language en --token $user_token

14
hooks/post_user_delete
View file

@ -1,6 +1,10 @@
#!/bin/bash
app=APPNAMETOCHANGE
app_path=/var/www/$app
#!/usr/bin/env bash
myuser=$1
$app_path/cli/delete-user.php --user $myuser
set -a
source /usr/share/yunohost/helpers
app="${0//.\/50-}"
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
username=$1
sudo -u $app $final_path/cli/delete-user.php --user $username

9
scripts/_common.sh
View file

@ -4,6 +4,8 @@
# COMMON VARIABLES
#=================================================
pkg_dependencies="acl"
YNH_PHP_VERSION="7.3"
extra_php_dependencies="php${YNH_PHP_VERSION}-gd php${YNH_PHP_VERSION}-zip php${YNH_PHP_VERSION}-dom php${YNH_PHP_VERSION}-mbstring php${YNH_PHP_VERSION}-gmp php${YNH_PHP_VERSION}-mysql php${YNH_PHP_VERSION}-sqlite3 php${YNH_PHP_VERSION}-curl php${YNH_PHP_VERSION}-intl php${YNH_PHP_VERSION}-xml"
@ -12,6 +14,13 @@ extra_php_dependencies="php${YNH_PHP_VERSION}-gd php${YNH_PHP_VERSION}-zip php${
# PERSONAL HELPERS
#=================================================
function set_permissions {
chown -R root:$app $final_path
chmod -R g=u,g-w,o-rwx $final_path
chown -R $app:$app $final_path/{data,extensions}
setfacl -n -R -m u:www-data:rx -m d:u:www-data:rx $final_path
}
#=================================================
# EXPERIMENTAL HELPERS
#=================================================

2
scripts/change_url
View file

@ -103,7 +103,7 @@ fi
# SPECIFIC MODIFICATIONS
#=================================================
$final_path/cli/reconfigure.php --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name
sudo -u $app $final_path/cli/reconfigure.php --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name
#=================================================
# GENERIC FINALIZATION

47
scripts/install
View file

@ -48,6 +48,23 @@ ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=admin --value=$admin
ynh_app_setting_set --app=$app --key=language --value=$language
#=================================================
# STANDARD MODIFICATIONS
#=================================================
# INSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Installing dependencies..." --weight=3
ynh_install_app_dependencies $pkg_dependencies
#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Configuring system user..."
# Create a system user
ynh_system_user_create --username=$app
#=================================================
# CREATE A MYSQL DATABASE
#=================================================
@ -67,6 +84,8 @@ ynh_app_setting_set --app=$app --key=final_path --value=$final_path
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$final_path"
set_permissions
#=================================================
# NGINX CONFIGURATION
#=================================================
@ -75,14 +94,6 @@ ynh_script_progression --message="Configuring NGINX web server..."
# Create a dedicated NGINX config
ynh_add_nginx_config
#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Configuring system user..."
# Create a system user
ynh_system_user_create --username=$app
#=================================================
# PHP-FPM CONFIGURATION
#=================================================
@ -92,20 +103,12 @@ ynh_script_progression --message="Configuring PHP-FPM..."
ynh_add_fpm_config --package="$extra_php_dependencies"
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
#=================================================
# SPECIFIC SETUP
#=================================================
ynh_replace_string --match_string="APPNAMETOCHANGE" --replace_string=$app --target_file="../hooks/post_app_addaccess"
ynh_replace_string --match_string="APPNAMETOCHANGE" --replace_string=$app --target_file="../hooks/post_user_create"
ynh_replace_string --match_string="APPNAMETOCHANGE" --replace_string=$app --target_file="../hooks/post_user_delete"
#=================================================
# SETUPING FRESHRSS
#=================================================
ynh_script_progression --message="FreshRSS setup script..."
$final_path/cli/do-install.php --default_user $admin --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name
sudo -u $app $final_path/cli/do-install.php --default_user $admin --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name
#=================================================
# CREATE DEDICATED USER
@ -115,7 +118,7 @@ ynh_script_progression --message="Creating users..."
for myuser in $(ynh_user_list)
do
user_token=$(ynh_string_random)
$final_path/cli/create-user.php --user $myuser --language $language --token $user_token
sudo -u $app $final_path/cli/create-user.php --user $myuser --language $language --token $user_token
done
#=================================================
@ -134,14 +137,6 @@ chmod 644 "$cron_path"
#=================================================
# GENERIC FINALIZATION
#=================================================
# SECURE FILES AND DIRECTORIES
#=================================================
# Set permissions to app files
chown -R root: $final_path
chown -R $app: $final_path/{data,extensions}
#=================================================
# SETUP SSOWAT
#=================================================

8
scripts/remove
View file

@ -29,6 +29,14 @@ ynh_script_progression --message="Removing the MySQL database..."
# Remove a database if it exists, along with the associated user
ynh_mysql_remove_db --db_user=$db_user --db_name=$db_name
#=================================================
# REMOVE DEPENDENCIES
#=================================================
ynh_script_progression --message="Removing dependencies..." --weight=1
# Remove metapackage and its dependencies
ynh_remove_app_dependencies
#=================================================
# REMOVE APP MAIN DIR
#=================================================

25
scripts/restore
View file

@ -49,13 +49,6 @@ ynh_script_progression --message="Restoring NGINX configuration..."
ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
# RESTORE THE APP MAIN DIR
#=================================================
ynh_script_progression --message="Restoring the app main directory..."
ynh_restore_file --origin_path="$final_path"
#=================================================
# RECREATE THE DEDICATED USER
#=================================================
@ -65,13 +58,21 @@ ynh_script_progression --message="Recreating the dedicated system user..."
ynh_system_user_create --username=$app
#=================================================
# RESTORE USER RIGHTS
# REINSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Reinstalling dependencies..." --weight=1
# Restore permissions on app files
chown -R root: $final_path
chown -R $app: $final_path/data/
chown -R $app: $final_path/extensions/
# Define and install dependencies
ynh_install_app_dependencies $pkg_dependencies
#=================================================
# RESTORE THE APP MAIN DIR
#=================================================
ynh_script_progression --message="Restoring the app main directory..."
ynh_restore_file --origin_path="$final_path"
set_permissions
#=================================================
# RESTORE THE PHP-FPM CONFIGURATION

40
scripts/upgrade
View file

@ -80,6 +80,21 @@ path_url=$(ynh_normalize_url_path --path_url=$path_url)
#=================================================
# STANDARD UPGRADE STEPS
#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Making sure dedicated system user exists..."
# Create a dedicated user (if not existing)
ynh_system_user_create --username=$app
#=================================================
# UPGRADE DEPENDENCIES
#=================================================
ynh_script_progression --message="Upgrading dependencies..." --weight=1
ynh_install_app_dependencies $pkg_dependencies
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
@ -98,14 +113,6 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..."
# Create a dedicated nginx config
ynh_add_nginx_config
#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Making sure dedicated system user exists..."
# Create a dedicated user (if not existing)
ynh_system_user_create --username=$app
#=================================================
# PHP-FPM CONFIGURATION
#=================================================
@ -134,11 +141,6 @@ cp -r $final_path/extensions/. $tmp_path/extensions/
ynh_secure_remove "$final_path"
cp -rp "$tmp_path" "$final_path"
#update hook for multi instance
ynh_replace_string --match_string="APPNAMETOCHANGE" --replace_string=$app --target_file="../hooks/post_app_addaccess"
ynh_replace_string --match_string="APPNAMETOCHANGE" --replace_string=$app --target_file="../hooks/post_user_create"
ynh_replace_string --match_string="APPNAMETOCHANGE" --replace_string=$app --target_file="../hooks/post_user_delete"
#=================================================
# CRON SETUP
#=================================================
@ -163,13 +165,10 @@ fi
# SECURE FILES AND DIRECTORIES
#=================================================
# Set permissions on app files
chown -R root: $final_path
chmod 755 $final_path
chown -R $app: $final_path/{data,extensions}
set_permissions
# reconfigure application with latest parameters
$final_path/cli/reconfigure.php --default_user $admin --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name
sudo -u $app $final_path/cli/reconfigure.php --default_user $admin --auth_type http_auth --environment production --base_url https://$domain$path_url --title FreshRSS --api_enabled --db-type mysql --db-host localhost --db-user $db_name --db-password $db_pwd --db-base $db_name
#=================================================
# SETUP SSOWAT
@ -181,11 +180,12 @@ ynh_app_setting_delete --app="$app" --key=unprotected_regex
ynh_app_setting_delete --app="$app" --key=unprotected_uris
#=================================================
# RELOAD NGINX
# RELOAD NGINX AND PHP-FPM
#=================================================
ynh_script_progression --message="Reloading NGINX web server..."
ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..."
ynh_systemd_action --service_name=nginx --action=reload
ynh_systemd_action --service_name=php$YNH_PHP_VERSION-fpm --action=reload
#=================================================
# END OF SCRIPT