From 19c753acf2a4f5c718894e53dc123f52b2e66f3d Mon Sep 17 00:00:00 2001
From: tituspijean
Date: Fri, 26 Mar 2021 19:57:20 +0100
Subject: [PATCH] Sanitize permissions assignment and commands execution
---
 scripts/install | 20 ++++++++++----------
 scripts/restore | 10 +++++-----
 scripts/upgrade | 28 +++++++++++++---------------
 3 files changed, 28 insertions(+), 30 deletions(-)
diff --git a/scripts/install b/scripts/install
index a275de3..0297f9d 100644
--- a/scripts/install
+++ b/scripts/install
@@ -95,24 +95,24 @@ ynh_add_fpm_config --usage=medium --footprint=medium --package="$extra_php_depen
 #=================================================
 # Set permissions on app files
-chown -R $app:www-data $final_path
-find $final_path -type f -exec chmod 660 {} \;
-find $final_path/bin -type f -exec chmod 770 {} \;
-find $final_path -type d -exec chmod 770 {} \;
-find $final_path -type d -exec chmod +s {} \;
+chown -R $app:$app "$final_path"
+find "$final_path" -type f -exec chmod 640 {} \;
+find "$final_path/bin" -type f -exec chmod 750 {} \;
+find "$final_path" -type d -exec chmod 750 {} \;
+find "$final_path" -type d -exec chmod +s {} \;
 #=================================================
 # INSTALL LDAP PLUGIN
 #=================================================
 ynh_script_progression --message="Installing and configuring LDAP plugin..." --weight=1
-pushd "$final_path"
- exec_as $app php${YNH_PHP_VERSION} bin/gpm install login-ldap --all-yes --no-interaction
- exec_as $app mkdir -p user/config/plugins/login-ldap
- exec_as $app touch user/accounts/admin.yaml
-popd
+exec_as $app php${YNH_PHP_VERSION} "$final_path/bin/gpm" install login-ldap --all-yes --no-interaction
+exec_as $app mkdir -p "$final_path/user/config/plugins/login-ldap"
+exec_as $app touch "$final_path/user/accounts/admin.yaml"
 ynh_add_config --template="../conf/login-ldap.yaml" --destination="$final_path/user/config/plugins/login-ldap.yaml"
+chown $app:$app "$final_path/user/config/plugins/login-ldap.yaml"
+chmod 640 "$final_path/user/config/plugins/login-ldap.yaml"
 #=================================================
 # CREATE A CRON TASK
diff --git a/scripts/restore b/scripts/restore
index 75cbdf4..b71f282 100644
--- a/scripts/restore
+++ b/scripts/restore
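Review bot: The permission pass runs before `gpm install login-ldap`, `mkdir -p .../user/config/plugins/login-ldap` and `touch .../user/accounts/admin.yaml`, so everything those commands create is left with whatever mode the `exec_as` environment's umask yields (typically world-readable 644/755) instead of the 640/750 policy the hunk has just applied; `admin.yaml` is the file that presumably ends up holding the admin account and its password hash, so it deserves the same treatment the hunk gives `login-ldap.yaml`. The simplest fix is to move the five `chown`/`find` lines below the `ynh_add_config` call so they run last, or at minimum add `chmod 640 "$final_path/user/accounts/admin.yaml"` next to the `chmod 640` for the plugin config. The `find ... -exec chmod +s` line sets both setuid and setgid on every directory; with owner and group now both `$app`, the group inheritance this bit used to provide for `www-data` no longer matters, and `chmod g+s` would at least state the intent. `exec_as $app` also leaves `$app` unquoted while the commit quotes every path on the same lines.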
@@ -73,11 +73,11 @@ ynh_system_user_create --username=$app --home_dir=$final_path
 #=================================================
 # Restore permissions on app files
-chown -R $app:www-data $final_path
-find $final_path -type f -exec chmod 660 {} \;
-find $final_path/bin -type f -exec chmod 770 {} \;
-find $final_path -type d -exec chmod 770 {} \;
-find $final_path -type d -exec chmod +s {} \;
+chown -R $app:$app "$final_path"
+find "$final_path" -type f -exec chmod 640 {} \;
+find "$final_path/bin" -type f -exec chmod 750 {} \;
+find "$final_path" -type d -exec chmod 750 {} \;
+find "$final_path" -type d -exec chmod +s {} \;
 #=================================================
 # RESTORE THE CRON
diff --git a/scripts/upgrade b/scripts/upgrade
index d398ff2..b887d90 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
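Review bot: This is the third copy of the same five-line permission policy (install and upgrade carry byte-identical blocks), so any future tightening of the modes has to be replicated by hand in three scripts and will silently drift the first time someone forgets one; since `exec_as` is presumably already provided by `scripts/_common.sh`, the policy belongs there as a single function that all three scripts call. A helper is also the natural place to write `chmod g+s`, which is what the bare `+s` on a directory effectively does on Linux (the setuid bit on a directory is ignored) and makes the intent readable. `chown -R $app:$app "$final_path"` is the one line in the block that still leaves an expansion unquoted; quoting `"$app:$app"` in the helper keeps ShellCheck quiet without changing behaviour.
```shell
# scripts/_common.sh — single source of truth for the on-disk mode policy
# (directories 750 with setgid, files 640, executables in bin/ 750; owner and group are the app user).
set_app_permissions() {
  chown -R "$app:$app" "$final_path"
  find "$final_path" -type f -exec chmod 640 {} \;
  find "$final_path/bin" -type f -exec chmod 750 {} \;
  find "$final_path" -type d -exec chmod 750 {} \;
  find "$final_path" -type d -exec chmod g+s {} \;
}

# scripts/restore — replaces the five chown/find lines
set_app_permissions
```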
@@ -144,40 +144,38 @@ if [ -f /etc/php/$YNH_PHP_VERSION/fpm/conf.d/20-$app.ini ]; then
 ynh_secure_remove --file=/etc/php/$YNH_PHP_VERSION/fpm/conf.d/20-$app.ini
 fi
+#=================================================
+# SPECIFIC UPGRADE
 #=================================================
 # SECURE FILES AND DIRECTORIES
 #=================================================
 # Set permissions on app files
-chown -R $app:www-data $final_path
-find $final_path -type f -exec chmod 660 {} \;
-find $final_path/bin -type f -exec chmod 770 {} \;
-find $final_path -type d -exec chmod 770 {} \;
-find $final_path -type d -exec chmod +s {} \;
+chown -R $app:$app "$final_path"
+find "$final_path" -type f -exec chmod 640 {} \;
+find "$final_path/bin" -type f -exec chmod 750 {} \;
+find "$final_path" -type d -exec chmod 750 {} \;
+find "$final_path" -type d -exec chmod +s {} \;
-#=================================================
-# SPECIFIC UPGRADE
 #=================================================
 # UPGRADE PLUGINS
 #=================================================
 ynh_script_progression --message="Updating all plugins..." --weight=1
-pushd "$final_path"
- exec_as $app yes N | exec_as $app php${YNH_PHP_VERSION} bin/gpm update --all-yes --no-interaction
-popd
+yes N | ynh_exec_warn_less exec_as $app php${YNH_PHP_VERSION} $final_path/bin/gpm update --all-yes --no-interaction
 #=================================================
 # INSTALL LDAP PLUGIN
 #=================================================
 ynh_script_progression --message="Installing and configuring LDAP plugin..." 
--weight=3
-pushd "$final_path"
- exec_as $app php${YNH_PHP_VERSION} bin/gpm install login-ldap --all-yes --no-interaction
- exec_as $app mkdir -p user/config/plugins/login-ldap
- exec_as $app touch user/accounts/admin.yaml
-popd
+exec_as $app php${YNH_PHP_VERSION} "$final_path/bin/gpm" install login-ldap --all-yes --no-interaction
+exec_as $app mkdir -p "$final_path/user/config/plugins/login-ldap"
+exec_as $app touch "$final_path/user/accounts/admin.yaml"
 ynh_add_config --template="../conf/login-ldap.yaml" --destination="$final_path/user/config/plugins/login-ldap.yaml"
+chown $app:$app "$final_path/user/config/plugins/login-ldap.yaml"
+chmod 640 "$final_path/user/config/plugins/login-ldap.yaml"
 #=================================================
 # CREATE A CRON TASK
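Review bot: The new `yes N | ynh_exec_warn_less exec_as $app php${YNH_PHP_VERSION} $final_path/bin/gpm update ...` line leaves `$final_path/bin/gpm` unquoted, the only path in the whole commit that did not get quotes even though the commit's stated purpose is sanitising command execution; it should read `"$final_path/bin/gpm"` exactly like the `gpm install` line a few lines below it. As in install, the `SECURE FILES AND DIRECTORIES` pass now runs before `gpm update` and `gpm install login-ldap`, so files those commands write or create on every upgrade get the `$app` process's umask rather than the 640/750 policy; moving the permission block after the plugin steps, or re-running it there, closes that gap. `yes N` is now run as root instead of through `exec_as`, which is harmless, but feeding `N` to a command that is also given `--all-yes --no-interaction` is contradictory enough to deserve a comment such as `# "N" answers gpm's "update Grav core too?" prompt — presumably not covered by --all-yes; confirm` so the next maintainer does not remove one half of it.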