Adjust permissions

manifest.json

@@ -6,7 +6,7 @@
         "en": "Clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.",
         "fr": "Service de bureau à distance sans client. Fonctionne avec des protocoles standard comme VNC, RDP, et SSH."
     },
-    "version": "1.3.0~ynh1",
+    "version": "1.3.0~ynh2",
     "url": "https://example.com",
     "license": "Apache-2.0",
     "maintainer": {

scripts/_common.sh

@@ -5,7 +5,7 @@
 #=================================================
 
 # dependencies used by the app
-pkg_dependencies="build-essential libcairo2 libjpeg62-turbo-dev libpng-dev libtool-bin libossp-uuid-dev libavcodec-dev libavformat-dev libavutil-dev libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libwebsockets-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev tomcat9"
+pkg_dependencies="acl build-essential libcairo2 libjpeg62-turbo-dev libpng-dev libtool-bin libossp-uuid-dev libavcodec-dev libavformat-dev libavutil-dev libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libwebsockets-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev tomcat9"
 
 #=================================================
 # PERSONAL HELPERS

scripts/install

@@ -291,11 +291,15 @@ ynh_replace_string --match_string="8080" --replace_string="$port" --target_file=
 ### that really need such authorization.
 
 # Set permissions  to app files
-chown -R root: $final_path
-chown -R "$app-tomcat":"$app-guacd" "/var/log/$app/guacd/" "/var/log/$app/tomcat/"
-chown -R root:"$app-tomcat" "$final_path/etc/tomcat9/" "$final_path/etc/guacamole/"
-chmod -R 650 "$final_path/etc/guacamole/"
+chown -R root:root $final_path
+chmod -R o-rwx $final_path
+setfacl -n -R -m user:$app-guacd:rx -m default:user:$app-guacd:rx $final_path
+setfacl -n -R -m user:$app-tomcat:rx -m default:user:$app-tomcat:rx $final_path
+chown -R $app-guacd:$app-guacd "/var/log/$app/guacd/"
+chown -R $app-tomcat:$app-tomcat "/var/log/$app/tomcat/"
+chown -R root:$app-tomcat "$final_path/etc/tomcat9/" "$final_path/etc/guacamole/"
 chown -R "$app-tomcat":"$app-tomcat" "$final_path/var/lib/tomcat9/webapps"
+setfacl -n -R -m user:$app-guacd:- -m default:user:$app-guacd:- "$final_path/var/lib/tomcat9/" "$final_path/etc/guacamole/" "$final_path/etc/tomcat9/"
 
 #=================================================
 # SETUP LOGROTATE

scripts/restore

@@ -74,28 +74,6 @@ ynh_system_user_create --username="$app-tomcat"
 
 ynh_restore_file --origin_path="/var/log/$app"
 
-#=================================================
-# RESTORE USER RIGHTS
-#=================================================
-
-# Restore permissions on app files
-chown -R root: $final_path
-chown -R "$app-tomcat":"$app-guacd" "/var/log/$app/guacd/" "/var/log/$app/tomcat/"
-chown -R root:"$app-tomcat" "$final_path/etc/tomcat9/" "$final_path/etc/guacamole/"
-chmod -R 650 "$final_path/etc/guacamole/"
-chown -R "$app-tomcat":"$app-tomcat" "$final_path/var/lib/tomcat9/webapps"
-
-#=================================================
-# RESTORE FAIL2BAN CONFIGURATION
-#=================================================
-ynh_script_progression --message="Restoring the Fail2Ban configuration..." --weight=1
-
-ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
-ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
-ynh_systemd_action --action=restart --service_name=fail2ban
-
-#=================================================
-# SPECIFIC RESTORATION
 #=================================================
 # REINSTALL DEPENDENCIES
 #=================================================
@@ -122,6 +100,32 @@ if [ ! $tomcat_active ]; then
 	systemctl stop tomcat9 --quiet
 fi
 
+#=================================================
+# RESTORE USER RIGHTS
+#=================================================
+
+# Restore permissions on app files
+chown -R root:root $final_path
+chmod -R o-rwx $final_path
+setfacl -n -R -m user:$app-guacd:rx -m default:user:$app-guacd:rx $final_path
+setfacl -n -R -m user:$app-tomcat:rx -m default:user:$app-tomcat:rx $final_path
+chown -R $app-guacd:$app-guacd "/var/log/$app/guacd/"
+chown -R $app-tomcat:$app-tomcat "/var/log/$app/tomcat/"
+chown -R root:$app-tomcat "$final_path/etc/tomcat9/" "$final_path/etc/guacamole/"
+chown -R "$app-tomcat":"$app-tomcat" "$final_path/var/lib/tomcat9/webapps"
+setfacl -n -R -m user:$app-guacd:- -m default:user:$app-guacd:- "$final_path/var/lib/tomcat9/" "$final_path/etc/guacamole/" "$final_path/etc/tomcat9/"
+
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+ynh_script_progression --message="Restoring the Fail2Ban configuration..." --weight=1
+
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+ynh_systemd_action --action=restart --service_name=fail2ban
+
+#=================================================
+# SPECIFIC RESTORATION
 #=================================================
 # RESTORE THE MYSQL DATABASE
 #=================================================

scripts/upgrade

@@ -218,11 +218,15 @@ ynh_replace_string --match_string="8080" --replace_string="$port" --target_file=
 #=================================================
 
 # Set permissions on app files
-chown -R root: $final_path
-chown -R "$app-tomcat":"$app-guacd" "/var/log/$app/guacd/" "/var/log/$app/tomcat/"
-chown -R root:"$app-tomcat" "$final_path/etc/tomcat9/" "$final_path/etc/guacamole/"
-chmod -R 650 "$final_path/etc/guacamole/"
+chown -R root:root $final_path
+chmod -R o-rwx $final_path
+setfacl -n -R -m user:$app-guacd:rx -m default:user:$app-guacd:rx $final_path
+setfacl -n -R -m user:$app-tomcat:rx -m default:user:$app-tomcat:rx $final_path
+chown -R $app-guacd:$app-guacd "/var/log/$app/guacd/"
+chown -R $app-tomcat:$app-tomcat "/var/log/$app/tomcat/"
+chown -R root:$app-tomcat "$final_path/etc/tomcat9/" "$final_path/etc/guacamole/"
 chown -R "$app-tomcat":"$app-tomcat" "$final_path/var/lib/tomcat9/webapps"
+setfacl -n -R -m user:$app-guacd:- -m default:user:$app-guacd:- "$final_path/var/lib/tomcat9/" "$final_path/etc/guacamole/" "$final_path/etc/tomcat9/"
 
 #=================================================
 # SETUP LOGROTATE