From 49671ab690a54658a72d080bbe978d74ca4107b3 Mon Sep 17 00:00:00 2001
From: Nils VAN ZUIJLEN
Date: Thu, 8 Apr 2021 12:03:17 +0200
Subject: [PATCH] Only allow $app and www-data to read $final_path folder

---
 scripts/install | 6 +++++-
 scripts/restore | 6 +++++-
 scripts/upgrade | 4 ++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/scripts/install b/scripts/install
index a5a402b..5d41a13 100644
--- a/scripts/install
+++ b/scripts/install
@@ -190,9 +190,13 @@ ynh_store_file_checksum --file="$final_path/protected/config/common.php"
 # SECURE FILES AND DIRECTORIES
 #=================================================
 
-# Set permissions to app files
+# Set permissions on app files
 chown -R root: $final_path
 
+# Remove permission to others than $app and www-data (nginx user)
+chmod o-rwx $final_path
+chown $app:www-data $final_path
+
 chown -R $app $final_path/assets
 chown -R $app $final_path/protected/config
 chown -R $app $final_path/protected/modules
diff --git a/scripts/restore b/scripts/restore
index 1e017c7..ca8c817 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -72,9 +72,13 @@ ynh_system_user_create --username=$app
 # RESTORE USER RIGHTS
 #=================================================
 
-# Restore permissions on app files
+# Set permissions on app files
 chown -R root: $final_path
 
+# Remove permission to others than $app and www-data (nginx user)
+chmod o-rwx $final_path
+chown $app:www-data $final_path
+
 chown -R $app $final_path/assets
 chown -R $app $final_path/protected/config
 chown -R $app $final_path/protected/modules
diff --git a/scripts/upgrade b/scripts/upgrade
index 085e671..2dde7ab 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
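Review bot: `chown $app:www-data $final_path` in the scripts/install hunk makes `$app` the owner of the top-level directory, and a directory's owner can normally rename, delete and create entries in it regardless of who owns them, so the `chown -R root:` just before it no longer keeps the app user from replacing root-owned files or folders directly under `$final_path`. If the application only needs to read and traverse this directory, the owner could stay root with access granted through groups; whether `$app` can be served that way is not visible in this hunk. If app ownership is intended, a comment saying so would help, e.g. `# $app owns the top-level dir on purpose: it must create files here`. The same three lines are added in scripts/restore and scripts/upgrade. The run of `chown -R $app` lines continues below the hunk.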
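Review bot: `chmod o-rwx $final_path` in the scripts/restore hunk only clears the "other" bits, so the group bits that `www-data` gets through the next line are whatever the restored directory already carries; if the archive held a group-writable directory, the nginx user would be able to write into `$final_path`. Setting the mode absolutely makes the result independent of the backup, for example `chmod u=rwx,g=rx,o= "$final_path"` (quoted, since the script runs as root and an unquoted path is subject to word splitting). How the directory is restored is outside this hunk, so the starting mode is an assumption to confirm.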
@@ -144,6 +144,10 @@ ynh_add_config --template="../conf/cron" --destination="/etc/cron.d/${app}"
 # Set permissions on app files
 chown -R root: $final_path
 
+# Remove permission to others than $app and www-data (nginx user)
+chmod o-rwx $final_path
+chown $app:www-data $final_path
+
 chown -R $app $final_path/assets
 chown -R $app $final_path/protected/config
 chown -R $app $final_path/protected/modules
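Review bot: On an upgrade the directory already has its "other" bits removed from the previous run, so the context line `chown -R root: $final_path` puts the top-level directory back to root's user and group until `chown $app:www-data $final_path` runs; in that interval neither nginx nor the app user can enter the folder. If requests are served while the upgrade runs, this likely shows up as transient permission errors for the duration of the recursive chown. Limiting the recursive reset to the contents, e.g. `find "$final_path" -mindepth 1 -exec chown root: {} +`, would leave the top-level directory untouched; whether the services are stopped at this point is not visible in the hunk.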