From a84ad788d4c6d8c2c51ec6647022cf72651eb35e Mon Sep 17 00:00:00 2001 From: Jules Bertholet Date: Mon, 29 Mar 2021 21:42:04 -0400 Subject: [PATCH] Don't run Python as root --- hooks/post_user_create | 3 +-- hooks/post_user_delete | 3 +-- scripts/install | 32 ++++++++++++++++++-------------- scripts/upgrade | 28 ++++++++++++++++------------ 4 files changed, 36 insertions(+), 30 deletions(-) diff --git a/hooks/post_user_create b/hooks/post_user_create index 39e57b5..b7d523b 100644 --- a/hooks/post_user_create +++ b/hooks/post_user_create @@ -9,8 +9,7 @@ mail=$2 final_path=$(ynh_app_setting_get --app=$app --key=final_path) pushd $final_path/backend - source $final_path/backend/venv/bin/activate - $final_path/bin/librephotos-cli shell <<< " + sudo -u $app $final_path/bin/librephotos-cli shell <<< " from django.contrib.auth import get_user_model User = get_user_model() try: diff --git a/hooks/post_user_delete b/hooks/post_user_delete index c45266e..e85f678 100644 --- a/hooks/post_user_delete +++ b/hooks/post_user_delete @@ -9,8 +9,7 @@ purge=$2 final_path=$(ynh_app_setting_get --app=$app --key=final_path) pushd $final_path/backend - source $final_path/backend/venv/bin/activate - $final_path/bin/librephotos-cli shell <<< " + sudo -u $app $final_path/bin/librephotos-cli shell <<< " from django.contrib.auth import get_user_model User = get_user_model() try: diff --git a/scripts/install b/scripts/install index dd4a94a..105836f 100755 --- a/scripts/install +++ b/scripts/install 
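Review bot: The new `sudo -u $app $final_path/bin/librephotos-cli shell <<< "` line still pipes a here-string into which the hook's shell arguments (`mail=$2` in the hunk header, and presumably the username) are interpolated as Python source, the same way the install loop does with `create_user('$username', email='$user_email', …)`; the tail of that string lies outside this hunk. Dropping root shrinks the blast radius, but a quote character in a username or address still becomes Python executed as `$app`. Pass the values through the environment instead — `sudo -u $app env LP_USERNAME="$username" LP_MAIL="$mail" $final_path/bin/librephotos-cli shell <<< '…'` (variable names constructed) — and read them with `os.environ` inside a single-quoted here-string that the shell does not expand. `$app` and `$final_path` are also unquoted on this line and now additionally select the sudo target user, so they are worth quoting. The hooks/post_user_delete hunk on this same line has the identical shape and needs the same treatment.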
@@ -141,15 +141,15 @@ usermod -d $data_path $app 2>&1 ynh_script_progression --message="Initializing backend Python virtualenv..." --weight=60 pushd $final_path/backend || ynh_die - python3 -m venv $final_path/backend/venv - source $final_path/backend/venv/bin/activate - python3 -m pip install -U wheel pip setuptools - python3 -m pip install torch==1.7.1+cpu torchvision==0.8.2+cpu -f https://download.pytorch.org/whl/torch_stable.html 2>&1 - python3 -m pip install --install-option="--no" --install-option="DLIB_USE_CUDA" --install-option="--no" --install-option="USE_AVX_INSTRUCTIONS" --install-option="--no" --install-option="USE_SSE4_INSTRUCTIONS" dlib - python3 -m pip install --requirement $final_path/backend/requirements.txt - python3 -m pip install --requirement $final_path/backend/requirements-ynh.txt - python3 -m spacy download en_core_web_sm - deactivate 'dummy_arg' + chown -R $app:$app $final_path/backend + sudo -u $app python3 -m venv $final_path/backend/venv + sudo -u $app $final_path/backend/venv/bin/pip --cache-dir $final_path/backend/.cache/pip install -U wheel pip setuptools + sudo -u $app $final_path/backend/venv/bin/pip --cache-dir $final_path/backend/.cache/pip install -U torch==1.7.1+cpu torchvision==0.8.2+cpu -f https://download.pytorch.org/whl/torch_stable.html 2>&1 + sudo -u $app $final_path/backend/venv/bin/pip --cache-dir $final_path/backend/.cache/pip install -U --install-option="--no" --install-option="DLIB_USE_CUDA" --install-option="--no" --install-option="USE_AVX_INSTRUCTIONS" --install-option="--no" --install-option="USE_SSE4_INSTRUCTIONS" dlib + sudo -u $app $final_path/backend/venv/bin/pip --cache-dir $final_path/backend/.cache/pip install -U --requirement $final_path/backend/requirements.txt + sudo -u $app $final_path/backend/venv/bin/pip --cache-dir $final_path/backend/.cache/pip install -U --requirement $final_path/backend/requirements-ynh.txt + sudo -u $app $final_path/backend/venv/bin/python -m spacy download en_core_web_sm + chown 
-R root:root $final_path/backend popd || ynh_die #================================================= @@ -194,6 +194,10 @@ for file in $final_path/bin/*; do ynh_replace_string -m "librephotos-backend.env" -r "librephotos.env" -f $file ynh_replace_special_string -m 'su - -s $(which bash) librephotos << EOF' -r '' -f $file ynh_replace_special_string -m 'EOF' -r '' -f $file + ynh_replace_string -m "python" -r "$final_path/backend/venv/bin/python" -f $file + ynh_replace_string -m "gunicorn" -r "$final_path/backend/venv/bin/gunicorn" -f $file + ynh_replace_string -m "$final_path/backend/venv/bin/$final_path/backend/venv/bin/python" -r "$final_path/backend/venv/bin/python" -f $file + ynh_replace_string -m "$final_path/backend/venv/bin/$final_path/backend/venv/bin/gunicorn" -r "$final_path/backend/venv/bin/gunicorn" -f $file ynh_store_file_checksum --file="$file" done @@ -203,13 +207,12 @@ done ynh_script_progression --message="Finalizing database..." --weight=1 pushd $final_path || ynh_die - python3 -m venv $final_path/backend/venv - source $final_path/backend/venv/bin/activate - $final_path/bin/librephotos-upgrade - $final_path/bin/librephotos-createadmin "$admin" "$(ynh_user_get_info $admin 'mail')" $(ynh_string_random -l 64) + chown -R root:$app $final_path + sudo -u $app $final_path/bin/librephotos-upgrade + sudo -u $app $final_path/bin/librephotos-createadmin "$admin" "$(ynh_user_get_info $admin 'mail')" $(ynh_string_random -l 64) for username in $(ynh_user_list); do user_email=$(ynh_user_get_info --username="$username" --key=mail) - $final_path/bin/librephotos-cli shell <<< " + sudo -u $app $final_path/bin/librephotos-cli shell <<< " from django.contrib.auth import get_user_model User = get_user_model() try: 
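Review bot: The seven new `sudo -u $app …` venv/pip/spacy lines run without `-H`, so whether HOME resolves to `$app`'s home or stays the caller's depends on the host's sudo defaults; pip reads its per-user `pip.conf` and cache from HOME, which the explicit `--cache-dir` only partly works around, and `sudo -Hu $app …` makes it deterministic. None of these lines carries a failure check, unlike the `pushd … || ynh_die` just above, so unless the script runs under `ynh_abort_if_errors`/`set -e` (not visible here) a failed torch or dlib build is followed by `chown -R root:root $final_path/backend` and the install continues with a broken venv; `|| ynh_die` on each line, or on the block, would surface it. Building the packages as the unprivileged `$app` user rather than root is the right direction; note that the venv is then flipped to root:root, so the runtime service must not need to write under `backend/`. The identical block in scripts/upgrade (@@ -126) has the same two gaps.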
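Review bot: `ynh_replace_string -m "python" -r "$final_path/backend/venv/bin/python" -f $file` is a plain substring replacement over every file in `$final_path/bin`, so it rewrites the token wherever it occurs — inside `python3`, in a comment, or in any name that merely contains it — and the `gunicorn` line does the same for, say, a `gunicorn.conf` or log-file name (constructed examples). The two follow-up lines only repair the double prefix produced when a file is processed twice; they do not repair those other hits. Anchor the match to the interpreter token as it actually appears in those scripts (the word followed by a space, or a start-of-line form via `ynh_replace_special_string` if that helper leaves `^` unescaped), because `ynh_store_file_checksum` runs right after and would bake a broken rewrite into the stored checksum. The scripts/upgrade hunk at @@ -179 repeats these four lines and needs the same change.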
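Review bot: Wrapping `librephotos-createadmin` in `sudo -u $app` now hands the freshly generated admin password, `$(ynh_string_random -l 64)`, to sudo as a command-line argument, and with default sudoers settings sudo records the full command line of every invocation via syslog, so the secret is persisted in the auth log on top of its transient exposure in the process list. Feed it over stdin instead — the `sudo -u $app $final_path/bin/librephotos-cli shell <<< "…"` pattern a few lines below already does this for user creation, and here-string input is not logged — for example by creating the admin in that snippet and calling Django's `set_password()` on a value read from the environment; if the CLI only accepts the password positionally, at least exempt that one command from sudo's command logging. The `$username`/`$user_email` values in the loop are still interpolated into Python source (`create_user('$username', …)` in the following hunk), now executed as `$app`; passing them via the environment and `os.environ` would close that injection path as well.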
@@ -220,6 +223,7 @@ except User.DoesNotExist: User.objects.create_user('$username', email='$user_email', scan_directory='/home/yunohost.multimedia/$username/Picture') " done + chown -R root:root $final_path popd || ynh_die #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 5ea9972..7c0c859 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
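Review bot: The closing `chown -R root:root $final_path` removes `$app` from the group on its own tree again, so after install the service (presumably running as `$app`) can only read files that are world-readable; any file carrying secrets, such as the `librephotos.env` referenced by the replace loop earlier in this file, would then have to be 644 to remain usable, which exposes it to every local account. Keeping the final state as the `root:$app` the earlier hunk already sets, with no group-write bits and `o-rwx` on sensitive files, keeps the code non-writable for the app without forcing world-readable configuration. Where that env file lives relative to `$final_path` is not visible in this diff, so confirm before changing the ownership scheme. scripts/upgrade ends the same way (the `chown -R root:root $final_path` at @@ -188) and should follow whichever scheme is chosen here.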
@@ -126,15 +126,15 @@ usermod -d $data_path $app 2>&1 ynh_script_progression --message="Upgrading backend Python virtualenv..." --weight=50 pushd $final_path/backend || ynh_die - python3 -m venv $final_path/backend/venv - source $final_path/backend/venv/bin/activate - python3 -m pip install -U wheel pip setuptools - python3 -m pip install -U torch==1.7.1+cpu torchvision==0.8.2+cpu -f https://download.pytorch.org/whl/torch_stable.html 2>&1 - python3 -m pip install -U --install-option="--no" --install-option="DLIB_USE_CUDA" --install-option="--no" --install-option="USE_AVX_INSTRUCTIONS" --install-option="--no" --install-option="USE_SSE4_INSTRUCTIONS" dlib - python3 -m pip install -U --requirement $final_path/backend/requirements.txt - python3 -m pip install -U --requirement $final_path/backend/requirements-ynh.txt - python3 -m spacy download en_core_web_sm - deactivate 'dummy_arg' + chown -R $app:$app $final_path/backend + sudo -u $app python3 -m venv $final_path/backend/venv + sudo -u $app $final_path/backend/venv/bin/pip --cache-dir $final_path/backend/.cache/pip install -U wheel pip setuptools + sudo -u $app $final_path/backend/venv/bin/pip --cache-dir $final_path/backend/.cache/pip install -U torch==1.7.1+cpu torchvision==0.8.2+cpu -f https://download.pytorch.org/whl/torch_stable.html 2>&1 + sudo -u $app $final_path/backend/venv/bin/pip --cache-dir $final_path/backend/.cache/pip install -U --install-option="--no" --install-option="DLIB_USE_CUDA" --install-option="--no" --install-option="USE_AVX_INSTRUCTIONS" --install-option="--no" --install-option="USE_SSE4_INSTRUCTIONS" dlib + sudo -u $app $final_path/backend/venv/bin/pip --cache-dir $final_path/backend/.cache/pip install -U --requirement $final_path/backend/requirements.txt + sudo -u $app $final_path/backend/venv/bin/pip --cache-dir $final_path/backend/.cache/pip install -U --requirement $final_path/backend/requirements-ynh.txt + sudo -u $app $final_path/backend/venv/bin/python -m spacy download en_core_web_sm 
+ chown -R root:root $final_path/backend popd || ynh_die #================================================= @@ -179,6 +179,10 @@ for file in $final_path/bin/*; do ynh_replace_string -m "librephotos-backend.env" -r "librephotos.env" -f $file ynh_replace_special_string -m 'su - -s $(which bash) librephotos << EOF' -r '' -f $file ynh_replace_special_string -m 'EOF' -r '' -f $file + ynh_replace_string -m "python" -r "$final_path/backend/venv/bin/python" -f $file + ynh_replace_string -m "gunicorn" -r "$final_path/backend/venv/bin/gunicorn" -f $file + ynh_replace_string -m "$final_path/backend/venv/bin/$final_path/backend/venv/bin/python" -r "$final_path/backend/venv/bin/python" -f $file + ynh_replace_string -m "$final_path/backend/venv/bin/$final_path/backend/venv/bin/gunicorn" -r "$final_path/backend/venv/bin/gunicorn" -f $file ynh_store_file_checksum --file="$file" done @@ -188,9 +192,9 @@ done ynh_script_progression --message="Finalizing database..." --weight=1 pushd $final_path || ynh_die - python3 -m venv $final_path/backend/venv - source $final_path/backend/venv/bin/activate - $final_path/bin/librephotos-upgrade + chown -R root:$app $final_path + sudo -u $app $final_path/bin/librephotos-upgrade + chown -R root:root $final_path popd || ynh_die #=================================================