From dacc3415955507b27343cf6691b6692e7972e5d4 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Sat, 4 Dec 2021 00:52:48 +0100 Subject: [PATCH 1/2] Fix permissions, remove access to other users --- scripts/install | 1 + scripts/restore | 1 + scripts/upgrade | 29 +++++++++++++++-------------- 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/scripts/install b/scripts/install index db02e8b..0ea769f 100755 --- a/scripts/install +++ b/scripts/install @@ -183,6 +183,7 @@ ynh_store_file_checksum --file="$final_path/menu.php" # Set permissions to app files chown -R root: $final_path +chmod -R o-rwx $final_path # Wiki needs to write inside these folders. Make "Wiki" owner chown -R $app:root $final_path/var diff --git a/scripts/restore b/scripts/restore index a05d5b0..447d2f4 100755 --- a/scripts/restore +++ b/scripts/restore @@ -69,6 +69,7 @@ ynh_system_user_create --username=$app # Restore permissions on app files chown -R root: $final_path +chmod -R o-rwx $final_path #================================================= # RESTORE THE PHP-FPM CONFIGURATION diff --git a/scripts/upgrade b/scripts/upgrade index b37a8c0..26d2f22 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -29,6 +29,20 @@ phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) upgrade_type=$(ynh_check_app_version_changed) +#================================================= +# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP +#================================================= +ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=4 + +# Backup the current version of the app +ynh_backup_before_upgrade +ynh_clean_setup () { + # restore it if the upgrade fails + ynh_restore_upgradebackup +} +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors + #================================================= # ENSURE DOWNWARD COMPATIBILITY #================================================= 
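Review bot: `chmod -R o-rwx $final_path` in the scripts/install hunk leaves `$final_path` unquoted, so a path containing whitespace or glob characters is split or expanded before this root-run recursive chmod sees it; `chmod -R o-rwx "$final_path"` avoids that. The same line is added in the scripts/restore hunk and in the scripts/upgrade hunk at -126,6. Quoting matters more for the `find $final_path -type d -exec chmod g=rx {} +` lines that patch 2/2 adds to all three scripts: with an empty expansion GNU find starts from the current directory, whereas `find "$final_path" ...` stops with an error.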
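Review bot: In the scripts/restore hunk the new `chmod -R o-rwx` directly follows `chown -R root: $final_path`, which leaves the tree owned by root with every permission for other accounts removed. Unless a later part of the script (outside the hunk) hands ownership back, the process running as `$app` presumably loses the read access it previously had through the "other" bits; the scripts/upgrade hunk at -126,6 has the same pair of lines. If this patch has to work on its own (bisecting, cherry-picking), the reading account should be granted access in the same change, for example `chown -R root:$app "$final_path"` before the chmod, assuming a group named after the app exists.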
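Review bot: The scripts/upgrade hunk at -29,6 moves the backup-and-trap block ahead of the "ENSURE DOWNWARD COMPATIBILITY" section, and neither the subject line nor a comment says why. With `ynh_abort_if_errors` armed earlier, a failing command in the legacy-settings steps will presumably now abort the upgrade and trigger `ynh_clean_setup`, which is a behaviour change unrelated to permissions. A comment above the block would record the intent, for example `# Back up and arm the error trap first, so a failure in the compatibility steps below is rolled back too`.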
@@ -47,20 +61,6 @@ if ynh_legacy_permissions_exists; then ynh_app_setting_delete --app=$app --key=is_public fi -#================================================= -# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP -#================================================= -ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=4 - -# Backup the current version of the app -ynh_backup_before_upgrade -ynh_clean_setup () { - # restore it if the upgrade fails - ynh_restore_upgradebackup -} -# Exit if an error occurs during the execution of the script -ynh_abort_if_errors - #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= @@ -126,6 +126,7 @@ ynh_restore_file -o "conf/config.php" # Set permissions on app files chown -R root: $final_path +chmod -R o-rwx $final_path #================================================= # RELOAD NGINX From fb9f51e5bb8dfa015778cfa4ed38de127a749a55 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Sat, 4 Dec 2021 01:21:13 +0100 Subject: [PATCH 2/2] Simplify permissions --- scripts/install | 19 +++---------------- scripts/restore | 4 +++- scripts/upgrade | 4 +++- 3 files changed, 9 insertions(+), 18 deletions(-) diff --git a/scripts/install b/scripts/install index 0ea769f..dcd4254 100755 --- a/scripts/install +++ b/scripts/install 
@@ -182,23 +182,10 @@ ynh_store_file_checksum --file="$final_path/menu.php" #================================================= # Set permissions to app files -chown -R root: $final_path +chown -R $app:www-data $final_path chmod -R o-rwx $final_path - -# Wiki needs to write inside these folders. Make "Wiki" owner -chown -R $app:root $final_path/var -chown -R $app:root $final_path/templates - -# write everything, even config files, for pheditor: -chown -R $app:root $final_path/ - -# Allow access to public assets like style sheets -find $final_path/templates -type f -print0 | xargs -0 chmod 0644 -find $final_path/templates -type d -print0 | xargs -0 chmod 0755 -find $final_path/templates/minimaxing/minimaxing.css -type f -print0 | xargs -0 chmod 0755 -# Using "find" instead of "chmod -R 755" so files does not become executable too -# chmod : -rwxr-xr-x 1 root root 241 May 3 08:36 index.html => BAD -# find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD +find $final_path -type d -exec chmod g=rx {} + +find $final_path -type f -exec chmod g=r {} + #================================================= # SETUP SSOWAT diff --git a/scripts/restore b/scripts/restore index 447d2f4..5ce6cce 100755 --- a/scripts/restore +++ b/scripts/restore @@ -68,8 +68,10 @@ ynh_system_user_create --username=$app #================================================= # Restore permissions on app files -chown -R root: $final_path +chown -R $app:www-data $final_path chmod -R o-rwx $final_path +find $final_path -type d -exec chmod g=rx {} + +find $final_path -type f -exec chmod g=r {} + #================================================= # RESTORE THE PHP-FPM CONFIGURATION diff --git a/scripts/upgrade b/scripts/upgrade index 26d2f22..376a498 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
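Review bot: `chown -R $app:www-data $final_path` in the scripts/install hunk makes the application account the owner of every file under the install directory, code and configuration included, while the comment that explained that choice (`# write everything, even config files, for pheditor:`) is deleted with the old lines. An owner-writable code tree means a file-write flaw in the web application can change the PHP that the server later executes, so the decision should stay documented next to the command. I would keep a comment such as `# $app owns the whole tree on purpose: the bundled editor (pheditor) must be able to write code and config files` above the chown, or, if only `var` and `templates` need to be writable, leave root as owner of the rest. The same chown is introduced in the scripts/restore and scripts/upgrade hunks of this patch, where the tree was previously root-owned.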
@@ -125,8 +125,10 @@ ynh_restore_file -o "conf/config.php" #================================================= # Set permissions on app files -chown -R root: $final_path +chown -R $app:www-data $final_path chmod -R o-rwx $final_path +find $final_path -type d -exec chmod g=rx {} + +find $final_path -type f -exec chmod g=r {} + #================================================= # RELOAD NGINX
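Review bot: `find $final_path -type f -exec chmod g=r {} +` in the scripts/upgrade hunk gives the `www-data` group read access to every file in the tree, which presumably includes the `conf/config.php` named in the hunk header and the data under `$final_path/var`. If the web server only has to serve static assets, that is wider than needed, and any other process running in the `www-data` group gets the same access. Whether those files hold secrets is not visible here; if they do, and nginx does not serve anything from there directly, follow the two find lines with something like `chmod -R g-rwx "$final_path/var"` and the equivalent for the configuration file. The scripts/install and scripts/restore hunks of this patch add the same lines.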