Restrict permissions on app directories

manifest.json

@@ -6,7 +6,7 @@
         "en": "Manage podcast subscriptions, and sync them between apps and devices",
         "fr": "Gérez vos sousciptions balado, et sychronisez-lez entre vos applis et appareils"
     },
-    "version": "2.11.0~ynh2",
+    "version": "2.11.0~ynh3",
     "url": "https://github.com/gpodder/mygpo",
     "license": "AGPL-3.0-only",
     "maintainer": {

scripts/_common.sh

@@ -5,7 +5,7 @@
 #=================================================
 
 # dependencies used by the app
-pkg_dependencies="python3 python3-pip python3-venv postgresql postgresql-contrib libpq-dev redis-server"
+pkg_dependencies="acl python3 python3-pip python3-venv postgresql postgresql-contrib libpq-dev redis-server"
 
 #=================================================
 # PERSONAL HELPERS

scripts/install

@@ -152,7 +152,9 @@ mkdir $datadir
 ynh_app_setting_set --app=$app --key=datadir --value="$datadir"
 
 # Give permission to the datadir
-chown -R "$app":"$app" "$datadir"
+chown -R $app:$app $datadir
+chmod o-rwx $datadir
+setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $datadir
 
 
 ynh_app_setting_set --app=$app --key=datadir --value="$datadir"
@@ -165,7 +167,7 @@ ynh_script_progression --message="Setting up envdir..." --weight=1
 
 env_path=$final_path/envs/prod
 
-mkdir -p  $env_path
+mkdir -p $env_path
 
 echo "$admin <$admin_email>" > $env_path/ADMINS
 echo "None" > $env_path/BROKER_POOL_LIMIT
@@ -189,8 +191,8 @@ pushd $final_path || ynh_die
 	python3 -m venv $final_path/venv
 	source $final_path/venv/bin/activate
 	python3 -m pip install -U wheel pip setuptools
-	python3 -m pip install --requirement  $final_path/requirements.txt
+	python3 -m pip install --requirement $final_path/requirements.txt
-	python3 -m pip install --requirement  $final_path/requirements-setup.txt
+	python3 -m pip install --requirement $final_path/requirements-setup.txt
 	deactivate 'dummy_arg'
 popd || ynh_die
 
@@ -240,7 +242,11 @@ systemctl daemon-reload --quiet
 ### that really need such authorization.
 
 # Set permissions to app files
-chown -R root: $final_path
+chown -R root:$app $final_path
+chmod -R o-rwx $final_path
+chmod -R g-w $final_path
+setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path
+setfacl -n -R -m user:www-data:- -m default:user:www-data:- $final_path/envs
 
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST

scripts/restore

@@ -76,16 +76,6 @@ ynh_script_progression --message="Restoring the app data directory..."
 
 ynh_restore_file --origin_path="$datadir" --not_mandatory
 
-#=================================================
-# RESTORE USER RIGHTS
-#=================================================
-
-# Restore permissions on app files
-mkdir -p $datadir
-chown -R $app: $datadir
-
-#=================================================
-# SPECIFIC RESTORATION
 #=================================================
 # REINSTALL DEPENDENCIES
 #=================================================
@@ -94,6 +84,22 @@ ynh_script_progression --message="Reinstalling dependencies..." --weight=1
 # Define and install dependencies
 ynh_install_app_dependencies $pkg_dependencies
 
+#=================================================
+# RESTORE USER RIGHTS
+#=================================================
+
+# Restore permissions on app files
+chown -R root:$app $final_path
+chmod -R o-rwx $final_path
+chmod -R g-w $final_path
+setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path
+setfacl -n -R -m user:www-data:- -m default:user:www-data:- $final_path/envs
+chown -R $app:$app $datadir
+chmod o-rwx $datadir
+setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $datadir
+
+#=================================================
+# SPECIFIC RESTORATION
 #=================================================
 # RESTORE THE POSTGRESQL DATABASE
 #=================================================

scripts/upgrade

@@ -19,6 +19,7 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+datadir=$(ynh_app_setting_get --app=$app --key=datadir)
 
 #=================================================
 # CHECK VERSION
@@ -108,8 +109,8 @@ ynh_script_progression --message="Upgrading Python virtualenv..." --weight=2
 pushd $final_path || ynh_die
 	source $final_path/venv/bin/activate
 	python3 -m pip install -U wheel pip setuptools
-	python3 -m pip install -U --requirement  $final_path/requirements.txt
+	python3 -m pip install -U --requirement $final_path/requirements.txt
-	python3 -m pip install -U --requirement  $final_path/requirements-setup.txt
+	python3 -m pip install -U --requirement $final_path/requirements-setup.txt
 	deactivate 'dummy_arg'
 popd || ynh_die
 
@@ -146,7 +147,14 @@ systemctl daemon-reload --quiet
 #=================================================
 
 # Set permissions on app files
-chown -R root: $final_path
+chown -R root:$app $final_path
+chmod -R o-rwx $final_path
+chmod -R g-w $final_path
+setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $final_path
+setfacl -n -R -m user:www-data:- -m default:user:www-data:- $final_path/envs
+chown -R $app:$app $datadir
+chmod o-rwx $datadir
+setfacl -n -R -m user:www-data:rx -m default:user:www-data:rx $datadir
 
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST