From 4cf9a13d1d1d3d11b9a8fe7c517b182db5cd5ebd Mon Sep 17 00:00:00 2001
From: Jules Bertholet
Date: Mon, 22 Mar 2021 12:59:00 -0400
Subject: [PATCH] Restrict permissions on app directories
---
 manifest.json | 2 +-
 scripts/_common.sh | 2 +-
 scripts/install | 16 +++++++++++-----
 scripts/restore | 26 ++++++++++++++++----------
 scripts/upgrade | 14 +++++++++++---
 5 files changed, 40 insertions(+), 20 deletions(-)
diff --git a/manifest.json b/manifest.json
index a59daa6..85a9d84 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Manage podcast subscriptions, and sync them between apps and devices",
 "fr": "Gérez vos sousciptions balado, et sychronisez-lez entre vos applis et appareils"
 },
- "version": "2.11.0~ynh2",
+ "version": "2.11.0~ynh3",
 "url": "https://github.com/gpodder/mygpo",
 "license": "AGPL-3.0-only",
 "maintainer": {
diff --git a/scripts/_common.sh b/scripts/_common.sh
index ebbac90..3e99049 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -5,7 +5,7 @@
 #=================================================
 # dependencies used by the app
-pkg_dependencies="python3 python3-pip python3-venv postgresql postgresql-contrib libpq-dev redis-server"
+pkg_dependencies="acl python3 python3-pip python3-venv postgresql postgresql-contrib libpq-dev redis-server"
 #=================================================
 # PERSONAL HELPERS
diff --git a/scripts/install b/scripts/install
index 194be5d..4eda442 100755
--- a/scripts/install
+++ b/scripts/install
@@ -152,7 +152,9 @@ mkdir $datadir
 ynh_app_setting_set --app=$app --key=datadir --value="$datadir"
 # Give permission to the datadir
-chown -R "$app":"$app" "$datadir"
+chown -R $app:$app $datadir
+chmod o-rwx $datadir
+setfacl -n -R -m user:www-data:r -m default:user:www-data:r $datadir
 ynh_app_setting_set --app=$app --key=datadir --value="$datadir"
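Review bot: The ACL entry `user:www-data:r` in the new `setfacl -n -R -m user:www-data:r -m default:user:www-data:r $datadir` line grants read without search (`x`) permission, and because www-data is then matched by its named-user entry rather than by the "other" bits, it can list `$datadir` but cannot open any file beneath it. If the web server is meant to read files from this tree, the entry presumably needs to be `user:www-data:rX` (and the same for the `default:` entry) so directories stay traversable; if it is not, dropping the grant altogether is the tighter option. The same `r`-only entry is reused for `$final_path` in the `@@ -240,7 +242,11 @@` hunk of scripts/install and in scripts/restore and scripts/upgrade. Separately, this hunk drops the quoting the removed line had; `chown -R "$app:$app" "$datadir"`, with `"$datadir"` quoted on the two added lines as well, keeps these root-run commands safe from word splitting and globbing.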
@@ -165,7 +167,7 @@ ynh_script_progression --message="Setting up envdir..." --weight=1
 env_path=$final_path/envs/prod
-mkdir -p $env_path
+mkdir -p $env_path
 echo "$admin <$admin_email>" > $env_path/ADMINS
 echo "None" > $env_path/BROKER_POOL_LIMIT
@@ -189,8 +191,8 @@ pushd $final_path || ynh_die
 python3 -m venv $final_path/venv
 source $final_path/venv/bin/activate
 python3 -m pip install -U wheel pip setuptools
- python3 -m pip install --requirement $final_path/requirements.txt
- python3 -m pip install --requirement $final_path/requirements-setup.txt
+ python3 -m pip install --requirement $final_path/requirements.txt
+ python3 -m pip install --requirement $final_path/requirements-setup.txt
 deactivate 'dummy_arg'
 popd || ynh_die
@@ -240,7 +242,11 @@ systemctl daemon-reload --quiet
 ### that really need such authorization.
 # Set permissions to app files
-chown -R root: $final_path
+chown -R root:$app $final_path
+chmod -R o-rwx $final_path
+chmod -R g-w $final_path
+setfacl -n -R -m user:www-data:r -m default:user:www-data:r $final_path
+setfacl -n -R -m user:www-data:- -m default:user:www-data:- $final_path/envs
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
diff --git a/scripts/restore b/scripts/restore
index b2707db..04ffe6f 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -76,16 +76,6 @@ ynh_script_progression --message="Restoring the app data directory..."
 ynh_restore_file --origin_path="$datadir" --not_mandatory
-#=================================================
-# RESTORE USER RIGHTS
-#=================================================
-
-# Restore permissions on app files
-mkdir -p $datadir
-chown -R $app: $datadir
-
-#=================================================
-# SPECIFIC RESTORATION
 #=================================================
 # REINSTALL DEPENDENCIES
 #=================================================
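Review bot: In the `@@ -240,7 +242,11 @@` hunk of scripts/install, www-data is first given a recursive read ACL over all of `$final_path` and only afterwards stripped from `$final_path/envs`, so the environment files are covered by the grant until the second `setfacl` completes, and every other subtree (the virtualenv, the application source) stays readable to the web server user. Only `ADMINS` and `BROKER_POOL_LIMIT` are visible being written under `envs` here, but the carve-out suggests the directory also holds values that must stay private. A narrower form grants nothing tree-wide: `setfacl -m user:www-data:--x "$final_path"` for traversal, plus `setfacl -n -R -m user:www-data:rX -m default:user:www-data:rX "$final_path/<served-dir>"` on the one directory the web server serves (placeholder, since that path is not shown in this diff). If the tree-wide grant is kept, a comment such as `# envs/ holds the app's environment settings; www-data must not read it` above the second `setfacl` would record why the exception exists.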
@@ -94,6 +84,22 @@ ynh_script_progression --message="Reinstalling dependencies..." --weight=1
 # Define and install dependencies
 ynh_install_app_dependencies $pkg_dependencies
+#=================================================
+# RESTORE USER RIGHTS
+#=================================================
+
+# Restore permissions on app files
+chown -R root:$app $final_path
+chmod -R o-rwx $final_path
+chmod -R g-w $final_path
+setfacl -n -R -m user:www-data:r -m default:user:www-data:r $final_path
+setfacl -n -R -m user:www-data:- -m default:user:www-data:- $final_path/envs
+chown -R $app:$app $datadir
+chmod o-rwx $datadir
+setfacl -n -R -m user:www-data:r -m default:user:www-data:r $datadir
+
+#=================================================
+# SPECIFIC RESTORATION
 #=================================================
 # RESTORE THE POSTGRESQL DATABASE
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 6a2c347..b5c7925 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -19,6 +19,7 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+datadir=$(ynh_app_setting_get --app=$app --key=datadir)
 #=================================================
 # CHECK VERSION
@@ -108,8 +109,8 @@ ynh_script_progression --message="Upgrading Python virtualenv..." --weight=2
 pushd $final_path || ynh_die
 source $final_path/venv/bin/activate
 python3 -m pip install -U wheel pip setuptools
- python3 -m pip install -U --requirement $final_path/requirements.txt
- python3 -m pip install -U --requirement $final_path/requirements-setup.txt
+ python3 -m pip install -U --requirement $final_path/requirements.txt
+ python3 -m pip install -U --requirement $final_path/requirements-setup.txt
 deactivate 'dummy_arg'
 popd || ynh_die
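Review bot: The relocated permissions block in scripts/restore (`@@ -94,6 +84,22 @@`) no longer creates the data directory: the block removed earlier in this file ran `mkdir -p $datadir` before its `chown`, and the data directory is restored with `--not_mandatory`, so a backup that lacks it leaves `chown -R $app:$app $datadir` pointing at a missing path. Putting `mkdir -p "$datadir"` back ahead of that `chown` avoids the failure; whether the script aborts there depends on error handling outside this hunk. The block now sits after `ynh_install_app_dependencies`, presumably because `setfacl` comes from the newly added `acl` package, and a one-line comment such as `# must run after dependencies are installed: setfacl is provided by acl` would keep a later reorder from breaking it.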
@@ -146,7 +147,14 @@ systemctl daemon-reload --quiet
 #=================================================
 # Set permissions on app files
-chown -R root: $final_path
+chown -R root:$app $final_path
+chmod -R o-rwx $final_path
+chmod -R g-w $final_path
+setfacl -n -R -m user:www-data:r -m default:user:www-data:r $final_path
+setfacl -n -R -m user:www-data:- -m default:user:www-data:- $final_path/envs
+chown -R $app:$app $datadir
+chmod o-rwx $datadir
+setfacl -n -R -m user:www-data:r -m default:user:www-data:r $datadir
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
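Review bot: The ownership/mode/ACL sequence added here is the third copy of the same eight commands (also in scripts/install and scripts/restore), and the copies already differ in shape, since install applies the `$datadir` and `$final_path` parts in two separate places. Permission logic that must stay identical across three scripts tends to drift, so moving it into one function in scripts/_common.sh and calling that from install, restore and upgrade would make it auditable in a single place. In upgrade specifically, `datadir` now comes from `ynh_app_setting_get` (hunk `@@ -19,6 +19,7 @@`), and an instance whose setting is empty would run the unquoted `chown -R $app:$app $datadir` with no path operand. A guard before the block, e.g. `[ -n "$datadir" ] || ynh_die --message="datadir setting is empty"`, makes that failure explicit rather than leaving it to `chown`'s error.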