From dddcb5789fc4f579b521f83de89d3045d74b5ac5 Mon Sep 17 00:00:00 2001
From: Jules-Bertholet
Date: Thu, 8 Apr 2021 16:59:54 -0400
Subject: [PATCH] Tighten permissions (#99)

* Tighten permissions
* Check for existence of cache file before chmoding it
---
 scripts/_common.sh | 16 ++++++++++++++++
 scripts/install | 7 +------
 scripts/restore | 5 +++--
 scripts/upgrade | 7 +------
 4 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/scripts/_common.sh b/scripts/_common.sh
index ab8759c..bf96bab 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -7,6 +7,22 @@
 # dependencies used by the app
 pkg_dependencies="php-cli php-mysql php-json php-gd php-tidy php-curl php-gettext php-redis"
 
+#=================================================
+# PERSONAL HELPERS
+#=================================================
+
+function set_permissions {
+ # Set permissions to app files
+ chown -R $app:www-data $final_path
+ chmod -R g=u,g-w,o-rwx $final_path
+
+ # Restrict rights to Wallabag user only
+ chmod 600 $wb_conf
+ if [ -e $final_path/var/cache/prod/appProdProjectContainer.php ]; then
+ chmod 700 $final_path/var/cache/prod/appProdProjectContainer.php
+ fi
+}
+
 #=================================================
 # EXPERIMENTAL HELPERS
 #=================================================
diff --git a/scripts/install b/scripts/install
index 375add7..8867d0f 100644
--- a/scripts/install
+++ b/scripts/install
@@ -160,12 +160,7 @@ ynh_add_fail2ban_config --logpath="/var/www/$app/var/logs/prod.log" --failregex=
 # SECURE FILES AND DIRECTORIES
 #=================================================
 
-# Restrict rights to Wallabag user only
-chmod 600 $wb_conf
-
-# Set permissions to app files
-chown -R $app: $final_path
-chmod 755 $final_path
+set_permissions
 
 #=================================================
 # SETUP HOOKS
diff --git a/scripts/restore b/scripts/restore
index ec62624..1654db7 100644
--- a/scripts/restore
+++ b/scripts/restore
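Review bot: `set_permissions` in scripts/_common.sh runs recursive `chown`/`chmod` on the globals `$app`, `$final_path` and `$wb_conf` unquoted and unchecked, and nothing in the helper says the caller must have set them; the restore hunk shows the dependency, since it has to assign `wb_conf` just before the call. These scripts presumably run as root, so I would quote every expansion and fail fast on an empty value with `${final_path:?}` instead of relying on each call site. Separately, mode 700 puts an execute bit on a PHP cache file that is presumably only read by the interpreter; 600 would match what `$wb_conf` gets (left as is in the sketch below). The rewrite adds the guards and a comment naming the globals the helper reads.

```shell
function set_permissions {
    # Globals read: app, final_path, wb_conf (set by the calling script)
    chown -R "${app:?}:www-data" "${final_path:?}"
    chmod -R g=u,g-w,o-rwx "$final_path"

    chmod 600 "${wb_conf:?}"
    if [ -e "$final_path/var/cache/prod/appProdProjectContainer.php" ]; then
        chmod 700 "$final_path/var/cache/prod/appProdProjectContainer.php"
    fi
}
```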
@@ -66,8 +66,9 @@ ynh_system_user_create --username=$app
 # RESTORE USER RIGHTS
 #=================================================
 
-# Restore permissions on app files
-chown -R $app: $final_path
+wb_conf=$final_path/app/config/parameters.yml
+
+set_permissions
 
 #=================================================
 # RESTORE THE PHP-FPM CONFIGURATION
diff --git a/scripts/upgrade b/scripts/upgrade
index 1170198..94bc0d9 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -191,12 +191,7 @@ fi
 # SECURE FILES AND DIRECTORIES
 #=================================================
 
-# Restrict rights to Wallabag user only
-chmod 600 $wb_conf
-
-# Set permissions to app files
-chown -R $app: $final_path
-chmod 755 $final_path
+set_permissions
 
 #=================================================
 # SETUP HOOKS