Add an error message when /var/www/ is world-readable/enterable

Alexandre Aubin 2021-03-13 02:28:53 +01:00
parent 1b3f2fba0f
commit 763f293531


@ -85,6 +85,12 @@ _INSTALL_APP () {
local ret=$? local ret=$?
[ $ret -eq 0 ] && log_debug "Installation successful." || log_error "Installation failed." [ $ret -eq 0 ] && log_debug "Installation successful." || log_error "Installation failed."
if LXC_EXEC "su nobody -s /bin/bash -c 'test -r /var/www/$app_id || test -w /var/www/$app_id || test -x /var/www/$app_id'"
then
log_error "It looks like anybody can read/enter /var/www/$app_id, which ain't super great from a security point of view ... Config files or other files may contain secrets or information that should in most case not be world-readable. You should remove all 'others' permissions with 'chmod o-rwx', and setup appropriate, exclusive permissions to the appropriate owner/group with chmod/chown."
fi
return $ret return $ret
} }
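Review bot: The new permission check in `_INSTALL_APP` only logs its finding. `return $ret` still carries the install status alone, so unless `log_error` records a failure somewhere outside this hunk, an app that leaves /var/www/$app_id open to others still passes the install test. The check also fails open: if `LXC_EXEC` or `su nobody` itself fails, the `if` is false and that looks the same as "not accessible", so a separate check that the probe could run at all would make a silent skip visible. The condition includes `test -w` but the message only mentions read/enter, so a world-writable directory is reported with the wrong wording; naming write access in the message would fix that. The probe also runs after a failed install, which could be avoided by putting `[ $ret -eq 0 ] &&` in front of `LXC_EXEC`.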
@ -326,7 +332,7 @@ TEST_INSTALL () {
_PREINSTALL _PREINSTALL
# Install the application in a LXC container # Install the application in a LXC container
_INSTALL_APP "path=$check_path" "is_public=$is_public" \ _INSTALL_APP "path=$check_path" "is_public=$is_public" \
&& _VALIDATE_THAT_APP_CAN_BE_ACCESSED "$SUBDOMAIN" "$check_path" "$install_type" \ && _VALIDATE_THAT_APP_CAN_BE_ACCESSED "$SUBDOMAIN" "$check_path" "$install_type" \
local install=$? local install=$?