Report usage of 'chown root '

Alexandre Aubin 2021-09-29 18:01:01 +02:00
parent ab8696322d
commit c4af75125a


@ -787,8 +787,6 @@ class Configurations(TestSuite):
yield Info(f"You are encouraged to harden the security of the systemd configuration {filename}. You can have a look at https://github.com/YunoHost/example_ynh/blob/master/conf/systemd.service#L14-L42 for a baseline.") yield Info(f"You are encouraged to harden the security of the systemd configuration {filename}. You can have a look at https://github.com/YunoHost/example_ynh/blob/master/conf/systemd.service#L14-L42 for a baseline.")
@test() @test()
def php_config_specific_user(self): def php_config_specific_user(self):
@ -1621,6 +1619,13 @@ class Script(TestSuite):
"(If you need to run a command using a specific user, use 'ynh_exec_as' (or 'sudo -u'))" "(If you need to run a command using a specific user, use 'ynh_exec_as' (or 'sudo -u'))"
) )
@test()
def chownroot(self):
if self.containsregex(r"^\s*chown.* root:?[^$]* .*final_path"):
yield Info(
"Using 'chown root $final_path' is usually symptomatic of misconfigured and wide-open 'other' permissions ... Usually ynh_setup_source should now set sane default permissions on $final_path (if the app requires Yunohost >= 4.2) ... Otherwise, consider using 'chown $app', 'chown nobody' or 'chmod' to limit access to $final_path ..."
)
@test() @test()
def chmod777(self): def chmod777(self):
if self.containsregex(r"chmod .*777") or self.containsregex(r'chmod .*o\+w'): if self.containsregex(r"chmod .*777") or self.containsregex(r'chmod .*o\+w'):
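Review bot: In `chownroot`, the owner token in the pattern is not delimited: `root:?[^$]* ` lets `[^$]*` absorb any characters up to a later space, so a line such as `chown rootless $final_path` (constructed example) is reported too, and nothing says why `$` is excluded. If the intent is to leave `root:$app`-style ownership unreported, which seems likely but is not stated in the hunk, a tighter form would be `r"^\s*chown.* root(:[^$\s]*)? .*final_path"` with a comment such as `# root:$group is deliberately not reported`. The `^\s*` anchor only works per line if `containsregex`, defined outside this hunk, searches line by line or with `re.MULTILINE`; that is worth confirming, since the neighbouring `chmod777` check is unanchored. The check also covers only paths written with the literal name `final_path`, so `chown root` on the same directory spelled another way goes unreported.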