Merge tag 'debian/4.2.1' into dev

2024-09-03 20:06:10 +02:00 · 2021-04-10 01:33:33 +02:00 · 2021-04-10 01:33:33 +02:00 · 64c6d7aa64
commit 64c6d7aa64
parent e6312db3c0 50bd61fe51
5 changed files with 32 additions and 2 deletions
--- a/data/hooks/conf_regen/01-yunohost
+++ b/data/hooks/conf_regen/01-yunohost
@ -144,6 +144,7 @@ do_post_regen() {
  # Enfore permissions #
  ######################

+  chmod 750 /home/admin
  chmod 750 /home/yunohost.conf
  chmod 750 /home/yunohost.backup
  chmod 750 /home/yunohost.backup/archives
@ -164,6 +165,18 @@ do_post_regen() {

  chown root:root /var/cache/yunohost
  chmod 700 /var/cache/yunohost
+  chown root:root /var/cache/moulinette
+  chmod 700 /var/cache/moulinette
+
+  setfacl -m g:all_users:--- /var/www
+  setfacl -m g:all_users:--- /var/log/nginx
+  setfacl -m g:all_users:--- /etc/yunohost
+  setfacl -m g:all_users:--- /etc/ssowat
+
+  for USER in $(yunohost user list --quiet --output-as json | jq -r '.users | .[] | .username')
+  do
+    [ ! -e "/home/$USER" ] || setfacl -m g:all_users:--- /home/$USER
+  done


  # Misc configuration / state files
--- a/data/hooks/conf_regen/12-metronome
+++ b/data/hooks/conf_regen/12-metronome
@ -52,11 +52,14 @@ do_post_regen() {
    mkdir -p "/var/lib/metronome/${domain//./%2e}/pep"
    # http_upload directory must be writable by metronome and readable by nginx
    mkdir -p  "/var/xmpp-upload/${domain}/upload"
+    # sgid bit allows that file created in that dir will be owned by www-data
+    # despite the fact that metronome ain't in the www-data group
    chmod g+s "/var/xmpp-upload/${domain}/upload"
-    chown -R metronome:www-data "/var/xmpp-upload/${domain}"
  done

  # fix some permissions
+  [ ! -e '/var/xmpp-upload' ] || chown -R metronome:www-data "/var/xmpp-upload/"
+  [ ! -e '/var/xmpp-upload' ] || chmod 750 "/var/xmpp-upload/"

  # metronome should be in ssl-cert group to let it access SSL certificates
  usermod -aG ssl-cert metronome
--- a/data/hooks/conf_regen/25-dovecot
+++ b/data/hooks/conf_regen/25-dovecot
@ -41,7 +41,10 @@ do_post_regen() {

  # create vmail user
  id vmail > /dev/null 2>&1 \
-    || adduser --system --ingroup mail --uid 500 vmail
+    || adduser --system --ingroup mail --uid 500 vmail --home /var/vmail --no-create-home
+
+  # Delete legacy home for vmail that existed in the past but was empty, poluting /home/
+  [ ! -e /home/vmail ] || rmdir --ignore-fail-on-non-empty /home/vmail

  # fix permissions
  chown -R vmail:mail /etc/dovecot/global_script
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
+yunohost (4.2.1) testing; urgency=low
+
+  - security: Various permissions tweaks to protect from malicious yunohost users (aefc100a, fc26837a)
+
+ -- Alexandre Aubin <alex.aubin@mailoo.org>  Sat, 10 Apr 2021 01:08:04 +0200
+
 yunohost (4.2.0) testing; urgency=low

  - [mod] Python2 -> Python3 ([#1116](https://github.com/yunohost/yunohost/pull/1116), a97a9df3, 1387dff4, b53859db, f5ab4443, f9478b93, dc6033c3)
--- a/src/yunohost/user.py
+++ b/src/yunohost/user.py
@ -229,6 +229,11 @@ def user_create(
        if not os.path.isdir("/home/{0}".format(username)):
            logger.warning(m18n.n("user_home_creation_failed"), exc_info=1)

+    try:
+        subprocess.check_call(["setfacl", "-m", "g:all_users:---", "/home/%s" % username])
+    except subprocess.CalledProcessError:
+        logger.warning("Failed to protect /home/%s" % username, exc_info=1)
+
    # Create group for user and add to group 'all_users'
    user_group_create(groupname=username, gid=uid, primary_group=True, sync_perm=False)
    user_group_update(groupname="all_users", add=username, force=True, sync_perm=True)