From aefc100ab4142a6d2e3deefa6393a2187a2a63f9 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Fri, 9 Apr 2021 22:49:02 +0200
Subject: [PATCH 1/3] security: Enforce some permission for regular yunohost users

---
 data/hooks/conf_regen/01-yunohost | 8 ++++++++
 data/hooks/conf_regen/12-metronome | 5 ++++-
 data/hooks/conf_regen/25-dovecot | 5 ++++-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/data/hooks/conf_regen/01-yunohost b/data/hooks/conf_regen/01-yunohost
index 30828c462..0a92a6a32 100755
--- a/data/hooks/conf_regen/01-yunohost
+++ b/data/hooks/conf_regen/01-yunohost
@@ -130,6 +130,7 @@ do_post_regen() {
 # Enfore permissions #
 ######################
 
+ chmod 750 /home/admin
 chmod 750 /home/yunohost.conf
 chmod 750 /home/yunohost.backup
 chmod 750 /home/yunohost.backup/archives
@@ -146,6 +147,13 @@ do_post_regen() {
 chown root:root /var/cache/yunohost
 chmod 700 /var/cache/yunohost
 
+ chown root:root /var/cache/moulinette
+ chmod 700 /var/cache/moulinette
+
+ setfacl -m g:all_users:--- /var/www
+ setfacl -m g:all_users:--- /var/log/nginx
+ setfacl -m g:all_users:--- /etc/yunohost
+ setfacl -m g:all_users:--- /etc/ssowat
 
 # Misc configuration / state files
 chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
diff --git a/data/hooks/conf_regen/12-metronome b/data/hooks/conf_regen/12-metronome
index 31d11555a..ca5d5dc82 100755
--- a/data/hooks/conf_regen/12-metronome
+++ b/data/hooks/conf_regen/12-metronome
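Review bot: The four `setfacl -m g:all_users:---` lines in the second hunk run unguarded, whereas the same series guards optional paths with `[ ! -e PATH ] || ...` (the /var/xmpp-upload lines in 12-metronome, the /home/$USER loop in the follow-up commit); on a host where /var/log/nginx or /etc/ssowat is absent, setfacl exits non-zero and, if do_post_regen runs under `set -e` (not visible in the hunk), the chown/chmod lines that follow are skipped. Apply the same guard, e.g. `[ ! -e /var/log/nginx ] || setfacl -m g:all_users:--- /var/log/nginx`. The mechanism also deserves a comment, because it is not obvious why a single non-recursive entry is enough: `# ACL evaluation stops at a matching named-group entry, so all_users members no longer fall through to 'other'; denying x on the top directory blocks traversal below it, so no -R or default ACL is needed`. Worth noting in the same comment that any other group entry that grants the permission (the owning group included) still wins, so these directories must not later be group-owned by a group the users belong to.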
@@ -52,11 +52,14 @@ do_post_regen() {
 mkdir -p "/var/lib/metronome/${domain//./%2e}/pep"
 # http_upload directory must be writable by metronome and readable by nginx
 mkdir -p "/var/xmpp-upload/${domain}/upload"
+ # sgid bit allows that file created in that dir will be owned by www-data
+ # despite the fact that metronome ain't in the www-data group
 chmod g+s "/var/xmpp-upload/${domain}/upload"
- chown -R metronome:www-data "/var/xmpp-upload/${domain}"
 done
 
 # fix some permissions
+ [ ! -e '/var/xmpp-upload' ] || chown -R metronome:www-data "/var/xmpp-upload/"
+ [ ! -e '/var/xmpp-upload' ] || chmod 750 "/var/xmpp-upload/"
 
 # metronome should be in ssl-cert group to let it access SSL certificates
 usermod -aG ssl-cert metronome
diff --git a/data/hooks/conf_regen/25-dovecot b/data/hooks/conf_regen/25-dovecot
index 46c9bdf3e..ce2722bf4 100755
--- a/data/hooks/conf_regen/25-dovecot
+++ b/data/hooks/conf_regen/25-dovecot
@@ -41,7 +41,10 @@ do_post_regen() {
 
 # create vmail user
 id vmail > /dev/null 2>&1 \
- || adduser --system --ingroup mail --uid 500 vmail
+ || adduser --system --ingroup mail --uid 500 vmail --home /var/vmail --no-create-home
+
+ # Delete legacy home for vmail that existed in the past but was empty, poluting /home/
+ [ ! -e /home/vmail ] || rmdir --ignore-fail-on-non-empty /home/vmail
 
 # fix permissions
 chown -R vmail:mail /etc/dovecot/global_script

From fc26837aa789fd228fe863e354de9caa249a83e9 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Sat, 10 Apr 2021 01:04:59 +0200
Subject: [PATCH 2/3] security: Enforce permissions on /home/ so that they can't sneak in each other home

---
 data/hooks/conf_regen/01-yunohost | 5 +++++
 src/yunohost/user.py | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/data/hooks/conf_regen/01-yunohost b/data/hooks/conf_regen/01-yunohost
index 0a92a6a32..204b33b7d 100755
--- a/data/hooks/conf_regen/01-yunohost
+++ b/data/hooks/conf_regen/01-yunohost
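Review bot: The new comment above `chmod g+s` describes the setgid effect imprecisely: the bit makes files created in the directory inherit the directory's group (www-data), while the owner stays whoever created them, so "owned by www-data" misleads; suggest `# setgid on the dir makes new uploads inherit its group (www-data) so nginx can read them, even though metronome is not in the www-data group`. The two `[ ! -e '/var/xmpp-upload' ] || ...` lines repeat the same test; an `if [ -e /var/xmpp-upload ]; then ... fi` block reads more clearly and keeps the pair together. Note that `chmod 750` is applied only to the top directory, so readability of the per-domain subdirectories for nginx now rests on the recursive chown plus whatever mode `mkdir -p` produced under the current umask (not visible here). do_post_regen continues outside the hunk.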
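Review bot: `--home /var/vmail --no-create-home` only affects a vmail account created from now on; on an existing install the `id vmail` test short-circuits and the account keeps whatever home the previous adduser recorded (presumably /home/vmail), while the new `rmdir` line removes that directory, leaving passwd pointing at a path that no longer exists. If anything relies on vmail's home (dovecot's own config is not visible here), the upgrade path needs the pre-existing account updated as well, e.g. `usermod -d /var/vmail vmail`; if nothing does, a one-line comment saying so would avoid the question. Minor: "poluting" should be "polluting" in the added comment. do_post_regen continues outside the hunk.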
@@ -155,6 +155,11 @@ do_post_regen() {
 setfacl -m g:all_users:--- /etc/yunohost
 setfacl -m g:all_users:--- /etc/ssowat
 
+ for USER in $(yunohost user list --quiet --output-as json | jq -r '.users | .[] | .username')
+ do
+ [ ! -e "/home/$USER" ] || setfacl -m g:all_users:--- /home/$USER
+ done
+
 # Misc configuration / state files
 chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
 chmod 600 $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
diff --git a/src/yunohost/user.py b/src/yunohost/user.py
index 089f2ba0e..755bbd6ee 100644
--- a/src/yunohost/user.py
+++ b/src/yunohost/user.py
@@ -229,6 +229,11 @@ def user_create(
 if not os.path.isdir("/home/{0}".format(username)):
 logger.warning(m18n.n("user_home_creation_failed"), exc_info=1)
 
+ try:
+ subprocess.check_call(["setfacl", "-m", "g:all_users:---", "/home/%s" % username])
+ except subprocess.CalledProcessError:
+ logger.warning("Failed to protect /home/%s" % username, exc_info=1)
+
 # Create group for user and add to group 'all_users'
 user_group_create(groupname=username, gid=uid, primary_group=True, sync_perm=False)
 user_group_update(groupname="all_users", add=username, force=True, sync_perm=True)

From 50bd61fe5144cc67311258d7db98531612806fcf Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Sat, 10 Apr 2021 01:09:20 +0200
Subject: [PATCH 3/3] Update changelog for 4.2.1

---
 debian/changelog | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index f8211b82e..fe1f42a23 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+yunohost (4.2.1) testing; urgency=low
+
+ - security: Various permissions tweaks to protect from malicious yunohost users (aefc100a, fc26837a)
+
+ -- Alexandre Aubin Sat, 10 Apr 2021 01:08:04 +0200
+
 yunohost (4.2.0) testing; urgency=low
 
 - [mod] Python2 -> Python3 ([#1116](https://github.com/yunohost/yunohost/pull/1116), a97a9df3, 1387dff4, b53859db, f5ab4443, f9478b93, dc6033c3)
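Review bot: `/home/$USER` on the setfacl line is unquoted while the `-e` test on the same line quotes it, and `USER` as the loop variable overwrites the login-name variable the shell exports, which can confuse anything later in the hook that reads `$USER`; suggest `for username in $(yunohost user list --quiet --output-as json | jq -r '.users | .[] | .username')` with `[ ! -e "/home/$username" ] || setfacl -m g:all_users:--- "/home/$username"`. If `yunohost user list` fails (LDAP unavailable while regen runs, for instance), the pipeline's status is jq's, the loop body runs zero times and nothing is reported, so the protection silently does not get applied on that run — an explicit status check, or `set -o pipefail` if the hook is meant to be strict (not visible here), would surface it. A short comment would also explain why the deny entry does not lock the user out of their own directory: `# the owner entry is evaluated before any group entry, so each user keeps full access to their own home`. do_post_regen continues outside the hunk.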
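Review bot: The new `subprocess.check_call(["setfacl", ...])` runs even when the `os.path.isdir` check just above has found that the home directory does not exist, so that failure path now produces a second warning with a traceback (setfacl on a missing path exits non-zero); guarding it with the same condition, `if os.path.isdir(home): subprocess.check_call([...])`, or moving it into the directory-creation success path, keeps one failure to one warning. The list form with a fixed option string means no shell is involved, which is the right shape for a path built from the username; this assumes `subprocess` is already imported at module top, which the hunk does not show. Minor: the surrounding lines use `"{0}".format(username)` while the new ones use `%` formatting. user_create continues outside the hunk.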