Merge tag 'debian/4.2.1' into dev

data/hooks/conf_regen/01-yunohost

@@ -144,6 +144,7 @@ do_post_regen() {
   # Enfore permissions #
   ######################
 
+  chmod 750 /home/admin
   chmod 750 /home/yunohost.conf
   chmod 750 /home/yunohost.backup
   chmod 750 /home/yunohost.backup/archives
@@ -164,6 +165,18 @@ do_post_regen() {
 
   chown root:root /var/cache/yunohost
   chmod 700 /var/cache/yunohost
+  chown root:root /var/cache/moulinette
+  chmod 700 /var/cache/moulinette
+
+  setfacl -m g:all_users:--- /var/www
+  setfacl -m g:all_users:--- /var/log/nginx
+  setfacl -m g:all_users:--- /etc/yunohost
+  setfacl -m g:all_users:--- /etc/ssowat
+
+  for USER in $(yunohost user list --quiet --output-as json | jq -r '.users | .[] | .username')
+  do
+    [ ! -e "/home/$USER" ] || setfacl -m g:all_users:--- /home/$USER
+  done
 
 
   # Misc configuration / state files

data/hooks/conf_regen/12-metronome

@@ -52,11 +52,14 @@ do_post_regen() {
     mkdir -p "/var/lib/metronome/${domain//./%2e}/pep"
     # http_upload directory must be writable by metronome and readable by nginx
     mkdir -p  "/var/xmpp-upload/${domain}/upload"
+    # sgid bit allows that file created in that dir will be owned by www-data
+    # despite the fact that metronome ain't in the www-data group
     chmod g+s "/var/xmpp-upload/${domain}/upload"
-    chown -R metronome:www-data "/var/xmpp-upload/${domain}"
   done
 
   # fix some permissions
+  [ ! -e '/var/xmpp-upload' ] || chown -R metronome:www-data "/var/xmpp-upload/"
+  [ ! -e '/var/xmpp-upload' ] || chmod 750 "/var/xmpp-upload/"
 
   # metronome should be in ssl-cert group to let it access SSL certificates
   usermod -aG ssl-cert metronome

data/hooks/conf_regen/25-dovecot

@@ -41,7 +41,10 @@ do_post_regen() {
 
   # create vmail user
   id vmail > /dev/null 2>&1 \
-    || adduser --system --ingroup mail --uid 500 vmail
+    || adduser --system --ingroup mail --uid 500 vmail --home /var/vmail --no-create-home
+
+  # Delete legacy home for vmail that existed in the past but was empty, poluting /home/
+  [ ! -e /home/vmail ] || rmdir --ignore-fail-on-non-empty /home/vmail
 
   # fix permissions
   chown -R vmail:mail /etc/dovecot/global_script

debian/changelog

@@ -1,3 +1,9 @@
+yunohost (4.2.1) testing; urgency=low
+
+  - security: Various permissions tweaks to protect from malicious yunohost users (aefc100a, fc26837a)
+
+ -- Alexandre Aubin <alex.aubin@mailoo.org>  Sat, 10 Apr 2021 01:08:04 +0200
+
 yunohost (4.2.0) testing; urgency=low
 
   - [mod] Python2 -> Python3 ([#1116](https://github.com/yunohost/yunohost/pull/1116), a97a9df3, 1387dff4, b53859db, f5ab4443, f9478b93, dc6033c3)

src/yunohost/user.py

@@ -229,6 +229,11 @@ def user_create(
         if not os.path.isdir("/home/{0}".format(username)):
             logger.warning(m18n.n("user_home_creation_failed"), exc_info=1)
 
+    try:
+        subprocess.check_call(["setfacl", "-m", "g:all_users:---", "/home/%s" % username])
+    except subprocess.CalledProcessError:
+        logger.warning("Failed to protect /home/%s" % username, exc_info=1)
+
     # Create group for user and add to group 'all_users'
     user_group_create(groupname=username, gid=uid, primary_group=True, sync_perm=False)
     user_group_update(groupname="all_users", add=username, force=True, sync_perm=True)