security: Enforce some permission for regular yunohost users

2024-09-03 20:06:10 +02:00 · 2021-04-09 22:49:02 +02:00 · 2021-04-09 22:49:02 +02:00 · aefc100ab4
commit aefc100ab4
parent 8751dcdd1b
3 changed files with 16 additions and 2 deletions
--- a/data/hooks/conf_regen/01-yunohost
+++ b/data/hooks/conf_regen/01-yunohost
@ -130,6 +130,7 @@ do_post_regen() {
  # Enfore permissions #
  ######################

+  chmod 750 /home/admin
  chmod 750 /home/yunohost.conf
  chmod 750 /home/yunohost.backup
  chmod 750 /home/yunohost.backup/archives
@ -146,6 +147,13 @@ do_post_regen() {

  chown root:root /var/cache/yunohost
  chmod 700 /var/cache/yunohost
+  chown root:root /var/cache/moulinette
+  chmod 700 /var/cache/moulinette
+
+  setfacl -m g:all_users:--- /var/www
+  setfacl -m g:all_users:--- /var/log/nginx
+  setfacl -m g:all_users:--- /etc/yunohost
+  setfacl -m g:all_users:--- /etc/ssowat

  # Misc configuration / state files
  chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
--- a/data/hooks/conf_regen/12-metronome
+++ b/data/hooks/conf_regen/12-metronome
@ -52,11 +52,14 @@ do_post_regen() {
    mkdir -p "/var/lib/metronome/${domain//./%2e}/pep"
    # http_upload directory must be writable by metronome and readable by nginx
    mkdir -p  "/var/xmpp-upload/${domain}/upload"
+    # sgid bit allows that file created in that dir will be owned by www-data
+    # despite the fact that metronome ain't in the www-data group
    chmod g+s "/var/xmpp-upload/${domain}/upload"
-    chown -R metronome:www-data "/var/xmpp-upload/${domain}"
  done

  # fix some permissions
+  [ ! -e '/var/xmpp-upload' ] || chown -R metronome:www-data "/var/xmpp-upload/"
+  [ ! -e '/var/xmpp-upload' ] || chmod 750 "/var/xmpp-upload/"

  # metronome should be in ssl-cert group to let it access SSL certificates
  usermod -aG ssl-cert metronome
--- a/data/hooks/conf_regen/25-dovecot
+++ b/data/hooks/conf_regen/25-dovecot
@ -41,7 +41,10 @@ do_post_regen() {

  # create vmail user
  id vmail > /dev/null 2>&1 \
-    || adduser --system --ingroup mail --uid 500 vmail
+    || adduser --system --ingroup mail --uid 500 vmail --home /var/vmail --no-create-home
+
+  # Delete legacy home for vmail that existed in the past but was empty, poluting /home/
+  [ ! -e /home/vmail ] || rmdir --ignore-fail-on-non-empty /home/vmail

  # fix permissions
  chown -R vmail:mail /etc/dovecot/global_script