From aefc100ab4142a6d2e3deefa6393a2187a2a63f9 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Fri, 9 Apr 2021 22:49:02 +0200
Subject: [PATCH] security: Enforce some permission for regular yunohost users

---
 data/hooks/conf_regen/01-yunohost | 8 ++++++++
 data/hooks/conf_regen/12-metronome | 5 ++++-
 data/hooks/conf_regen/25-dovecot | 5 ++++-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/data/hooks/conf_regen/01-yunohost b/data/hooks/conf_regen/01-yunohost
index 30828c462..0a92a6a32 100755
--- a/data/hooks/conf_regen/01-yunohost
+++ b/data/hooks/conf_regen/01-yunohost
@@ -130,6 +130,7 @@ do_post_regen() {
   # Enfore permissions #
   ######################
 
+  chmod 750 /home/admin
   chmod 750 /home/yunohost.conf
   chmod 750 /home/yunohost.backup
   chmod 750 /home/yunohost.backup/archives
@@ -146,6 +147,13 @@ do_post_regen() {
   chown root:root /var/cache/yunohost
   chmod 700 /var/cache/yunohost
 
+  chown root:root /var/cache/moulinette
+  chmod 700 /var/cache/moulinette
+
+  setfacl -m g:all_users:--- /var/www
+  setfacl -m g:all_users:--- /var/log/nginx
+  setfacl -m g:all_users:--- /etc/yunohost
+  setfacl -m g:all_users:--- /etc/ssowat
 
   # Misc configuration / state files
   chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
diff --git a/data/hooks/conf_regen/12-metronome b/data/hooks/conf_regen/12-metronome
index 31d11555a..ca5d5dc82 100755
--- a/data/hooks/conf_regen/12-metronome
+++ b/data/hooks/conf_regen/12-metronome
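Review bot: `chmod 750 /home/admin` only strips the "other" bits; whether members of the all_users group are actually kept out depends on which group owns /home/admin, and this hunk leaves ownership untouched, unlike the cache directories further down that get a `chown root:root` right before their `chmod`. If the directory's group is a broad one, mode 750 still grants that group read and traversal, so pairing the line with an explicit chown to the intended user and group (e.g. `chown admin:<INTENDED_GROUP> /home/admin`, group to be confirmed) would make the restriction hold regardless of how the home was created. The line also assumes /home/admin exists; if this hook can run before the admin home is created, the unguarded call fails just like the neighbouring chmod lines would. do_post_regen continues outside the hunk.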
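Review bot: The four `setfacl -m g:all_users:---` lines and the `chown root:root /var/cache/moulinette` above them are unconditional, so the hook errors out if a target path is missing or the `all_users` group cannot be resolved; /var/log/nginx and /etc/ssowat belong to services with their own later hooks and may not exist yet on a fresh install, and if `all_users` is a directory-backed group rather than a local one, a regen while that directory is unreachable would fail here. The metronome hunk in this same commit already uses the `[ ! -e PATH ] ||` guard shape; the same fits here, e.g. `[ ! -e /var/log/nginx ] || setfacl -m g:all_users:--- /var/log/nginx`. Worth a comment next to the ACL block as well: a named-group `---` entry does not override the owning-group entry, so a user who is in all_users but also in whatever group owns one of these directories still gets access through that entry, which is presumably acceptable but should be stated. do_post_regen continues outside the hunk.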
@@ -52,11 +52,14 @@ do_post_regen() {
     mkdir -p "/var/lib/metronome/${domain//./%2e}/pep"
     # http_upload directory must be writable by metronome and readable by nginx
     mkdir -p "/var/xmpp-upload/${domain}/upload"
+    # sgid bit allows that file created in that dir will be owned by www-data
+    # despite the fact that metronome ain't in the www-data group
     chmod g+s "/var/xmpp-upload/${domain}/upload"
-    chown -R metronome:www-data "/var/xmpp-upload/${domain}"
   done
 
   # fix some permissions
+  [ ! -e '/var/xmpp-upload' ] || chown -R metronome:www-data "/var/xmpp-upload/"
+  [ ! -e '/var/xmpp-upload' ] || chmod 750 "/var/xmpp-upload/"
 
   # metronome should be in ssl-cert group to let it access SSL certificates
   usermod -aG ssl-cert metronome
diff --git a/data/hooks/conf_regen/25-dovecot b/data/hooks/conf_regen/25-dovecot
index 46c9bdf3e..ce2722bf4 100755
--- a/data/hooks/conf_regen/25-dovecot
+++ b/data/hooks/conf_regen/25-dovecot
@@ -41,7 +41,10 @@ do_post_regen() {
   # create vmail user
   id vmail > /dev/null 2>&1 \
-    || adduser --system --ingroup mail --uid 500 vmail
+    || adduser --system --ingroup mail --uid 500 vmail --home /var/vmail --no-create-home
+
+  # Delete legacy home for vmail that existed in the past but was empty, poluting /home/
+  [ ! -e /home/vmail ] || rmdir --ignore-fail-on-non-empty /home/vmail
 
   # fix permissions
   chown -R vmail:mail /etc/dovecot/global_script
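Review bot: The new comment above `chmod g+s` describes the sgid bit inaccurately: on a directory it makes new entries inherit the directory's group, it says nothing about the owner, and it only has the intended effect once the directory's group really is www-data, which in this hunk is done by the `chown -R` that now runs after the loop rather than inside it. Suggest `# sgid on the upload dir makes files created in it inherit the www-data group (set by the chown -R below), even though metronome is not a member of www-data`. The `chmod 750 "/var/xmpp-upload/"` likewise relies on that chown having set the group to www-data so nginx keeps traversal; if the chown fails or the two lines are ever reordered, nginx loses access to every upload, so the dependency between them deserves a one-line comment. do_post_regen starts before this hunk.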