From daf51e94bdb3c77787e1169549d4ef6ec8da1af6 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Fri, 26 May 2023 21:06:01 +0200
Subject: [PATCH] regeconf: fix security issue where apps' system conf would be owned by the app, which can enable priviledge escalation
---
 helpers/utils | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/helpers/utils b/helpers/utils
index 489c5c261..52d7c734f 100644
--- a/helpers/utils
+++ b/helpers/utils
@@ -1071,8 +1071,10 @@ _ynh_apply_default_permissions() {
 fi
 fi
 
- # Crons should be owned by root otherwise they probably don't run
- if echo "$target" | grep -q '^/etc/cron'
+ # Crons should be owned by root
+ # Also we don't want systemd conf, nginx conf or others stuff to be owned by the app,
+ otherwise they could self-edit their own systemd conf and escalate privilege
+ if echo "$target" | grep -q '^/etc/cron\|/etc/php\|/etc/nginx/conf.d\|/etc/fail2ban\|/etc/systemd/system'
 then
 chmod 400 $target
 chown root:root $target
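Review bot: Only the first alternative in the new grep pattern is anchored, so `/etc/php`, `/etc/nginx/conf.d`, `/etc/fail2ban` and `/etc/systemd/system` match anywhere in `$target` (an app data path containing `/etc/php/` would be forced to root:root 400 too); anchoring the whole group fixes it: `if echo "$target" | grep -q '^/etc/\(cron\|php\|nginx/conf.d\|fail2ban\|systemd/system\)'`. Since the goal is that an app must never own a file that root later loads or executes, a deny-by-default rule (everything under `/etc/` is root-owned unless explicitly allowlisted) would be more robust than extending this list each time a new location turns up, though the rest of `_ynh_apply_default_permissions` is outside the hunk so I cannot see whether another branch already covers such paths. The third added comment line, `+ otherwise they could self-edit their own systemd conf and escalate privilege`, appears here without a leading `#`; if that is not an extraction artifact it is a bare command and the helper will fail at runtime, so please confirm it reads `# otherwise ...` in the file. The enclosing function starts and ends outside this hunk.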