security: Enforce permissions on /home/ so that they can't sneak in each other home

2024-09-03 20:06:10 +02:00 · 2021-04-10 01:04:59 +02:00 · 2021-04-10 01:04:59 +02:00 · fc26837aa7
commit fc26837aa7
parent aefc100ab4
2 changed files with 10 additions and 0 deletions
--- a/data/hooks/conf_regen/01-yunohost
+++ b/data/hooks/conf_regen/01-yunohost
@ -155,6 +155,11 @@ do_post_regen() {
  setfacl -m g:all_users:--- /etc/yunohost
  setfacl -m g:all_users:--- /etc/ssowat

+  for USER in $(yunohost user list --quiet --output-as json | jq -r '.users | .[] | .username')
+  do
+    [ ! -e "/home/$USER" ] || setfacl -m g:all_users:--- /home/$USER
+  done
+
  # Misc configuration / state files
  chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
  chmod 600 $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
--- a/src/yunohost/user.py
+++ b/src/yunohost/user.py
@ -229,6 +229,11 @@ def user_create(
        if not os.path.isdir("/home/{0}".format(username)):
            logger.warning(m18n.n("user_home_creation_failed"), exc_info=1)

+    try:
+        subprocess.check_call(["setfacl", "-m", "g:all_users:---", "/home/%s" % username])
+    except subprocess.CalledProcessError:
+        logger.warning("Failed to protect /home/%s" % username, exc_info=1)
+
    # Create group for user and add to group 'all_users'
    user_group_create(groupname=username, gid=uid, primary_group=True, sync_perm=False)
    user_group_update(groupname="all_users", add=username, force=True, sync_perm=True)