YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

security: Enforce permissions on /home/ so that they can't sneak in each other home

Browse source
This commit is contained in:
Alexandre Aubin 2021-04-10 01:04:59 +02:00
parent aefc100ab4
commit fc26837aa7
2 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
data/hooks/conf_regen/01-yunohost
View file

@ -155,6 +155,11 @@ do_post_regen() {
setfacl -m g:all_users:--- /etc/yunohost setfacl -m g:all_users:--- /etc/yunohost
setfacl -m g:all_users:--- /etc/ssowat setfacl -m g:all_users:--- /etc/ssowat
for USER in $(yunohost user list --quiet --output-as json | jq -r '.users | .[] | .username')
do
[ ! -e "/home/$USER" ] || setfacl -m g:all_users:--- /home/$USER
done
# Misc configuration / state files # Misc configuration / state files
chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null) chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
chmod 600 $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null) chmod 600 $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)

5
src/yunohost/user.py
View file

@ -229,6 +229,11 @@ def user_create(
if not os.path.isdir("/home/{0}".format(username)): if not os.path.isdir("/home/{0}".format(username)):
logger.warning(m18n.n("user_home_creation_failed"), exc_info=1) logger.warning(m18n.n("user_home_creation_failed"), exc_info=1)
try:
subprocess.check_call(["setfacl", "-m", "g:all_users:---", "/home/%s" % username])
except subprocess.CalledProcessError:
logger.warning("Failed to protect /home/%s" % username, exc_info=1)
# Create group for user and add to group 'all_users' # Create group for user and add to group 'all_users'
user_group_create(groupname=username, gid=uid, primary_group=True, sync_perm=False) user_group_create(groupname=username, gid=uid, primary_group=True, sync_perm=False)
user_group_update(groupname="all_users", add=username, force=True, sync_perm=True) user_group_update(groupname="all_users", add=username, force=True, sync_perm=True)