Fix permissions

scripts/backup

@@ -53,10 +53,10 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 #=================================================
 ynh_script_progression --message="Backing up php-fpm configuration..."
 
-ynh_backup --src_path="/etc/php/7.0/fpm/pool.d/$app.conf"
+ynh_backup --src_path="/etc/php/7.3/fpm/pool.d/$app.conf"
 
 #=================================================
 # END OF SCRIPT
 #=================================================
 
-ynh_script_progression --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." --time --last
+ynh_script_progression --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." --last

scripts/install

@@ -134,9 +134,14 @@ ynh_add_fpm_config
 ### that really need such authorization.
 
 # Set permissions to app files
-chown -R root:$app $final_path
-chmod -R 750 $final_path
-chmod -R 770 $final_path/temp
+chown -R root: $final_path
+find $final_path -type f | xargs chmod 644
+find $final_path -type d | xargs chmod 755
+
+# For temp subdir, the user must have write permissions
+mkdir -p $final_path/temp
+chown -R $app:root $final_path/temp
+chmod 711 $final_path/temp
 
 #=================================================
 # SETUP SSOWAT

scripts/remove

@@ -47,6 +47,8 @@ ynh_script_progression --message="Removing php-fpm configuration..."
 # Remove the dedicated php-fpm config
 ynh_remove_fpm_config
 
+ynh_systemd_action --action=restart --service_name=php7.3-fpm
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
@@ -61,4 +63,4 @@ ynh_system_user_delete --username=$app
 # END OF SCRIPT
 #=================================================
 
-ynh_script_progression --message="Removal of $app completed" --time --last
+ynh_script_progression --message="Removal of $app completed" --last

scripts/restore

@@ -69,15 +69,25 @@ ynh_system_user_create --username=$app
 # RESTORE USER RIGHTS
 #=================================================
 
+### For security reason, any app should set the permissions to root: before anything else.
+### Then, if write authorization is needed, any access should be given only to directories
+### that really need such authorization.
+
 # Set permissions to app files
-chown -R root:$app $final_path
-chmod -R g+w $final_path
+chown -R root: $final_path
+find $final_path -type f | xargs chmod 644
+find $final_path -type d | xargs chmod 755
+
+# For temp subdir, the user must have write permissions
+mkdir -p $final_path/temp
+chown -R $app:root $final_path/temp
+chmod 711 $final_path/temp
 
 #=================================================
 # RESTORE THE PHP-FPM CONFIGURATION
 #=================================================
 
-ynh_restore_file --origin_path="/etc/php/7.0/fpm/pool.d/$app.conf"
+ynh_restore_file --origin_path="/etc/php/7.3/fpm/pool.d/$app.conf"
 
 #=================================================
 # GENERIC FINALIZATION
@@ -86,11 +96,11 @@ ynh_restore_file --origin_path="/etc/php/7.0/fpm/pool.d/$app.conf"
 #=================================================
 ynh_script_progression --message="Reloading nginx web server and php-fpm..."
 
-ynh_systemd_action --service_name=php7.0-fpm --action=reload
+ynh_systemd_action --service_name=php7.3-fpm --action=reload
 ynh_systemd_action --service_name=nginx --action=reload
 
 #=================================================
 # END OF SCRIPT
 #=================================================
 
-ynh_script_progression --message="Restoration completed for $app" --time --last
+ynh_script_progression --message="Restoration completed for $app" --last

scripts/upgrade

@@ -79,16 +79,12 @@ if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
 	ynh_script_progression --message="Upgrading source files..."
 
+	# Remove old version
+	ynh_secure_remove --file="$final_path"
+
 	# Download, check integrity, uncompress and patch the source from app.src
 	ynh_setup_source --dest_dir="$final_path"
 
-	# Remove unused directories or files from older release
-	ynh_secure_remove --file="$final_path/aide.svg"
-	ynh_secure_remove --file="$final_path/favicons"
-	ynh_secure_remove --file="$final_path/parinux.png"
-	ynh_secure_remove --file="$final_path/phpqrcode"
-	ynh_secure_remove --file="$final_path/ubuntu-dl.ttf"
-	ynh_secure_remove --file="$final_path/style.min.css"
 fi
 
 #=================================================
@@ -138,9 +134,19 @@ ynh_store_file_checksum --file="$final_path/config.inc.php"
 # SECURE FILES AND DIRECTORIES
 #=================================================
 
+### For security reason, any app should set the permissions to root: before anything else.
+### Then, if write authorization is needed, any access should be given only to directories
+### that really need such authorization.
+
 # Set permissions to app files
-chown -R root:$app $final_path
-chmod -R g+w $final_path
+chown -R root: $final_path
+find $final_path -type f | xargs chmod 644
+find $final_path -type d | xargs chmod 755
+
+# For temp subdir, the user must have write permissions
+mkdir -p $final_path/temp
+chown -R $app:root $final_path/temp
+chmod 711 $final_path/temp
 
 #=================================================
 # SETUP SSOWAT
@@ -150,8 +156,7 @@ ynh_script_progression --message="Upgrading SSOwat configuration..."
 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then
-	# unprotected_uris allows SSO credentials to be passed anyway
-	ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
+	ynh_permission_update --permission "main" --add visitors
 fi
 
 #=================================================
@@ -165,4 +170,4 @@ ynh_systemd_action --service_name=nginx --action=reload
 # END OF SCRIPT
 #=================================================
 
-ynh_script_progression --message="Upgrade of $app completed" --time --last
+ynh_script_progression --message="Upgrade of $app completed" --last