From a72232e5c84d154820fced1644b591f53b63a5ce Mon Sep 17 00:00:00 2001
From: Miraty
Date: Sat, 31 Oct 2020 22:01:13 +0100
Subject: [PATCH] Fix permissions
---
scripts/backup | 4 ++--
scripts/install | 11 ++++++++---
scripts/remove | 4 +++-
scripts/restore | 20 +++++++++++++++-----
scripts/upgrade | 29 +++++++++++++++++------------
5 files changed, 45 insertions(+), 23 deletions(-)
diff --git a/scripts/backup b/scripts/backup
index 18a3c31..6bcde3e 100755
--- a/scripts/backup
+++ b/scripts/backup
@@ -53,10 +53,10 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 #=================================================
 ynh_script_progression --message="Backing up php-fpm configuration..."
-ynh_backup --src_path="/etc/php/7.0/fpm/pool.d/$app.conf"
+ynh_backup --src_path="/etc/php/7.3/fpm/pool.d/$app.conf"
 #=================================================
 # END OF SCRIPT
 #=================================================
-ynh_script_progression --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." --time --last
+ynh_script_progression --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." --last
diff --git a/scripts/install b/scripts/install
index 6b20f72..b5800e5 100755
--- a/scripts/install
+++ b/scripts/install
@@ -134,9 +134,14 @@ ynh_add_fpm_config
 ### that really need such authorization.
 # Set permissions to app files
-chown -R root:$app $final_path
-chmod -R 750 $final_path
-chmod -R 770 $final_path/temp
+chown -R root: $final_path
+find $final_path -type f | xargs chmod 644
+find $final_path -type d | xargs chmod 755
+
+# For temp subdir, the user must have write permissions
+mkdir -p $final_path/temp
+chown -R $app:root $final_path/temp
+chmod 711 $final_path/temp
 #=================================================
 # SETUP SSOWAT
diff --git a/scripts/remove b/scripts/remove
index 623bb1d..ee40376 100755
--- a/scripts/remove
+++ b/scripts/remove
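Review bot: `find $final_path -type f | xargs chmod 644` in the install hunk makes every file in the tree readable by any local account, including `config.inc.php` (the file scripts/upgrade checksums with `ynh_store_file_checksum`), whereas the removed `chown -R root:$app` / `chmod -R 750` limited it to root and the app group; if that file holds credentials, tighten it after the blanket modes with `chown root:$app "$final_path/config.inc.php"` and `chmod 640 "$final_path/config.inc.php"`, assuming the php-fpm pool runs as `$app`. The `find | xargs` pairing is also fragile: `$final_path` is unquoted and `xargs` splits on whitespace and quotes, so a path containing either gets the wrong mode or aborts the script, which `find "$final_path" -type f -exec chmod 644 {} +` and `find "$final_path" -type d -exec chmod 755 {} +` avoid. `chmod 711 $final_path/temp` is not recursive although the `chown -R` next to it is, so files already under temp keep whatever mode they had — harmless on a fresh install, less so where the block is reused. The same block appears in the restore hunk on the next line and in the SECURE FILES AND DIRECTORIES hunk of scripts/upgrade, so the fixes apply there too.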
@@ -47,6 +47,8 @@ ynh_script_progression --message="Removing php-fpm configuration..."
 # Remove the dedicated php-fpm config
 ynh_remove_fpm_config
+ynh_systemd_action --action=restart --service_name=php7.3-fpm
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
@@ -61,4 +63,4 @@ ynh_system_user_delete --username=$app
 # END OF SCRIPT
 #=================================================
-ynh_script_progression --message="Removal of $app completed" --time --last
+ynh_script_progression --message="Removal of $app completed" --last
diff --git a/scripts/restore b/scripts/restore
index 0dd3e39..c440d16 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -69,15 +69,25 @@ ynh_system_user_create --username=$app
 # RESTORE USER RIGHTS
 #=================================================
+### For security reason, any app should set the permissions to root: before anything else.
+### Then, if write authorization is needed, any access should be given only to directories
+### that really need such authorization.
+
 # Set permissions to app files
-chown -R root:$app $final_path
-chmod -R g+w $final_path
+chown -R root: $final_path
+find $final_path -type f | xargs chmod 644
+find $final_path -type d | xargs chmod 755
+
+# For temp subdir, the user must have write permissions
+mkdir -p $final_path/temp
+chown -R $app:root $final_path/temp
+chmod 711 $final_path/temp
 #=================================================
 # RESTORE THE PHP-FPM CONFIGURATION
 #=================================================
-ynh_restore_file --origin_path="/etc/php/7.0/fpm/pool.d/$app.conf"
+ynh_restore_file --origin_path="/etc/php/7.3/fpm/pool.d/$app.conf"
 #=================================================
 # GENERIC FINALIZATION
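Review bot: `ynh_systemd_action --action=restart --service_name=php7.3-fpm` restarts the php-fpm master shared by every PHP app on the host, dropping their in-flight requests, while the restore hunk on the next line uses `--action=reload` for the same service; a graceful reload re-reads the pool directory and is normally enough after `ynh_remove_fpm_config`, so `ynh_systemd_action --action=reload --service_name=php7.3-fpm` would be both consistent and less disruptive. The PHP version is hard-coded here and in the backup and restore hunks, so the next bump has to be repeated in each script; a single variable defined in the shared helper file would keep them in step.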
@@ -86,11 +96,11 @@ ynh_restore_file --origin_path="/etc/php/7.0/fpm/pool.d/$app.conf"
 #=================================================
 ynh_script_progression --message="Reloading nginx web server and php-fpm..."
-ynh_systemd_action --service_name=php7.0-fpm --action=reload
+ynh_systemd_action --service_name=php7.3-fpm --action=reload
 ynh_systemd_action --service_name=nginx --action=reload
 #=================================================
 # END OF SCRIPT
 #=================================================
-ynh_script_progression --message="Restoration completed for $app" --time --last
+ynh_script_progression --message="Restoration completed for $app" --last
diff --git a/scripts/upgrade b/scripts/upgrade
index e323220..4862fcc 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -79,16 +79,12 @@ if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
 ynh_script_progression --message="Upgrading source files..."
+ # Remove old version
+ ynh_secure_remove --file="$final_path"
+
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$final_path"
- # Remove unused directories or files from older release
- ynh_secure_remove --file="$final_path/aide.svg"
- ynh_secure_remove --file="$final_path/favicons"
- ynh_secure_remove --file="$final_path/parinux.png"
- ynh_secure_remove --file="$final_path/phpqrcode"
- ynh_secure_remove --file="$final_path/ubuntu-dl.ttf"
- ynh_secure_remove --file="$final_path/style.min.css"
 fi
 #=================================================
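Review bot: `ynh_secure_remove --file="$final_path"` now runs before `ynh_setup_source`, so if the download or its integrity check fails the app is left with an empty `$final_path` instead of the previous version; unless the backup taken earlier in scripts/upgrade (outside this hunk) is relied on for rollback, fetching into a temporary directory and swapping it into place afterwards keeps the old tree until the new one is verified. The removal also wipes `$final_path/temp` and `config.inc.php` (referenced by `ynh_store_file_checksum` in the next hunk's header); the later permission hunk only recreates temp empty, so whatever is expected to survive there across upgrades — and how the config is regenerated — should be confirmed and stated in the `# Remove old version` comment. The enclosing `if [ "$upgrade_type" == "UPGRADE_APP" ]` opens in the hunk header context, before the hunk itself.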
@@ -138,9 +134,19 @@ ynh_store_file_checksum --file="$final_path/config.inc.php"
 # SECURE FILES AND DIRECTORIES
 #=================================================
+### For security reason, any app should set the permissions to root: before anything else.
+### Then, if write authorization is needed, any access should be given only to directories
+### that really need such authorization.
+
 # Set permissions to app files
-chown -R root:$app $final_path
-chmod -R g+w $final_path
+chown -R root: $final_path
+find $final_path -type f | xargs chmod 644
+find $final_path -type d | xargs chmod 755
+
+# For temp subdir, the user must have write permissions
+mkdir -p $final_path/temp
+chown -R $app:root $final_path/temp
+chmod 711 $final_path/temp
 #=================================================
 # SETUP SSOWAT
@@ -150,8 +156,7 @@ ynh_script_progression --message="Upgrading SSOwat configuration..."
 # Make app public if necessary
 if [ $is_public -eq 1 ]
 then
- # unprotected_uris allows SSO credentials to be passed anyway
- ynh_app_setting_set --app=$app --key=unprotected_uris --value="/"
+ ynh_permission_update --permission "main" --add visitors
 fi
 #=================================================
@@ -165,4 +170,4 @@ ynh_systemd_action --service_name=nginx --action=reload
 # END OF SCRIPT
 #=================================================
-ynh_script_progression --message="Upgrade of $app completed" --time --last
+ynh_script_progression --message="Upgrade of $app completed" --last
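Review bot: `ynh_permission_update --permission "main" --add visitors` replaces the `unprotected_uris` setting, but the legacy key is not cleared on upgraded installs, so unless the YunoHost core migrates it they end up carrying both mechanisms; `ynh_app_setting_delete --app=$app --key=unprotected_uris` next to the new call would make the switch explicit. The branch also only ever adds `visitors` — nothing revokes the grant when `$is_public` is 0 — which may be intended now that access is managed through permissions, but deserves a comment such as `# Grant visitors when public; revocation is handled through the permissions system` in place of the removed one. The `[ $is_public -eq 1 ]` test is pre-existing context, yet an empty `$is_public` turns it into a `[` syntax error before the new line runs; `${is_public:-0}` would keep the branch safe.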