author: Alexandre Alapetite <alexandre@alapetite.fr> 2023-02-06 15:42:53 +0100
committer: GitHub <noreply@github.com> 2023-02-06 15:42:53 +0100
commit: e899e4edd97c296a29b2a8da2c2e3b598622c36e (patch)
tree: 3a1c0f3afe381ffc7e7954fd0e2e8cc43e8a54fe /app/Models/Feed.php
parent: de2077b56388c5196d5c1ddcbbd4a141ea8cf67b (diff)
More robust application of access permissions (#5062)
* More robust application of access permissions
We were in particular missing directory traversal `+X` in our current recommendations.
Extracted to own shell script so it can easily be invoked.
Update access permissions in Docker to account to be more robust.
#fix https://github.com/FreshRSS/FreshRSS/discussions/5037

* Minor simplification

* Restrict mkdir permissions
Default mkdir permissions are 0777, which is not good for security, so downgrade to 0770.
Diffstat (limited to 'app/Models/Feed.php')
-rw-r--r-- app/Models/Feed.php 4
1 files changed, 2 insertions, 2 deletions
diff --git a/app/Models/Feed.php b/app/Models/Feed.php
index 09cacbd61..f7ff76768 100644
--- a/app/Models/Feed.php
+++ b/app/Models/Feed.php
@@ -979,14 +979,14 @@ class FreshRSS_Feed extends Minz_Model {
$key = $hubJson['key']; //To renew our lease
}
} else {
- @mkdir($path, 0777, true);
+ @mkdir($path, 0770, true);
$key = sha1($path . FreshRSS_Context::$system_conf->salt);
$hubJson = array(
'hub' => $this->hubUrl,
'key' => $key,
);
file_put_contents($hubFilename, json_encode($hubJson));
- @mkdir(PSHB_PATH . '/keys/');
+ @mkdir(PSHB_PATH . '/keys/', 0770, true);
file_put_contents(PSHB_PATH . '/keys/' . $key . '.txt', $this->selfUrl);
$text = 'WebSub prepared for ' . $this->url;
Minz_Log::debug($text);
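Review bot: Both `@mkdir(...)` calls in this hunk still suppress errors and discard the return value, so when either directory cannot be created the following `file_put_contents($hubFilename, ...)` and `file_put_contents(PSHB_PATH . '/keys/' . $key . '.txt', ...)` fail with nothing recorded, while `Minz_Log::debug($text)` still reports "WebSub prepared". Consider replacing the suppression with an explicit check such as `if (!is_dir($path) && !mkdir($path, 0770, true))` and logging the failure before continuing, and doing the same for the `/keys/` directory. Two further points on the new mode argument: the effective mode is 0770 masked by the process umask, and it only applies to directories that `mkdir` actually creates, so directories left over from earlier runs with 0777 keep their old mode and need a separate `chmod`. The files written by `file_put_contents` get the default file mode, so their confidentiality depends on the 0770 directory above them rather than on the files themselves.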