| author | 2023-02-06 15:42:53 +0100 | |
|---|---|---|
| committer | 2023-02-06 15:42:53 +0100 | |
| commit | e899e4edd97c296a29b2a8da2c2e3b598622c36e (patch) | |
| tree | 3a1c0f3afe381ffc7e7954fd0e2e8cc43e8a54fe /cli/access-permissions.sh | |
| parent | de2077b56388c5196d5c1ddcbbd4a141ea8cf67b (diff) | |
More robust application of access permissions (#5062)
* More robust application of access permissions
We were in particular missing directory traversal `+X` in our current recommendations.
Extracted to own shell script so it can easily be invoked.
Update access permissions in Docker to account to be more robust.
#fix https://github.com/FreshRSS/FreshRSS/discussions/5037
* Minor simplification
* Restrict mkdir permissions
Default mkdir permissions are 0777, which is not good for security, so downgrade to 0770.
Diffstat (limited to 'cli/access-permissions.sh')
| -rwxr-xr-x | cli/access-permissions.sh | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/cli/access-permissions.sh b/cli/access-permissions.sh new file mode 100755 index 000000000..c13130a4b --- /dev/null +++ b/cli/access-permissions.sh @@ -0,0 +1,19 @@ +#!/bin/sh +# Apply access permissions + +if [ ! -f './constants.php' ] || [ ! -d './cli/' ]; then + echo >&2 '⛔ It does not look like a FreshRSS directory; exiting!' + exit 2 +fi + +if [ "$(id -u)" -ne 0 ]; then + echo >&2 '⛔ Applying access permissions require running as root or sudo!' + exit 3 +fi + +# Based on group access +chown -R :www-data . +# Read files, and directory traversal +chmod -R g+rX . +# Write access +chmod -R g+w ./data/ |
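Review bot: `chown -R :www-data .` hard-codes the web server group, so the script fails or grants access to the wrong group on systems where the server runs under a different one. Consider taking the group from an argument or environment variable with `www-data` as the default. The script also has no `set -e` and no `|| exit` after `chown`, so if that step fails, the two `chmod -R g+...` calls still run and widen group access for whatever group currently owns the files. Lastly, the `./constants.php` and `./cli/` guard depends on the caller's working directory even though the script itself lives in `cli/`. A short usage comment in the header saying it must be run from the FreshRSS root, or a `cd` relative to the script's location before the check, would make it harder to invoke wrongly.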
