authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2023-02-06 15:42:53 +0100
committerGravatar GitHub <noreply@github.com> 2023-02-06 15:42:53 +0100
commite899e4edd97c296a29b2a8da2c2e3b598622c36e (patch)
tree3a1c0f3afe381ffc7e7954fd0e2e8cc43e8a54fe /cli
parentde2077b56388c5196d5c1ddcbbd4a141ea8cf67b (diff)
More robust application of access permissions (#5062)
* More robust application of access permissions: we were in particular missing directory traversal (`+X`) in our current recommendations. Extracted to its own shell script so it can easily be invoked. Updated the access permissions in Docker to be more robust. #fix https://github.com/FreshRSS/FreshRSS/discussions/5037 * Minor simplification * Restrict mkdir permissions: default mkdir permissions are 0777, which is not good for security, so downgrade to 0770.
Diffstat (limited to 'cli')
-rw-r--r--cli/README.md4
-rw-r--r--cli/_cli.php2
-rwxr-xr-xcli/access-permissions.sh19
-rw-r--r--cli/i18n/I18nFile.php2
4 files changed, 22 insertions, 5 deletions
diff --git a/cli/README.md b/cli/README.md
index e290cc267..cb43b7340 100644
--- a/cli/README.md
+++ b/cli/README.md
@@ -18,9 +18,7 @@ In any case, when you are done with a series of commands, you should re-apply th
```sh
cd /usr/share/FreshRSS
-sudo chown -R :www-data .
-sudo chmod -R g+r .
-sudo chmod -R g+w ./data/
+sudo cli/access-permissions.sh
```
diff --git a/cli/_cli.php b/cli/_cli.php
index 10a92385a..0d2c8695f 100644
--- a/cli/_cli.php
+++ b/cli/_cli.php
@@ -44,7 +44,7 @@ function cliInitUser($username) {
function accessRights() {
echo 'â„šī¸ Remember to re-apply the appropriate access rights, such as:',
- "\t", 'sudo chown -R :www-data . && sudo chmod -R g+r . && sudo chmod -R g+w ./data/', "\n";
+ "\t", 'sudo cli/access-permissions.sh', "\n";
}
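Review bot: The new hint line only works when the caller's working directory is the FreshRSS root, since `cli/access-permissions.sh` is a relative path and the script added in this commit refuses to run anywhere else; consider stating that in the message, e.g. `"\t", 'sudo cli/access-permissions.sh', ' (run from the FreshRSS root directory)', "\n";`. While touching this function, `function accessRights(): void {` would make explicit that it only echoes and returns nothing.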
function done($ok = true) {
diff --git a/cli/access-permissions.sh b/cli/access-permissions.sh
new file mode 100755
index 000000000..c13130a4b
--- /dev/null
+++ b/cli/access-permissions.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+# Apply access permissions
+
+if [ ! -f './constants.php' ] || [ ! -d './cli/' ]; then
+ echo >&2 '⛔ It does not look like a FreshRSS directory; exiting!'
+ exit 2
+fi
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo >&2 '⛔ Applying access permissions require running as root or sudo!'
+ exit 3
+fi
+
+# Based on group access
+chown -R :www-data .
+# Read files, and directory traversal
+chmod -R g+rX .
+# Write access
+chmod -R g+w ./data/
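Review bot: The script reports success even when `chown -R :www-data .` or the first `chmod` fails, because nothing stops on error and the exit status is that of the last `chmod` alone; add `set -e` directly after the shebang (or chain the three commands with `&&`) so a partially applied permission set is not silently reported as done. The group `www-data` is hard-coded, so on a system or image whose web-server group has another name the chown fails and, without `set -e`, the `chmod` lines still run on the unchanged ownership; parameterising it through a shell variable that defaults to `www-data` would keep the current behaviour while allowing an override. The directory and root checks above already cover the relative-path assumption, so the `.` and `./data/` targets are safe as written.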
diff --git a/cli/i18n/I18nFile.php b/cli/i18n/I18nFile.php
index fca31d662..12a04c6a2 100644
--- a/cli/i18n/I18nFile.php
+++ b/cli/i18n/I18nFile.php
@@ -27,7 +27,7 @@ class I18nFile {
foreach ($i18n as $language => $file) {
$dir = I18N_PATH . DIRECTORY_SEPARATOR . $language;
if (!file_exists($dir)) {
- mkdir($dir);
+ mkdir($dir, 0770, true);
}
foreach ($file as $name => $content) {
$filename = $dir . DIRECTORY_SEPARATOR . $name;
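Review bot: The return value of the new `mkdir($dir, 0770, true)` call is still ignored, so a failure (insufficient permissions, or the directory appearing between the `file_exists` check and the call) only emits a warning and the inner loop goes on to write files into a directory that may not exist; the usual guard is `if (!file_exists($dir) && !mkdir($dir, 0770, true) && !is_dir($dir)) { throw new \RuntimeException("Cannot create directory {$dir}"); }`. Note also that 0770 is an upper bound masked by the process umask, so the effective mode may be narrower than intended. The enclosing method starts before and ends after this hunk.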