From e899e4edd97c296a29b2a8da2c2e3b598622c36e Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Mon, 6 Feb 2023 15:42:53 +0100
Subject: More robust application of access permissions (#5062)

* More robust application of access permissions

We were in particular missing directory traversal `+X` in our current recommendations.

Extracted to own shell script so it can easily be invoked.

Update access permissions in Docker to account to be more robust.

#fix https://github.com/FreshRSS/FreshRSS/discussions/5037

* Minor simplification

* Restrict mkdir permissions

Default mkdir permissions are 0777, which is not good for security, so downgrade to 0770.
---
 Docker/entrypoint.sh | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

(limited to 'Docker')

diff --git a/Docker/entrypoint.sh b/Docker/entrypoint.sh
index 018946397..cbc2443d6 100755
--- a/Docker/entrypoint.sh
+++ b/Docker/entrypoint.sh
@@ -7,8 +7,6 @@ find /etc/php*/ -type f -name php.ini -exec sed -r -i "\\#^;?date.timezone#s#^.*
 find /etc/php*/ -type f -name php.ini -exec sed -r -i "\\#^;?post_max_size#s#^.*#post_max_size = 32M#" {} \;
 find /etc/php*/ -type f -name php.ini -exec sed -r -i "\\#^;?upload_max_filesize#s#^.*#upload_max_filesize = 32M#" {} \;
 
-php -f ./cli/prepare.php >/dev/null
-
 if [ -n "$LISTEN" ]; then
 	find /etc/apache2/ -type f -name FreshRSS.Apache.conf -exec sed -r -i "\\#^Listen#s#^.*#Listen $LISTEN#" {} \;
 fi
@@ -24,6 +22,10 @@ if [ -n "$CRON_MIN" ]; then
 		-r "s#^[^ ]+ #$CRON_MIN #" | crontab -
 fi
 
+./cli/access-permissions.sh
+
+php -f ./cli/prepare.php >/dev/null
+
 if [ -n "$FRESHRSS_INSTALL" ]; then
 	# shellcheck disable=SC2046
 	php -f ./cli/do-install.php -- \
@@ -57,9 +59,6 @@ if [ -n "$FRESHRSS_USER" ]; then
 	fi
 fi
 
-chown -R :www-data .
-chmod -R g+r .
-chmod -R g+w ./data/
-chmod g+x ./extensions/
+./cli/access-permissions.sh
 
 exec "$@"
-- 
cgit v1.2.3
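Review bot: The new `./cli/access-permissions.sh` call in the second hunk (and again in the third hunk, after the user-creation block) is run without checking its exit status, so if it fails — for instance because the file lacks its executable bit, or a bind-mounted volume refuses the chown — the entrypoint silently continues into prepare.php and do-install with whatever permissions the tree already had. The head of the script, where a `set -e` would live, is outside these hunks, so that cannot be confirmed here; either way an explicit `./cli/access-permissions.sh || echo 'Warning: could not apply access permissions' >&2` makes the outcome visible in the container log, and invoking it as `sh ./cli/access-permissions.sh` would remove the dependence on the mode bit. Running the script twice is also undocumented; a comment such as `# First pass so prepare.php/do-install can write to data/; repeated below to cover files they create` on the first call would record the intent for the next maintainer.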