From e899e4edd97c296a29b2a8da2c2e3b598622c36e Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Mon, 6 Feb 2023 15:42:53 +0100
Subject: More robust application of access permissions (#5062)

* More robust application of access permissions
We were in particular missing directory traversal `+X` in our current recommendations.
Extracted to own shell script so it can easily be invoked.
Update access permissions in Docker to account to be more robust.
#fix https://github.com/FreshRSS/FreshRSS/discussions/5037

* Minor simplification

* Restrict mkdir permissions
Default mkdir permissions are 0777, which is not good for security, so downgrade to 0770.
---
 cli/README.md             |  4 +---
 cli/_cli.php              |  2 +-
 cli/access-permissions.sh | 19 +++++++++++++++++++
 cli/i18n/I18nFile.php     |  2 +-
 4 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100755 cli/access-permissions.sh

(limited to 'cli')

diff --git a/cli/README.md b/cli/README.md
index e290cc267..cb43b7340 100644
--- a/cli/README.md
+++ b/cli/README.md
@@ -18,9 +18,7 @@ In any case, when you are done with a series of commands, you should re-apply th
 
 ```sh
 cd /usr/share/FreshRSS
-sudo chown -R :www-data .
-sudo chmod -R g+r .
-sudo chmod -R g+w ./data/
+sudo cli/access-permissions.sh
 ```
 
 
diff --git a/cli/_cli.php b/cli/_cli.php
index 10a92385a..0d2c8695f 100644
--- a/cli/_cli.php
+++ b/cli/_cli.php
@@ -44,7 +44,7 @@ function cliInitUser($username) {
 
 function accessRights() {
 	echo 'ℹ️ Remember to re-apply the appropriate access rights, such as:',
-		"\t", 'sudo chown -R :www-data . && sudo chmod -R g+r . && sudo chmod -R g+w ./data/', "\n";
+		"\t", 'sudo cli/access-permissions.sh', "\n";
 }
 
 function done($ok = true) {
diff --git a/cli/access-permissions.sh b/cli/access-permissions.sh
new file mode 100755
index 000000000..c13130a4b
--- /dev/null
+++ b/cli/access-permissions.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+# Apply access permissions
+
+if [ ! -f './constants.php' ] || [ ! -d './cli/' ]; then
+	echo >&2 '⛔ It does not look like a FreshRSS directory; exiting!'
+	exit 2
+fi
+
+if [ "$(id -u)" -ne 0 ]; then
+	echo >&2 '⛔ Applying access permissions require running as root or sudo!'
+	exit 3
+fi
+
+# Based on group access
+chown -R :www-data .
+# Read files, and directory traversal
+chmod -R g+rX .
+# Write access
+chmod -R g+w ./data/
diff --git a/cli/i18n/I18nFile.php b/cli/i18n/I18nFile.php
index fca31d662..12a04c6a2 100644
--- a/cli/i18n/I18nFile.php
+++ b/cli/i18n/I18nFile.php
@@ -27,7 +27,7 @@ class I18nFile {
 		foreach ($i18n as $language => $file) {
 			$dir = I18N_PATH . DIRECTORY_SEPARATOR . $language;
 			if (!file_exists($dir)) {
-				mkdir($dir);
+				mkdir($dir, 0770, true);
 			}
 			foreach ($file as $name => $content) {
 				$filename = $dir . DIRECTORY_SEPARATOR . $name;
-- 
cgit v1.2.3