blob: 10b71f185f0468fda21d869867e5455e4cae3f42 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
|
From caead923a7d539622ba7aa508918e6e5f1e07983 Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
Date: Tue, 16 Feb 2016 22:30:45 +0200
Subject: [PATCH] security hardening: make static files non-writable by webuser
---
Makefile.am | 2 +-
src/Makefile.am | 2 +-
web/Makefile.am | 4 +---
3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 62f767e..b7e69e6 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -27,7 +27,7 @@ EXTRA_DIST = \
# Yes, you are correct. This is a HACK!
install-data-hook:
- ( cd $(DESTDIR)$(zmconfigdir); chown $(webuser):$(webgroup) $(zmconfig_DATA); chmod 600 $(zmconfig_DATA) )
+ ( cd $(DESTDIR)$(zmconfigdir); chgrp $(webgroup) $(zmconfig_DATA); chmod 640 $(zmconfig_DATA) )
( if ! test -e $(DESTDIR)$(ZM_RUNDIR); then mkdir -p $(DESTDIR)$(ZM_RUNDIR); fi; if test "$(DESTDIR)$(ZM_RUNDIR)" != "/var/run"; then chown $(webuser):$(webgroup) $(DESTDIR)$(ZM_RUNDIR); chmod u+w $(DESTDIR)$(ZM_RUNDIR); fi )
( if ! test -e $(DESTDIR)$(ZM_SOCKDIR); then mkdir -p $(DESTDIR)$(ZM_SOCKDIR); fi; if test "$(DESTDIR)$(ZM_SOCKDIR)" != "/var/run"; then chown $(webuser):$(webgroup) $(DESTDIR)$(ZM_SOCKDIR); chmod u+w $(DESTDIR)$(ZM_SOCKDIR); fi )
( if ! test -e $(DESTDIR)$(ZM_TMPDIR); then mkdir -m 700 -p $(DESTDIR)$(ZM_TMPDIR); fi; if test "$(DESTDIR)$(ZM_TMPDIR)" != "/tmp" && test "$(DESTDIR)$(ZM_TMPDIR)" != "/var/tmp"; then chown $(webuser):$(webgroup) $(DESTDIR)$(ZM_TMPDIR); chmod u+w $(DESTDIR)$(ZM_TMPDIR); fi )
diff --git a/src/Makefile.am b/src/Makefile.am
index 9314daa..26c9934 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -128,7 +128,7 @@ dist-hook:
# Yes, you are correct. This is a HACK!
install-exec-hook:
( cd $(DESTDIR)@bindir@; mkdir -p $(DESTDIR)$(cgidir); mv zms $(DESTDIR)$(cgidir) )
- ( cd $(DESTDIR)$(cgidir); chown $(webuser):$(webgroup) zms; ln -f zms nph-zms )
+ ( cd $(DESTDIR)$(cgidir); ln -f zms nph-zms )
uninstall-hook:
( cd $(DESTDIR)$(cgidir); rm -f zms nph-zms )
diff --git a/web/Makefile.am b/web/Makefile.am
index 077a4ff..3538c67 100644
--- a/web/Makefile.am
+++ b/web/Makefile.am
@@ -22,12 +22,10 @@ dist_web_DATA = \
# Yes, you are correct. This is a HACK!
install-data-hook:
- ( cd $(DESTDIR)$(webdir); chown $(webuser):$(webgroup) $(dist_web_DATA) )
- ( cd $(DESTDIR)$(webdir); chown -R $(webuser):$(webgroup) $(SUBDIRS) )
@-( cd $(DESTDIR)$(webdir); if ! test -e events; then mkdir events; fi; chown $(webuser):$(webgroup) events; chmod u+w events )
@-( cd $(DESTDIR)$(webdir); if ! test -e images; then mkdir images; fi; chown $(webuser):$(webgroup) images; chmod u+w images )
@-( cd $(DESTDIR)$(webdir); if ! test -e sounds; then mkdir sounds; fi; chown $(webuser):$(webgroup) sounds; chmod u+w sounds )
- @-( cd $(DESTDIR)$(webdir); if ! test -e tools; then mkdir tools; fi; chown $(webuser):$(webgroup) tools; chmod u+w tools )
+ @-( cd $(DESTDIR)$(webdir); if ! test -e tools; then mkdir tools; fi )
@-( cd $(DESTDIR)$(webdir); if ! test -e temp; then mkdir temp; fi; chown $(webuser):$(webgroup) temp; chmod u+w temp )
uninstall-hook:
--
2.5.0
|