Avoid chown data_dir during the upgrade process #711
We can also try like that, I'm not sure why we should chown the data_dir
!testme
!testme
!testme
!testme
chown -R $app:www-data "$install_dir" | ||
chown -R $app: "$data_dir" |
chown -R $app:www-data "$install_dir" | |
chown -R $app: "$data_dir" | |
chown -R $app:www-data "$install_dir" | |
chmod og-rwx "$install_dir/config" | |
chown -R $app: "$data_dir" |
(me being paranoid about a compromise of www-data that would result in leaking secrets etc)
Eeeh, chmod 640 will still allow www-data to read the file, so in the event that www-data gets compromised (or some funky path traversal issue is discovered or whatever) it still allows access to secrets
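The mode-bit point made in this thread, as an added example that is not part of the PR or of the app's scripts: a 640 file stays readable by its owning group, while a non-recursive `chmod og-rwx` on the directory removes the group's search permission. The temp tree, the `secrets.yml` name and the helper names are constructed for illustration; it assumes `config` is a directory and that GNU `stat` is available (Linux).

```shell
#!/bin/sh
# Added example: every path and name below is constructed for the demo.

# Octal permission bits of a path (GNU stat, Linux assumed).
mode_of() { stat -c '%a' "$1"; }

# Succeeds when the owning group has read on file $1 and search (x) on its
# parent directory. Only the immediate parent is checked, not every ancestor.
group_can_read() {
    file_mode=$(mode_of "$1")
    dir_mode=$(mode_of "$(dirname "$1")")
    [ $(( 0$file_mode & 040 )) -ne 0 ] && [ $(( 0$dir_mode & 010 )) -ne 0 ]
}

verdict() { if group_can_read "$1"; then echo readable; else echo blocked; fi; }

# Walk the three states discussed in the thread and print one line per state.
demo() {
    root=$(mktemp -d) || return 1
    secret="$root/config/secrets.yml"          # hypothetical secrets file
    mkdir "$root/config"
    printf 'secret_key: constructed-sample\n' > "$secret"

    chmod 750 "$root/config"; chmod 644 "$secret"
    echo "initial 750/644: $(verdict "$secret")"

    chmod 640 "$secret"                        # drops "other", keeps group read
    echo "chmod 640 file: $(verdict "$secret")"

    chmod og-rwx "$root/config"                # non-recursive, directory only
    echo "chmod og-rwx dir: $(verdict "$secret") (file mode still $(mode_of "$secret"))"

    rm -rf "$root"
}

demo
```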
@@ -207,7 +207,7 @@ then | |||
mv "$tmpdir" "$install_dir" | |||
|
|||
# Set write access for the following commands | |||
chown -R $app: "$install_dir" "$data_dir" | |||
chown -R $app:www-data "$install_dir" |
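Review bot: the `chown -R $app:www-data "$install_dir"` line makes www-data the group of every path under the install directory, `$install_dir/config` included, and nothing in this hunk sets the mode bits there, so whether the web server's group can read the config depends on whatever modes those files already carry. Follow the chown with an explicit mode change on the config path; the thread proposes `chmod og-rwx "$install_dir/config"`. Separately, `$app` is unquoted in both chown lines while the paths are quoted; `"$app:www-data"` would keep the quoting consistent.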
chown -R $app:www-data "$install_dir" | |
chown -R $app:www-data "$install_dir" | |
chmod og-rwx "$install_dir/config" |
(me being paranoid about a compromise of www-data that would result in leaking secrets etc)
@CodeShakingSheep (? with these changes or with the new stable version?) Then just wait, and don't try to restart your server or
With the stable version. I didn't restart anything but my whole server just went down because of this. So, I have to restart it now.
!testme
!testme
Problem
Solution
PR Status
Automatic tests
Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ after creating the PR, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B. : for this to work you need to be a member of the Yunohost-Apps organization)