From de257863a82ba5690c265dff8aa83a50f91cb212 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cristhian=20Mart=C3=ADnez=20Ochoa?= Date: Thu, 27 Jun 2024 07:08:14 -0700 Subject: [PATCH] permissions Better permissions for better security. --- lib/install | 14 ++++++++------ lib/verify | 12 ++++++------ lib/webin | 5 +++-- templates/nginx/conf.d/upstream.conf | 2 +- 4 files changed, 18 insertions(+), 15 deletions(-) diff --git a/lib/install b/lib/install index b887961..2487743 100644 --- a/lib/install +++ b/lib/install @@ -415,8 +415,9 @@ fastcgi_param HTTP_ACCEPT_ENCODING ""; sudo sed -i "/fastcgi_cache_path/c \fastcgi_cache_path /run/nginx-cache levels=1:2 keys_zone=WORDPRESS:50m max_size=$(((9*$ramb*$(check_var run-folder-size))/1000))m inactive=7d;" /etc/nginx/conf.d/fastcgi.conf sudo sed -i "/fastcgi_read_timeout/c \fastcgi_read_timeout $(check_var php-max-time)s;" /etc/nginx/conf.d/fastcgi.conf - # www-data sftp default uploads permissions 755 and 644, instead of 775 and 664. - sudo sed -i '/USERGROUPS_ENAB/c \USERGROUPS_ENAB no' /etc/login.defs + # www-data sftp default uploads permissions 750 and 640, instead of 775 and 664. + sudo sed -i '/USERGROUPS_ENAB /c \USERGROUPS_ENAB no' /etc/login.defs + sudo sed -i '/^UMASK/c \UMASK 027' /etc/login.defs # Check for dynamic variables. sudo systemctl restart nginx # We need to kill the process, don't use reload (I don't know why here, but it's needed!) 
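Review bot: The new `/USERGROUPS_ENAB /` pattern depends on the key and value being separated by exactly one space, so an entry written with a tab (or one already commented out) is skipped silently and the group-bit relaxation of the umask stays in effect; anchoring it the same way as the `^UMASK` line, `sudo sed -i '/^USERGROUPS_ENAB[[:space:]]/c \USERGROUPS_ENAB no' /etc/login.defs`, is more robust and consistent. Both `c` commands exit 0 whether or not anything matched, so a post-check such as `grep -Eq '^UMASK[[:space:]]+027' /etc/login.defs || echo "UMASK 027 not applied"` would surface a miss right here instead of leaving it to a later verify run. Whether `UMASK 027` actually reaches sftp uploads depends on pam_umask being active for sshd sessions, which this hunk cannot show; a one-line comment stating that assumption next to the new line would help the next maintainer. The surrounding function starts and ends outside the hunk.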
@@ -526,8 +527,9 @@ php_optim() { sudo sed -i -r '/^[;]?pm.max_requests =/c\pm.max_requests = 1000' /etc/php/$ver/fpm/pool.d/www.conf sudo sed -i -r '/^[;]?pm.status_path =/c\pm.status_path = /status' /etc/php/$ver/fpm/pool.d/www.conf sudo sed -i -r '/^[;]?ping.path =/c\ping.path = /ping' /etc/php/$ver/fpm/pool.d/www.conf - sudo sed -i -r '/^[;]?listen = /c\listen = 127.0.0.1:9000' /etc/php/$ver/fpm/pool.d/www.conf - sudo sed -i -r '/^[;]?listen.allowed_clients = /c\listen.allowed_clients = 127.0.0.1' /etc/php/$ver/fpm/pool.d/www.conf + sudo sed -i -r '/^[;]?listen.mode = /c\listen.mode = 0600' /etc/php/$ver/fpm/pool.d/www.conf + #sudo sed -i -r '/^[;]?listen = /c\listen = 127.0.0.1:9000' /etc/php/$ver/fpm/pool.d/www.conf + #sudo sed -i -r '/^[;]?listen.allowed_clients = /c\listen.allowed_clients = 127.0.0.1' /etc/php/$ver/fpm/pool.d/www.conf [[ $(conf_read php-tool-redis) == "true" && -n $(conf_read redis-max-mem) ]] && redis_optim conf_write php-optim true @@ -818,8 +820,8 @@ mysql_tool_pma() { sudo cp /var/www/$ADMIN_TOOLS_SITE/htdocs/pma/config.sample.inc.php /var/www/$ADMIN_TOOLS_SITE/htdocs/pma/config.inc.php sudo sed -i "/blowfish_secret/c \$cfg['blowfish_secret'] = '$(pwgen -s -1 32)';" /var/www/$ADMIN_TOOLS_SITE/htdocs/pma/config.inc.php sudo chown -R www-data:www-data /var/www/$ADMIN_TOOLS_SITE/htdocs/pma - sudo find /var/www/$ADMIN_TOOLS_SITE/htdocs/pma -type f -print0 | sudo xargs -r -0 chmod 644 - sudo find /var/www/$ADMIN_TOOLS_SITE/htdocs/pma -type d -print0 | sudo xargs -r -0 chmod 755 + sudo find /var/www/$ADMIN_TOOLS_SITE/htdocs/pma -type f -print0 | sudo xargs -r -0 chmod 640 + sudo find /var/www/$ADMIN_TOOLS_SITE/htdocs/pma -type d -print0 | sudo xargs -r -0 chmod 750 conf_write mysql-tool-pma true diff --git a/lib/verify b/lib/verify index 4500d7f..119d59a 100644 --- a/lib/verify +++ b/lib/verify 
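Review bot: Commenting out the two `listen` lines in php_optim() leaves whatever value is already in www.conf untouched, so on a host where an earlier run set `listen = 127.0.0.1:9000` the pool keeps listening on TCP while upstream.conf now points at `unix:/run/php/php-fpm.sock`, and the new `listen.mode = 0600` applies to nothing. Replacing the first commented line with an explicit `sudo sed -i -r '/^[;]?listen = /c\listen = /run/php/php-fpm.sock' /etc/php/$ver/fpm/pool.d/www.conf` (or whatever socket path the template is meant to match) makes the switch deterministic on upgrades as well as fresh installs; I can't see from this diff whether another part of lib/install already does that. `listen.allowed_clients` has no effect on a Unix socket, so that commented line can simply be deleted rather than kept as dead code. With mode 0600 only the socket owner can connect, so the nginx worker user must equal the pool's `listen.owner` (presumably both www-data here, but nothing in the hunk checks it) — worth a short comment beside `listen.mode`. php_optim() begins and ends outside the hunk.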
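Review bot: The 640/750 pass in mysql_tool_pma() is correct for the web user, but it silently assumes nginx and the php-fpm pool both run as www-data, which the `chown -R www-data:www-data` above also assumes and nothing verifies; a comment such as `# 640/750: readable only by www-data (nginx worker and fpm pool user), nothing for others` would record that intent next to the numbers. The two `find ... -print0 | sudo xargs -r -0 chmod` pipelines can be written as `sudo find ... -type f -exec chmod 640 {} +` and `sudo find ... -type d -exec chmod 750 {} +`, which drops the second sudo and the xargs hop without changing the result. The function starts before the hunk.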
@@ -1132,8 +1132,8 @@ if [[ -z $critical_mode ]]; then # /var/www if [[ -d /var/www ]]; then local ver_perm_user=$(find /var/www -path "/var/www/*" ! -path "/var/www/\.*" ! -user www-data | head -10) - local ver_perm_dire=$(find /var/www ! -path "/var/www/\.*" -type d ! -perm 755 | head -10) # Exclude dotted folders - local ver_perm_file=$(find /var/www ! -path "/var/www/\.*/*" -type f ! -perm 644 | head -10) # Exclude files inside dotted folders + local ver_perm_dire=$(find /var/www ! -path "/var/www/\.*" -type d -perm /22 | head -10) # Exclude dotted folders (i.e.: 755 octal XOR 777 octal) + local ver_perm_file=$(find /var/www ! -path "/var/www/\.*/*" -type f -perm /133 | head -10) # Exclude files inside dotted folders (i.e.: 644 octal XOR 777 octal) if [[ $(conf_read login-www-data) != "true" && -d /var/www && $(stat -c '%U' /var/www) != "www-data" ]]; then echo "${dim}- [WARNING] Directory owner is not 'www-data' /var/www ${end}${red}" @@ -1147,11 +1147,11 @@ if [[ -z $critical_mode ]]; then local ver_eight_war="1" fi if [[ -n $ver_perm_dire ]]; then - echo "$ver_perm_dire" | sed "s/^/${dim}- \[WARNING\] Directory permission is not 755 /" | sed "s/$/${end}${red}/" + echo "$ver_perm_dire" | sed "s/^/${dim}- \[WARNING\] Directory permission is more than 755 /" | sed "s/$/${end}${red}/" local ver_eight_war="1" fi if [[ -n $ver_perm_file ]]; then - echo "$ver_perm_file" | sed "s/^/${dim}- \[WARNING\] File permission is not 644 /" | sed "s/$/${end}${red}/" + echo "$ver_perm_file" | sed "s/^/${dim}- \[WARNING\] File permission is more than 644 /" | sed "s/$/${end}${red}/" local ver_eight_war="1" fi fi 
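Review bot: Both rewritten `find` commands run without sudo, while lib/webin now sets site directories to 750 and the `.ssh` checks further down already use `sudo find`; if verify can be invoked by a user other than root or www-data, `find` can no longer descend into those directories, so `ver_perm_dire` and `ver_perm_file` come back empty and the check passes vacuously while "Permission denied" noise goes to stderr. Prefixing both lines with `sudo`, as the `.ssh` checks do, keeps the verification meaningful regardless of who runs it; the unchanged `ver_perm_user` line just above has the same exposure. The trailing `(i.e.: 755 octal XOR 777 octal)` comments explain the arithmetic but not the intent; `# any directory writable by group or others` and `# any file with owner-exec or group/world-write bits` read more directly, and the same applies to the `.pub` check in the @1181 hunk. The enclosing `if [[ -z $critical_mode ]]` block starts and ends outside the hunk.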
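Review bot: The new warning text "Directory permission is more than 755" does not describe what `-perm /22` flags: a 755 directory passes and 775 fails, but so does 722, which is not "more than 755" in any ordering, and a reader cannot tell from the message which bits to fix. Naming the bits matches the check exactly: `\[WARNING\] Directory is writable by group or others /` and, for the file branch, `\[WARNING\] File is executable or group/world-writable /`. The same "more than 644" wording is used for the `.pub` message in the @1196 hunk and should change in step. The enclosing block begins and ends outside the hunk.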
@@ -1181,7 +1181,7 @@ if [[ -z $critical_mode ]]; then local ver_ssh_owner=$(find $ver_check_dir/.ssh ! -user $ver_check_user | head -10) local ver_ssh_dire=$(sudo find $ver_check_dir/.ssh -type d ! -perm 700 | head -10) local ver_ssh_file=$(sudo find $ver_check_dir/.ssh ! -path "$ver_check_dir/.ssh/*.pub" -type f ! -perm 600 | head -10) - local ver_ssh_fpub=$(sudo find $ver_check_dir/.ssh -path "$ver_check_dir/.ssh/*.pub" -type f ! -perm 644 | head -10) + local ver_ssh_fpub=$(sudo find $ver_check_dir/.ssh -path "$ver_check_dir/.ssh/*.pub" -type f -perm /133 | head -10) # (i.e.: 644 octal XOR 777 octal) if [[ -n $ver_ssh_owner ]]; then echo "$ver_ssh_owner" | sed "s/^/${dim}- \[WARNING\] File owner is not '${ver_check_user}' /" | sed "s/$/${end}${red}/" @@ -1196,7 +1196,7 @@ if [[ -z $critical_mode ]]; then local ver_eight_war="1" fi if [[ -n $ver_ssh_fpub ]]; then - echo "$ver_ssh_fpub" | sed "s/^/${dim}- \[WARNING\] File permission is not 644 /" | sed "s/$/${end}${red}/" + echo "$ver_ssh_fpub" | sed "s/^/${dim}- \[WARNING\] File permission is more than 644 /" | sed "s/$/${end}${red}/" local ver_eight_war="1" fi fi diff --git a/lib/webin b/lib/webin index f7364a3..8b3a340 100644 --- a/lib/webin +++ b/lib/webin @@ -445,8 +445,9 @@ webinoly_update() { fix_permissions() { # https://github.com/QROkes/webinoly/issues/49 - sudo find /var/www ! -path "/var/www/\.*" -type d -print0 | sudo xargs -r -0 chmod 755 - sudo find /var/www ! -path "/var/www/\.*" -type f -print0 | sudo xargs -r -0 chmod 644 + sudo find /var/www/* ! -path "/var/www/\.*" -type d -print0 | sudo xargs -r -0 chmod 750 + sudo find /var/www/* ! -path "/var/www/\.*" -type f -print0 | sudo xargs -r -0 chmod 640 + sudo chmod 755 /var/www if [[ -d /var/www/.ssh ]]; then sudo find /var/www/.ssh -type d -print0 | sudo xargs -r -0 chmod 700 diff --git a/templates/nginx/conf.d/upstream.conf b/templates/nginx/conf.d/upstream.conf index ddd0898..7da999c 100644 --- a/templates/nginx/conf.d/upstream.conf 
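Review bot: `find /var/www/*` hands the traversal roots to an unquoted shell glob in fix_permissions(): it expands before sudo runs, it already skips dot entries (duplicating what the `! -path` test did), and when /var/www is empty the literal `/var/www/*` is passed through and find reports "No such file or directory". `sudo find /var/www -mindepth 1 ! -path "/var/www/\.*" -type d -print0 | sudo xargs -r -0 chmod 750` (and likewise for `-type f` with 640) keeps the root itself out of the pass without the glob, so the separate `sudo chmod 755 /var/www` still stands on its own. A short comment on that last line — `# /var/www itself stays 755 so site roots can be reached; everything below is 750/640` — would explain why it is the one exception to the new baseline. fix_permissions() continues past the hunk.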
+++ b/templates/nginx/conf.d/upstream.conf @@ -8,7 +8,7 @@ upstream php { zone upstreams 64k; - server 127.0.0.1:9000; + server unix:/run/php/php-fpm.sock; # We recommend setting the 'keepalive' parameter to twice the number of servers listed in the upstream block. # For FastCGI servers, it is required to set 'fastcgi_keep_conn' for keepalive connections to work (conf.d/fastcgi.conf)
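Review bot: `server unix:/run/php/php-fpm.sock;` ties the template to an unversioned socket path that the php-fpm pool must actually create or link; the matching lib/install hunk only sets `listen.mode = 0600` and comments out the old TCP `listen`, so on an upgraded host the socket may not exist and every PHP request would fail with 502 until the pool is reconfigured. A comment in the template naming the contract, `# Expects the php-fpm pool to listen on this socket (mode 0600, owned by the nginx worker user)`, would make the dependency visible to anyone editing either side. A validation step after the switch — `nginx -t` plus `test -S /run/php/php-fpm.sock` — is cheap and catches a missing socket before the restart; nothing in the diff shows one. The `upstream php` block continues outside the hunk.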