From a8400d07a6d2b12d394267e04b41d470e6bc0797 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Tue, 8 Nov 2022 14:52:02 -0800
Subject: [PATCH] searx: Ensure that socket is only reachable by Apache and root
When the security access restrictions are removed from /etc/security/access.d, we don't want users to bypass Apache access control and directly access the app.
Tests:
- Without the patch, the uwsgi socket file is with permissions 666 in /run/uwsgi/apps/searx/socket. nc -U succeeds as non-admin user on the system.
- Apply the patch and restart FreedomBox. searx set is run and uwsgi service is restarted and permissions are 660 on /run/uwsgi/apps/searx/socket. nc -U fails as non-admin user on the system.
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 plinth/modules/searx/__init__.py | 2 +-
 plinth/modules/searx/privileged.py | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/plinth/modules/searx/__init__.py b/plinth/modules/searx/__init__.py
index 675483d41..9a51a9f2c 100644
--- a/plinth/modules/searx/__init__.py
+++ b/plinth/modules/searx/__init__.py
@@ -28,7 +28,7 @@ class SearxApp(app_module.App):
 app_id = 'searx'
- _version = 4
+ _version = 5
 def __init__(self):
 """Create components for the app."""
diff --git a/plinth/modules/searx/privileged.py b/plinth/modules/searx/privileged.py
index 9279d61b3..fd5c35997 100644
--- a/plinth/modules/searx/privileged.py
+++ b/plinth/modules/searx/privileged.py
@@ -44,6 +44,8 @@ def _update_uwsgi_configuration():
 aug.load()
 aug.set('/files/etc/uwsgi/apps-available/searx.ini/uwsgi/autoload', 'false')
+ aug.set('/files/etc/uwsgi/apps-available/searx.ini/uwsgi/chmod-socket',
+ '660')
 aug.save()
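Review bot: The new `chmod-socket` value of `660` in `_update_uwsgi_configuration` only narrows access to the socket's owner and group, and nothing visible in this hunk pins who those are. The restriction described in the commit message therefore holds only if the searx uWSGI app runs with the user/group Apache uses, which is presumably set by the packaged ini or uWSGI defaults. I would record that dependency next to the setting, e.g. `# 660: only the socket's owner/group (expected to be the Apache/uWSGI user) may connect; local users must go through Apache's access control.` If the package does not guarantee the owner, uWSGI's `chown-socket` option could be set alongside it. The function begins above the hunk, so the Augeas setup and any other socket options are not visible here.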