diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2020-05-16 00:52:10 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-05-16 01:30:44 +0200 |
commit | e43ef0c7b9490ece68af38f8a658ad8a710e4e37 (patch) | |
tree | f9dedcfa6dee7cfe280aedf10695e73f9ce69962 | |
parent | 38c697083d50764d833adc039b10b203d36c8f56 (diff) |
Nextcloud: use dedicated user and PHP FPM pool.
There is a real security gain in not using the 'www-data' user: nginx
workers can't read Nextcloud config files and data directory, so should
our nginx configuration be insecure a leak is much less likely.
-rw-r--r-- | roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf | 1 | ||||
-rw-r--r-- | roles/nextcloud/files/etc/cron.d/nextcloud | 2 | ||||
-rw-r--r-- | roles/nextcloud/files/etc/nginx/sites-available/nextcloud | 1 | ||||
-rw-r--r-- | roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf | 17 | ||||
-rw-r--r-- | roles/nextcloud/tasks/main.yml | 50 |
5 files changed, 52 insertions, 19 deletions
diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf index 48ebc63..f82bc5d 100644 --- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf +++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf @@ -11,4 +11,3 @@ fastcgi_param PATH_INFO $path_info; fastcgi_index index.php; include snippets/fastcgi.conf; -fastcgi_pass unix:/run/php/php7.3-fpm.sock; diff --git a/roles/nextcloud/files/etc/cron.d/nextcloud b/roles/nextcloud/files/etc/cron.d/nextcloud index 681cd43..3c4aac0 100644 --- a/roles/nextcloud/files/etc/cron.d/nextcloud +++ b/roles/nextcloud/files/etc/cron.d/nextcloud @@ -1,2 +1,2 @@ MAILTO=root -*/5 * * * * www-data php -f /usr/local/share/nextcloud/cron.php +*/5 * * * * _nextcloud php -f /usr/local/share/nextcloud/cron.php diff --git a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud index d748dc9..f1f4b66 100644 --- a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud +++ b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud @@ -76,6 +76,7 @@ server { post_max_size=512M memory_limit=512M"; fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/var/www/nextcloud:/mnt/nextcloud-data:/etc/nextcloud:/var/cache/nextcloud:/var/log/nextcloud:/usr/share/php:/tmp:/dev"; + fastcgi_pass unix:/run/php/php7.3-fpm@nextcloud.sock; } location ~ ^/(?:updater|ocs-provider)(?:$|/) { diff --git a/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf new file mode 100644 index 0000000..dfbb8bf --- /dev/null +++ b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf @@ -0,0 +1,17 @@ +[nextcloud] +user = _nextcloud +group = nogroup +listen = /run/php/php7.3-fpm@nextcloud.sock +listen.owner = www-data +listen.group = www-data +listen.mode = 0600 +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 +env[HOSTNAME] = $HOSTNAME +env[PATH] = /usr/bin:/bin +env[TMP] = /tmp +env[TMPDIR] = /tmp +env[TEMP] = /tmp diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 86b505b..8878987 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -29,18 +29,25 @@ notify: - Restart php7.3-fpm -- name: Configure PHP 7.3 pool environment - lineinfile: dest=/etc/php/7.3/fpm/pool.d/www.conf - regexp='^;?env\[{{ item.var }}\]\\s*=' - line="env[{{ item.var }}] = {{ item.value }}" - owner=root group=root - mode=0644 - with_items: - - { var: HOSTNAME, value: "$HOSTNAME" } - - { var: PATH, value: "/usr/bin:/bin" } - - { var: TMP, value: "/tmp" } - - { var: TMPDIR, value: "/tmp" } - - { var: TEMP, value: "/tmp" } +- name: Create '_nextcloud' user + user: name=_nextcloud system=yes + group=nogroup + createhome=no + home=/nonexistent + shell=/usr/sbin/nologin + password=! + state=present + +- name: Delete PHP 7.3 FPM's www pool + file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent + notify: + - Restart php7.3-fpm + +- name: Configure PHP 7.3 FPM's nextcloud pool + copy: src=etc/php/fpm/pool.d/nextcloud.conf + dest=/etc/php/7.3/fpm/pool.d/nextcloud.conf + owner=root group=root + mode=0644 notify: - Restart php7.3-fpm @@ -102,6 +109,15 @@ tags: - ldap +# Note: intentionally don't set an owner/group as we don't want to set +# ownership unless the path is a mountpoint. The service will fail +# unless the data directory is mounted and accessible, and that's what +# we want. +- name: Create directory /mnt/nextcloud-data + file: path=/mnt/nextcloud-data + state=directory + mode=0700 + - name: Create directory /var/www/nextcloud file: path=/var/www/nextcloud state=directory @@ -114,19 +130,19 @@ - name: Create directory /var/www/nextcloud/apps file: path=/var/www/nextcloud/apps state=directory - owner=www-data group=www-data + owner=_nextcloud group=nogroup mode=0755 - name: Create directory /var/log/nextcloud file: path=/var/log/nextcloud state=directory - owner=www-data group=adm + owner=_nextcloud group=adm mode=0750 - name: Create directory /var/cache/nextcloud file: path=/var/cache/nextcloud state=directory - owner=www-data group=www-data + owner=_nextcloud group=nogroup mode=0700 - name: Copy Nextcloud logrotate snippet @@ -160,7 +176,7 @@ - name: Start redis-server service: name=redis-server state=started -- name: Add 'www-data' to the group 'redis' - user: name=www-data groups=redis append=yes +- name: Add '_nextcloud' user to 'redis' group + user: name=_nextcloud groups=redis append=yes notify: - Restart php7.3-fpm |