authorGuilhem Moulin <guilhem@fripost.org>2020-05-16 00:52:10 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-16 01:30:44 +0200
commite43ef0c7b9490ece68af38f8a658ad8a710e4e37 (patch)
treef9dedcfa6dee7cfe280aedf10695e73f9ce69962
parent38c697083d50764d833adc039b10b203d36c8f56 (diff)
Nextcloud: use dedicated user and PHP FPM pool.
There is a real security gain in not using the 'www-data' user: nginx workers can't read Nextcloud config files and data directory, so should our nginx configuration be insecure a leak is much less likely.
-rw-r--r--roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf1
-rw-r--r--roles/nextcloud/files/etc/cron.d/nextcloud2
-rw-r--r--roles/nextcloud/files/etc/nginx/sites-available/nextcloud1
-rw-r--r--roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf17
-rw-r--r--roles/nextcloud/tasks/main.yml50
5 files changed, 52 insertions, 19 deletions
diff --git a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
index 48ebc63..f82bc5d 100644
--- a/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
+++ b/roles/common-web/files/etc/nginx/snippets/fastcgi-php.conf
@@ -11,4 +11,3 @@ fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include snippets/fastcgi.conf;
-fastcgi_pass unix:/run/php/php7.3-fpm.sock;
diff --git a/roles/nextcloud/files/etc/cron.d/nextcloud b/roles/nextcloud/files/etc/cron.d/nextcloud
index 681cd43..3c4aac0 100644
--- a/roles/nextcloud/files/etc/cron.d/nextcloud
+++ b/roles/nextcloud/files/etc/cron.d/nextcloud
@@ -1,2 +1,2 @@
MAILTO=root
-*/5 * * * * www-data php -f /usr/local/share/nextcloud/cron.php
+*/5 * * * * _nextcloud php -f /usr/local/share/nextcloud/cron.php
diff --git a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
index d748dc9..f1f4b66 100644
--- a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
+++ b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
@@ -76,6 +76,7 @@ server {
post_max_size=512M
memory_limit=512M";
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/var/www/nextcloud:/mnt/nextcloud-data:/etc/nextcloud:/var/cache/nextcloud:/var/log/nextcloud:/usr/share/php:/tmp:/dev";
+ fastcgi_pass unix:/run/php/php7.3-fpm@nextcloud.sock;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
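Review bot: `fastcgi_pass` is now set in this one location only, while the shared `snippets/fastcgi-php.conf` no longer provides it (first hunk of this commit); any other location in this vhost that still relies on the snippet for its upstream would, without a `fastcgi_pass` of its own, most likely fall through to nginx's static handler, which for a `.php` request means returning the PHP source rather than executing it. The `location ~ ^/(?:updater|ocs-provider)` block that opens on the last line is cut off here, so whether it is affected cannot be seen; every `include snippets/fastcgi-php.conf` in this file should be paired with a pass directive. A comment on the added line such as `# socket name must match /etc/php/7.3/fpm/pool.d/nextcloud.conf` would record the coupling between the two files. The enclosing `server` block starts and ends outside the hunk.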
diff --git a/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf
new file mode 100644
index 0000000..dfbb8bf
--- /dev/null
+++ b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf
@@ -0,0 +1,17 @@
+[nextcloud]
+user = _nextcloud
+group = nogroup
+listen = /run/php/php7.3-fpm@nextcloud.sock
+listen.owner = www-data
+listen.group = www-data
+listen.mode = 0600
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
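Review bot: `group = nogroup` gives the pool a primary group it shares with `nobody` and anything else parked in `nogroup`, so any path later made group-accessible for `_nextcloud:nogroup` is reachable by unrelated accounts; with the modes this commit sets (0755 on `apps`, 0700 on the cache directory) the group grants nothing extra today, but a dedicated `_nextcloud` group created in the same play and used both here and in the `group=nogroup` values of the user-creation and directory hunks of `roles/nextcloud/tasks/main.yml` keeps the commit's "dedicated user" promise at the group level too. A short header comment stating the intent of the socket permissions, e.g. `; socket is consumed by nginx (www-data) only, hence listen.owner/group and mode 0600`, would help the next reader see why the listen ownership differs from the pool user.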
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 86b505b..8878987 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -29,18 +29,25 @@
notify:
- Restart php7.3-fpm
-- name: Configure PHP 7.3 pool environment
- lineinfile: dest=/etc/php/7.3/fpm/pool.d/www.conf
- regexp='^;?env\[{{ item.var }}\]\\s*='
- line="env[{{ item.var }}] = {{ item.value }}"
- owner=root group=root
- mode=0644
- with_items:
- - { var: HOSTNAME, value: "$HOSTNAME" }
- - { var: PATH, value: "/usr/bin:/bin" }
- - { var: TMP, value: "/tmp" }
- - { var: TMPDIR, value: "/tmp" }
- - { var: TEMP, value: "/tmp" }
+- name: Create '_nextcloud' user
+ user: name=_nextcloud system=yes
+ group=nogroup
+ createhome=no
+ home=/nonexistent
+ shell=/usr/sbin/nologin
+ password=!
+ state=present
+
+- name: Delete PHP 7.3 FPM's www pool
+ file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent
+ notify:
+ - Restart php7.3-fpm
+
+- name: Configure PHP 7.3 FPM's nextcloud pool
+ copy: src=etc/php/fpm/pool.d/nextcloud.conf
+ dest=/etc/php/7.3/fpm/pool.d/nextcloud.conf
+ owner=root group=root
+ mode=0644
notify:
- Restart php7.3-fpm
@@ -102,6 +109,15 @@
tags:
- ldap
+# Note: intentionally don't set an owner/group as we don't want to set
+# ownership unless the path is a mountpoint. The service will fail
+# unless the data directory is mounted and accessible, and that's what
+# we want.
+- name: Create directory /mnt/nextcloud-data
+ file: path=/mnt/nextcloud-data
+ state=directory
+ mode=0700
+
- name: Create directory /var/www/nextcloud
file: path=/var/www/nextcloud
state=directory
@@ -114,19 +130,19 @@
- name: Create directory /var/www/nextcloud/apps
file: path=/var/www/nextcloud/apps
state=directory
- owner=www-data group=www-data
+ owner=_nextcloud group=nogroup
mode=0755
- name: Create directory /var/log/nextcloud
file: path=/var/log/nextcloud
state=directory
- owner=www-data group=adm
+ owner=_nextcloud group=adm
mode=0750
- name: Create directory /var/cache/nextcloud
file: path=/var/cache/nextcloud
state=directory
- owner=www-data group=www-data
+ owner=_nextcloud group=nogroup
mode=0700
- name: Copy Nextcloud logrotate snippet
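Review bot: The three `file` tasks change `owner` on the directory itself only (no `recurse`), so if any host was already provisioned with the previous `www-data` ownership, the existing contents of `/var/www/nextcloud/apps`, `/var/log/nextcloud` and `/var/cache/nextcloud` stay owned by `www-data`: the new `_nextcloud` pool presumably cannot then update existing app directories, and nginx workers keep read access to them, which is the opposite of what the commit intends. A one-off `chown -R` on existing hosts, or `recurse=yes` on these tasks (costly on large app trees, so the former is probably preferable), closes the gap; a comment on the first task such as `# ownership of pre-existing contents must be migrated by hand when switching from www-data` would record it.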
@@ -160,7 +176,7 @@
- name: Start redis-server
service: name=redis-server state=started
-- name: Add 'www-data' to the group 'redis'
- user: name=www-data groups=redis append=yes
+- name: Add '_nextcloud' user to 'redis' group
+ user: name=_nextcloud groups=redis append=yes
notify:
- Restart php7.3-fpm
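Review bot: Replacing the task leaves `www-data` in the `redis` group on hosts where the removed task already ran (`append=yes` adds a membership and never removes one), so nginx workers keep whatever access the `redis` group grants to the redis socket, which this commit is trying to take away from them. Ansible's `user` module can only set the complete supplementary-group list, so a task to strip the membership would need `www-data`'s other groups first; a one-off `gpasswd -d www-data redis` on existing hosts, noted in a comment on this task (`# www-data was previously added to 'redis'; remove it by hand on hosts provisioned before this change`), is the simpler fix. The task's handler list continues past the hunk.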