From 743bee0048e91cd7ba15bf31c2d5d8d8c2cd6db1 Mon Sep 17 00:00:00 2001
From: Krakinou
Date: Fri, 15 Apr 2022 07:58:05 +0200
Subject: [PATCH 1/3] Update check_process

---
 check_process | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/check_process b/check_process
index b570167..aa21d5f 100644
--- a/check_process
+++ b/check_process
@@ -1,4 +1,4 @@
-;; Complete Test 
+;; Complete Test
 # First Run of complete test
 ; Manifest
 domain="domain.tld"
@@ -31,4 +31,4 @@ Notification=none
 ; commit=11f5b96df7d8850beff47f9904745fa53a6f7ed9
 name=Version 0.96.0~ynh4
 manifest_arg=domain=DOMAIN&path=PATH&admin=USER&password=pass&is_public=1&
- 
\ No newline at end of file
+ 
From 592e71bee4a616fd6360f6e3930157904f42e3fe Mon Sep 17 00:00:00 2001
From: Krakinou
Date: Mon, 18 Apr 2022 14:28:42 +0200
Subject: [PATCH 2/3] 0.6.18 remove 0.6.0 from check_process add werkzeug dependency in optionnal-requirement use venv to install pip package hardened systemd service

---
 check_process | 8 +--
 conf/app.src | 4 +-
 conf/systemd.service | 32 ++++++++++-
 manifest.json | 4 +-
 scripts/_common.sh | 2 +-
 scripts/install | 54 +++++++++++++------
 scripts/remove | 2 +-
 scripts/restore | 7 ---
 scripts/upgrade | 47 ++++++++++------
 .../app-optional-requirements.txt.patch | 19 ++++---
 10 files changed, 120 insertions(+), 59 deletions(-)

diff --git a/check_process b/check_process
index aa21d5f..247b265 100644
--- a/check_process
+++ b/check_process
@@ -17,9 +17,7 @@
 setup_public=1
 upgrade=1
 #Last version
- upgrade=1 from_commit=79c6c4ad03f62d2ed4f4180ac6b7dac1c117a62a
-#v0.6.6
-# upgrade=1 from_commit=11f5b96df7d8850beff47f9904745fa53a6f7ed9
+ upgrade=1 from_commit=581a4e1de5caa7aa19a64f63348b174b7602753
 backup_restore=1
 multi_instance=1
 port_already_use=1 (8083)
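Review bot: The new `from_commit` value on the added line, `581a4e1de5caa7aa19a64f63348b174b7602753`, appears to be 39 hexadecimal characters, one short of a full 40-character SHA-1, while the two hashes it replaces (`79c6c4ad…a62a`, `11f5b96d…7ed9`) are 40. Git may still resolve an unambiguous abbreviated id, but a mistyped upgrade-source commit makes the upgrade test start from the wrong revision or fail without an obvious cause. Please confirm the hash against the repository and paste the full 40-character id.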
@@ -27,8 +25,4 @@
 ;;; Options
 Email=nicolas@aubonalbanais.ovh
 Notification=none
-;;; Upgrade options
- ; commit=11f5b96df7d8850beff47f9904745fa53a6f7ed9
- name=Version 0.96.0~ynh4
- manifest_arg=domain=DOMAIN&path=PATH&admin=USER&password=pass&is_public=1&
 
diff --git a/conf/app.src b/conf/app.src
index 180c76c..f3b2c40 100644
--- a/conf/app.src
+++ b/conf/app.src
@@ -1,3 +1,3 @@
-SOURCE_URL=https://github.com/janeczku/calibre-web/releases/download/0.6.17/calibre-web-0.6.17.zip
-SOURCE_SUM=3560aa9f793eead98d8df053963a569fbe08ace93418b6e8e70a2831a9314733
+SOURCE_URL=https://github.com/janeczku/calibre-web/releases/download/0.6.18/calibre-web-0.6.18.zip
+SOURCE_SUM=65a267fc44629f9373a391333154b277a3fb9124031c1e20cd1b3acac939c95a
 SOURCE_FORMAT=zip
diff --git a/conf/systemd.service b/conf/systemd.service
index 877f964..1ced809 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -7,7 +7,37 @@ Type=simple
 User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/
-ExecStart=/bin/sh -c '/usr/bin/python3 __FINALPATH__/cps.py'
+ExecStart=/bin/sh -c '__FINALPATH__/venv/bin/python3 __FINALPATH__/cps.py'
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
 
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index 603d9db..b66ef8c 100644
--- a/manifest.json
+++ b/manifest.json
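Review bot: `ExecStart` still goes through `/bin/sh -c '…'` although the new command line is only the venv interpreter plus a script, so the shell adds nothing but an intermediary process between systemd and the application; `ExecStart=__FINALPATH__/venv/bin/python3 __FINALPATH__/cps.py` runs the same thing with the Python process as the service's main PID. The sandboxing block deliberately or accidentally leaves `ProtectHome` unset; if that is on purpose because the media library lives under `/home/yunohost.multimedia` (the `DOSSIER_MEDIA` value in `scripts/_common.sh`, which I am inferring is used at runtime), a one-line comment such as `# ProtectHome is left off: the library under /home/yunohost.multimedia must stay reachable` would stop a later hardening pass from adding it and breaking library access.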
@@ -6,10 +6,10 @@
         "en": "Browsing, reading and downloading eBooks using a Calibre database",
         "fr": "Explorer, lire et télécharger des eBooks à partir d'une base de données Calibre"
     },
-    "version": "0.96.17~ynh1",
+    "version": "0.96.18~ynh1",
     "url": "https://github.com/janeczku/calibre-web",
     "upstream": {
-        "version": "0.6.17",
+        "version": "0.6.18",
         "license": "GPL-3.0-only",
         "admindoc": "https://github.com/janeczku/calibre-web/wiki",
         "code": "https://github.com/janeczku/calibre-web"
diff --git a/scripts/_common.sh b/scripts/_common.sh
index a693094..a028de8 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-PKG_DEPENDENCIES="sqlite3 libldap2-dev libsasl2-dev python3-dev imagemagick python3-lxml libjpeg-dev zlib1g-dev libffi-dev"
+PKG_DEPENDENCIES="sqlite3 imagemagick libldap2-dev libsasl2-dev python3-venv python3-dev python3-lxml libjpeg-dev zlib1g-dev libffi-dev"
 #PKG_DEPENDENCIES="sqlite3 python3-pip imagemagick"
 
 DOSSIER_MEDIA=/home/yunohost.multimedia
diff --git a/scripts/install b/scripts/install
index 7942c7e..cac174d 100755
--- a/scripts/install
+++ b/scripts/install
@@ -92,6 +92,14 @@ ynh_add_config --template="../sources/patches/app-constants.py.patch.src" --dest
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source "$final_path"
 
+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+ynh_script_progression --message="Configuring system user..." --weight=1
+# Create a system user
+ynh_system_user_create --username="$app" --home_dir="$final_path" --use_shell
+
+
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
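Review bot: `ynh_system_user_create --username="$app" --home_dir="$final_path" --use_shell` gives the service account a login shell, which the block it replaces (`ynh_system_user_create $app`, removed further down in this patch) did not, and nothing in the hunk says why a shell is needed; the later venv steps call `python3`/`pip3` through `ynh_exec_as` with absolute paths, which presumably works without one. If the install succeeds without it, drop `--use_shell` so the account keeps the no-login default, otherwise add a comment naming the step that requires it. The removed block also ran `chmod 740 $final_path`; the new block only creates the user, the `chown -R` reappears with the venv steps, but I cannot find the `chmod` being restored in the visible hunks, so if it is gone for good `$final_path` keeps whatever mode `ynh_setup_source` left it with.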
@@ -99,15 +107,28 @@ ynh_setup_source "$final_path"
 ynh_script_progression --message="Installing package dependencies..." --weight=80
 ynh_install_app_dependencies $PKG_DEPENDENCIES
 
-#use latest version of pip as per documentation in https://github.com/pypa/get-pip
-#cannot use helper as maintaining the checksum would be a pain in the a***
-ynh_exec_quiet curl https://bootstrap.pypa.io/get-pip.py | python3
+#Use venv to install pip requirements - Inspired from https://github.com/YunoHost-Apps/pyinventory_ynh/blob/master/scripts/install
+ynh_script_progression --message="Installing pip requirements..." --weight=70
+# Always recreate everything fresh with current python version
+if [ -d "${final_path}/venv" ] ; then
+	ynh_secure_remove "${final_path}/venv"
+fi
 
-ynh_script_progression --message="Installing pip requirements..." --weight=40
-pip3 install --no-cache-dir --target $final_path/vendor -r $final_path/requirements.txt
+# Skip pip because of: https://github.com/YunoHost/issues/issues/1960
+python3 -m venv --without-pip "${final_path}/venv"
+chown -R "$app:" "$final_path"
+
+#run source in a 'sub shell'
+(
+	set +o nounset
+	source "${final_path}/venv/bin/activate"
+	set -o nounset
+	ynh_exec_as $app $final_path/venv/bin/python3 -m ensurepip
+	ynh_exec_as $app $final_path/venv/bin/pip3 install --upgrade wheel pip setuptools
+	ynh_exec_as $app $final_path/venv/bin/pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r "$final_path/requirements.txt"
+	ynh_exec_as $app $final_path/venv/bin/pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r "$final_path/optional-requirements.txt"
+)
 
-ynh_script_progression --message="Installing pip additionnal requirements..." --weight=40
-pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r $final_path/optional-requirements.txt
 
 #=================================================
 # NGINX CONFIGURATION
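Review bot: The `source "${final_path}/venv/bin/activate"` inside the `( … )` subshell, together with the `set +o nounset`/`set -o nounset` pair around it, has no visible effect on what follows: every command is run through `ynh_exec_as $app` with an absolute `$final_path/venv/bin/…` path, and the activation happens in the installer's own subshell rather than in the `$app` process, so the wrapper can be reduced to the four `ynh_exec_as` lines. On those lines `$app` and `--target $final_path/vendor` are unquoted while the `-r` argument beside them is quoted; make them consistent, e.g. `ynh_exec_as "$app" "$final_path/venv/bin/pip3" install --no-cache-dir --upgrade --target "$final_path/vendor" -r "$final_path/requirements.txt"`. It is also worth stating in the `#Use venv to install pip requirements` comment that `--target` places the packages in `$final_path/vendor`, not in the venv's site-packages, so the venv supplies only the interpreter and pip (this assumes `cps.py` still loads from `vendor/`, which I cannot check from here).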
@@ -123,15 +144,6 @@ fi # Create a dedicated nginx config ynh_add_nginx_config -#================================================= -# CREATE DEDICATED USER -#================================================= - -# Create a system user -ynh_system_user_create $app - -chown -R $app: $final_path -chmod 740 $final_path #================================================= # SETUP SYSTEMD @@ -195,6 +207,16 @@ ynh_replace_string --match_string="=1.7.11,<2.37.0 +-google-api-python-client>=1.7.11,<2.43.0 gevent>20.6.0,<22.0.0 -greenlet>=0.4.17,<1.2.0 -httplib2>=0.9.2,<0.21.0 @@ -15,8 +15,8 @@ -rsa>=3.4.2,<4.9.0 - -# Gmail --google-auth-oauthlib>=0.4.3,<0.5.0 --google-api-python-client>=1.7.11,<2.37.0 +-google-auth-oauthlib>=0.4.3,<0.6.0 +-google-api-python-client>=1.7.11,<2.43.0 # goodreads goodreads>=0.3.2,<0.4.0 @@ -30,4 +30,11 @@ - # metadata extraction rarfile>=3.2 - scholarly>=1.2.0,<1.6 + scholarly>=1.2.0,<1.7 +@@ -42,3 +24,6 @@ + + # Kobo integration + jsonschema>=3.2.0,<4.5.0 ++ ++#readded to avoid 2.2 from dependencies ++werkzeug<2.1.0 From 17687954493450a827f75bd32f961698e780a3be Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Mon, 18 Apr 2022 12:28:51 +0000 Subject: [PATCH 3/3] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 88a4d03..5baf7e5 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Browsing, reading and downloading eBooks using a Calibre database -**Shipped version:** 0.6.17 +**Shipped version:** 0.6.18 diff --git a/README_fr.md b/README_fr.md index a83a2b8..8116866 100644 --- a/README_fr.md +++ b/README_fr.md @@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Explorer, lire et télécharger des eBooks à partir d'une base de données Calibre -**Version incluse :** 0.6.17 +**Version incluse :** 0.6.18
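Review bot: In the `app-optional-requirements.txt.patch` hunk, the comment added with the pin, `#readded to avoid 2.2 from dependencies`, does not match the bound beneath it, `werkzeug<2.1.0`, which also excludes every 2.1.x release. If 2.1 is known to break things as well, say so in the comment (`# werkzeug 2.1+ also breaks <reason>; pin below 2.1`); if only 2.2 is the problem, `werkzeug<2.2.0` is the bound that matches the comment. Either way the comment should name the symptom, because a pin living inside a patch of upstream's requirements file is easy to lose at the next version bump.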