diff --git a/README.md b/README.md
index 7736e49..8cb8950 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 Publishing, memberships, subscriptions and newsletters platform
-**Shipped version:** 4.17.1~ynh1
+**Shipped version:** 4.20.1~ynh1
diff --git a/README_fr.md b/README_fr.md
index 032fa09..673ee60 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 Plateforme d'édition, d'adhésions, d'abonnements et de newsletters
-**Version incluse :** 4.17.1~ynh1
+**Version incluse :** 4.20.1~ynh1
diff --git a/conf/admin.src b/conf/admin.src
index 616504a..13362ea 100644
--- a/conf/admin.src
+++ b/conf/admin.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.17.1.zip
-SOURCE_SUM=1f6631834bddd99a302734060a966b59fd69e924e14f560e9367428b1013a056
+SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.20.1.zip
+SOURCE_SUM=be297eda8d618759de25abe7fed5c6d11345623e0e8b27f537566036d88945fa
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=zip
 SOURCE_IN_SUBDIR=false
diff --git a/conf/app.src b/conf/app.src
index 3dc8cd8..a7e7935 100644
--- a/conf/app.src
+++ b/conf/app.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.17.1/Ghost-4.17.1.zip
-SOURCE_SUM=71b8ae299a7f985e45ff60a583ad3d858450330d19b631b9fa1ca6bc0ee53032
+SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.20.1/Ghost-4.20.1.zip
+SOURCE_SUM=12d9850826676d7a402e12843f0832396cc302a3a9081c270250bdd6f1b55aa0
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=zip
 SOURCE_IN_SUBDIR=false
diff --git a/conf/systemd.service b/conf/systemd.service
index 42265a6..fcd502c 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -12,5 +12,33 @@ Environment="NODE_ENV=production"
 ExecStart=__YNH_NODE__ index.js run
 Restart=always
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index 79f298e..69ee970 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Publishing, memberships, subscriptions and newsletters platform",
 "fr": "Plateforme d'édition, d'adhésions, d'abonnements et de newsletters"
 },
- "version": "4.17.1~ynh1",
+ "version": "4.20.1~ynh1",
 "url": "https://ghost.org/",
 "upstream": {
 "license": "MIT",
diff --git a/scripts/install b/scripts/install
index 964ff73..b95208f 100644
--- a/scripts/install
+++ b/scripts/install
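Review bot: The nine `CapabilityBoundingSet=~…` lines are a deny-list, so the bounding set still contains every capability not named here, including ones that were never listed (CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, CAP_SYS_CHROOT) and ones added to the kernel after such lists were written (CAP_BPF, CAP_PERFMON, CAP_CHECKPOINT_RESTORE). If the unit runs Ghost under a dedicated unprivileged `User=` above this hunk, as the install script's `chown $app:$app` suggests, the process needs none of them and the whole list collapses to the allow-list form `CapabilityBoundingSet=` (an empty value drops all), which stays correct as the kernel grows. `ProtectHome=yes` is missing next to `ProtectSystem=full` and costs a web app nothing. Be aware that `SystemCallFilter=` without `SystemCallErrorNumber=` kills the process with SIGSYS on the first denied call, which `Restart=always` turns into a restart loop rather than a visible error; during rollout `SystemCallErrorNumber=EPERM` makes such a denial show up as an EPERM in Ghost's own log. The `[Service]` section this hunk sits in starts outside the hunk.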
@@ -129,16 +129,16 @@ chown $app:$app "$final_path/config.production.json"
 #==============================================
 # BUILD GHOST
 #==============================================
-ynh_script_progression --message="Building $app... (this will take some time and resources!)"
+ynh_script_progression --message="Building Ghost... (this will take some time and resources!)"
 pushd "$final_path"
 ynh_use_nodejs
- ynh_exec_warn_less yarn install --non-interactive --silent
- ynh_exec_warn_less yarn global add knex-migrator
- ynh_exec_warn_less NODE_ENV=production knex-migrator init
- ynh_exec_warn_less yarn global add grunt-cli ember-cli
- ynh_exec_warn_less NODE_ENV=production grunt symlink
- ynh_exec_warn_less NODE_ENV=production grunt init --force
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --non-interactive
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add knex-migrator
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/knex-migrator init
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add grunt-cli ember-cli
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt symlink
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt init --force
 popd
 #=================================================
@@ -170,7 +170,7 @@ yunohost service add $app --description="$app daemon for Ghost" --log="/var/log/
 ynh_script_progression --message="Starting a systemd service..."
 # Start a systemd service
-ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Ghost boot"
+ynh_systemd_action --service_name=$app --action="start"
 #=================================================
 # SETUP SSOWAT
diff --git a/scripts/restore b/scripts/restore
index 36fcda4..84008fc 100755
--- a/scripts/restore
+++ b/scripts/restore
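Review bot: `yarn add knex-migrator` and `yarn add grunt-cli ember-cli` run inside the unpacked release and rewrite its package.json and yarn.lock with whatever versions the registry returns at install time, so two installs of the same 4.20.1~ynh1 package can end up with different build tooling, and if Ghost's package.json already declares knex-migrator (it appears to be a core dependency) the unversioned add can move it past the version upstream tested with. Pin the added tools, e.g. `yarn add knex-migrator@<PINNED_VERSION>` with the version kept next to the source checksums in conf/, and, if the release zip ships a yarn.lock, run the upstream install as `yarn install --non-interactive --frozen-lockfile` before any `yarn add` so the shipped lockfile acts as an integrity check on what gets fetched. Running the build as `$app` via `ynh_exec_as` instead of as root is the right direction. The same block appears in the scripts/upgrade build hunk below and needs the same pinning.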
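Review bot: Removing `--line_match="Ghost boot"` makes `ynh_systemd_action --action="start"` return as soon as systemctl accepts the request, so a Ghost that fails while booting is no longer caught at install time, and with `Restart=always` in the unit the failure becomes a quiet restart loop instead of a failed install. That guard matters more now that the same commit adds `SystemCallFilter=` and capability restrictions to conf/systemd.service, which are exactly the kind of change that breaks startup on some hosts. If the match was dropped because the boot log line changed, matching the current line is preferable to removing the wait; failing that, a check such as `systemctl is-active --quiet $app || ynh_die --message="$app failed to start"` after a short delay keeps the install honest. The same removal appears in scripts/restore and in the start hunk of scripts/upgrade.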
@@ -122,7 +122,7 @@ yunohost service add $app --description="$app daemon for Ghost" --log="/var/log/
 #=================================================
 ynh_script_progression --message="Starting a systemd service..."
-ynh_systemd_action --service_name=$app --action=start --log_path=systemd --line_match="Ghost boot"
+ynh_systemd_action --service_name=$app --action=start
 #=================================================
 # GENERIC FINALIZATION
diff --git a/scripts/upgrade b/scripts/upgrade
index 1f54707..725465f 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -70,7 +70,7 @@ fi
 #=================================================
 ynh_script_progression --message="Stopping a systemd service..."
-ynh_systemd_action --service_name=$app --action=stop --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name=$app --action=stop
 #=================================================
 # CREATE DEDICATED USER
@@ -117,6 +117,10 @@ then
 ynh_secure_remove --file="$tmpdir"
 fi
+chmod 750 "$final_path"
+chmod -R o-rwx "$final_path"
+chown -R $app:www-data "$final_path"
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
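Review bot: `chown -R $app:www-data "$final_path"` together with `chmod -R o-rwx` gives the web server's group read access to the whole tree, including everything Ghost keeps under its content directory (database, uploads, settings) and the production config, which this script only hands back to `$app:$app` later (the `chown $app:$app "$final_path/config.production.json"` shown in the next hunk's header). If nginx only needs the static content subtree, grant the www-data group on that subtree and keep the rest `$app:$app`; if it proxies everything to Ghost it needs nothing and `chown -R $app:$app "$final_path"` is enough. `o-rwx` also says nothing about the group write bit, so `chmod -R g-w "$final_path"` or an explicit file/dir mode pair is needed if the group is meant to be read-only. The matching permission setup in scripts/install is not in this diff, so install and upgrade may leave different ownership; worth checking.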
@@ -155,15 +159,15 @@ chown $app:$app "$final_path/config.production.json"
 if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
- ynh_script_progression --message="Building $app... (this will take some time and resources!)"
+ ynh_script_progression --message="Building Ghost... (this will take some time and resources!)"
 pushd "$final_path"
- ynh_exec_warn_less yarn install
- ynh_exec_warn_less yarn global add knex-migrator
- ynh_exec_warn_less NODE_ENV=production knex-migrator init
- ynh_exec_warn_less yarn global add grunt
- ynh_exec_warn_less NODE_ENV=production grunt symlink
- ynh_exec_warn_less NODE_ENV=production grunt init --force
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --non-interactive
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add knex-migrator
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/knex-migrator init
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add grunt-cli ember-cli
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt symlink
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt init --force
 popd
 fi
@@ -197,7 +201,7 @@ yunohost service add $app --description="$app daemon for Ghost" --log="/var/log/
 #=================================================
 ynh_script_progression --message="Starting a systemd service..."
-ynh_systemd_action --service_name=$app --action=start --log_path=systemd --line_match="Ghost boot"
+ynh_systemd_action --service_name=$app --action=start
 #=================================================
 # RELOAD NGINX
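Review bot: `$ynh_node_load_PATH` is expanded on every build line, but `ynh_use_nodejs`, the helper that sets it, does not appear in this hunk, whereas in the scripts/install hunk it directly follows `pushd`; if it is not called earlier in scripts/upgrade, the variable expands to nothing and `yarn` and the `$final_path/node_modules/.bin/…` tools run under the caller's PATH, possibly with a different node than the `__YNH_NODE__` the unit uses. Adding `ynh_use_nodejs` as the first line after `pushd "$final_path"`, mirroring install, removes the doubt. The `if [ "$upgrade_type" == "UPGRADE_APP" ]` block is complete within the hunk.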