From 4b7aa322f4f4f8f4f9197053dc30a8996916944b Mon Sep 17 00:00:00 2001
From: yunohost-bot
Date: Sat, 23 Oct 2021 06:18:44 +0000
Subject: [PATCH 1/7] Upgrade to v4.20.1

---
 conf/admin.src | 4 ++--
 conf/app.src | 4 ++--
 manifest.json | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/conf/admin.src b/conf/admin.src
index 616504a..13362ea 100644
--- a/conf/admin.src
+++ b/conf/admin.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.17.1.zip
-SOURCE_SUM=1f6631834bddd99a302734060a966b59fd69e924e14f560e9367428b1013a056
+SOURCE_URL=https://github.com/TryGhost/Admin/archive/refs/tags/v4.20.1.zip
+SOURCE_SUM=be297eda8d618759de25abe7fed5c6d11345623e0e8b27f537566036d88945fa
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=zip
 SOURCE_IN_SUBDIR=false
diff --git a/conf/app.src b/conf/app.src
index 3dc8cd8..a7e7935 100644
--- a/conf/app.src
+++ b/conf/app.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.17.1/Ghost-4.17.1.zip
-SOURCE_SUM=71b8ae299a7f985e45ff60a583ad3d858450330d19b631b9fa1ca6bc0ee53032
+SOURCE_URL=https://github.com/TryGhost/Ghost/releases/download/v4.20.1/Ghost-4.20.1.zip
+SOURCE_SUM=12d9850826676d7a402e12843f0832396cc302a3a9081c270250bdd6f1b55aa0
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=zip
 SOURCE_IN_SUBDIR=false
diff --git a/manifest.json b/manifest.json
index 79f298e..69ee970 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Publishing, memberships, subscriptions and newsletters platform",
 "fr": "Plateforme d'édition, d'adhésions, d'abonnements et de newsletters"
 },
- "version": "4.17.1~ynh1",
+ "version": "4.20.1~ynh1",
 "url": "https://ghost.org/",
 "upstream": {
 "license": "MIT",

From 19072c02ac44695b24d9c48d87d0a865766d8b0b Mon Sep 17 00:00:00 2001
From: Yunohost-Bot <>
Date: Sat, 23 Oct 2021 06:18:52 +0000
Subject: [PATCH 2/7] Auto-update README

---
 README.md | 2 +-
 README_fr.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 7736e49..8cb8950 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 Publishing, memberships, subscriptions and newsletters platform
-**Shipped version:** 4.17.1~ynh1
+**Shipped version:** 4.20.1~ynh1
diff --git a/README_fr.md b/README_fr.md
index 032fa09..673ee60 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 Plateforme d'édition, d'adhésions, d'abonnements et de newsletters
-**Version incluse :** 4.17.1~ynh1
+**Version incluse :** 4.20.1~ynh1

From a6f38d51c1b8c9b8c77c258e394cb458a4320b1b Mon Sep 17 00:00:00 2001
From: tituspijean
Date: Sat, 23 Oct 2021 20:14:15 +0200
Subject: [PATCH 3/7] Build as $app user

---
 scripts/install | 12 ++++++------
 scripts/upgrade | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/scripts/install b/scripts/install
index 964ff73..f3c54c6 100644
--- a/scripts/install
+++ b/scripts/install
@@ -133,12 +133,12 @@ ynh_script_progression --message="Building $app... (this will take some time and
 
 pushd "$final_path"
 ynh_use_nodejs
- ynh_exec_warn_less yarn install --non-interactive --silent
- ynh_exec_warn_less yarn global add knex-migrator
- ynh_exec_warn_less NODE_ENV=production knex-migrator init
- ynh_exec_warn_less yarn global add grunt-cli ember-cli
- ynh_exec_warn_less NODE_ENV=production grunt symlink
- ynh_exec_warn_less NODE_ENV=production grunt init --force
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --non-interactive --silent
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add knex-migrator
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production knex-migrator init
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add grunt-cli ember-cli
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt symlink
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt init --force
 popd
 
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 1f54707..149d381 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -158,12 +158,12 @@ then
 ynh_script_progression --message="Building $app... (this will take some time and resources!)"
 
 pushd "$final_path"
- ynh_exec_warn_less yarn install
- ynh_exec_warn_less yarn global add knex-migrator
- ynh_exec_warn_less NODE_ENV=production knex-migrator init
- ynh_exec_warn_less yarn global add grunt
- ynh_exec_warn_less NODE_ENV=production grunt symlink
- ynh_exec_warn_less NODE_ENV=production grunt init --force
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add knex-migrator
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production knex-migrator init
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add grunt
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt symlink
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt init --force
 popd
 fi
 

From 1bb284916579c26ef0ba977c8e6b1e40fabafe92 Mon Sep 17 00:00:00 2001
From: tituspijean
Date: Sun, 24 Oct 2021 12:09:49 +0200
Subject: [PATCH 4/7] Remove log monitoring

In production mode, the log file name is hard to guess...
---
 scripts/install | 2 +-
 scripts/restore | 2 +-
 scripts/upgrade | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/install b/scripts/install
index f3c54c6..046b9b8 100644
--- a/scripts/install
+++ b/scripts/install
@@ -170,7 +170,7 @@ yunohost service add $app --description="$app daemon for Ghost" --log="/var/log/
 ynh_script_progression --message="Starting a systemd service..."
 
 # Start a systemd service
-ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Ghost boot"
+ynh_systemd_action --service_name=$app --action="start"
 
 #=================================================
 # SETUP SSOWAT
diff --git a/scripts/restore b/scripts/restore
index 36fcda4..84008fc 100755
--- a/scripts/restore
+++ b/scripts/restore
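Review bot: Dropping `--line_match="Ghost boot"` from the start action in scripts/install means `ynh_systemd_action` now returns as soon as `systemctl start` does, so a Ghost that dies during boot (bad config, failed migration) is no longer detected and the script continues into the SSOwat step and reports a successful install. The removed line read the journal (`--log_path="systemd"`), not a log file, so the commit's rationale about the production log file name being hard to guess does not apply to it. Unless "Ghost boot" no longer appears in 4.20's journal output (not verifiable here), keep `ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Ghost boot"`, or at minimum follow the start with an explicit `systemctl is-active` check so a failed boot aborts the install. The enclosing script continues outside the hunk.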
@@ -122,7 +122,7 @@ yunohost service add $app --description="$app daemon for Ghost" --log="/var/log/
 #=================================================
 ynh_script_progression --message="Starting a systemd service..."
 
-ynh_systemd_action --service_name=$app --action=start --log_path=systemd --line_match="Ghost boot"
+ynh_systemd_action --service_name=$app --action=start
 
 #=================================================
 # GENERIC FINALIZATION
diff --git a/scripts/upgrade b/scripts/upgrade
index 149d381..0a66011 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -70,7 +70,7 @@ fi
 #=================================================
 ynh_script_progression --message="Stopping a systemd service..."
 
-ynh_systemd_action --service_name=$app --action=stop --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name=$app --action=stop
 
 #=================================================
 # CREATE DEDICATED USER
@@ -197,7 +197,7 @@ yunohost service add $app --description="$app daemon for Ghost" --log="/var/log/
 #=================================================
 ynh_script_progression --message="Starting a systemd service..."
 
-ynh_systemd_action --service_name=$app --action=start --log_path=systemd --line_match="Ghost boot"
+ynh_systemd_action --service_name=$app --action=start
 
 #=================================================
 # RELOAD NGINX

From 2ac2192c731c8b90081b2aa455c726bffc7c774e Mon Sep 17 00:00:00 2001
From: tituspijean
Date: Sun, 24 Oct 2021 18:09:43 +0200
Subject: [PATCH 5/7] Fix building steps

---
 scripts/install | 14 +++++++-------
 scripts/upgrade | 14 +++++++-------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/scripts/install b/scripts/install
index 046b9b8..b95208f 100644
--- a/scripts/install
+++ b/scripts/install
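Review bot: Of the two scripts/upgrade changes, only the stop action at line 70 matches the commit message — it pointed `--log_path` at `/var/log/$app/$app.log`, the file the message says cannot be predicted in production — whereas the start action at line 197 read the journal via `--log_path=systemd` and is now left with no readiness check at all, so a Ghost that fails to boot after the upgrade goes unnoticed and the script proceeds to reload nginx; the restore hunk above has the same problem. The hunk trailer also still shows `yunohost service add $app ... --log="/var/log/`, which registers a log path for the YunoHost service page that the same commit considers unguessable; the line is cut off in the trailer, so this is inferred, but if that path is wrong it should be dropped or corrected in the same change. Suggested: keep the plain stop, and restore `ynh_systemd_action --service_name=$app --action=start --log_path=systemd --line_match="Ghost boot"` for the start (here and in restore) unless that boot line is confirmed gone from 4.20's journal output.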
@@ -129,16 +129,16 @@ chown $app:$app "$final_path/config.production.json"
 #==============================================
 # BUILD GHOST
 #==============================================
-ynh_script_progression --message="Building $app... (this will take some time and resources!)"
+ynh_script_progression --message="Building Ghost... (this will take some time and resources!)"
 
 pushd "$final_path"
 ynh_use_nodejs
- ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --non-interactive --silent
- ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add knex-migrator
- ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production knex-migrator init
- ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add grunt-cli ember-cli
- ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt symlink
- ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt init --force
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --non-interactive
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add knex-migrator
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/knex-migrator init
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add grunt-cli ember-cli
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt symlink
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt init --force
 popd
 
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 0a66011..3e0561c 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
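Review bot: `yarn add knex-migrator` and `yarn add grunt-cli ember-cli` resolve to whatever version is newest on the registry at install time and rewrite `package.json`/`yarn.lock` inside the Ghost release tree, so the build is neither reproducible nor covered by the `SOURCE_SUM` pin in conf/app.src; `yarn install --non-interactive` without `--frozen-lockfile` likewise lets the lockfile drift from the one Ghost shipped. Pin the tool versions and freeze the lockfile, e.g. `yarn install --non-interactive --frozen-lockfile` and `yarn add --dev knex-migrator@<pinned> grunt-cli@<pinned> ember-cli@<pinned>`; if the release zip already provides `knex-migrator` under `node_modules/.bin` after `yarn install` (I cannot tell from here), that `yarn add` can be dropped entirely. Running the tools from `$final_path/node_modules/.bin` instead of a per-user global install is the right move; the pinning is what is missing. The `pushd` block is fully visible, the rest of the install script is outside the hunk.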
@@ -155,15 +155,15 @@ chown $app:$app "$final_path/config.production.json"
 
 if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
- ynh_script_progression --message="Building $app... (this will take some time and resources!)"
+ ynh_script_progression --message="Building Ghost... (this will take some time and resources!)"
 
 pushd "$final_path"
- ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install
- ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add knex-migrator
- ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production knex-migrator init
- ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn global add grunt
- ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt symlink
- ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production grunt init --force
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --non-interactive
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add knex-migrator
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/knex-migrator init
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn add grunt-cli ember-cli
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt symlink
+ ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH NODE_ENV=production $final_path/node_modules/.bin/grunt init --force
 popd
 fi
 

From 9eb7dd6470112cf881d3148f2f1919cbc4f93b85 Mon Sep 17 00:00:00 2001
From: tituspijean
Date: Mon, 25 Oct 2021 18:06:11 +0200
Subject: [PATCH 6/7] Harden service security

---
 conf/systemd.service | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/conf/systemd.service b/conf/systemd.service
index 42265a6..fcd502c 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
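Review bot: Unlike the install hunk, this `pushd` block in scripts/upgrade never calls `ynh_use_nodejs`, which is the helper that defines `$ynh_node_load_PATH`; if it is not invoked earlier in the script (outside this hunk), the unquoted expansion is empty and `yarn`, `knex-migrator` and `grunt` run under `$app`'s default PATH, which may not contain the Node version Ghost was built against, so the build can fail or silently use a different node. Add `ynh_use_nodejs` as the first line after `pushd "$final_path"`, mirroring the install script, or confirm it already runs before line 155. The unpinned `yarn add` calls and the missing `--frozen-lockfile` raised on the install hunk apply here unchanged.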
@@ -12,5 +12,33 @@ Environment="NODE_ENV=production"
 ExecStart=__YNH_NODE__ index.js run
 Restart=always
+# Sandboxing options to harden security # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+ # Denying access to capabilities that should not be relevant for webapps # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
 [Install]
 WantedBy=multi-user.target

From afe60a0227bc7ebbaf652f425e3506bb25487846 Mon Sep 17 00:00:00 2001
From: tituspijean
Date: Mon, 25 Oct 2021 18:06:50 +0200
Subject: [PATCH 7/7] Enforce file ownership in upgrade

---
 scripts/upgrade | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/upgrade b/scripts/upgrade
index 3e0561c..725465f 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -117,6 +117,10 @@ then
 ynh_secure_remove --file="$tmpdir"
 fi
 
+chmod 750 "$final_path"
+chmod -R o-rwx "$final_path"
+chown -R $app:www-data "$final_path"
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
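Review bot: The capability denylist (`CapabilityBoundingSet=~…`) still leaves, among others, CAP_SETUID, CAP_SETGID, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER and CAP_NET_BIND_SERVICE in the bounding set; a Node app serving behind the nginx reverse proxy as a dedicated user should need none of them, so an empty set `CapabilityBoundingSet=` (with `AmbientCapabilities=` left unset) is both shorter and strictly tighter than the nine negated lines. Two cheap additions in the same spirit are `ProtectHome=yes`, provided `$final_path` is not under `/home`, and `SystemCallArchitectures=native`; do not add `MemoryDenyWriteExecute=yes`, since V8's JIT needs writable+executable pages and the service would fail to start. The `[Service]` header with `User=` and `WorkingDirectory=` sits above the hunk, so that the unit already drops to the app user is assumed here, not verified.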
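Review bot: The `chmod -R o-rwx` / `chown -R $app:www-data` block is inserted at line 117 of scripts/upgrade, before the `UPGRADE_APP` build that (per the earlier hunk at line 155) runs `yarn install` and `grunt` as `$app`, so every file the build creates afterwards gets its mode from `$app`'s umask — typically world-readable — and the `o-rwx` just enforced does not cover `node_modules` or the built assets; the relative position of the two blocks is inferred from the hunk offsets, not visible here. Move the three lines after the build's `popd`/`fi` (or repeat them there); since a recursive `chown` over a `node_modules` tree on every upgrade is also slow, a non-recursive `chmod 750 "$final_path"` plus a targeted pass over `content/` and `config.production.json` may be all that is needed. Also quote the owner for consistency with the quoted paths: `chown -R "$app:www-data" "$final_path"`.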