From 6d2d0204e00184a14d528fd06f9b705bfaa217b8 Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Holcroft Date: Wed, 8 Aug 2018 23:28:10 +0200 Subject: [PATCH 01/11] Improve file permissions --- README.md | 3 +-- manifest.json | 2 +- scripts/install | 6 +++++- scripts/upgrade | 11 +++++++++-- 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index d44239c..0cf1343 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,6 @@ Kresus is an open-source libre self-hosted personal finance manager. It allows y * to be added: * [ ] Email support - * [ ] Restrict more file access ($app is owner of everything, we should limit it more) * [ ] Add user who will access the app (by default every one has access to the installed app) * [ ] Email admin about installation with ynh_send_readme_to_admin helper @@ -24,4 +23,4 @@ Kresus is an open-source libre self-hosted personal finance manager. It allows y * Report a bug about this package: https://github.com/YunoHost-Apps/kresus_ynh * Report a bug about Kresus itself: https://framagit.org/kresusapp/kresus * Kresus website: https://kresus.org - * YunoHost website: https://yunohost.org/ + * YunoHost website: https://yunohost.org diff --git a/manifest.json b/manifest.json index 8944e6c..c380122 100644 --- a/manifest.json +++ b/manifest.json @@ -15,7 +15,7 @@ "requirements": { "yunohost": ">= 2.7.14" }, - "version": "0.13.2~ynh2", + "version": "0.13.2~ynh3", "multi_instance": true, "services": [ "nginx" diff --git a/scripts/install b/scripts/install index 204de79..476baa1 100644 --- a/scripts/install +++ b/scripts/install @@ -152,7 +152,11 @@ ynh_add_systemd_config #================================================= # Set permissions to app files -chown -R $app: $final_path +chown -R "$app":"$app" "$final_path/data/" +chmod -R 750 "$final_path/data/" + +# Set permissions to config file +chown "$app" "$final_path/config.ini" chmod 600 "$final_path/config.ini" #================================================= 
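Review bot: `chmod -R 750 "$final_path/data/"` in the install hunk applies the execute bit to every regular file under `data/`, not only to directories, so data files end up `rwxr-x---`; the same line is added in this commit's upgrade hunk. Set directories and files separately, `find "$final_path/data/" -type d -exec chmod 750 -- {} +` and `find "$final_path/data/" -type f -exec chmod 640 -- {} +`. `chown -R "$app":"$app"` also assumes a group named after the user exists; that is the usual result of the YunoHost user helper but is not shown on this page, whereas the removed form `chown -R "$app":` would use the user's login group without that assumption.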
diff --git a/scripts/upgrade b/scripts/upgrade index bc1f861..539918a 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -162,8 +162,15 @@ ynh_add_systemd_config # SECURE FILES AND DIRECTORIES #================================================= -# Set right permissions for curl installation -chown -R $app: $final_path +# Reset permissions +chown -R root:root "$final_path" + +# Set permissions to app files +chown -R "$app":"$app" "$final_path/data/" +chmod -R 750 "$final_path/data/" + +# Set permissions to config file +chown "$app" "$final_path/config.ini" chmod 600 "$final_path/config.ini" #================================================= From 94678ab633ed1ee2dac23ce677d08150542ec9bd Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Holcroft Date: Wed, 8 Aug 2018 23:35:41 +0200 Subject: [PATCH 02/11] Send email to admin to inform about installation and/or install --- README.md | 1 - scripts/_common.sh | 61 ++++++++++++++++++++++++++++++++++++++++++++++ scripts/install | 17 +++++++++++++ scripts/upgrade | 19 +++++++++++++++ 4 files changed, 97 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0cf1343..7930042 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,6 @@ Kresus is an open-source libre self-hosted personal finance manager. It allows y * to be added: * [ ] Email support * [ ] Add user who will access the app (by default every one has access to the installed app) - * [ ] Email admin about installation with ynh_send_readme_to_admin helper ## Links diff --git a/scripts/_common.sh b/scripts/_common.sh index c7e475c..c92fb21 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -164,3 +164,64 @@ EOF chmod +x "/etc/cron.daily/node_update" } + +# Send an email to inform the administrator +# +# usage: ynh_send_readme_to_admin app_message [recipients] +# | arg: app_message - The message to send to the administrator. +# | arg: recipients - The recipients of this email. Use spaces to separate multiples recipients. - default: root +# example: "root admin@domain" +# If you give the name of a YunoHost user, ynh_send_readme_to_admin will find its email adress for you +# example: "root admin@domain user1 user2" +ynh_send_readme_to_admin() { + local app_message="${1:-...No specific information...}" + local recipients="${2:-root}" + + # Retrieve the email of users + find_mails () { + local list_mails="$1" + local mail + local recipients=" " + # Read each mail in argument + for mail in $list_mails + do + # Keep root or a real email address as it is + if [ "$mail" = "root" ] || echo "$mail" | grep --quiet "@" + then + recipients="$recipients $mail" + else + # But replace an user name without a domain after by its email + if mail=$(ynh_user_get_info "$mail" "mail" 2> /dev/null) + then + recipients="$recipients $mail" + fi + fi + done + echo "$recipients" + } + recipients=$(find_mails "$recipients") + + local mail_subject="☁️🆈🅽🅷☁️: \`$app\` was just installed!" + + local mail_message="This is an automated message from your beloved YunoHost server. + +Specific information for the application $app. + +$app_message + +--- +Automatic diagnosis data from YunoHost + +$(yunohost tools diagnosis | grep -B 100 "services:" | sed '/services:/d')" + + # Define binary to use for mail command + if [ -e /usr/bin/bsd-mailx ] + then + local mail_bin=/usr/bin/bsd-mailx + else + local mail_bin=/usr/bin/mail.mailutils + fi + + # Send the email to the recipients + echo "$mail_message" | $mail_bin -a "Content-Type: text/plain; charset=UTF-8" -s "$mail_subject" "$recipients" +} diff --git a/scripts/install b/scripts/install index 476baa1..1d92f19 100644 --- a/scripts/install 
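Review bot: The fallback `local mail_bin=/usr/bin/mail.mailutils` in the `else` branch is never checked for existence, yet the final `echo "$mail_message" | $mail_bin ...` pipeline runs it unconditionally, so on a host with neither mailer the function fails — and since these scripts run under `ynh_abort_if_errors` (the upgrade script's context in a later patch shows it; install presumably does the same), a completed install or upgrade would be rolled back by a courtesy email. Keep the notification best-effort with a guard before the pipeline, e.g. `[ -x "$mail_bin" ] || { echo "No mail command found, skipping admin email" >&2; return 0; }`. The recipient list is also handed to the mailer as a single word, `"$recipients"`, containing embedded and leading spaces (from the `" "` initialiser in `find_mails`), so whether several addresses are delivered depends on how the mail client splits that one argument; building an array or word-splitting deliberately is the safer form. Finally, the `$(yunohost tools diagnosis | grep -B 100 "services:" | sed '/services:/d')` excerpt sends whatever the diagnosis prints before `services:` in plain text to every address in the list, which the usage comment above the function should state so operators who pass external addresses know what leaves the server.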
+++ b/scripts/install @@ -165,3 +165,20 @@ chmod 600 "$final_path/config.ini" service "$app" start service nginx reload + +#================================================= +# SEND README TO ADMIN +#================================================= + +message=" +Domain: $domain +Path : $path_url +Config: $final_path/config.ini + +Please remember the default behavior of YunoHost when installing a new app is: everyone has access to the app. +This may be an issue for Kresus as it is a personnal tool. Please remember to edit access rights in the YunoHost web administration panel or using command line interface. + +Are you facing an issue, want to improve this app or say thank you? +Please open a new issue in this project: https://github.com/YunoHost-Apps/kresus_ynh +" +ynh_send_readme_to_admin "$message" diff --git a/scripts/upgrade b/scripts/upgrade index 539918a..1ddc2cc 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -179,3 +179,22 @@ chmod 600 "$final_path/config.ini" service "$app" restart systemctl reload nginx + +#================================================= +# SEND README TO ADMIN +#================================================= + +message=" +Kresus was updated! + +Domain: $domain +Path : $path_url +Config: $final_path/config.ini + +Please remember the default behavior of YunoHost when installing a new app is: everyone has access to the app. +This may be an issue for Kresus as it is a personnal tool. Please remember to edit access rights in the YunoHost web administration panel or using command line interface. + +Are you facing an issue, want to improve this app or say thank you? +Please open a new issue in this project: https://github.com/YunoHost-Apps/kresus_ynh +" +ynh_send_readme_to_admin "$message" \ No newline at end of file From 0f51c6d7273680edee02b227bc1f49277cf4aaf0 Mon Sep 17 00:00:00 2001 
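Review bot: Both message blocks in this commit (the install hunk and the upgrade hunk) contain the typo `personnal` in `This may be an issue for Kresus as it is a personnal tool.`; the string is emailed to the administrator, so it should read `personal`, and the next patch extends the same text again. The two messages are identical apart from the `Kresus was updated!` header, so a single helper in `scripts/_common.sh` taking that header as an argument would keep them from drifting. The upgrade file also loses its trailing newline (`\ No newline at end of file`); terminate `ynh_send_readme_to_admin "$message"` with a newline.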
From: Jean-Baptiste Holcroft Date: Wed, 8 Aug 2018 23:43:20 +0200 Subject: [PATCH 03/11] add information about config.ini and ynh_backup_if_checksum_is_different --- scripts/install | 3 +++ scripts/upgrade | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/scripts/install b/scripts/install index 1d92f19..c1162f2 100644 --- a/scripts/install +++ b/scripts/install @@ -178,6 +178,9 @@ Config: $final_path/config.ini Please remember the default behavior of YunoHost when installing a new app is: everyone has access to the app. This may be an issue for Kresus as it is a personnal tool. Please remember to edit access rights in the YunoHost web administration panel or using command line interface. +Note about config.ini: this package will regenerate the config file on upgrade. +If you changed it manually and upgrade Kresus, you'll find a backup in $final_path. + Are you facing an issue, want to improve this app or say thank you? Please open a new issue in this project: https://github.com/YunoHost-Apps/kresus_ynh " diff --git a/scripts/upgrade b/scripts/upgrade index 1ddc2cc..d1fad6f 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -136,6 +136,8 @@ ynh_use_nodejs # CONFIGURE HASTE #================================================= +ynh_backup_if_checksum_is_different "$final_path/config.ini" + cp ../conf/config.ini "$final_path/config.ini" ynh_replace_string "__PORT__" "$port" "$final_path/config.ini" 
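Review bot: `ynh_backup_if_checksum_is_different "$final_path/config.ini"` only backs the file up when a stored checksum differs from the file on disk, and nowhere on this page does install or upgrade store one after writing config.ini, so on the first upgrade the helper has no reference value and, as far as I can tell, a hand-edited config.ini is overwritten by the `cp ../conf/config.ini` that follows with no backup — while the message added in the same commit (the install hunk here and the upgrade @@ -194 hunk) promises one. Add `ynh_store_file_checksum "$final_path/config.ini"` after the last `ynh_replace_string` on config.ini in both install and upgrade. The scripts treat config.ini as sensitive (`chmod 600` at the end of the script), so also confirm the backup copy the helper leaves in `$final_path` does not end up with a wider mode than the original.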
@@ -194,6 +196,9 @@ Config: $final_path/config.ini Please remember the default behavior of YunoHost when installing a new app is: everyone has access to the app. This may be an issue for Kresus as it is a personnal tool. Please remember to edit access rights in the YunoHost web administration panel or using command line interface. +Note about config.ini: this package will regenerate the config file on upgrade. +If you changed it manually and upgrade Kresus, you'll find a backup in $final_path. + Are you facing an issue, want to improve this app or say thank you? Please open a new issue in this project: https://github.com/YunoHost-Apps/kresus_ynh " From 7bfc4118f9c7a34c55316a5692ca02423a055320 Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Holcroft Date: Wed, 8 Aug 2018 23:53:57 +0200 Subject: [PATCH 04/11] add log task to readme --- README.md | 1 + scripts/upgrade | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 7930042..7e28f8e 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ Kresus is an open-source libre self-hosted personal finance manager. It allows y * to be added: * [ ] Email support + * [ ] Improve log file and add logrotate * [ ] Add user who will access the app (by default every one has access to the installed app) ## Links diff --git a/scripts/upgrade b/scripts/upgrade index d1fad6f..1c78c69 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -16,8 +16,6 @@ source /usr/share/yunohost/helpers # Exit if an error occurs during the execution of the script ynh_abort_if_errors -# TODO: handle "/home/ynh$app" to final_path migration - app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get $app domain) From 847e5fe1f24ca022e5e94d5197ba565c5bc2b318 Mon Sep 17 00:00:00 2001 
From: "J. Fernando Lagrange" Date: Sun, 19 Aug 2018 15:21:47 +0200 Subject: [PATCH 05/11] Allow 10minutes for server to respond This get rid of most "Gateway timeout" errors. Fix #18 --- conf/nginx.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/conf/nginx.conf b/conf/nginx.conf index d3ae0b8..e9bb709 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -3,6 +3,11 @@ location __PATH__/ { proxy_pass http://127.0.0.1:__PORT__; proxy_set_header Host $host; proxy_redirect off; + proxy_connect_timeout 600; + proxy_send_timeout 600; + proxy_read_timeout 600; + send_timeout 600; + # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; From 87b73e1b3ca9b0cb694c5f2dd4cd4305aa3993cb Mon Sep 17 00:00:00 2001 From: "J. Fernando Lagrange" Date: Sun, 19 Aug 2018 15:28:32 +0200 Subject: [PATCH 06/11] Allow "big" imports Fix #19 --- conf/nginx.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/conf/nginx.conf b/conf/nginx.conf index e9bb709..406079b 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -8,6 +8,9 @@ location __PATH__/ { proxy_read_timeout 600; send_timeout 600; + # allow "big" imports + client_max_body_size 8M; + # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; From 39bb116c85d2e001b9061645c8705e1edcb877de Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Holcroft Date: Sun, 2 Sep 2018 15:00:32 +0200 Subject: [PATCH 07/11] Start ARM support --- scripts/install | 5 +++-- scripts/restore | 3 ++- scripts/upgrade | 5 +++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/scripts/install b/scripts/install index 204de79..26da2f2 100644 --- a/scripts/install +++ b/scripts/install 
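Review bot: `proxy_connect_timeout 600;` cannot take effect as written — nginx documents that directive as not exceeding 75 seconds — so it should be dropped or left at the default, leaving the change to the two directives that actually address the gateway timeout, `proxy_read_timeout 600;` and `proxy_send_timeout 600;`. `send_timeout 600;` is a client-side setting: it lets a client that stops reading hold a worker connection for ten minutes between writes, which enlarges the slow-client surface of the whole `location __PATH__/` block without helping the backend wait, so I would not raise it. A one-line comment such as `# bank syncs can take minutes; keep the backend wait long enough to avoid 504s (see #18)` would record why the values are this high.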
@@ -57,7 +57,8 @@ ynh_app_setting_set "$app" port "$port" #================================================= ynh_install_app_dependencies dh-autoreconf \ - python-pip python-dev python-lxml python-imaging python-virtualenv + python-pip python-dev python-lxml python-imaging python-virtualenv \ + libxslt-dev libjpeg-dev libxml2-dev #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -102,7 +103,7 @@ ynh_install_nodejs 8 # Install weboob with pip #================================================= -virtualenv "${final_path}/venv" +virtualenv --system-site-packages "${final_path}/venv" ( set +o nounset source "${final_path}/venv/bin/activate" diff --git a/scripts/restore b/scripts/restore index a15f904..086e7b2 100644 --- a/scripts/restore +++ b/scripts/restore @@ -77,7 +77,8 @@ chmod 600 "$final_path/config.ini" # Define and install dependencies ynh_install_app_dependencies dh-autoreconf \ - python-pip python-dev python-lxml python-imaging python-virtualenv + python-pip python-dev python-lxml python-imaging python-virtualenv \ + libxslt-dev libjpeg-dev libxml2-dev #================================================= # INSTALL NODEJS diff --git a/scripts/upgrade b/scripts/upgrade index bc1f861..536b0e6 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -68,7 +68,8 @@ path_url=$(ynh_normalize_url_path $path_url) #================================================= ynh_install_app_dependencies dh-autoreconf \ - python-pip python-dev python-lxml python-imaging python-virtualenv + python-pip python-dev python-lxml python-imaging python-virtualenv \ + libxslt-dev libjpeg-dev libxml2-dev #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -111,7 +112,7 @@ ynh_install_nodejs 8 # Install weboob with pip #================================================= -virtualenv "${final_path}/venv" +virtualenv --system-site-packages "${final_path}/venv" ( set +o nounset source "${final_path}/venv/bin/activate" 
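Review bot: `virtualenv --system-site-packages "${final_path}/venv"` in the upgrade hunk (and the identical install hunk) is, on upgrade, run against a `venv` directory that already exists from a version created without the flag; whether legacy virtualenv rewrites the site-packages marker of an existing environment is not something this page shows, so either verify it or recreate the venv (`ynh_secure_remove "${final_path}/venv"` before the call) so that the apt-provided lxml/imaging packages the flag is meant to expose are actually visible. Opening the venv to system site-packages also means the pip install that follows (outside the hunk) resolves against Debian's versions of any package already installed system-wide, so the weboob dependency set is no longer fully isolated in the venv; a comment on the line stating that this is deliberate for ARM would help the next maintainer.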
From b780476d9d2fb4ed551587501f5eca18cad2bfda Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Holcroft Date: Mon, 3 Sep 2018 23:49:21 +0200 Subject: [PATCH 08/11] remove dev packages --- scripts/install | 3 +-- scripts/restore | 3 +-- scripts/upgrade | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/scripts/install b/scripts/install index c8530c1..522c066 100644 --- a/scripts/install +++ b/scripts/install @@ -57,8 +57,7 @@ ynh_app_setting_set "$app" port "$port" #================================================= ynh_install_app_dependencies dh-autoreconf \ - python-pip python-dev python-lxml python-imaging python-virtualenv \ - libxslt-dev libjpeg-dev libxml2-dev + python-pip python-dev python-lxml python-imaging python-virtualenv #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE diff --git a/scripts/restore b/scripts/restore index 086e7b2..a15f904 100644 --- a/scripts/restore +++ b/scripts/restore @@ -77,8 +77,7 @@ chmod 600 "$final_path/config.ini" # Define and install dependencies ynh_install_app_dependencies dh-autoreconf \ - python-pip python-dev python-lxml python-imaging python-virtualenv \ - libxslt-dev libjpeg-dev libxml2-dev + python-pip python-dev python-lxml python-imaging python-virtualenv #================================================= # INSTALL NODEJS diff --git a/scripts/upgrade b/scripts/upgrade index dffa9c0..d0a37d7 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -66,8 +66,7 @@ path_url=$(ynh_normalize_url_path $path_url) #================================================= ynh_install_app_dependencies dh-autoreconf \ - python-pip python-dev python-lxml python-imaging python-virtualenv \ - libxslt-dev libjpeg-dev libxml2-dev + python-pip python-dev python-lxml python-imaging python-virtualenv #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE From 0ce4979d5037b111aa9698ed5552135bf0ed7165 Mon Sep 17 00:00:00 2001 
From: Jibec Date: Thu, 6 Sep 2018 13:47:45 +0200 Subject: [PATCH 09/11] strenghen systemd security, thanks archlinux --- conf/systemd.service | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/conf/systemd.service b/conf/systemd.service index 3a10453..f336a02 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -13,6 +13,14 @@ Environment=NODE_ENV=production Environment=HOME=__NODEPATH__ ExecStart=__FINALPATH__/bin/kresus.js --config __FINALPATH__/config.ini Restart=always +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +ProtectHome=true +ProtectSystem=strict +ProtectControlGroups=yes +ProtectKernelModules=yes +ReadWritePaths=__FINALPATH__/config.ini __FINALPATH__/data/ StandardOutput=syslog StandardError=syslog From 9ec4c51cac9e6f1815c71e77df17b3d6542a23d3 Mon Sep 17 00:00:00 2001 From: Jean-Baptiste Holcroft Date: Thu, 6 Sep 2018 23:11:27 +0200 Subject: [PATCH 10/11] Upgrade to 0.13.3 --- conf/app.src | 4 ++-- manifest.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/conf/app.src b/conf/app.src index af0a8a2..e13638d 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://framagit.org/bnjbvr/kresus/-/archive/0.13.2/kresus-0.13.2.tar.bz2 -SOURCE_SUM=f5185dc12da185515df205a0a24f94c30b3fe28d3f4775d3c297779dc0503a16 +SOURCE_URL=https://framagit.org/kresusapp/kresus/-/archive/0.13.3/kresus-0.13.3.tar.bz2 +SOURCE_SUM=b1c4af2cab68dc0c02dcc625be416c1fa59105b1cbd3ec3cd93244296e047f68 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.bz2 SOURCE_IN_SUBDIR=true diff --git a/manifest.json b/manifest.json index c380122..91753a8 100644 --- a/manifest.json +++ b/manifest.json @@ -15,7 +15,7 @@ "requirements": { "yunohost": ">= 2.7.14" }, - "version": "0.13.2~ynh3", + "version": "0.13.3~ynh1", "multi_instance": true, "services": [ "nginx" From 87828aa86a71e1f683e9662937d6d0c047463a18 Mon Sep 17 00:00:00 2001 
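Review bot: `ProtectSystem=strict`, `ReadWritePaths=`, `ProtectKernelModules=` and `ProtectControlGroups=` need systemd 231/232 or newer; the manifest on this page only requires `yunohost >= 2.7.14`, and on a host whose systemd predates that the directives are logged as unknown and ignored (journal: `Unknown lvalue ... in section 'Service'`), so the unit keeps running unhardened without any failure — worth either bumping the requirement or stating the assumption in a comment above the block. The values mix `true` and `yes` (`ProtectControlGroups=yes`, `ProtectKernelModules=yes` next to `NoNewPrivileges=true`); both parse, but one spelling reads better. `ReadWritePaths=__FINALPATH__/config.ini __FINALPATH__/data/` is the only writable location left under `ProtectSystem=strict`, so confirm Kresus (and the weboob venv it drives) never writes elsewhere under `__FINALPATH__` or to a log file, since such a write would now fail at runtime rather than at install. `ProtectKernelTunables=true` and `RestrictRealtime=true` are the natural companions to this set if the supported systemd version accepts them.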
From: Jean-Baptiste Holcroft Date: Mon, 17 Sep 2018 22:24:54 +0200 Subject: [PATCH 11/11] make sure only needed files are owned by app --- scripts/install | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/install b/scripts/install index 522c066..57b01c4 100644 --- a/scripts/install +++ b/scripts/install @@ -151,6 +151,9 @@ ynh_add_systemd_config # SECURE FILES AND DIRECTORIES #================================================= +# Reset permissions +chown -R root:root "$final_path" + # Set permissions to app files chown -R "$app":"$app" "$final_path/data/" chmod -R 750 "$final_path/data/"
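Review bot: `chown -R root:root "$final_path"` changes ownership only, so everything outside `data/` keeps the mode it had from the source archive and the build, and the unit's `ExecStart=__FINALPATH__/bin/kresus.js` (from an earlier patch), the venv and the node modules must still be readable and executable by the service account, which nothing in the hunk verifies. If the unit runs as `$app` (the unit excerpt on this page does not show a `User=` line), a cheap check after the reset such as `sudo -u "$app" test -r "$final_path/bin/kresus.js" || ynh_die "Service user cannot read $final_path/bin/kresus.js"` would turn a silent start failure into an install-time error. A short comment on `# Reset permissions` saying that root ownership is intended so the service cannot modify its own code would also explain why install now mirrors the upgrade script.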