From 76b2a65e7496f7e95bcca85937fd0f1842834c4d Mon Sep 17 00:00:00 2001
From: tituspijean
Date: Sun, 30 Jul 2023 12:26:43 +0200
Subject: [PATCH] Fix Pict-RS by loosening systemd restrictions, add exiftools dependency
---
 conf/pict-rs.service | 44 ++++++++++++++++++++++----------------------
 manifest.toml | 2 +-
 scripts/install | 2 +-
 scripts/upgrade | 2 +-
 4 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/conf/pict-rs.service b/conf/pict-rs.service
index 90785ba..3ab017b 100644
--- a/conf/pict-rs.service
+++ b/conf/pict-rs.service
@@ -16,31 +16,31 @@ StandardError=inherit
 # Depending on specificities of your service/app, you may need to tweak these
 # .. but this should be a good baseline
 # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
-RestrictRealtime=yes
-DevicePolicy=closed
-ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+#NoNewPrivileges=yes
+#PrivateTmp=yes
+#PrivateDevices=yes
+#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+#RestrictNamespaces=yes
+#RestrictRealtime=yes
+#DevicePolicy=closed
+#ProtectSystem=full
+#ProtectControlGroups=yes
+#ProtectKernelModules=yes
+#ProtectKernelTunables=yes
+#LockPersonality=yes
+#SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
-CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
-CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
-CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
-CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
-CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
-CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
-CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
-CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
-CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+#CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+#CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+#CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+#CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+#CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+#CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+#CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+#CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+#CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.toml b/manifest.toml
index becd4f4..a336fd6 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -82,7 +82,7 @@ ram.runtime = "50M"
 inbox.protected = true
 [resources.apt]
- packages = "postgresql espeak libfuse2"
+ packages = "postgresql espeak libfuse2 libimage-exiftool-perl"
 extras.yarn.repo = "deb https://dl.yarnpkg.com/debian/ stable main"
 extras.yarn.key = "https://dl.yarnpkg.com/debian/pubkey.gpg"
 extras.yarn.packages = "yarn"
diff --git a/scripts/install b/scripts/install
index 90b8e56..3868d3b 100755
--- a/scripts/install
+++ b/scripts/install
@@ -90,7 +90,7 @@ chmod -R o-rwx "$install_dir"
 chown -R $app:$app "$install_dir"
 # (Dirty) Install ImageMagick
-# Requires libfuse2 apt dependency
+# Requires 'libfuse2' and 'libimage-exiftool-perl' apt dependencies
 wget https://imagemagick.org/archive/binaries/magick -o "$install_dir/pict-rs/magick" -q
 chmod 750 "$install_dir/pict-rs/magick"
 chown $app:$app "$install_dir/pict-rs/magick"
diff --git a/scripts/upgrade b/scripts/upgrade
index 6defb62..587d930 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -129,7 +129,7 @@ then
 ynh_secure_remove --file="$install_dir/build-pict-rs"
 # (Dirty) Install ImageMagick
- # Requires libfuse2 apt dependency
+ # Requires 'libfuse2' and 'libimage-exiftool-perl' apt dependencies
 wget https://imagemagick.org/archive/binaries/magick -o "$install_dir/pict-rs/magick" -q
 chmod 750 "$install_dir/pict-rs/magick"
 chown $app:$app "$install_dir/pict-rs/magick"
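Review bot: Commenting out every directive from `NoNewPrivileges=yes` down to the last `CapabilityBoundingSet=` line leaves the `[Service]` section with no sandboxing at all, which goes well beyond the "loosening" the subject describes; the hunk does not show which directive actually broke pict-rs. Given that scripts/install fetches a `magick` binary that needs libfuse2, the likely culprits are `PrivateDevices=yes`/`DevicePolicy=closed` (no access to the FUSE device) and `@mount` in `SystemCallFilter=`, but that should be confirmed from the unit's journal output before anything else is dropped. I would keep the directives that cannot affect that binary enabled, at minimum `NoNewPrivileges=yes`, `ProtectSystem=full`, `ProtectKernelModules=yes` and `ProtectKernelTunables=yes`, and disable only the confirmed-conflicting lines. Each disabled line also needs a reason next to it, e.g. `# Disabled: assumed to block the FUSE-based magick binary; re-enable once confirmed unnecessary`, otherwise the 22 commented-out lines read as leftovers rather than a decision. The `[Service]` header lies outside the hunk.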
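Review bot: The context line `wget https://imagemagick.org/archive/binaries/magick -o "$install_dir/pict-rs/magick" -q` uses lowercase `-o`, which in GNU wget names the log file, not the output file; combined with `-q` this leaves an empty file at the target path while the real download lands as `magick` in the current directory, so the following `chmod 750` and `chown` act on the wrong file. It should read `wget -q -O "$install_dir/pict-rs/magick" https://imagemagick.org/archive/binaries/magick || ynh_die --message="Failed to download magick"` so a failed download stops the script instead of leaving a broken binary in place. The binary is also fetched from an unpinned URL with no integrity check, so every install and upgrade runs whatever that endpoint currently serves as the service user; pinning a release URL and checking a published digest, e.g. `echo "<EXPECTED_SHA256>  $install_dir/pict-rs/magick" | sha256sum -c`, would close that gap. The same three lines appear unchanged in the scripts/upgrade hunk below and need the same fix.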