From 31844749267c2eb898109e3ee8b307f69828978d Mon Sep 17 00:00:00 2001
From: navanchauhan
Date: Wed, 17 Aug 2022 21:13:24 -0400
Subject: [PATCH 01/10] harden systemd

---
 conf/systemd.service | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/conf/systemd.service b/conf/systemd.service
index a5fcd31..8d32c06 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=Listmonk: newsletter and mailing list manager
 Documentation=https://listmonk.app/docs/
+After=network.target
 
 [Service]
 Type=simple
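Review bot: `After=network.target` orders the unit after the network stack only, not after the database listmonk depends on, so at boot the first start can fail until the database is up and `Restart=always` will cycle the unit until then. If the database is the local PostgreSQL unit (the `[db]` section of conf/config.toml is outside this patch, so I am inferring), `After=network.target postgresql.service` states the real dependency. `Wants=network-online.target` is only worth adding if the SMTP or database hosts are remote.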
@@ -10,5 +11,35 @@ WorkingDirectory=__FINALPATH__/ ExecStart=__FINALPATH__/listmonk Restart=always +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target From 3c766d9ee6f1130682d590c3d9641063b85b3903 Mon Sep 17 00:00:00 2001 From: navanchauhan Date: Wed, 17 Aug 2022 21:14:43 -0400 Subject: [PATCH 02/10] bump version --- manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.json b/manifest.json index 9541a8d..de3a384 100644 --- a/manifest.json +++ b/manifest.json 
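Review bot: The nine `CapabilityBoundingSet=~…` denylist lines at the end of the hunk still leave CAP_NET_BIND_SERVICE, CAP_SETUID/CAP_SETGID, CAP_CHOWN, CAP_DAC_OVERRIDE and others in the bounding set, none of which a service running as `User=__APP__` on `127.0.0.1:__PORT__` (conf/config.toml, later in this series) should need. Because the process is already unprivileged and `NoNewPrivileges=yes` is set, the bounding set only governs what could be regained through file capabilities, so a single empty allowlist `CapabilityBoundingSet=` is both tighter and simpler than the denylist; keep a denylist only if the port can be below 1024. `ProtectSystem=full` makes /usr, /boot and /etc read-only but leaves /var and /home writable — `ProtectSystem=strict` with `ReadWritePaths=__FINALPATH__` (the uploads directory created later in this series lives there) and `ProtectHome=yes` would confine writes to the app directory. The `SystemCallFilter` denylist has no `SystemCallErrorNumber=`, so a filtered call terminates the process with SIGSYS instead of returning an error; a comment saying so, e.g. `# a filtered syscall kills the process (SIGSYS) — check journalctl if the service dies silently`, will save the next maintainer a debugging session.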
@@ -6,7 +6,7 @@ "en": "Newsletter and mailing list manager", "fr": "Manager de newsletter et mailing list" }, - "version": "2.2.0~ynh1", + "version": "2.2.0~ynh2", "url": "https://listmonk.app/", "upstream": { "license": "AGPL-3.0-only", From ab4d570b9c04bbfc8f11240d4a9af86c50c739af Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Thu, 18 Aug 2022 01:14:50 +0000 Subject: [PATCH 03/10] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 90785e8..153590b 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Listmonk is a standalone, self-hosted, newsletter and mailing list manager. It is fast, feature-rich, and packed into a single binary. It uses a PostgreSQL (⩾ v9.4) database as its data store. -**Shipped version:** 2.2.0~ynh1 +**Shipped version:** 2.2.0~ynh2 **Demo:** https://demo.listmonk.app/ diff --git a/README_fr.md b/README_fr.md index bc2eb8b..2a90c7b 100644 --- a/README_fr.md +++ b/README_fr.md @@ -18,7 +18,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Listmonk is a standalone, self-hosted, newsletter and mailing list manager. It is fast, feature-rich, and packed into a single binary. It uses a PostgreSQL (⩾ v9.4) database as its data store. -**Version incluse :** 2.2.0~ynh1 +**Version incluse :** 2.2.0~ynh2 **Démo :** https://demo.listmonk.app/ From d460436f75e5c5e2523670beb6b49da8ac5d0047 Mon Sep 17 00:00:00 2001 From: navanchauhan Date: Tue, 27 Dec 2022 15:23:32 -0500 Subject: [PATCH 04/10] bump version --- conf/amd64.src | 4 ++-- conf/app.src | 4 ++-- manifest.json | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/conf/amd64.src b/conf/amd64.src index 13d7501..ae67069 100644 --- a/conf/amd64.src +++ b/conf/amd64.src 
@@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/knadh/listmonk/releases/download/v2.2.0/listmonk_2.2.0_linux_amd64.tar.gz -SOURCE_SUM=c2bdccd073d768d2b8dfbfad6469c5b41cf39b44a20c263cbaebf15876463709 +SOURCE_URL=https://github.com/knadh/listmonk/releases/download/v2.3.0/listmonk_2.3.0_linux_amd64.tar.gz +SOURCE_SUM=4ad9ff7a04e13c9f8609c705e4850046ae8a3c9a03b0c4ac04e3c1d1c8fe8b7a SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=false diff --git a/conf/app.src b/conf/app.src index af92853..0d741d0 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/knadh/listmonk/archive/refs/tags/v2.2.0.tar.gz -SOURCE_SUM=e3f1cc89972cafaab78cda38be54ab3fc115fd7846e2e7dae1b19fff002e1c77 +SOURCE_URL=https://github.com/knadh/listmonk/archive/refs/tags/v2.3.0.tar.gz +SOURCE_SUM=54cab80ca16dbf58ce40b7fc1ae88a9f8ed4c9d9a54387a77b1a90cb4dba3404 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=true diff --git a/manifest.json b/manifest.json index de3a384..5d696a3 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Newsletter and mailing list manager", "fr": "Manager de newsletter et mailing list" }, - "version": "2.2.0~ynh2", + "version": "2.3.0~ynh1", "url": "https://listmonk.app/", "upstream": { "license": "AGPL-3.0-only", From a7a0c85ab42c1cd6b57745b33ccb8b1ee1e9d231 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Tue, 27 Dec 2022 20:23:43 +0000 Subject: [PATCH 05/10] Auto-update README --- README.md | 3 +-- README_fr.md | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 153590b..3864c67 100644 --- a/README.md +++ b/README.md 
@@ -18,8 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Listmonk is a standalone, self-hosted, newsletter and mailing list manager. It is fast, feature-rich, and packed into a single binary. It uses a PostgreSQL (⩾ v9.4) database as its data store. -**Shipped version:** 2.2.0~ynh2 - +**Shipped version:** 2.3.0~ynh1 **Demo:** https://demo.listmonk.app/ diff --git a/README_fr.md b/README_fr.md index 2a90c7b..2e884fe 100644 --- a/README_fr.md +++ b/README_fr.md @@ -18,8 +18,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Listmonk is a standalone, self-hosted, newsletter and mailing list manager. It is fast, feature-rich, and packed into a single binary. It uses a PostgreSQL (⩾ v9.4) database as its data store. -**Version incluse :** 2.2.0~ynh2 - +**Version incluse :** 2.3.0~ynh1 **Démo :** https://demo.listmonk.app/ From f0773968d1a7e5fb762544e8e79ba1da39dc27bd Mon Sep 17 00:00:00 2001 From: navanchauhan Date: Tue, 27 Dec 2022 17:11:31 -0500 Subject: [PATCH 06/10] remove admin/pwd --- conf/config.toml | 4 ++-- scripts/install | 8 ++++---- scripts/upgrade | 21 +++++++++++++++------ 3 files changed, 21 insertions(+), 12 deletions(-) diff --git a/conf/config.toml b/conf/config.toml index 566e417..5ca5112 100644 --- a/conf/config.toml +++ b/conf/config.toml @@ -9,8 +9,8 @@ address = "127.0.0.1:__PORT__" # be replaced with a better multi-user, role-based authentication system. # IMPORTANT: Leave both values empty to disable authentication on admin # only where an external authentication is already setup. -admin_username = "__ADMIN__" -admin_password = "__PASSWORD__" +admin_username = "" +admin_password = "" # Database. [db] diff --git a/scripts/install b/scripts/install index 28325fa..81d5a7b 100755 --- a/scripts/install +++ b/scripts/install 
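Review bot: With `admin_username` and `admin_password` emptied, listmonk performs no authentication of its own and every route under `/admin` and `/api` trusts whatever reaches `127.0.0.1:__PORT__`; the template's own comment says this is only appropriate "where an external authentication is already setup", yet nothing in the file says where that authentication now lives. Any process on the host that can reach the loopback port (other apps, local users) bypasses the SSO entirely, which was not the case while the basic-auth credentials were set. I would add above the two lines: `# Authentication is delegated to the YunoHost SSO (permissions "admin" and "api" in scripts/install); never expose __PORT__ beyond the nginx reverse proxy.`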
@@ -28,8 +28,8 @@ ynh_abort_if_errors domain=$YNH_APP_ARG_DOMAIN path_url="/" is_public=$YNH_APP_ARG_IS_PUBLIC -admin=$YNH_APP_ARG_ADMIN -password=$YNH_APP_ARG_PASSWORD +admin="" +password="" app=$YNH_APP_INSTANCE_NAME @@ -209,12 +209,12 @@ then fi # Only the admin can access the admin panel of the app (if the app has an admin panel) -ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin --auth_header=false +ynh_permission_create --permission="admin" --url="/admin" --additional_urls="/admin /api" --allowed=$admin --auth_header=false # Everyone can access the API part # We don't want to display the tile in the SSO so we put --show_tile="false" # And we don't want the YunoHost admin to be able to remove visitors group to this permission, so we put --protected="true" -ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true" +ynh_permission_create --permission="api" --url="/public" --additional_urls="/api/public" --allowed="visitors" --show_tile="false" --protected="true" #================================================= # RELOAD NGINX diff --git a/scripts/upgrade b/scripts/upgrade index 8f4f7e7..7fc45db 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
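Review bot: `admin=""` means the later `ynh_permission_create --permission="admin" … --allowed=$admin` in this file expands to `--allowed=` on every new install, so the permission is created with whatever an empty allowed list means to the helper — presumably no group, leaving `/admin` and `/api` reachable by nobody until a group is granted by hand (patch 08 removes the manifest arguments, so there is no user to fall back on). If that is the intent, say so next to the assignment, e.g. `# no admin user is requested any more: the "admin" permission is created without an allowed group and must be granted in the YunoHost permissions panel`; otherwise pass an explicit group. `password=""` is dead now that the template no longer contains `__PASSWORD__`, so the variable and any setting that stored it (outside this hunk, if any) can be dropped.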
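Review bot: `--additional_urls="/admin /api"` repeats `/admin`, which is already the permission's `--url`, and the same two `ynh_permission_create` lines are copied verbatim into scripts/upgrade (twice, in this patch and again in patch 10); drop the duplicate URL and keep one definition of each permission. The security-relevant question is the overlap: `admin` now covers `/api` while `api`, granted to `visitors`, covers `/api/public`, and whether the longer prefix wins is a property of the SSO's URL matching that I cannot verify from here, so a check that an unauthenticated request to a non-public `/api/…` route is rejected after install belongs in the package's test run. A comment on the `api` line stating that `/api/public` is intentionally the only API prefix open to visitors would document the intent.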
@@ -70,14 +70,23 @@ fi if ! ynh_permission_exists --permission="admin"; then # Create the required permissions - ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin --auth_header=false + ynh_permission_create --permission="admin" --url="/admin" --additional_urls="/admin /api" --allowed=$admin --auth_header=false fi # Create a permission if needed if ! ynh_permission_exists --permission="api"; then - ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true" + ynh_permission_create --permission="api" --url="/public" --additional_urls="/api/public" --allowed="visitors" --show_tile="false" --protected="true" fi +if ynh_compare_current_package_version --comparison le --version 2.3.0~ynh1 + ynh_permission_delete --permission="admin" + ynh_permission_delete --permission="api" + + ynh_permission_create --permission="admin" --url="/admin" --additional_urls="/admin /api" --allowed=$admin --auth_header=false + ynh_permission_create --permission="api" --url="/public" --additional_urls="/api/public" --allowed="visitors" --show_tile="false" --protected="true" +then + + #================================================= # CREATE DEDICATED USER #================================================= 
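Review bot: The version-gated block deletes and recreates the `admin` and `api` permissions right after the two `if ! ynh_permission_exists` blocks above it, so on an upgrade from ≤ 2.3.0~ynh1 each permission is created, deleted and created again, and any extra groups an administrator had granted to `admin` are silently dropped. Since the recreation is what the migration needs, the two `if ! … exists` blocks can go, and the deletion deserves a comment such as `# URL layout changed: recreate both permissions (customised allowed groups are reset)`. `$admin` is read outside this hunk; for installs made after patch 08 it will be empty, so `--allowed=$admin` expands to `--allowed=` here as well.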
@@ -144,12 +153,12 @@ ynh_exec_warn_less ynh_install_app_dependencies $pkg_dependencies #================================================= # UPDATE A CONFIG FILE #================================================= -# ynh_script_progression --message="Updating a configuration file..." --time --weight=1 +ynh_script_progression --message="Updating a configuration file..." --time --weight=1 -# ynh_add_config --template="../conf/config.toml" --destination="$final_path/config.toml" +ynh_add_config --template="../conf/config.toml" --destination="$final_path/config.toml" -# chmod 400 "$final_path/config.toml" -# chown $app:$app "$final_path/config.toml" +chmod 400 "$final_path/config.toml" +chown $app:$app "$final_path/config.toml" #================================================= # DATABASE CONFIGURATION From 0b50e6619faa2f3321117aca958aad15bac73949 Mon Sep 17 00:00:00 2001 From: navanchauhan Date: Tue, 27 Dec 2022 17:11:43 -0500 Subject: [PATCH 07/10] autocreate uploads --- conf/systemd.service | 3 +++ 1 file changed, 3 insertions(+) diff --git a/conf/systemd.service b/conf/systemd.service index 8d32c06..ad31981 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -1,6 +1,7 @@ [Unit] Description=Listmonk: newsletter and mailing list manager Documentation=https://listmonk.app/docs/ +ConditionPathExists=__FINALPATH__/config.toml After=network.target [Service] @@ -8,6 +9,8 @@ Type=simple User=__APP__ Group=__APP__ WorkingDirectory=__FINALPATH__/ +ExecStartPre=/usr/bin/mkdir -p "__FINALPATH__/uploads" +ExecStartPre=__FINALPATH__/listmonk --config __FINALPATH__/config.toml --upgrade --yes ExecStart=__FINALPATH__/listmonk Restart=always From a9eceac6f1ca46f0613985c0d51c334c15968b66 Mon Sep 17 00:00:00 2001 From: navanchauhan Date: Tue, 27 Dec 2022 17:14:34 -0500 Subject: [PATCH 08/10] autocreate uploads --- manifest.json | 10 +--------- scripts/upgrade | 7 ++++--- 2 files changed, 5 insertions(+), 12 deletions(-) 
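Review bot: `ConditionPathExists=__FINALPATH__/config.toml` turns a missing config file into a *skipped* start rather than a failed one: `systemctl start` returns success and the unit sits inactive with a condition message, so a package start step that waits for the service to come up (not visible here) would time out without an obvious error. The `ExecStartPre` line in the next hunk already passes `--config __FINALPATH__/config.toml` and would fail loudly on a missing file anyway, so either drop the condition or use `AssertPathExists=__FINALPATH__/config.toml` so the absence is reported as a failure.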
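Review bot: `ExecStartPre=__FINALPATH__/listmonk … --upgrade --yes` runs an unattended database schema migration on every start of the unit — every boot and every `Restart=always` cycle — outside the package's upgrade script, where a backup would normally be taken first. A migration that fails at boot leaves the service in a restart loop, and one that succeeds on an incidental restart cannot be undone by the package's restore; run it once from scripts/upgrade with the new binary and keep only `ExecStart=__FINALPATH__/listmonk` here. The `mkdir -p` line runs as `User=__APP__` (no `+` prefix), so on the first start it fails if `__FINALPATH__` is not writable by that user and the directory does not exist yet; patch 08 creates the directory from the upgrade script anyway, so the unit line can go.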
diff --git a/manifest.json b/manifest.json index 5d696a3..b976221 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Newsletter and mailing list manager", "fr": "Manager de newsletter et mailing list" }, - "version": "2.3.0~ynh1", + "version": "2.3.0~ynh2", "url": "https://listmonk.app/", "upstream": { "license": "AGPL-3.0-only", @@ -38,14 +38,6 @@ "name": "is_public", "type": "boolean", "default": true - }, - { - "name": "admin", - "type": "user" - }, - { - "name": "password", - "type": "password" } ] } diff --git a/scripts/upgrade b/scripts/upgrade index 7fc45db..13cd1d1 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -79,6 +79,8 @@ if ! ynh_permission_exists --permission="api"; then fi if ynh_compare_current_package_version --comparison le --version 2.3.0~ynh1 + mkdir -p "$final_path/uploads" + ynh_permission_delete --permission="admin" ynh_permission_delete --permission="api" @@ -102,11 +104,10 @@ ynh_system_user_create --username=$app --home_dir="$final_path" if [ "$upgrade_type" == "UPGRADE_APP" ] then ynh_script_progression --message="Upgrading source files..." --weight=5 - # Download, check integrity, uncompress and patch the source from app.src if [ $YNH_ARCH == "armhf" ] || [ $YNH_ARCH == "arm64" ] then - ynh_setup_source --dest_dir="$final_path/build" --keep="$final_path/config.toml" + ynh_setup_source --dest_dir="$final_path/build" --keep="$final_path/config.toml uploads" # Install Nodejs ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version # Install Yarn @@ -126,7 +127,7 @@ then ynh_remove_nodejs ynh_secure_remove --file="$final_path/build" else - ynh_setup_source --dest_dir="$final_path" --source_id=$YNH_ARCH --keep="$final_path/config.toml" + ynh_setup_source --dest_dir="$final_path" --source_id=$YNH_ARCH --keep="$final_path/config.toml uploads" fi fi From 4935e6044e1bd343061508e0efd46013df9ddc3e Mon Sep 17 00:00:00 2001 
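Review bot: `mkdir -p "$final_path/uploads"` creates the directory as root (the upgrade script runs as root) with no `chown`, so listmonk, running as `$app`, cannot write uploads into it unless a later `chown -R` of `$final_path` happens outside this hunk; if it does not, add `chown $app:$app "$final_path/uploads"` right after the mkdir. The line is also gated on the version comparison, so the directory is only created on this one migration; unless the `ExecStartPre` from patch 07 is kept, scripts/install needs the same line for fresh installs.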
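Review bot: `--keep="$final_path/config.toml uploads"` mixes an absolute and a relative path in one list, and both cannot be right: if `ynh_setup_source --keep` resolves entries relative to `--dest_dir` (I believe it does, but cannot confirm from here), the `config.toml` entry becomes a bogus double-rooted path and is silently not preserved, while on the armhf/arm64 branch `uploads` is looked up under `$final_path/build`, where it does not exist. The same line appears in the amd64 hunk below (`@@ -126`). Use one convention in both places, e.g. `--keep="config.toml uploads"`, and verify once that `uploads` survives an upgrade; since patch 06 regenerates config.toml on every upgrade anyway, `uploads` is the entry that actually matters.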
From: yunohost-bot Date: Tue, 27 Dec 2022 22:15:28 +0000 Subject: [PATCH 09/10] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3864c67..b082b20 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Listmonk is a standalone, self-hosted, newsletter and mailing list manager. It is fast, feature-rich, and packed into a single binary. It uses a PostgreSQL (⩾ v9.4) database as its data store. -**Shipped version:** 2.3.0~ynh1 +**Shipped version:** 2.3.0~ynh2 **Demo:** https://demo.listmonk.app/ diff --git a/README_fr.md b/README_fr.md index 2e884fe..f4f2b34 100644 --- a/README_fr.md +++ b/README_fr.md @@ -18,7 +18,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Listmonk is a standalone, self-hosted, newsletter and mailing list manager. It is fast, feature-rich, and packed into a single binary. It uses a PostgreSQL (⩾ v9.4) database as its data store. -**Version incluse :** 2.3.0~ynh1 +**Version incluse :** 2.3.0~ynh2 **Démo :** https://demo.listmonk.app/ From 316e6bc5e02b1195d748d101afa5e84c5e45b335 Mon Sep 17 00:00:00 2001 From: navanchauhan Date: Tue, 27 Dec 2022 17:22:26 -0500 Subject: [PATCH 10/10] fix if-fi --- scripts/upgrade | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/upgrade b/scripts/upgrade index 13cd1d1..e031eb6 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -79,6 +79,7 @@ if ! ynh_permission_exists --permission="api"; then fi if ynh_compare_current_package_version --comparison le --version 2.3.0~ynh1 +then mkdir -p "$final_path/uploads" ynh_permission_delete --permission="admin" 
@@ -86,7 +87,7 @@ if ynh_compare_current_package_version --comparison le --version 2.3.0~ynh1 ynh_permission_create --permission="admin" --url="/admin" --additional_urls="/admin /api" --allowed=$admin --auth_header=false ynh_permission_create --permission="api" --url="/public" --additional_urls="/api/public" --allowed="visitors" --show_tile="false" --protected="true" -then +fi #=================================================