From abe590e1388a6f4250a7ec5d679e58398023f7a2 Mon Sep 17 00:00:00 2001
From: Dante
Date: Thu, 2 Mar 2023 15:10:04 +0000
Subject: [PATCH] Improve systemd security, fix encryption wrong value and remove local option
---
 conf/systemd.service | 12 ++++++++++++
 manifest.json | 4 ++--
 scripts/install | 8 ++++++--
 3 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/conf/systemd.service b/conf/systemd.service
index c16a18b..0bcb2dc 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -33,5 +33,17 @@ SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index 3289c2a..3b340b2 100644
--- a/manifest.json
+++ b/manifest.json
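Review bot: `CAP_RAWIO` in the first added `CapabilityBoundingSet=` line of conf/systemd.service is not a capability name from capabilities(7); the raw I/O capability is `CAP_SYS_RAWIO`, so as written it is most likely not removed from the bounding set (how systemd treats the unknown name varies by version — check with `systemd-analyze verify`). The line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. Because these lines form a deny-list, every capability not named (`CAP_DAC_OVERRIDE`, `CAP_SETUID`, `CAP_SYS_CHROOT`, `CAP_BPF` and others) stays available to the service. If the service runs as an unprivileged user (the `User=` setting is outside this hunk), an allow-list such as an empty `CapabilityBoundingSet=` would be tighter and easier to audit; `systemd-analyze security <unit>` shows what remains.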
@@ -105,8 +105,8 @@
 },
 "example": "@johndoe:server.name or server.name or *",
 "help": {
- "en": "A remote or local user (@johndoe:server.name), a remote server (matrix.org), or all remote/local servers (*) can be authorized.\nGive the Matrix server_name, not the full domain/URL.\nIt is also possible to specify multiple values by separating them with comma. Example: @johndoe:server.name,domain.tld,matrix.org",
- "fr": "Un compte local ou distant (@johndoe:server.name), un serveur distant (matrix.org), ou tous les serveurs remote/local (*).\nDonner le nom du serveur Matrix, pas le domaine/URL complet\nIl est également possible de spécifier plusieurs valeurs en les séparant par une virgule. Exemple : @johndoe:server.name,domain.tld,matrix.org"
+ "en": "A remote or local user (@johndoe:server.name),the local server (server.name), a remote server (matrix.org), or all remote/local servers (*) can be authorized.\nGive the Matrix server_name, not the full domain/URL.\nIt is also possible to specify multiple values by separating them with comma. Example: @johndoe:server.name,domain.tld,matrix.org",
+ "fr": "Un compte local ou distant (@johndoe:server.name), le serveur local (server.name), un serveur distant (matrix.org), ou tous les serveurs remote/local (*).\nDonner le nom du serveur Matrix, pas le domaine/URL complet\nIl est également possible de spécifier plusieurs valeurs en les séparant par une virgule. Exemple : @johndoe:server.name,domain.tld,matrix.org"
 }
 }
 ]
diff --git a/scripts/install b/scripts/install
index d81bb5c..951125a 100755
--- a/scripts/install
+++ b/scripts/install
@@ -44,9 +44,13 @@ server_name=$(ynh_app_setting_get --app $synapse_instance --key server_name)
 domain=$(ynh_app_setting_get --app $synapse_instance --key domain)
 synapse_db_name="matrix_$synapse_instance"
-if [ "$listuser" == "local" ]
+# This is needed to convert the value from the manifest to a valid value for the config.yaml file.
+# Without this the install script will throw a warning.
+if [ "$encryption" -eq "1" ]
 then
- listuser="$server_name"
+ encryption="true"
+else
+ encryption="false"
 fi
 #=================================================
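Review bot: The added test `[ "$encryption" -eq "1" ]` is an integer comparison, so an empty or non-numeric `$encryption` (for example a value that is already `true`) makes `[` fail with "integer expression expected" and the script falls through to `encryption="false"`. For a setting that controls encryption, silently defaulting to off on unexpected input is the unsafe direction. A string comparison, `if [ "$encryption" = "1" ]`, removes the runtime error. Adding an explicit branch for `0` and aborting on anything else (e.g. with `ynh_die`) would keep a malformed value from disabling encryption unnoticed. The script continues outside this hunk, so where `$encryption` is assigned is not visible here.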