From a22e478d36bd0c51b8712b6e37f33471eddd0799 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 31 May 2021 19:38:29 +0200 Subject: [PATCH 1/2] No is_public anymore, use ynh_permission_has_user --permission=main --user=visitors --- scripts/upgrade | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/upgrade b/scripts/upgrade index 7f3e463..315e1c5 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -168,7 +168,9 @@ popd # UPDATE A CONFIG FILE #================================================= ynh_script_progression --message="Updating a configuration file..." -if [ $is_public -eq 1 ]; then + +if ynh_permission_has_user --permission=main --user=visitors +then announce="true" else announce="fase" From f9d63a31eb8792e139fc0ad35229ec8ffa38d48a Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Wed, 8 Sep 2021 10:20:13 +0200 Subject: [PATCH 2/2] Update systemd.service --- conf/systemd.service | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/conf/systemd.service b/conf/systemd.service index 8bb9f42..de343ff 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -10,5 +10,35 @@ User=__APP__ Group=__APP__ ExecStart=__FINALPATH__/bin/minetestserver --config /home/yunohost.app/__APP__/.minetest/minetest.conf --logfile /var/log/__APP__/__APP__.log +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target