From 16bc23468962b39e25cf8007a0b5c76f32c98bef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Pi=C3=A9dallu?=
Date: Sat, 23 Mar 2024 21:13:25 +0100
Subject: [PATCH 1/4] Some cleanups in scripts (phpversion is useless)
---
 manifest.toml | 4 +++-
 scripts/install | 4 ++--
 scripts/upgrade | 11 ++++++-----
 3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/manifest.toml b/manifest.toml
index 51c9161..fd95728 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -23,8 +23,10 @@ cpe = "cpe:2.3:a:movim:movim"
 yunohost = ">= 11.2"
 architectures = "all"
 multi_instance = false
+
 ldap = false
-sso = false
+sso = true
+
 disk = "50M"
 ram.build = "100M"
 ram.runtime = "50M"
diff --git a/scripts/install b/scripts/install
index e2d0707..5811cdd 100644
--- a/scripts/install
+++ b/scripts/install
@@ -56,9 +56,9 @@ chown "$app:$app" "$install_dir/config/db.inc.php"
 ynh_script_progression --message="Building Movim..."
 # Install composer
-ynh_exec_warn_less ynh_install_composer --phpversion="$phpversion" --workdir="$install_dir"
+ynh_install_composer
-ynh_exec_warn_less ynh_composer_exec --phpversion="$phpversion" --workdir="$install_dir" --commands="movim:migrate"
+ynh_exec_warn_less ynh_composer_exec --commands="movim:migrate"
 ynh_exec_as "$app" "php$phpversion" "$install_dir/daemon.php" config --username="$admin" --password="$password" --quiet
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 3db1413..066795f 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
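Review bot: The `-sso = false` / `+sso = true` flip in manifest.toml is not covered by the subject ("Some cleanups in scripts (phpversion is useless)") and is a functional claim rather than a cleanup: as I understand the YunoHost manifest, this key advertises that the app logs users in through the YunoHost SSO portal. Next to the `ldap = false` context line that is an unusual combination, and if Movim still authenticates users with their XMPP credentials the key should stay `sso = false`. If the integration is real, a sentence in the commit message or a separate commit would make it reviewable.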
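Review bot: `$phpversion` is not actually unused after this change in scripts/install: the context line `ynh_exec_as "$app" "php$phpversion" "$install_dir/daemon.php" ...` still interpolates it to select the PHP binary, so if the variable is dropped from the script elsewhere (outside this hunk) that line would execute a bare `php`. Either leave the variable defined for that line or rewrite the line in the same commit. Separately, the install side loses the wrapper (`+ynh_install_composer`) while the upgrade hunk keeps `ynh_exec_warn_less ynh_install_composer`; the two scripts should use the same form. Dropping `--workdir="$install_dir"` presumably relies on the helper defaulting to `$install_dir`, which matches what the upgrade hunk does.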
@@ -66,10 +66,11 @@ chown "$app:$app" "$install_dir/config/db.inc.php"
 #=================================================
 ynh_script_progression --message="Building Movim..."
-ynh_exec_warn_less ynh_install_composer --phpversion="$phpversion" --workdir="$install_dir"
-ynh_exec_warn_less ynh_composer_exec --phpversion="$phpversion" --workdir="$install_dir" --commands="config --global discard-changes true --quiet"
-ynh_exec_warn_less ynh_composer_exec --phpversion="$phpversion" --workdir="$install_dir" --commands="update --no-interaction --quiet"
-ynh_exec_warn_less ynh_composer_exec --phpversion="$phpversion" --workdir="$install_dir" --commands="movim:migrate --quiet"
+ynh_exec_warn_less ynh_install_composer
+
+ynh_exec_warn_less ynh_composer_exec --commands="config --global discard-changes true --quiet"
+ynh_exec_warn_less ynh_composer_exec --commands="update --no-interaction --quiet"
+ynh_exec_warn_less ynh_composer_exec --commands="movim:migrate --quiet"
 #=================================================
 # REAPPLY SYSTEM CONFIGURATIONS
@@ -77,7 +78,7 @@ ynh_exec_warn_less ynh_composer_exec --phpversion="$phpversion" --workdir="$inst
 ynh_script_progression --message="Upgrading system configurations related to $app..." --weight=1
 # Create a dedicated PHP-FPM config
-ynh_add_fpm_config --phpversion="$phpversion" --usage="$fpm_usage" --footprint="$fpm_footprint"
+ynh_add_fpm_config --usage="$fpm_usage" --footprint="$fpm_footprint"
 # Create a dedicated NGINX config
 ynh_add_nginx_config
From 1c621021e451b5c78f2a59e8c5a8e71476ce3a76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Pi=C3=A9dallu?=
Date: Sat, 23 Mar 2024 21:20:49 +0100
Subject: [PATCH 2/4] Add postgresql as a systemd dependency
---
 conf/systemd.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/systemd.service b/conf/systemd.service
index 7403f00..4816ef4 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Movim: responsive web-based XMPP client
-After=nginx.service network.target local-fs.target postgresql.service
+After=nginx.service network.target local-fs.target
 [Service]
 Type=simple
From 285b27c6919697b8a476d73d8d3eb142bd958dc4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Pi=C3=A9dallu?=
Date: Sat, 23 Mar 2024 21:21:05 +0100
Subject: [PATCH 3/4] Add systemd service security sandboxing
---
 conf/systemd.service | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/conf/systemd.service b/conf/systemd.service
index 4816ef4..8e6662d 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
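Review bot: The new `After=` line drops `postgresql.service` while the subject says the commit adds PostgreSQL as a dependency: the `-` line is the one naming it and the `+` line no longer does. Unless this is a deliberate revert of an earlier addition, the new side should keep it, `After=nginx.service network.target local-fs.target postgresql.service`. Note that `After=` only orders startup; for systemd to actually start the database with the daemon a `Wants=postgresql.service` line is needed as well (the rest of the [Unit] section is outside this hunk).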
@@ -16,5 +16,35 @@ PIDFile=/run/movim.pid
 Restart=on-failure
 RestartSec=10
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
From b89bdab3a0572aa7393e6dccdef3aebdc86e7ccf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Pi=C3=A9dallu?=
Date: Sat, 23 Mar 2024 22:32:22 +0100
Subject: [PATCH 4/4] Fix typo
---
 scripts/upgrade | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/upgrade b/scripts/upgrade
index 066795f..b41fa4f 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
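Review bot: `CAP_RAWIO` on the first `CapabilityBoundingSet=` line is not a capability defined by the capabilities(7) page the comment links to; the real name is `CAP_SYS_RAWIO`, so the line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD` (as far as I know systemd only logs an unknown-name warning for the typo, and `PrivateDevices=yes` happens to drop both of these capabilities anyway, so the effect today is noise rather than a hole). `SystemCallFilter=~... @setuid ...` terminates the process with SIGSYS if the daemon switches uid/gid itself, which is only safe when the unit's `User=`/`Group=` (outside this hunk) let systemd perform the switch before the filter is installed; worth confirming against the full unit. `DevicePolicy=closed` is already implied by `PrivateDevices=yes` and can go. `ProtectSystem=full` keeps /var and /run writable, so the `PIDFile=/run/movim.pid` context line still works; if the daemon only needs its install and state directories, `ProtectSystem=strict` with `ReadWritePaths=` is the tighter form, and `ProtectHome=yes`, `ProtectKernelLogs=yes`, `ProtectClock=yes`, `ProtectHostname=yes` and `SystemCallArchitectures=native` are cheap additions documented on the same systemd.exec page.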
@@ -54,7 +54,7 @@ chown -R "$app:www-data" "$install_dir"
 #=================================================
 # UPDATE A CONFIG FILE
 #=================================================
-ynh_script_progression --message="Updating $ap's configuration file..."
+ynh_script_progression --message="Updating $app's configuration file..."
 ynh_add_config --template="db.example.inc.php" --destination="$install_dir/config/db.inc.php"