From 15ec2b1e9bc3906390fe8df28057647bcefaf6cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Sat, 31 Aug 2024 16:17:26 +0200
Subject: [PATCH 1/3] Update install
---
 scripts/install | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/scripts/install b/scripts/install
index 8730de9..d1d43df 100755
--- a/scripts/install
+++ b/scripts/install
@@ -3,6 +3,9 @@
 source _common.sh
 source /usr/share/yunohost/helpers
+key=$(ynh_string_random --length=45 | base64)
+ynh_app_setting_set --app=$app --key=key --value=$key
+
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
 #=================================================
From 5e11d71df77ac6d1ae6bf3e57899859d06de0c19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Sat, 31 Aug 2024 16:18:59 +0200
Subject: [PATCH 2/3] Update systemd.service
---
 conf/systemd.service | 1 +
 1 file changed, 1 insertion(+)
diff --git a/conf/systemd.service b/conf/systemd.service
index 1141906..79b8ac6 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -11,6 +11,7 @@ WorkingDirectory=__INSTALL_DIR__/
 ExecStart=__INSTALL_DIR__/shiori server --port __PORT__ --webroot __PATH__
 Restart=always
 Environment="SHIORI_DIR=__DATA_DIR__"
+Environment="SHIORI_HTTP_SECRET_KEY=__KEY__"
 [Install]
 WantedBy=multi-user.target
From 00b13c81c7bb60c635f2a4254bccf85c9f67fa74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Sat, 31 Aug 2024 16:24:49 +0200
Subject: [PATCH 3/3] Update systemd.service
---
 conf/systemd.service | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/conf/systemd.service b/conf/systemd.service
index 79b8ac6..80366ba 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
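Review bot: The two added lines expand `$app` and `$key` unquoted, and the `| base64` stage is a deterministic transform that cannot add randomness to what `ynh_string_random` already produced; `key=$(ynh_string_random --length=45)` and `ynh_app_setting_set --app="$app" --key=key --value="$key"` are sufficient. This hunk only covers a fresh install; instances upgraded from an earlier version presumably have no `key` setting yet, so the upgrade script (not part of this series) should generate one when it is unset, otherwise `__KEY__` in the rendered unit would be substituted with an empty value. The setting name `key` is also generic; a name such as `http_secret_key` would document what the value is for. The install script continues beyond this hunk.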
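Review bot: `Environment="SHIORI_HTTP_SECRET_KEY=__KEY__"` embeds the HTTP session secret in the unit file itself, where it is typically visible to any local user via `systemctl show <unit> -p Environment` and, unless the helper that renders the template restricts the file mode, by reading the unit under /etc/systemd/system. Keeping the secret out of the unit limits exposure to the service process: `EnvironmentFile=` pointing at a root-owned 0600 file written at install time, or `LoadCredential=` on systemd versions that support it. The `[Service]` section this line belongs to starts outside the hunk.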
@@ -13,5 +13,39 @@ Restart=always
 Environment="SHIORI_DIR=__DATA_DIR__"
 Environment="SHIORI_HTTP_SECRET_KEY=__KEY__"
+### Depending on specificities of your service/app, you may need to tweak these
+### .. but this should be a good baseline
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
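Review bot: `ProtectSystem=full` only makes /usr, /boot and /etc read-only, so the service can still write anywhere else its user has permission for; `ProtectSystem=strict` together with `ReadWritePaths=__DATA_DIR__` would confine writes to the directory the unit already declares through `SHIORI_DIR`. `ProtectHome=yes` is absent from the list; whether it can be enabled depends on where `__DATA_DIR__` resolves, since that path must not live under /home for the option to be safe. `AF_NETLINK` in `RestrictAddressFamilies` is rarely needed by a web application and could be dropped if the server starts and serves cleanly without it. The block is a generic baseline, so the resulting unit should be checked with `systemd-analyze security <unit>` after install to confirm the options are effective on the target systemd version.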