diff --git a/README.md b/README.md index 910eee9..603d6b9 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ Shiori is a simple bookmarks manager written in Go language. Intended as a simpl [Shiori Web Extension](https://github.com/go-shiori/shiori-web-ext) is a simple extension for managing bookmarks using Shiori. This extension is intended to integrate Shiori with your favorite web browser. This way, you can save and remove bookmarks in Shiori without switching from your current page. -**Shipped version:** 1.5.2~ynh2 +**Shipped version:** 1.5.3~ynh1 **Demo:** https://demo.example.com diff --git a/README_fr.md b/README_fr.md index d5924eb..79483a9 100644 --- a/README_fr.md +++ b/README_fr.md @@ -30,7 +30,7 @@ Shiori is a simple bookmarks manager written in Go language. Intended as a simpl [Shiori Web Extension](https://github.com/go-shiori/shiori-web-ext) is a simple extension for managing bookmarks using Shiori. This extension is intended to integrate Shiori with your favorite web browser. This way, you can save and remove bookmarks in Shiori without switching from your current page. -**Version incluse :** 1.5.2~ynh2 +**Version incluse :** 1.5.3~ynh1 **Démo :** https://demo.example.com diff --git a/conf/amd64.src b/conf/amd64.src index 1e5cc28..c5445a6 100644 --- a/conf/amd64.src +++ b/conf/amd64.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.2/shiori_1.5.2_Linux_x86_64.tar.gz -SOURCE_SUM=f58973ecd77ee24074b31955ddac2a3518e305dba369943de7e4a267899cc136 +SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.3/shiori_1.5.3_Linux_x86_64.tar.gz +SOURCE_SUM=967f3984f8b7e1d27a829eacfa6121aaef24c040c5819df07ee2ba4dd5817522 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=false diff --git a/conf/arm64.src b/conf/arm64.src index 55707b7..d7f6302 100644 --- a/conf/arm64.src +++ b/conf/arm64.src 
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.2/shiori_1.5.2_Linux_aarch64.tar.gz
-SOURCE_SUM=0143dfd12336a804c4cdcb845b7b7c62315ea4770775c6e3a7092e38ac769dda
+SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.3/shiori_1.5.3_Linux_aarch64.tar.gz
+SOURCE_SUM=869da34d1a6ecf20eb16c36f1ab631572098d556c84d4d3d084cee8d58e21df2
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/armhf.src b/conf/armhf.src
index f757ce1..4300150 100644
--- a/conf/armhf.src
+++ b/conf/armhf.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.2/shiori_1.5.2_Linux_armv7.tar.gz
-SOURCE_SUM=71482bc63850d9b74a4c18b72548f58f8c7e04dbfd95695058cc8da99f5f2bdf
+SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.3/shiori_1.5.3_Linux_armv7.tar.gz
+SOURCE_SUM=0558d168a844b24851af013805ffd20411f2067cad211b610587a405f86af166
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/systemd.service b/conf/systemd.service
index ae18c37..b6cc2dd 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -12,5 +12,35 @@ ExecStart=__FINALPATH__/shiori serve --port __PORT__ --webroot __PATH__ Restart=always Environment="SHIORI_DIR=__DATADIR__" +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/manifest.json b/manifest.json index fdd82c5..060d52c 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Simple bookmark manager", "fr": "Gestionnaire de liens simple" }, - "version": "1.5.2~ynh2", + "version": "1.5.3~ynh1", "url": "https://github.com/go-shiori/shiori", "upstream": { "license": "MIT", diff --git a/scripts/restore b/scripts/restore index 61c4223..eafc2d7 100755 --- a/scripts/restore +++ b/scripts/restore 
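Review bot: `CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD` names a capability that does not exist; capabilities(7), which the comment above that line links, lists it as CAP_SYS_RAWIO. systemd most likely logs a parse warning and skips the unknown name, so raw I/O port and /dev/mem access would stay in the bounding set while the unit still reads as hardened; the line should be `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. Running `systemd-analyze security` on the installed unit and checking the journal for parse warnings after a daemon reload would confirm that each added directive actually took effect. The [Service] section starts above the hunk, so whether a non-root `User=` is set cannot be seen from here.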
@@ -34,7 +34,8 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir) #================================================= ynh_script_progression --message="Validating restoration parameters..." --weight=1 -test ! -d $final_path || ynh_die --message="There is already a directory: $final_path" +test ! -d $final_path \ + || ynh_die --message="There is already a directory: $final_path" #================================================= # STANDARD RESTORATION STEPS diff --git a/scripts/upgrade b/scripts/upgrade index 4953279..d1a336b 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -21,7 +21,6 @@ path_url=$(ynh_app_setting_get --app=$app --key=path) port=$(ynh_app_setting_get --app=$app --key=port) final_path=$(ynh_app_setting_get --app=$app --key=final_path) datadir=$(ynh_app_setting_get --app=$app --key=datadir) -architecture=$YNH_ARCH #================================================= # CHECK VERSION