From f7f7e4c65d3e105f02d4c140a8e5c0f46ba38621 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Thu, 23 Jun 2022 09:44:03 +0200
Subject: [PATCH 1/6] 1.5.3
---
 conf/amd64.src | 4 ++--
 conf/arm64.src | 4 ++--
 conf/armhf.src | 4 ++--
 manifest.json | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/conf/amd64.src b/conf/amd64.src
index 1e5cc28..44f44d8 100644
--- a/conf/amd64.src
+++ b/conf/amd64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.2/shiori_1.5.2_Linux_x86_64.tar.gz
-SOURCE_SUM=f58973ecd77ee24074b31955ddac2a3518e305dba369943de7e4a267899cc136
+SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.3/shiori_1.5.3_Linux_x86_64.tar.gz
+SOURCE_SUM=0f54fc8af09c7228c2221f04432ed1c53414df9f9c9e613cf2a3219e9047b3f1
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/arm64.src b/conf/arm64.src
index 55707b7..fe7f020 100644
--- a/conf/arm64.src
+++ b/conf/arm64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.2/shiori_1.5.2_Linux_aarch64.tar.gz
-SOURCE_SUM=0143dfd12336a804c4cdcb845b7b7c62315ea4770775c6e3a7092e38ac769dda
+SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.3/shiori_1.5.3_Linux_aarch64.tar.gz
+SOURCE_SUM=15ffbfee5afe467b4cbd2b0a05a07a9bfceb1a26fc9ad62e1684746c2ca221a4
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/armhf.src b/conf/armhf.src
index f757ce1..4300150 100644
--- a/conf/armhf.src
+++ b/conf/armhf.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.2/shiori_1.5.2_Linux_armv7.tar.gz
-SOURCE_SUM=71482bc63850d9b74a4c18b72548f58f8c7e04dbfd95695058cc8da99f5f2bdf
+SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.3/shiori_1.5.3_Linux_armv7.tar.gz
+SOURCE_SUM=0558d168a844b24851af013805ffd20411f2067cad211b610587a405f86af166
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/manifest.json b/manifest.json
index fdd82c5..060d52c 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Simple bookmark manager",
 "fr": "Gestionnaire de liens simple"
 },
- "version": "1.5.2~ynh2",
+ "version": "1.5.3~ynh1",
 "url": "https://github.com/go-shiori/shiori",
 "upstream": {
 "license": "MIT",
From 3ffb32f78ea869f6f174b07122fd1b776eb1a828 Mon Sep 17 00:00:00 2001
From: yunohost-bot
Date: Thu, 23 Jun 2022 07:44:10 +0000
Subject: [PATCH 2/6] Auto-update README
---
 README.md | 2 +-
 README_fr.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 910eee9..603d6b9 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ Shiori is a simple bookmarks manager written in Go language. Intended as a simpl
 [Shiori Web Extension](https://github.com/go-shiori/shiori-web-ext) is a simple extension for managing bookmarks using Shiori. This extension is intended to integrate Shiori with your favorite web browser. This way, you can save and remove bookmarks in Shiori without switching from your current page.
-**Shipped version:** 1.5.2~ynh2
+**Shipped version:** 1.5.3~ynh1
 **Demo:** https://demo.example.com
diff --git a/README_fr.md b/README_fr.md
index d5924eb..79483a9 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -30,7 +30,7 @@ Shiori is a simple bookmarks manager written in Go language. Intended as a simpl
 [Shiori Web Extension](https://github.com/go-shiori/shiori-web-ext) is a simple extension for managing bookmarks using Shiori. This extension is intended to integrate Shiori with your favorite web browser. This way, you can save and remove bookmarks in Shiori without switching from your current page.
-**Version incluse :** 1.5.2~ynh2
+**Version incluse :** 1.5.3~ynh1
 **Démo :** https://demo.example.com
From adb5c804113ec8c6c1bb9bba6b38daa069c796c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Thu, 23 Jun 2022 09:47:27 +0200
Subject: [PATCH 3/6] Cleaning up
---
 conf/systemd.service | 30 ++++++++++++++++++++++++++++++
 scripts/restore | 3 ++-
 scripts/upgrade | 1 -
 3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/conf/systemd.service b/conf/systemd.service
index ae18c37..b6cc2dd 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -12,5 +12,35 @@ ExecStart=__FINALPATH__/shiori serve --port __PORT__ --webroot __PATH__
 Restart=always
 Environment="SHIORI_DIR=__DATADIR__"
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/scripts/restore b/scripts/restore
index 61c4223..9c610cb 100755
--- a/scripts/restore
+++ b/scripts/restore
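Review bot: `CAP_RAWIO` in the first `CapabilityBoundingSet=` line is not a name listed in capabilities(7), the page the comment above it links to; the capability is `CAP_SYS_RAWIO`. As written, systemd should log a parse warning and skip that entry, so raw I/O stays in the bounding set while the unit appears to drop it; the line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. Separately, `ProtectSystem=full` makes only /usr, the boot loader directories and /etc read-only; if the service writes nowhere but `__DATADIR__`, `ProtectSystem=strict` together with `ReadWritePaths=__DATADIR__` would be tighter, though that needs a test run. The [Service] section starts above the hunk, so `User=` and any other existing settings are not visible here.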
@@ -34,7 +34,8 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir)
 #=================================================
 ynh_script_progression --message="Validating restoration parameters..." --weight=1
-test ! -d $final_path || ynh_die --message="There is already a directory: $final_path"
+test ! -d $final_path
+ || ynh_die --message="There is already a directory: $final_path"
 #=================================================
 # STANDARD RESTORATION STEPS
diff --git a/scripts/upgrade b/scripts/upgrade
index 4953279..d1a336b 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -21,7 +21,6 @@ path_url=$(ynh_app_setting_get --app=$app --key=path)
 port=$(ynh_app_setting_get --app=$app --key=port)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 datadir=$(ynh_app_setting_get --app=$app --key=datadir)
-architecture=$YNH_ARCH
 #=================================================
 # CHECK VERSION
From 712b5898b1bdae6176b090ae92a2bf7dfd823764 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Fri, 24 Jun 2022 00:04:35 +0200
Subject: [PATCH 4/6] Fix
---
 conf/amd64.src | 2 +-
 conf/arm64.src | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/conf/amd64.src b/conf/amd64.src
index 44f44d8..c5445a6 100644
--- a/conf/amd64.src
+++ b/conf/amd64.src
@@ -1,5 +1,5 @@
 SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.3/shiori_1.5.3_Linux_x86_64.tar.gz
-SOURCE_SUM=0f54fc8af09c7228c2221f04432ed1c53414df9f9c9e613cf2a3219e9047b3f1
+SOURCE_SUM=967f3984f8b7e1d27a829eacfa6121aaef24c040c5819df07ee2ba4dd5817522
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/arm64.src b/conf/arm64.src
index fe7f020..d7f6302 100644
--- a/conf/arm64.src
+++ b/conf/arm64.src
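Review bot: The new line break before `||` in scripts/restore has no trailing backslash, so the shell ends the `test` command at the newline and the next line begins with `||`, which bash rejects as a syntax error; the "directory already exists" guard never reaches `ynh_die`. Write it as `test ! -d "$final_path" \` followed by `|| ynh_die --message="There is already a directory: $final_path"`. PATCH 5/6 later adds the backslash, so squashing that fix into this commit would keep every commit in the series runnable. Quoting `$final_path` inside `test` is a separate style point: unquoted, a path containing whitespace is split into several arguments.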
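Review bot: `SOURCE_SUM` for the amd64 archive changes here while `SOURCE_URL` still points at the same v1.5.3 asset, and the commit message ("Fix") gives no reason; the arm64 hunk in this commit does the same. Either the sums added in PATCH 1/6 were computed incorrectly or the upstream release assets were replaced after publication, and the second case should be ruled out before the new value is pinned. Please state in the commit message how the new sums were obtained, for example `Recomputed with sha256sum on the downloaded release asset and compared with the upstream checksum list` if upstream publishes one. conf/armhf.src keeps the sum from PATCH 1/6, so that value is worth re-checking the same way.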
@@ -1,5 +1,5 @@
 SOURCE_URL=https://github.com/go-shiori/shiori/releases/download/v1.5.3/shiori_1.5.3_Linux_aarch64.tar.gz
-SOURCE_SUM=15ffbfee5afe467b4cbd2b0a05a07a9bfceb1a26fc9ad62e1684746c2ca221a4
+SOURCE_SUM=869da34d1a6ecf20eb16c36f1ab631572098d556c84d4d3d084cee8d58e21df2
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
From 84e89b9ccfef7ae5bb21f39efda0ebb627e51de6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Fri, 24 Jun 2022 08:48:08 +0200
Subject: [PATCH 5/6] Update restore
---
 scripts/restore | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/restore b/scripts/restore
index 9c610cb..254b924 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -34,8 +34,8 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir)
 #=================================================
 ynh_script_progression --message="Validating restoration parameters..." --weight=1
-test ! -d $final_path
- || ynh_die --message="There is already a directory: $final_path"
+test ! -d $final_path \
+ || ynh_die --message="There is already a directory: $final_path "
 #=================================================
 # STANDARD RESTORATION STEPS
From 460e97adcb7ef49f026d523c63c6f7bfb134c073 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Fri, 24 Jun 2022 08:48:19 +0200
Subject: [PATCH 6/6] Update restore
---
 scripts/restore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/restore b/scripts/restore
index 254b924..eafc2d7 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -35,7 +35,7 @@ datadir=$(ynh_app_setting_get --app=$app --key=datadir)
 ynh_script_progression --message="Validating restoration parameters..." --weight=1
 test ! -d $final_path \
- || ynh_die --message="There is already a directory: $final_path "
+ || ynh_die --message="There is already a directory: $final_path"
 #=================================================
 # STANDARD RESTORATION STEPS