From 5b8bf094ed4c84809c5d96ca3a514d34a4e162db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Tue, 23 May 2023 16:39:02 +0200 Subject: [PATCH] fix --- conf/xftp.systemd.service | 50 +++++++++++++++++++++++++++++++++++++++ scripts/backup | 1 + scripts/install | 5 ++++ scripts/remove | 1 + scripts/restore | 4 ++++ scripts/upgrade | 6 +++++ 6 files changed, 67 insertions(+) create mode 100644 conf/xftp.systemd.service diff --git a/conf/xftp.systemd.service b/conf/xftp.systemd.service new file mode 100644 index 0000000..d7c20dc --- /dev/null +++ b/conf/xftp.systemd.service @@ -0,0 +1,50 @@ +[Unit] +Description=SimpleX: Messaging Protocol Server +After=network.target + +[Service] +Type=simple +User=__APP__ +Group=__APP__ +WorkingDirectory=__INSTALL_DIR__/ +ExecStart=__INSTALL_DIR__/xftp-server start +Restart=always +RestartSec=3 +KillSignal=SIGINT + +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/scripts/backup b/scripts/backup index 3adb9d7..9fae3cc 100755 --- a/scripts/backup +++ b/scripts/backup @@ -28,6 +28,7 @@ ynh_backup --src_path="/etc/opt/simplex" #================================================= ynh_backup --src_path="/etc/systemd/system/$app.service" +ynh_backup --src_path="/etc/systemd/system/xftp.service" #================================================= # END OF SCRIPT diff --git a/scripts/install b/scripts/install index 7b1847c..6052636 100755 --- a/scripts/install +++ b/scripts/install @@ -16,10 +16,12 @@ ynh_script_progression --message="Setting up source files..." --weight=1 # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$install_dir" +ynh_setup_source --dest_dir="$install_dir" --source_id="xftp" chmod -R o-rwx "$install_dir" chown -R $app:$app "$install_dir" chmod +x $install_dir/smp-server +chmod +x $install_dir/xftp-server #================================================= # SPECIFIC SETUP @@ -29,6 +31,7 @@ pushd "$install_dir" public_ip4="$(curl -s ip.yunohost.org)" || true ynh_app_setting_set --app=$app --key=public_ip4 --value=$public_ip4 ./smp-server init --no-password --ip $public_ip4 -y + ./ftp-server init -l -p /srv/xftp "$@" popd fingerprint=$(cat /etc/opt/simplex/fingerprint) @@ -43,6 +46,7 @@ ynh_script_progression --message="Adding system configurations related to $app.. # Create a dedicated systemd config ynh_add_systemd_config +ynh_add_systemd_config --service=xftp --template=../conf/xftp.systemd.service yunohost service add $app --description="Messaging platform" --log="/var/log/$app/$app.log" --needs_exposed_ports="$port" @@ -53,6 +57,7 @@ ynh_script_progression --message="Starting a systemd service..." --weight=1 # Start a systemd service ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name="xftp" --action="start" --log_path="/var/log/$app/$app.log" #================================================= # END OF SCRIPT diff --git a/scripts/remove b/scripts/remove index 33d032c..629dea0 100755 --- a/scripts/remove +++ b/scripts/remove @@ -20,6 +20,7 @@ if ynh_exec_warn_less yunohost service status $app >/dev/null then ynh_script_progression --message="Removing $app service integration..." --weight=1 yunohost service remove $app + yunohost service remove xftp fi #================================================= diff --git a/scripts/restore b/scripts/restore index 6eb851b..033bc7d 100755 --- a/scripts/restore +++ b/scripts/restore @@ -32,8 +32,11 @@ chown -R $app:$app "/etc/opt/simplex" ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable $app.service --quiet +ynh_restore_file --origin_path="/etc/systemd/system/xftp.service" +systemctl enable xftp.service --quiet yunohost service add $app --description="Messaging platform" --log="/var/log/$app/$app.log" --needs_exposed_ports="$port" +yunohost service add xftp --description="Messaging platform" --log="/var/log/$app/$app.log" --needs_exposed_ports="$port" #================================================= # START SYSTEMD SERVICE @@ -41,6 +44,7 @@ yunohost service add $app --description="Messaging platform" --log="/var/log/$ap ynh_script_progression --message="Starting a systemd service..." --weight=1 ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=xftp --action="start" --log_path="/var/log/$app/$app.log" #================================================= # END OF SCRIPT diff --git a/scripts/upgrade b/scripts/upgrade index 5de770f..67bf7fa 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -32,6 +32,7 @@ ynh_app_setting_set --app=$app --key=fingerprint --value=$fingerprint ynh_script_progression --message="Stopping a systemd service..." --weight=1 ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=xftp --action="stop" --log_path="/var/log/$app/$app.log" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -43,11 +44,13 @@ then # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$install_dir" + ynh_setup_source --dest_dir="$install_dir" --source_id="xftp" fi chmod -R o-rwx "$install_dir" chown -R $app:www-data "$install_dir" chmod +x $install_dir/smp-server +chmod +x $install_dir/xftp-server #================================================= # REAPPLY SYSTEM CONFIGURATIONS @@ -56,8 +59,10 @@ ynh_script_progression --message="Upgrading system configurations related to $ap # Create a dedicated systemd config ynh_add_systemd_config +ynh_add_systemd_config --service=xftp --template=../conf/xftp.systemd.service yunohost service add $app --description="Messaging platform" --log="/var/log/$app/$app.log" --needs_exposed_ports="$port" +yunohost service add xftp --description="Messaging platform" --log="/var/log/$app/$app.log" --needs_exposed_ports="$port" #================================================= # START SYSTEMD SERVICE @@ -65,6 +70,7 @@ yunohost service add $app --description="Messaging platform" --log="/var/log/$ap ynh_script_progression --message="Starting a systemd service..." --weight=1 ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name=xftp --action="start" --log_path="/var/log/$app/$app.log" #================================================= # END OF SCRIPT