diff --git a/check_process b/check_process index 5ae8b13..2358f21 100644 --- a/check_process +++ b/check_process @@ -18,9 +18,12 @@ setup_public=1 upgrade=1 upgrade=1 from_commit=cc07f5da79498ef948c31a99f6ace9ad0a5b9ec1 + upgrade=1 from_commit=2fc174c57586df38506a07195decb08eed02f55f backup_restore=1 multi_instance=0 change_url=0 ;;; Upgrade options ; commit=cc07f5da79498ef948c31a99f6ace9ad0a5b9ec1 name=Before group permission support + ; commit=2fc174c57586df38506a07195decb08eed02f55f + name=Before refactoring diff --git a/conf/nginx.conf b/conf/nginx.conf index 6230e22..9ee8171 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,7 +1,6 @@ # SOGo Proxying #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location ^~ __PATH__/ { - proxy_pass http://127.0.0.1:__PORT__; proxy_redirect http://127.0.0.1:__PORT__/SOGo/ /SOGo; # forward user's IP address diff --git a/conf/systemd.service b/conf/systemd.service index 8079db1..221a0a9 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -12,5 +12,35 @@ ExecStart=/opt/yunohost/__APP__/sbin/sogod -WOWorkersCount ${PREFORK} -WOPidFile PIDFile=/run/__APP__/sogo.pid User=__APP__ +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md new file mode 100644 index 0000000..f03d178 --- /dev/null +++ b/doc/DESCRIPTION.md @@ -0,0 +1 @@ +SOGo is an opensource groupware solution which has Webmail, a global address book and Calender and Contacts which can be synced via caldav or cardav. diff --git a/doc/DISCLAIMER.md b/doc/DISCLAIMER.md new file mode 100644 index 0000000..e69de29 diff --git a/manifest.json b/manifest.json index 1c49bbb..55c1aee 100644 --- a/manifest.json +++ b/manifest.json @@ -4,7 +4,7 @@ "packaging_format": 1, "description": { "en": "Opensource groupware for E-Mail, Contacts and Calender", - "fr": "Groupware opensource pour les e-mail, contacts et calendrier" + "fr": "Groupware opensource pour les e-mail, contacts et calendrier" }, "version": "5.0.1~ynh1", "url": "https://sogo.nu/", diff --git a/scripts/upgrade b/scripts/upgrade index 41270b3..868b683 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -73,6 +73,16 @@ if ynh_legacy_permissions_exists; then ynh_app_setting_delete --app=$app --key=is_public fi +# Manage migrations +ynh_script_progression --message="Migrating database if needed..." + +if ynh_compare_current_package_version --comparison le --version 4.0.0~ynh0; then + ynh_replace_string --match_string __APP__ --replace_string $app --target_file migrations/3.2-4.0.sh + ynh_replace_string --match_string __DBUSER__ --replace_string $db_user --target_file migrations/3.2-4.0.sh + ynh_replace_string --match_string __DBPASS__ --replace_string $db_pwd --target_file migrations/3.2-4.0.sh + bash migrations/3.2-4.0.sh +fi + if ! ynh_permission_exists --permission="sync_client"; then # Create the required permissions ynh_permission_create --permission="sync_client" --allowed='visitors' --auth_header=false\