diff --git a/README.md b/README.md index 2d55628..420d841 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ Tiny Tiny RSS is a free and open source web-based news feed (RSS/Atom) reader an - flexible article filtering -**Shipped version:** 20231202~ynh1 +**Shipped version:** 20231202~ynh2 **Demo:** https://srv.tt-rss.org/tt-rss/ diff --git a/README_fr.md b/README_fr.md index 460492a..eb07ca1 100644 --- a/README_fr.md +++ b/README_fr.md @@ -28,7 +28,7 @@ Tiny Tiny RSS est un lecteur et agrégateur de flux de nouvelles (RSS/Atom) bas - filtrage flexible des articles -**Version incluse :** 20231202~ynh1 +**Version incluse :** 20231202~ynh2 **Démo :** https://srv.tt-rss.org/tt-rss/ diff --git a/conf/config.php b/conf/config.php index 9c15695..62098ea 100644 --- a/conf/config.php +++ b/conf/config.php @@ -134,7 +134,7 @@ // ********************************* putenv('TTRSS_SMTP_FROM_NAME=Tiny Tiny RSS'); - putenv('TTRSS_SMTP_FROM_ADDRESS=noreply@your.domain.dom'); + putenv('TTRSS_SMTP_FROM_ADDRESS=noreply@__DOMAIN__'); // Name, address and subject for sending outgoing mail. This applies // to password reset notifications, digest emails and any other mail. @@ -145,8 +145,8 @@ // Hostname:port combination to send outgoing mail (i.e. localhost:25). // Blank - use system MTA. - putenv('TTRSS_SMTP_LOGIN='); - putenv('TTRSS_SMTP_PASSWORD='); + putenv('TTRSS_SMTP_LOGIN=__APP__'); + putenv('TTRSS_SMTP_PASSWORD=__MAIL_PWD__'); // These two options enable SMTP authentication when sending // outgoing mail. Only used with SMTP_SERVER. @@ -168,7 +168,7 @@ // if you experience weird errors and tt-rss failing to start, blank pages // after login, or content encoding errors, disable it. - putenv('TTRSS_PLUGINS=auth_internal, note, data_migration'); + putenv('TTRSS_PLUGINS=auth_internal, note'); // Comma-separated list of plugins to load automatically for all users. // System plugins have to be specified here. Please enable at least one // authentication plugin here (auth_*). 
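Review bot: Nothing in this hunk sets `TTRSS_SMTP_SERVER`, and the retained comment ("Blank - use system MTA") means that if the putenv line above this hunk is still blank, the new `TTRSS_SMTP_LOGIN`/`TTRSS_SMTP_PASSWORD` values are dead configuration and mail is handed to sendmail instead; confirm that line points at the local MTA, e.g. `putenv('TTRSS_SMTP_SERVER=localhost:25');`, or the `allow_email`/`__MAIL_PWD__` plumbing added elsewhere in this commit has no effect. A smaller caveat: `__MAIL_PWD__` is substituted into a single-quoted PHP string literal, so a generated password containing `'` or `\` would break the literal (parse error, blank page) or silently truncate the secret unless ynh_add_config escapes for PHP — YunoHost's generated mail passwords are presumably plain alphanumerics, but that assumption deserves a comment next to the line, e.g. `// __MAIL_PWD__ must not contain ' or \ (single-quoted literal)`. The `chmod 400`/`chown $app` applied to config.php in the scripts is the right protection now that the file holds a credential.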
diff --git a/conf/migration b/conf/migration deleted file mode 100644 index 15e836d..0000000 --- a/conf/migration +++ /dev/null 
@@ -1,30 +0,0 @@ -# OPML import/export (including filters and some settings). Must be done before data_migration plugin if you want to keep feed categories - -# on the original machine -sudo mkdir /var/www/tt-rss/export -sudo chown -R www-data:www-data /var/www/tt-rss/export/ -sudo -u www-data php /var/www/tt-rss/update.php --opml-export "MYUSERNAME /var/www/tt-rss/export/export-2020-08-07.opml" # export feeds OPML -# on a client -rsync -avP my.original.machine.org:/var/www/tt-rss/export/export-2020-08-07.opml ./ # download opml export -# login to the new tt-rss instance from a browser, go to Preferences > Feeds, import OPML file - -# migrate all articles from mysql to postgresql -# on the original machine -git clone https://git.tt-rss.org/fox/ttrss-data-migration -sudo chown -R root:www-data ttrss-data-migration/ -sudo mv ttrss-data-migration/ /var/www/tt-rss/plugins.local/data_migration -sudo nano /var/www/tt-rss/config.php # enable data_migration in the PLUGINS array -sudo -u www-data php /var/www/tt-rss/update.php --data_user MYUSERNAME --data_export /var/www/tt-rss/export/export-2020-08-07.zip # export articles to database-agnostic format - -# on the target machine -git clone https://git.tt-rss.org/fox/ttrss-data-migration -sudo chown -R root:www-data ttrss-data-migration/ -sudo mv ttrss-data-migration/ /var/www/rss.example.org/plugins.local/data_migration -sudo nano /var/www/rss.example.org/config.php # enable data_migration in the PLUGINS array -rsync -avP my.original.machine.org:/var/www/tt-rss/export/export-2020-08-07.zip ./ -sudo mkdir /var/www/rss.example.org/export -sudo mv export-2020-08-07.zip /var/www/rss.example.org/export -sudo chown -R root:www-data /var/www/rss.example.org/export -sudo chmod -R g+rX /var/www/rss.example.org/export/ -sudo -u www-data php /var/www/rss.example.org/update.php --data_user MYUSERNAME --data_import /var/www/rss.example.org/export/export-2020-08-07.zip # it can take a while -sudo rm -r /var/www/rss.example.org/export/ # 
cleanup \ No newline at end of file diff --git a/conf/systemd.service b/conf/systemd.service index 341d325..a37e9d1 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -10,5 +10,40 @@ ExecStart=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/update_daemon2.php Restart=always RestartSec=10 + +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/manifest.toml b/manifest.toml index 244f141..542a5fc 100644 --- a/manifest.toml +++ b/manifest.toml 
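Review bot: `ProtectSystem=full` only makes /usr, /boot and /etc read-only, so /var — and with it the YunoHost install dir the daemon runs from — and everything else stays writable, which is weaker than the "good baseline" the comment promises; `ProtectSystem=strict` plus an explicit allow-list is the stronger form, e.g. `ProtectSystem=strict` followed by `ReadWritePaths=__INSTALL_DIR__` (narrow it to the cache/lock/feed-icon subdirectories once the paths update_daemon2.php actually writes are confirmed — they are not visible here). `ProtectHome=yes` is also absent and should cost nothing for a service whose ExecStart lives under __INSTALL_DIR__, assuming the app user's home is not under /home. One interaction worth testing rather than assuming: with `NoNewPrivileges=yes` a setgid sendmail wrapper (postfix's is setgid postdrop) cannot gain that group, so if `TTRSS_SMTP_SERVER` is left blank and tt-rss falls back to the system MTA, digest mail sent from this daemon may fail with a permission error on the maildrop queue; the SMTP credentials added to config.php in this same commit suggest SMTP delivery is intended, which avoids that path, but only if the server variable is actually set.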
@@ -5,7 +5,7 @@ name = "Tiny Tiny RSS" description.en = "News feed (RSS/Atom) reader and aggregator" description.fr = "Lecteur de flux d’actualité utilisant les protocoles RSS et Atom" -version = "20231202~ynh1" +version = "20231202~ynh2" maintainers = [] @@ -47,6 +47,7 @@ ram.runtime = "50M" sha256 = "72ec560bd5ad7bac4789d7af0e5c2d7c1c394e9c540d46d5421ecae219d8f875" [resources.system_user] + allow_email = true [resources.install_dir] diff --git a/scripts/change_url b/scripts/change_url index 2bccdeb..fb1351f 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -34,7 +34,7 @@ ynh_script_progression --message="Updating a configuration file..." --weight=1 domain_path="https://${new_domain}${new_path}" domain="$new_domain" -ynh_add_config --template="../conf/config.php" --destination="$install_dir/config.php" +ynh_add_config --template="config.php" --destination="$install_dir/config.php" chmod 400 "$install_dir/config.php" chown $app "$install_dir/config.php" diff --git a/scripts/install b/scripts/install index 0066e6c..9303b62 100644 --- a/scripts/install +++ b/scripts/install @@ -16,7 +16,6 @@ ynh_script_progression --message="Setting up source files..." --weight=7 # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$install_dir" -#ynh_setup_source --dest_dir="$install_dir/plugins.local/data_migration" --source_id="data_migration" echo "$(ynh_app_upstream_version)" > "$install_dir/version_static.txt" chmod -R o-rwx "$install_dir" @@ -47,7 +46,7 @@ ynh_script_progression --message="Adding a configuration file..." --weight=1 domain_path=https://$domain$path -ynh_add_config --template="../conf/config.php" --destination="$install_dir/config.php" +ynh_add_config --template="config.php" --destination="$install_dir/config.php" chmod 400 "$install_dir/config.php" chown $app "$install_dir/config.php" diff --git a/scripts/upgrade b/scripts/upgrade index 9df6460..0797a0c 100644 --- a/scripts/upgrade 
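Review bot: change_url re-renders config.php from a template that, since this commit, carries `__MAIL_PWD__` and `__APP__`, so both must be in scope in this script or the literal placeholder ends up as the SMTP password; nothing in the hunk shows `mail_pwd` being loaded — YunoHost's auto-loaded app settings presumably cover it, but that is an inference. A cheap guard after the re-render would make the failure loud instead of silent, e.g. `grep -q '__MAIL_PWD__' "$install_dir/config.php" && ynh_die --message="mail_pwd not substituted in config.php"` placed before the `chmod 400` line. The `chmod 400`/`chown $app` that follow are the right permissions for a file that now contains a credential.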
+++ b/scripts/upgrade @@ -43,7 +43,6 @@ then # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$install_dir" - #ynh_setup_source --dest_dir="$install_dir/plugins.local/data_migration" --source_id="data_migration" echo "$(ynh_app_upstream_version)" > "$install_dir/version_static.txt" fi @@ -77,7 +76,7 @@ then ynh_script_progression --message="Updating a configuration file..." --weight=2 domain_path=https://$domain$path - ynh_add_config --template="../conf/config.php" --destination="$install_dir/config.php" + ynh_add_config --template="config.php" --destination="$install_dir/config.php" ynh_script_progression --message="Upgrading the database..." --weight=2