From 174938cbe0571f01688241d65a1eb99145305244 Mon Sep 17 00:00:00 2001 From: Krakinou Date: Tue, 7 Sep 2021 14:43:15 +0200 Subject: [PATCH 1/3] Version 10.11.0 --- check_process | 2 +- manifest.json | 4 ++-- scripts/_common.sh | 19 +++++++++++++------ 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/check_process b/check_process index 424f7b1..4c8ec49 100644 --- a/check_process +++ b/check_process @@ -13,7 +13,7 @@ setup_private=1 setup_public=1 upgrade=1 - upgrade=1 from_commit=bc1a48f956ec737b7a9cf141a9d9437a5b636f10 + upgrade=1 from_commit=0bdac48b6ee51cbfd687a1e3a693f105f79185b6 backup_restore=1 multi_instance=0 port_already_use=1 diff --git a/manifest.json b/manifest.json index 9efe529..d1855cf 100644 --- a/manifest.json +++ b/manifest.json @@ -6,10 +6,10 @@ "en": "A DLNA, UPnP and HTTP(S) Media Server", "fr": "Un Serveur Multimedia DLNA, UPnP et HTTP(S)" }, - "version": "10.10.1~ynh1", + "version": "10.11.0~ynh1", "url": "www.universalmediaserver.com", "upstream": { - "version": "10.10.1", + "version": "10.11.0", "license": "GPL-2.0-or-later", "website": "www.universalmediaserver.com", "admindoc": "https://github.com/UniversalMediaServer/UniversalMediaServer/wiki", diff --git a/scripts/_common.sh b/scripts/_common.sh index f8a8e02..176d91e 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -8,24 +8,31 @@ pkg_dependencies="mediainfo dcraw p7zip" mach=`uname -m` + +sha256_arm64=365f475fbf6bfa1707059c58f04d8bd278ac198687ed079cdf9558ce907f99e8 +sha256_armel=b2a2183fa1c8fb7fd21b26350de99e4111443be1418eaf1245b46d893fa1dda4 +sha256_armhf=f3058462c4134bee62616c46b0642396ca61a393f2f1238052d1dc2af156234c +sha256_x86_64=a6d5fd04bbece4f8f5ecfb62e6d7cdb5b03f58d13fb1428d7568b8f97389d129 +sha256_x86=8b9dd457ff8c86c15f6ca06335c7c62c750547911ed740195c9447e9d3e84888 + case "$mach" in "armv6l" ) mach="armel" - sha256=5f8c48404c5f9ec0e33ba1db25a26ec0bbcbac80ae971b586289873940d9bce0 + sha256=$sha256_armel #for some reason, jre is not in the tarball pkg_dependencies="$pkg_dependencies openjdk-8-jre" ;; "armv7l" ) if [ $(dpkg --print-architecture) = "armhf" ]; then mach="armhf" - sha256=aac79bcdc8d84250ec7f91a0b8752c9b1e7f6b9a4a1935bdbd0f5c01cacf7d09 + sha256=$sha256_armhf pkg_dependencies="$pkg_dependencies openjdk-8-jre" else mach="armel" - sha256=5f8c48404c5f9ec0e33ba1db25a26ec0bbcbac80ae971b586289873940d9bce0 + sha256=$sha256_armel pkg_dependencies="$pkg_dependencies openjdk-8-jre" fi ;; "armv8l" ) mach="arm64" - sha256=177460262ec4d1dfb8b28f44b4f91d79d519ca7a4afe2a6e6ed6c0d1a821a240 ;; + sha256=$sha256_arm64 ;; "x86_64" ) mach="x86_64" - sha256=471b7bf68aaae7c68836b6e503ee0748cfba7b4cd01f23e408be559172dda45a ;; + sha256=$sha256_x86_64 ;; * ) mach="x86" - sha256=309d61fe65cbca5b7f6fca7eff4b7a14a13f177a0912798c38f5c80dd833c7d9 ;; + sha256=$sha256_x86 ;; esac From ee7c9f68ec8fe77b779d0566ada6930d0f876882 Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Tue, 7 Sep 2021 12:43:24 +0000 Subject: [PATCH 2/3] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 047b0a8..95b0b52 100644 --- a/README.md +++ b/README.md 
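Review bot: The `* )` arm of the `case "$mach"` block still maps every unrecognised `uname -m` value to `mach="x86"` with `sha256=$sha256_x86`, so the pinned checksums protect only hosts whose architecture was detected correctly. 64-bit ARM kernels commonly report `aarch64`, which the `"armv8l" )` arm does not match; such a host would presumably be handed the x86 tarball together with its matching hash, and the integrity check would pass on the wrong artifact. Consider `"armv8l" | "aarch64" )` for arm64, an explicit `i?86 )` arm for 32-bit x86, and a `* )` arm that aborts with an "unsupported architecture" error instead of picking a download. A comment above the `sha256_*` block, such as `# SHA-256 of the upstream release tarballs; regenerate all five whenever the version in manifest.json changes`, would keep the pins and the version in step.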
@@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in A DLNA, UPnP and HTTP(S) Media Server -**Shipped version:** 10.10.1 +**Shipped version:** 10.11.0 diff --git a/README_fr.md b/README_fr.md index ec2a1e0..d59d34f 100644 --- a/README_fr.md +++ b/README_fr.md @@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Un Serveur Multimedia DLNA, UPnP et HTTP(S) -**Version incluse :** 10.10.1 +**Version incluse :** 10.11.0 From 4f6f045085f2d56eecccf18c28ee7632d3234b3b Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Wed, 8 Sep 2021 10:47:50 +0200 Subject: [PATCH 3/3] Fix --- .../ISSUE_TEMPLATE.md | 4 +-- .github/PULL_REQUEST_TEMPLATE.md | 16 ++++++++++ check_process | 4 +-- conf/nginx.conf | 1 - conf/systemd.service | 30 +++++++++++++++++++ pull_request_template.md | 16 ---------- scripts/backup | 1 - scripts/change_url | 12 -------- scripts/install | 4 --- scripts/restore | 5 ---- scripts/upgrade | 7 ----- 11 files changed, 50 insertions(+), 50 deletions(-) rename issue_template.md => .github/ISSUE_TEMPLATE.md (94%) create mode 100644 .github/PULL_REQUEST_TEMPLATE.md delete mode 100644 pull_request_template.md diff --git a/issue_template.md b/.github/ISSUE_TEMPLATE.md similarity index 94% rename from issue_template.md rename to .github/ISSUE_TEMPLATE.md index f10131e..2729a6b 100644 --- a/issue_template.md +++ b/.github/ISSUE_TEMPLATE.md 
@@ -8,7 +8,7 @@ about: When creating a bug report, please use the following template to provide 1. *Read this whole template first.* 2. *Determine if you are on the right place:* - *If you were performing an action on the app from the webadmin or the CLI (install, update, backup, restore, change_url...), you are on the right place!* - - *Otherwise, the issue may be due to ums itself. Refer to its documentation or repository for help.* + - *Otherwise, the issue may be due to the app itself. Refer to its documentation or repository for help.* - *When in doubt, post here and we will figure it out together.* 3. *Delete the italic comments as you write over them below, and remove this guide.* --- @@ -31,7 +31,7 @@ about: When creating a bug report, please use the following template to provide - *If you performed a command from the CLI, the command itself is enough. For example:* ```sh - sudo yunohost app install ums + sudo yunohost app install the_app ``` - *If you used the webadmin, please perform the equivalent command from the CLI first.* - *If the error occurs in your browser, explain what you did:* diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..ef70e18 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,16 @@ +## Problem + +- *Description of why you made this PR* + +## Solution + +- *And how do you fix that problem* + +## PR Status + +- [ ] Code finished and ready to be reviewed/tested +- [ ] The fix/enhancement were manually tested (if applicable) + +## Automatic tests + +Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ *after creating the PR*, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B. : for this to work you need to be a member of the Yunohost-Apps organization) diff --git a/check_process b/check_process index 4c8ec49..fad2e24 100644 --- a/check_process +++ b/check_process 
@@ -1,7 +1,7 @@ ;; Test complet ; Manifest - domain="domain.tld" (DOMAIN) - is_public=1 (PUBLIC|public=1|private=0) + domain="domain.tld" + is_public=1 name=MyUMS interface=eth0 ; Checks diff --git a/conf/nginx.conf b/conf/nginx.conf index c48210b..1b15548 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -18,7 +18,6 @@ location __PATH__/ { rewrite ^ https://$server_name$request_uri? permanent; } - # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; } diff --git a/conf/systemd.service b/conf/systemd.service index d2242a0..7c3df4b 100644 --- a/conf/systemd.service +++ b/conf/systemd.service 
@@ -11,5 +11,35 @@ ExecStart=__FINALPATH__/UMS.sh headless StandardOutput=append:/var/log/__APP__/__APP__.log StandardError=inherit +# Sandboxing options to harden security +# Depending on specificities of your service/app, you may need to tweak these +# .. but this should be a good baseline +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target diff --git a/pull_request_template.md b/pull_request_template.md deleted file mode 100644 index 6c28fc5..0000000 --- a/pull_request_template.md +++ /dev/null 
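Review bot: `CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD` uses a name that capabilities(7) does not define; the raw I/O capability is `CAP_SYS_RAWIO`. systemd most likely logs a parse warning for the unknown name and leaves that capability in the bounding set, so the line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. The `[Service]` header and any `User=` setting lie outside this hunk, so whether the unit runs unprivileged cannot be checked from here. Since this is a DLNA/UPnP server, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and `PrivateDevices=yes` deserve a test of device discovery and transcoding after install; `systemd-analyze security` on the installed unit shows the resulting exposure per option.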
@@ -1,16 +0,0 @@ -## Problem -- *Description of why you made this PR* - -## Solution -- *And how do you fix that problem* - -## PR Status -- [ ] Code finished. -- [ ] Tested with Package_check. -- [ ] Fix or enhancement tested. -- [ ] Upgrade from last version tested. -- [ ] Can be reviewed and tested. - -## Package_check results ---- -* An automatic package_check will be launch at https://ci-apps-dev.yunohost.org/, when you add a specific comment to your Pull Request: "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!"* diff --git a/scripts/backup b/scripts/backup index 5f1664b..b9558d8 100755 --- a/scripts/backup +++ b/scripts/backup @@ -24,7 +24,6 @@ ynh_abort_if_errors ynh_print_warn --message="This script will only backup the app, no media will be saved" ynh_print_warn --message="To save your media, please use a backup tool such as borg" - #================================================= # LOAD SETTINGS #================================================= diff --git a/scripts/change_url b/scripts/change_url index 37417a1..12a5611 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -22,7 +22,6 @@ new_path=$YNH_APP_NEW_PATH app=$YNH_APP_INSTANCE_NAME - #================================================= # LOAD SETTINGS #================================================= @@ -32,11 +31,6 @@ ynh_script_progression --message="Loading installation settings..." --weight=1 final_path=$(ynh_app_setting_get --app=$app --key=final_path) port_web=$(ynh_app_setting_get --app=$app --key=port_web) -# Add settings here as needed by your application -#db_name=$(ynh_app_setting_get --app=$app --key=db_name) -#db_user=$db_name -#db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd) - #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= 
@@ -108,12 +102,6 @@ then ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" fi -#================================================= -# SPECIFIC MODIFICATIONS -#================================================= -# ... -#================================================= - #================================================= # GENERIC FINALISATION #================================================= diff --git a/scripts/install b/scripts/install index 70096b5..ecb56bf 100755 --- a/scripts/install +++ b/scripts/install @@ -32,7 +32,6 @@ interface=$YNH_APP_ARG_INTERFACE #upstream_version=$YNH_APP_MANIFEST_VERSION upstream_version=$(ynh_app_upstream_version) - app=$YNH_APP_INSTANCE_NAME #================================================= @@ -97,7 +96,6 @@ ynh_script_progression --message="Setting up Multimedia directory..." --weight=9 ynh_multimedia_build_main_dir ynh_multimedia_addaccess $app - #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= @@ -119,7 +117,6 @@ chmod -R o-rwx "$final_path" chown -R root:$app "$final_path" chown root:$app "$final_path/UMS.sh" - #================================================= # NGINX CONFIGURATION #================================================= @@ -138,7 +135,6 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1 # Create a dedicated systemd config ynh_add_systemd_config - #================================================= # ADD A CONFIGURATION #================================================= diff --git a/scripts/restore b/scripts/restore index ba86f94..40ecfa4 100755 --- a/scripts/restore +++ b/scripts/restore 
@@ -34,15 +34,11 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) port_web=$(ynh_app_setting_get --app=$app --key=port_web) port_rend=$(ynh_app_setting_get --app=$app --key=port_rend) - - #================================================= # CHECK IF THE APP CAN BE RESTORED #================================================= ynh_script_progression --message="Validating restoration parameters..." --weight=1 -ynh_webpath_available --domain=$domain --path_url=$path_url \ - || ynh_die --message="Path not available: ${domain}${path_url}" test ! -d $final_path \ || ynh_die --message="There is already a directory: $final_path " @@ -91,7 +87,6 @@ chmod -R o-rwx "$final_path" chown -R root:$app "$final_path" chown root:$app "$final_path/UMS.sh" - #================================================= # RESTORE FAIL2BAN CONFIGURATION #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 867f1ef..9f7e915 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -27,12 +27,6 @@ upstream_version=$(ynh_app_upstream_version) # CHECK VERSION #================================================= -### This helper will compare the version of the currently installed app and the version of the upstream package. -### $upgrade_type can have 2 different values -### - UPGRADE_APP if the upstream app version has changed -### - UPGRADE_PACKAGE if only the YunoHost package has changed -### ynh_check_app_version_changed will stop the upgrade if the app is up to date. -### UPGRADE_APP should be used to upgrade the core app only if there's an upgrade to do. upgrade_type=$(ynh_check_app_version_changed) #================================================= @@ -115,7 +109,6 @@ then yunohost firewall disallow TCP $port_web 2>&1 fi - #================================================= # SETUP SYSTEMD #=================================================