From 97c4bbaa525b6b75b38620b11e24a27644d56d4c Mon Sep 17 00:00:00 2001
From: tituspijean
Date: Wed, 6 Oct 2021 00:19:49 +0200
Subject: [PATCH] Appease linter
---
 conf/systemd.service | 34 ++++++++++++++++++++++++++++++++--
 manifest.json | 16 +++++++++-------
 scripts/_common.sh | 17 +----------------
 scripts/install | 1 -
 scripts/restore | 2 --
 scripts/upgrade | 5 ++++-
 6 files changed, 46 insertions(+), 29 deletions(-)
diff --git a/conf/systemd.service b/conf/systemd.service
index fc89f0e..ed26158 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -4,11 +4,41 @@ After=network.target
 [Service]
 Type=simple
-User=ztncui
-Group=ztncui
+User=__APP__
+Group=__APP__
 Environment="__YNH_NODE_LOAD_PATH__"
 WorkingDirectory=__FINALPATH__/src/
 ExecStart=__YNH_NPM__ start
+StandardOutput=append:/var/log/__APP__/__APP__.log
+StandardError=inherit
+
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
 [Install]
 WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index df9d23d..68c37fe 100644
--- a/manifest.json
+++ b/manifest.json
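Review bot: `CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD` names a capability that does not exist; the raw I/O capability listed in capabilities(7), the page the comment above it links, is `CAP_SYS_RAWIO`. systemd is expected to log a parse warning for the unknown name and skip it, so CAP_SYS_RAWIO would stay in the bounding set while the comment says it is denied; the line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. Separately, `StandardOutput=append:/var/log/__APP__/__APP__.log` needs the `/var/log/__APP__` directory to exist before the unit starts, and nothing in this hunk shows where it is created, so that is worth confirming in the install and upgrade scripts.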
@@ -8,13 +8,18 @@
 },
 "version": "20210310~ynh1",
 "url": "https://key-networks.com/ztncui",
+ "upstream": {
+ "license": "GPL-3.0-only",
+ "website": "https://key-networks.com/ztncui/",
+ "code": "https://github.com/key-networks/ztncui"
+ },
 "license": "GPL-3.0-only",
 "maintainer": {
 "name": "tituspijean",
 "email": "tituspijean@outlook.com"
 },
 "requirements": {
- "yunohost": ">= 4.1.2"
+ "yunohost": ">= 4.1.7"
 },
 "services": [],
 "multi_instance": false,
@@ -34,8 +39,7 @@
 "help": {
 "en": "Ztncui can only be installed at the root of a domain.",
 "fr": "Ztncui ne peut être installée qu'à la racine d'un domaine."
- },
- "example": "zt.example.com"
+ }
 },
 {
 "name": "is_public",
@@ -48,8 +52,7 @@
 },
 {
 "name": "admin",
- "type": "user",
- "example": "johndoe"
+ "type": "user"
 },
 {
 "name": "password",
@@ -57,8 +60,7 @@
 "help": {
 "en": "It will always be asked by Ztncui, in addition to your YunoHost credentials if set to private.",
 "fr": "Il sera toujours demandé par Ztncui, en plus des identifiants YunoHost si l'app est privée."
- },
- "example": "Choose a password"
+ }
 }
 ]
 }
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 7002da4..01dc4fc 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -4,7 +4,7 @@
 # COMMON VARIABLES
 #=================================================
-nodejs_version=12
+nodejs_version=14
 # dependencies used by the app
 pkg_dependencies="g++"
@@ -17,21 +17,6 @@ pkg_dependencies="g++"
 # EXPERIMENTAL HELPERS
 #=================================================
-#!/bin/bash
-
-# Execute a command as another user
-# usage: exec_as USER COMMAND [ARG ...]
-ynh_exec_as() {
- local USER=$1
- shift 1
-
- if [[ $USER = $(whoami) ]]; then
- eval "$@"
- else
- sudo -u "$USER" "$@"
- fi
-}
-
 #=================================================
 # FUTURE OFFICIAL HELPERS
 #=================================================
diff --git a/scripts/install b/scripts/install
index c7fba70..b66acc6 100644
--- a/scripts/install
+++ b/scripts/install
@@ -171,7 +171,6 @@ chown -R $app: $final_path
 #=================================================
 ynh_script_progression --message="Configuring log rotation..." --weight=1
-
 # Use logrotate to manage application logfile(s)
 ynh_use_logrotate
diff --git a/scripts/restore b/scripts/restore
index 410f372..e702b98 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -37,8 +37,6 @@ nodejs_version=$(ynh_app_setting_get --app=$app --key=nodejs_version)
 #=================================================
 ynh_script_progression --message="Validating restoration parameters..." --weight=1
-ynh_webpath_available --domain=$domain --path_url=$path_url \
- || ynh_die --message="Path not available: ${domain}${path_url}"
 test ! -d $final_path \
 || ynh_die --message="There is already a directory: $final_path "
diff --git a/scripts/upgrade b/scripts/upgrade
index c56f86f..258b057 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -114,7 +114,10 @@ ynh_script_progression --message="Upgrading dependencies..." --weight=2
 ynh_install_app_dependencies $pkg_dependencies
-ynh_install_nodejs --nodejs_version=$nodejs_version
+if [ $nodejs_version != $(ynh_app_setting_get --app=$app --key=nodejs_version) ]; then
+ ynh_remove_nodejs
+ ynh_install_nodejs --nodejs_version=$nodejs_version
+fi
 #=================================================
 # CREATE DEDICATED USER
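Review bot: In the scripts/upgrade hunk, the new test `[ $nodejs_version != $(ynh_app_setting_get --app=$app --key=nodejs_version) ]` leaves both operands unquoted, so on an instance where the `nodejs_version` setting was never stored the substitution expands to nothing, `[` fails with a syntax error, and the branch that installs Node.js is skipped; a failing `if` condition does not abort the script. Quoting both sides makes an empty setting compare as different: `if [ "$nodejs_version" != "$(ynh_app_setting_get --app=$app --key=nodejs_version)" ]; then`. When the versions match, `ynh_install_nodejs` no longer runs, so any later step that relies on the variables it prepares (the `__YNH_NODE_LOAD_PATH__` and `__YNH_NPM__` placeholders in conf/systemd.service suggest there is one) would presumably need an explicit `ynh_use_nodejs`. The rest of the upgrade script lies outside this hunk, so both points should be confirmed there.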