From 3bb32dc1e4a166e7c80520338c6c1fc484046924 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Wed, 3 May 2023 19:59:28 +0000 Subject: [PATCH 01/22] Init app_shell --- share/actionsmap.yml | 6 ++++++ src/app.py | 20 ++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/share/actionsmap.yml b/share/actionsmap.yml index 58787790c..e1de66bc8 100644 --- a/share/actionsmap.yml +++ b/share/actionsmap.yml @@ -954,6 +954,12 @@ app: help: Delete the key action: store_true + ### app_shell() + shell: + action_help: Open an interactive shell with the app environment already loaded + arguments: + app: + help: App ID ### app_register_url() register-url: diff --git a/src/app.py b/src/app.py index 2eb201a81..0db33a373 100644 --- a/src/app.py +++ b/src/app.py @@ -1645,6 +1645,26 @@ def app_setting(app, key, value=None, delete=False): _set_app_settings(app, app_settings) +def app_shell(app): + """ + Open an interactive shell with the app environment already loaded + + Keyword argument: + app -- App ID + + """ + app_settings = _get_app_settings(app) or {} + + #TODO init a env_dict + #TODO load the app's environment, parsed from: + #TODO - its settings (phpversion, ...) + #TODO - its service configuration (PATH, NodeJS production mode...) + #TODO this one could be performed in Bash, directly after initiating the subprocess: + #TODO - "Environment" clause: `systemctl show $app.service -p "Environment" --value` + #TODO - Source "EnvironmentFile" clauses + #TODO + #TODO find out how to open an interactive Bash shell from Python + def app_register_url(app, domain, path): """ Book/register a web path for a given app From d27e9a9eea9907f0482e2bfee6fe13bbdda02654 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Tue, 9 May 2023 21:29:52 +0000 Subject: [PATCH 02/22] Add ynh_load_app_environment helper --- helpers/apps | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++ src/app.py | 11 ++-------- 2 files changed, 60 insertions(+), 9 deletions(-) 
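Review bot: `app_settings = _get_app_settings(app) or {}` is assigned but never read, so the new `app_shell` is a silent no-op returning None while `share/actionsmap.yml` already exposes it as `yunohost app shell`. Until the body exists, either drop the unused local or make the stub fail loudly, e.g. `raise NotImplementedError("app_shell is not implemented yet")`, so operators do not get a command that appears to succeed and does nothing. The TODO list could also live in the docstring as a "Not yet implemented" note so the CLI help reflects the state of the command.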
diff --git a/helpers/apps b/helpers/apps index 85b74de15..c5fe6cdad 100644 --- a/helpers/apps +++ b/helpers/apps @@ -111,3 +111,61 @@ ynh_remove_apps() { done fi } + +# Load an app environment in the current Bash shell +# +# usage: ynh_install_apps --app="app" +# | arg: -a, --app= - the app ID +# +# Requires YunoHost version 11.0.* or higher. +ynh_load_app_environment() { + # Declare an array to define the options of this helper. + local legacy_args=a + local -A args_array=([a]=app=) + local app + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + + # Retrieve the list of installed apps + local installed_apps_list=($(yunohost app list --output-as json --quiet | jq -r .apps[].id)) + + # Force Bash to be used to run this helper + if [ $0 != "bash" ] + then + ynh_print_err --message="Please use Bash as shell" + exit 1 + fi + + # Make sure the app is installed + if [[ " ${installed_apps_list[*]} " != *" ${app} "* ]] + then + ynh_print_err --message="$app is not in the apps list" + exit 1 + fi + + # Make sure the app has an install_dir setting + install_dir="$(yunohost app setting $app install_dir)" + if [ -z "$install_dir" ] + then + ynh_print_err --message="$app has no install_dir setting (does it use packaging format >=2?)" + exit 1 + fi + + # Load the Environment variables from the app's service + env_var=`systemctl show $app.service -p "Environment" --value` + [ -n "$env_var" ] && export $env_var; + export HOME=$install_dir; + + # Source the EnvironmentFiles from the app's service + env_files=(`systemctl show $app.service -p "EnvironmentFiles" --value`) + if [ ${#env_files[*]} -gt 0 ] + then + for file in ${env_files[*]} + do + [[ $file = /* ]] && source $file + done + fi + + # Open the app shell + su -s /bin/bash $app +} diff --git a/src/app.py b/src/app.py index 0db33a373..2b602f351 100644 --- a/src/app.py +++ b/src/app.py 
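Review bot: The `source $file` loop over the unit's `EnvironmentFiles` runs in the caller's shell — root when the helper is reached from the `yunohost` CLI — before `su -s /bin/bash $app` drops privileges, so any environment file the app user can write is executed as root; `export $env_var` has the same root-context problem, and its unquoted expansion also word-splits values that contain spaces. Either do the environment loading inside the `su` session as the app user, or refuse files that are not root-owned before sourcing them, e.g. `[[ $(stat -c '%U' "$file") == root ]] || continue`. The same pattern is kept in the `set -a`/`source` rewrite of patch 03. `$app` should also be quoted where it becomes a unit name or a user, `systemctl show "$app.service" -p Environment --value` and `su -s /bin/bash "$app"`.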
@@ -1655,15 +1655,8 @@ def app_shell(app): """ app_settings = _get_app_settings(app) or {} - #TODO init a env_dict - #TODO load the app's environment, parsed from: - #TODO - its settings (phpversion, ...) - #TODO - its service configuration (PATH, NodeJS production mode...) - #TODO this one could be performed in Bash, directly after initiating the subprocess: - #TODO - "Environment" clause: `systemctl show $app.service -p "Environment" --value` - #TODO - Source "EnvironmentFile" clauses - #TODO - #TODO find out how to open an interactive Bash shell from Python + #TODO Find out how to open an interactive Bash shell from Python + #TODO run `ynh_load_app_environment --app=$app` helper in there def app_register_url(app, domain, path): """ From 68a4f2b4bc6f36caca5203f6bd80d4400c5ae571 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Thu, 18 May 2023 16:10:21 +0000 Subject: [PATCH 03/22] Improve ynh_load_environment helper --- helpers/apps | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/helpers/apps b/helpers/apps index c5fe6cdad..bb60fea59 100644 --- a/helpers/apps +++ b/helpers/apps @@ -126,9 +126,6 @@ ynh_load_app_environment() { # Manage arguments with getopts ynh_handle_getopts_args "$@" - # Retrieve the list of installed apps - local installed_apps_list=($(yunohost app list --output-as json --quiet | jq -r .apps[].id)) - # Force Bash to be used to run this helper if [ $0 != "bash" ] then 
@@ -137,14 +134,21 @@ ynh_load_app_environment() { fi # Make sure the app is installed + local installed_apps_list=($(yunohost app list --output-as json --quiet | jq -r .apps[].id)) if [[ " ${installed_apps_list[*]} " != *" ${app} "* ]] then ynh_print_err --message="$app is not in the apps list" exit 1 fi + # Make sure the app is installed + if ! id -u "$app" &>/dev/null; then + ynh_print_err --message="There is no \"$app\" system user" + exit 1 + fi + # Make sure the app has an install_dir setting - install_dir="$(yunohost app setting $app install_dir)" + local install_dir="$(yunohost app setting $app install_dir)" if [ -z "$install_dir" ] then ynh_print_err --message="$app has no install_dir setting (does it use packaging format >=2?)" @@ -152,18 +156,21 @@ ynh_load_app_environment() { fi # Load the Environment variables from the app's service - env_var=`systemctl show $app.service -p "Environment" --value` + local env_var=`systemctl show $app.service -p "Environment" --value` [ -n "$env_var" ] && export $env_var; export HOME=$install_dir; # Source the EnvironmentFiles from the app's service - env_files=(`systemctl show $app.service -p "EnvironmentFiles" --value`) + local env_files=(`systemctl show $app.service -p "EnvironmentFiles" --value`) if [ ${#env_files[*]} -gt 0 ] then + # set -/+a enables and disables new variables being automatically exported. Needed when using `source`. + set -a for file in ${env_files[*]} do [[ $file = /* ]] && source $file done + set +a fi # Open the app shell From 425670bcfb380135d3df96007eb43b4cf624bfb6 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Thu, 18 May 2023 16:14:30 +0000 Subject: [PATCH 04/22] Remove useless var declaration in app_shell function --- src/app.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/app.py b/src/app.py index 2b602f351..a9bfad1a9 100644 --- a/src/app.py +++ b/src/app.py 
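Review bot: The added `exit 1` after the `id -u "$app"` check (like the existing ones around it) terminates the calling shell when the helper is sourced, which is exactly the interactive-bash use the `$0` guard above enforces; `return 1` would report the failure without closing the operator's terminal. The comment `# Make sure the app is installed` is also duplicated from the block above it and should read `# Make sure the app has its own system user`. The enclosing function starts and ends outside this hunk.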
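Review bot: `set -a` makes every variable defined by the sourced files exported into the shell that later runs `su`, and that shell is still root here, so the ownership concern raised on patch 02 applies unchanged to this hunk. The `[[ $file = /* ]] && source $file` filter silently drops any token that is not an absolute path without saying why; a comment such as `# systemctl's EnvironmentFiles output is not a plain path list; keep only absolute paths` would spare the next reader the guesswork, and `source "$file"` should be quoted. The enclosing function starts and ends outside this hunk.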
@@ -1653,7 +1653,6 @@ def app_shell(app): app -- App ID """ - app_settings = _get_app_settings(app) or {} #TODO Find out how to open an interactive Bash shell from Python #TODO run `ynh_load_app_environment --app=$app` helper in there From 072dabaf7099082f9280c87a9345065725f468c9 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Thu, 18 May 2023 16:45:17 +0000 Subject: [PATCH 05/22] Fix Bash detection for ynh_load_app_environment --- helpers/apps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helpers/apps b/helpers/apps index bb60fea59..b9cc03b58 100644 --- a/helpers/apps +++ b/helpers/apps @@ -127,7 +127,7 @@ ynh_load_app_environment() { ynh_handle_getopts_args "$@" # Force Bash to be used to run this helper - if [ $0 != "bash" ] + if [[ ! $0 =~ \/?bash$ ]] then ynh_print_err --message="Please use Bash as shell" exit 1 From 2b65913b8966d17318d6e2403575b170fee4ed09 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Thu, 18 May 2023 19:35:56 +0000 Subject: [PATCH 06/22] Launch app shell --- src/app.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/app.py b/src/app.py index a9bfad1a9..6b523d574 100644 --- a/src/app.py +++ b/src/app.py @@ -1653,9 +1653,7 @@ def app_shell(app): app -- App ID """ - - #TODO Find out how to open an interactive Bash shell from Python - #TODO run `ynh_load_app_environment --app=$app` helper in there + subprocess.run(['/bin/bash', '-c', 'source /usr/share/yunohost/helpers && ynh_load_app_environment '+app]) def app_register_url(app, domain, path): """ From 21c7c41812535da1597b492239790118da2d8ce9 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Wed, 24 May 2023 23:08:53 +0200 Subject: [PATCH 07/22] Extend ynh_load_app_environment usage examples Co-authored-by: Florent --- helpers/apps | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/helpers/apps b/helpers/apps index b9cc03b58..d807a4d87 100644 --- a/helpers/apps +++ b/helpers/apps 
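Review bot: `[[ ! $0 =~ \/?bash$ ]]` tests the process name rather than the interpreter, so a script whose name happens to end in `bash` passes while bash started under another name is rejected; `$BASH_VERSION` is set only by bash and is the usual guard: `if [[ -z "$BASH_VERSION" ]]`. The enclosing function starts and ends outside this hunk.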
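Review bot: `'... && ynh_load_app_environment '+app` splices the app id into a command line interpreted by a root bash, so any shell metacharacter in `app` is executed; pass it as an argument instead: `subprocess.run(["/bin/bash", "-c", "source /usr/share/yunohost/helpers && ynh_load_app_environment \"$1\"", "bash", app])` — the extra `"bash"` argument becomes `$0`, which the helper's `$0` guard inspects. The return code is also ignored, so a failed environment load returns None to the caller just like a successful session; `check=True` or an explicit test of `.returncode` would surface it. Validating `app` against the installed apps before spawning the shell, as the other `app_*` commands presumably do, would be a cheap additional check.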
@@ -117,6 +117,10 @@ ynh_remove_apps() { # usage: ynh_install_apps --app="app" # | arg: -a, --app= - the app ID # +# examples: +# ynh_load_app_environment --app="APP" <<< 'echo "$USER"' +# ynh_load_app_environment --app="APP" < /tmp/some_script.bash +# # Requires YunoHost version 11.0.* or higher. ynh_load_app_environment() { # Declare an array to define the options of this helper. From cc167cd92c60b70c75c89da7e18d35b767aafa1e Mon Sep 17 00:00:00 2001 From: tituspijean Date: Wed, 24 May 2023 21:11:32 +0000 Subject: [PATCH 08/22] Rename ynh_load_app_environment into ynh_spawn_app_shell Co-authored-by: Florent --- helpers/apps | 8 ++++---- src/app.py | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/helpers/apps b/helpers/apps index d807a4d87..fb5ac25b0 100644 --- a/helpers/apps +++ b/helpers/apps @@ -118,11 +118,11 @@ ynh_remove_apps() { # | arg: -a, --app= - the app ID # # examples: -# ynh_load_app_environment --app="APP" <<< 'echo "$USER"' -# ynh_load_app_environment --app="APP" < /tmp/some_script.bash -# +# ynh_spawn_app_shell --app="APP" <<< 'echo "$USER"' +# ynh_spawn_app_shell --app="APP" < /tmp/some_script.bash +# # Requires YunoHost version 11.0.* or higher. -ynh_load_app_environment() { +ynh_spawn_app_shell() { # Declare an array to define the options of this helper. local legacy_args=a local -A args_array=([a]=app=) diff --git a/src/app.py b/src/app.py index 6b523d574..04340b1ba 100644 --- a/src/app.py +++ b/src/app.py @@ -1653,7 +1653,7 @@ def app_shell(app): app -- App ID """ - subprocess.run(['/bin/bash', '-c', 'source /usr/share/yunohost/helpers && ynh_load_app_environment '+app]) + subprocess.run(['/bin/bash', '-c', 'source /usr/share/yunohost/helpers && ynh_spawn_app_shell '+app]) def app_register_url(app, domain, path): """ From 4b4ce9aef63ba4408fdc87d0e13a6a3b1a3d9220 Mon Sep 17 00:00:00 2001 
From: tituspijean Date: Wed, 24 May 2023 23:13:52 +0200 Subject: [PATCH 09/22] Default to WorkingDirectory then install_dir for ynh_spawn_app_shell Co-authored-by: Tagada <36127788+Tagadda@users.noreply.github.com> --- helpers/apps | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/helpers/apps b/helpers/apps index fb5ac25b0..feda02f5e 100644 --- a/helpers/apps +++ b/helpers/apps @@ -178,5 +178,12 @@ ynh_spawn_app_shell() { fi # Open the app shell + local env_dir = $(systemctl show $app.service -p "WorkingDirectory" --value) + if [[ $env_dir = "" ]]; + then + env_dir = $install_dir + fi + + cd $env_dir su -s /bin/bash $app } From ed1b5e567bc18f27031676cf62e98ec83d9a6d8e Mon Sep 17 00:00:00 2001 From: tituspijean Date: Wed, 24 May 2023 21:55:20 +0000 Subject: [PATCH 10/22] Force php to its intended version in ynh_spawn_app_shell --- helpers/apps | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/helpers/apps b/helpers/apps index feda02f5e..23889ef43 100644 --- a/helpers/apps +++ b/helpers/apps @@ -164,6 +164,14 @@ ynh_spawn_app_shell() { [ -n "$env_var" ] && export $env_var; export HOME=$install_dir; + # Force `php` to its intended version + local phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) + if [ -n "$phpversion" ] + then + eval "php() { php${phpversion} \"\$@\"; }" + export -f php + fi + # Source the EnvironmentFiles from the app's service local env_files=(`systemctl show $app.service -p "EnvironmentFiles" --value`) if [ ${#env_files[*]} -gt 0 ] From a47e491869673574ac8233a179bd75622c29d5ee Mon Sep 17 00:00:00 2001 From: tituspijean Date: Wed, 24 May 2023 22:08:51 +0000 Subject: [PATCH 11/22] Cleanup ynh_spawn_app_shell --- helpers/apps | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/helpers/apps b/helpers/apps index 23889ef43..1f3fb5430 100644 --- a/helpers/apps +++ b/helpers/apps 
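Review bot: `local env_dir = $(systemctl show ...)` and `env_dir = $install_dir` have spaces around `=`, so bash declares variables named `env_dir` and `=` instead of assigning, and the second line is run as a command; write `local env_dir=$(systemctl show $app.service -p "WorkingDirectory" --value)` and `env_dir=$install_dir`. `cd $env_dir` is unquoted and unchecked, so a missing or space-containing directory leaves the shell where it was while `su` still runs; use `cd "$env_dir" || return 1`. Patch 11's rewrite keeps the unquoted `cd` and an unquoted `[ -z $env_dir ]`; patch 13 fixes only the assignment spacing. The enclosing function starts outside this hunk.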
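Review bot: `eval "php() { php${phpversion} \"\$@\"; }"` interpolates an app setting into code evaluated by the root shell, and the value is used as read back with no validation; constrain it before the `eval`, e.g. `[[ $phpversion =~ ^[0-9]+\.[0-9]+$ ]] || { ynh_print_err --message="invalid phpversion '$phpversion'"; return 1; }`. The `export -f php` only reaches the spawned shell if `su` keeps the environment, which seems to hold for `su` without `-`/`--login` but is worth stating in a comment since the whole feature depends on it. The enclosing function starts and ends outside this hunk.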
@@ -152,7 +152,7 @@ ynh_spawn_app_shell() { fi # Make sure the app has an install_dir setting - local install_dir="$(yunohost app setting $app install_dir)" + local install_dir=$(ynh_app_setting_get --app=$app --key=install_dir) if [ -z "$install_dir" ] then ynh_print_err --message="$app has no install_dir setting (does it use packaging format >=2?)" @@ -185,13 +185,11 @@ ynh_spawn_app_shell() { set +a fi - # Open the app shell + # cd into the WorkingDirectory set in the service, or default to the install_dir local env_dir = $(systemctl show $app.service -p "WorkingDirectory" --value) - if [[ $env_dir = "" ]]; - then - env_dir = $install_dir - fi - + [ -z $env_dir ] && env_dir=$install_dir; cd $env_dir + + # Spawn the app shell su -s /bin/bash $app } From 5fa58f19ce264f52e9d3a6d18f8cbd7ce0b2e358 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Wed, 24 May 2023 22:19:10 +0000 Subject: [PATCH 12/22] Offer apps to set service name for ynh_spawn_app_shell --- helpers/apps | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/helpers/apps b/helpers/apps index 1f3fb5430..aafcfa7e2 100644 --- a/helpers/apps +++ b/helpers/apps @@ -159,8 +159,12 @@ ynh_spawn_app_shell() { exit 1 fi + # Load the app's service name, or default to $app + local service=$(ynh_app_setting_get --app=$app --key=service) + [ -z "$service" ] && service=$app; + # Load the Environment variables from the app's service - local env_var=`systemctl show $app.service -p "Environment" --value` + local env_var=`systemctl show $service.service -p "Environment" --value` [ -n "$env_var" ] && export $env_var; export HOME=$install_dir; 
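Review bot: `service` is read from the app's settings and interpolated unquoted into `systemctl show $service.service`, and from this point on it selects which unit's `Environment` and `EnvironmentFiles` the root shell loads and sources; validate it as a plain unit name first, e.g. `[[ $service =~ ^[A-Za-z0-9_.@-]+$ ]] || { ynh_print_err --message="invalid service name '$service'"; return 1; }`, and quote the expansion: `systemctl show "$service.service" -p Environment --value`. The same unquoted `$service` appears in the other two hunks of this patch. The enclosing function starts and ends outside this hunk.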
@@ -173,7 +177,7 @@ ynh_spawn_app_shell() { fi # Source the EnvironmentFiles from the app's service - local env_files=(`systemctl show $app.service -p "EnvironmentFiles" --value`) + local env_files=(`systemctl show $service.service -p "EnvironmentFiles" --value`) if [ ${#env_files[*]} -gt 0 ] then # set -/+a enables and disables new variables being automatically exported. Needed when using `source`. @@ -186,7 +190,7 @@ ynh_spawn_app_shell() { fi # cd into the WorkingDirectory set in the service, or default to the install_dir - local env_dir = $(systemctl show $app.service -p "WorkingDirectory" --value) + local env_dir = $(systemctl show $service.service -p "WorkingDirectory" --value) [ -z $env_dir ] && env_dir=$install_dir; cd $env_dir From cacd43e147e444ede67c3c1754d45fadd56ade54 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Wed, 24 May 2023 22:21:35 +0000 Subject: [PATCH 13/22] Fix error in ynh_spawn_app_shell --- helpers/apps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helpers/apps b/helpers/apps index aafcfa7e2..198aa15d9 100644 --- a/helpers/apps +++ b/helpers/apps @@ -190,7 +190,7 @@ ynh_spawn_app_shell() { fi # cd into the WorkingDirectory set in the service, or default to the install_dir - local env_dir = $(systemctl show $service.service -p "WorkingDirectory" --value) + local env_dir=$(systemctl show $service.service -p "WorkingDirectory" --value) [ -z $env_dir ] && env_dir=$install_dir; cd $env_dir From bb9db08e2902c8734ae547a43f02fec0445783ce Mon Sep 17 00:00:00 2001 From: tituspijean Date: Wed, 24 May 2023 22:32:51 +0000 Subject: [PATCH 14/22] Improve ynh_spawn_app_shell documentation --- helpers/apps | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/helpers/apps b/helpers/apps index 198aa15d9..9c46346fe 100644 --- a/helpers/apps +++ b/helpers/apps 
@@ -112,16 +112,19 @@ ynh_remove_apps() { fi } -# Load an app environment in the current Bash shell +# Spawn a Bash shell with the app environment loaded # -# usage: ynh_install_apps --app="app" +# usage: ynh_spawn_app_shell --app="app" # | arg: -a, --app= - the app ID # # examples: # ynh_spawn_app_shell --app="APP" <<< 'echo "$USER"' # ynh_spawn_app_shell --app="APP" < /tmp/some_script.bash # -# Requires YunoHost version 11.0.* or higher. +# Requires YunoHost version 11.0.* or higher, and that the app relies on packaging v2 or higher. +# The spawned shell will have environment variables loaded and environment files sourced +# from the app's service configuration file (defaults to $app.service, overridable by the packager with `service` setting). +# If the app relies on a specific PHP version, then `php` will be aliased that version. ynh_spawn_app_shell() { # Declare an array to define the options of this helper. local legacy_args=a From 1300585eda965691a078db909a289b9dfef26828 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Thu, 25 May 2023 09:48:55 +0200 Subject: [PATCH 15/22] Improve ynh_spawn_app_shell comments Co-authored-by: Florent --- helpers/apps | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helpers/apps b/helpers/apps index 9c46346fe..b81e8be99 100644 --- a/helpers/apps +++ b/helpers/apps @@ -148,7 +148,7 @@ ynh_spawn_app_shell() { exit 1 fi - # Make sure the app is installed + # Make sure the app has its own user if ! id -u "$app" &>/dev/null; then ynh_print_err --message="There is no \"$app\" system user" exit 1 From 1552944fdd64bd57c4c2f75a53b563f5db0ca7f1 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Fri, 26 May 2023 20:41:40 +0200 Subject: [PATCH 16/22] apps: fix auto-catalog update cron job which was broken because --apps doesnt exist anymore --- hooks/conf_regen/01-yunohost | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/hooks/conf_regen/01-yunohost b/hooks/conf_regen/01-yunohost index d0e6fb783..1bef26a8b 100755 --- a/hooks/conf_regen/01-yunohost +++ b/hooks/conf_regen/01-yunohost @@ -97,7 +97,7 @@ EOF # Cron job that upgrade the app list everyday cat >$pending_dir/etc/cron.daily/yunohost-fetch-apps-catalog < /dev/null) & +sleep \$((RANDOM%3600)); yunohost tools update apps > /dev/null EOF # Cron job that renew lets encrypt certificates if there's any that needs renewal From daf51e94bdb3c77787e1169549d4ef6ec8da1af6 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Fri, 26 May 2023 21:06:01 +0200 Subject: [PATCH 17/22] regeconf: fix security issue where apps' system conf would be owned by the app, which can enable priviledge escalation --- helpers/utils | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/helpers/utils b/helpers/utils index 489c5c261..52d7c734f 100644 --- a/helpers/utils +++ b/helpers/utils @@ -1071,8 +1071,10 @@ _ynh_apply_default_permissions() { fi fi - # Crons should be owned by root otherwise they probably don't run - if echo "$target" | grep -q '^/etc/cron' + # Crons should be owned by root + # Also we don't want systemd conf, nginx conf or others stuff to be owned by the app, + # otherwise they could self-edit their own systemd conf and escalate privilege + if echo "$target" | grep -q '^/etc/cron\|/etc/php\|/etc/nginx/conf.d\|/etc/fail2ban\|/etc/systemd/system' then chmod 400 $target chown root:root $target From e649c092a3e4b5cb110a5b3f33dbfe9f4ca3f9d3 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Fri, 26 May 2023 21:44:39 +0200 Subject: [PATCH 18/22] regenconf: force systemd, nginx, php and fail2ban conf to be owned by root --- hooks/conf_regen/01-yunohost | 9 +++++++++ hooks/conf_regen/15-nginx | 6 ++++++ hooks/conf_regen/52-fail2ban | 6 ++++++ 3 files changed, 21 insertions(+) diff --git a/hooks/conf_regen/01-yunohost b/hooks/conf_regen/01-yunohost index 1bef26a8b..0d6876cf4 100755 
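Review bot: The new cron line appears to drop the `( … ) &` subshell that backgrounded the old one (the removed line is partly garbled in this view), so `run-parts` would block for up to an hour on the random sleep before the following daily jobs — including the certificate-renewal cron mentioned right below — get to run. If blocking was not the intent, keep the backgrounding: `(sleep \$((RANDOM%3600)); yunohost tools update apps > /dev/null) &`. The heredoc that writes this file starts and ends outside what is visible in the hunk.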
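Review bot: Only the first alternative of `'^/etc/cron\|/etc/php\|/etc/nginx/conf.d\|/etc/fail2ban\|/etc/systemd/system'` is anchored, and the pattern is an allowlist of directories, so any other file under `/etc` that an app ships keeps app ownership — the very condition the commit message describes as an escalation path, since other root-run services also read drop-ins from `/etc`. Consider the inverse rule, everything under `/etc/` becomes `root:root` unless a service has a documented need to read it as the app user, e.g. `if echo "$target" | grep -q '^/etc/'`, with any such exception handled explicitly. A comment stating why app ownership of these files is dangerous (the app could rewrite the config that root-run daemons execute) would also help the next maintainer. The enclosing function starts and ends outside this hunk.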
--- a/hooks/conf_regen/01-yunohost +++ b/hooks/conf_regen/01-yunohost @@ -181,6 +181,15 @@ do_post_regen() { # NB: x permission for 'others' is important for ssl-cert (and maybe mdns), otherwise slapd will fail to start because can't access the certs chmod 755 /etc/yunohost + chown root:root /etc/systemd/system/*.service + chmod 644 /etc/systemd/system/*.service + + if ls -l /etc/php/*/fpm/pool.d/*.conf + then + chown root:root /etc/php/*/fpm/pool.d/*.conf + chmod 644 /etc/php/*/fpm/pool.d/*.conf + fi + # Certs # We do this with find because there could be a lot of them... chown -R root:ssl-cert /etc/yunohost/certs diff --git a/hooks/conf_regen/15-nginx b/hooks/conf_regen/15-nginx index 28d9e90fb..9eabcd8b7 100755 --- a/hooks/conf_regen/15-nginx +++ b/hooks/conf_regen/15-nginx @@ -144,6 +144,12 @@ do_pre_regen() { do_post_regen() { regen_conf_files=$1 + if ls -l /etc/nginx/conf.d/*.d/*.conf + then + chown root:root /etc/nginx/conf.d/*.d/*.conf + chmod 644 /etc/nginx/conf.d/*.d/*.conf + fi + [ -z "$regen_conf_files" ] && exit 0 # create NGINX conf directories for domains diff --git a/hooks/conf_regen/52-fail2ban b/hooks/conf_regen/52-fail2ban index d463892c7..db3cf0da7 100755 --- a/hooks/conf_regen/52-fail2ban +++ b/hooks/conf_regen/52-fail2ban @@ -24,6 +24,12 @@ do_pre_regen() { do_post_regen() { regen_conf_files=$1 + if ls -l /etc/fail2ban/jail.d/*.conf + then + chown root:root /etc/fail2ban/jail.d/*.conf + chmod 644 /etc/fail2ban/jail.d/*.conf + fi + [[ -z "$regen_conf_files" ]] \ || systemctl reload fail2ban } From db7ab2a98b276c23dbc2cf67c6e92e116536f36f Mon Sep 17 00:00:00 2001 From: tituspijean Date: Tue, 30 May 2023 11:18:54 +0000 Subject: [PATCH 19/22] Homogeneize command subtitutions in ynh_spawn_app_shell --- helpers/apps | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/helpers/apps b/helpers/apps index b81e8be99..4b64ecdbb 100644 --- a/helpers/apps +++ b/helpers/apps 
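Review bot: `chown root:root /etc/systemd/system/*.service` and the following `chmod 644` follow symlinks, and a masked unit is a symlink to `/dev/null`, so the `chmod 644` would change the mode of `/dev/null` itself (the glob likewise reaches units that are links into `/lib/systemd/system`); restrict the operation to regular files: `find /etc/systemd/system -maxdepth 1 -type f -name '*.service' -exec chown root:root {} + -exec chmod 644 {} +`. `if ls -l /etc/php/*/fpm/pool.d/*.conf` — and the same idiom in the `15-nginx` and `52-fail2ban` hunks of this patch — prints a directory listing into the regen-conf output just to test whether the glob matches; `if compgen -G "/etc/php/*/fpm/pool.d/*.conf" > /dev/null` is the quiet form. Drop-in directories (`*.service.d/`) and other unit types are not covered here, which may be intended but deserves a comment. `do_post_regen` starts and ends outside this hunk.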
@@ -167,7 +167,7 @@ ynh_spawn_app_shell() { [ -z "$service" ] && service=$app; # Load the Environment variables from the app's service - local env_var=`systemctl show $service.service -p "Environment" --value` + local env_var=$(systemctl show $service.service -p "Environment" --value) [ -n "$env_var" ] && export $env_var; export HOME=$install_dir; @@ -180,7 +180,7 @@ ynh_spawn_app_shell() { fi # Source the EnvironmentFiles from the app's service - local env_files=(`systemctl show $service.service -p "EnvironmentFiles" --value`) + local env_files=($(systemctl show $service.service -p "EnvironmentFiles" --value)) if [ ${#env_files[*]} -gt 0 ] then # set -/+a enables and disables new variables being automatically exported. Needed when using `source`. From f3faac87f83dd9deebed02b7700ed3f23308f7c7 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Tue, 30 May 2023 11:27:33 +0000 Subject: [PATCH 20/22] Improve comments of ynh_spawn_app_shell --- helpers/apps | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/helpers/apps b/helpers/apps index 4b64ecdbb..4b253ff90 100644 --- a/helpers/apps +++ b/helpers/apps @@ -166,12 +166,15 @@ ynh_spawn_app_shell() { local service=$(ynh_app_setting_get --app=$app --key=service) [ -z "$service" ] && service=$app; + # Export HOME variable + export HOME=$install_dir; + # Load the Environment variables from the app's service local env_var=$(systemctl show $service.service -p "Environment" --value) [ -n "$env_var" ] && export $env_var; - export HOME=$install_dir; # Force `php` to its intended version + # We use `eval`+`export` since `alias` is not propagated to subshells, even with `export` local phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) if [ -n "$phpversion" ] then From fee5375dc47e3890930e82db63d5c98aea2b9a39 Mon Sep 17 00:00:00 2001 
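Review bot: Moving `export HOME=$install_dir` above the `export $env_var` line changes precedence — a unit `Environment=HOME=…` now overrides `install_dir` where before `install_dir` won — while the commit message only mentions comments; if that is intended, say so in the `# Export HOME variable` comment, otherwise keep the original order. Independently, `su` without `--login` appears to reset `HOME` from the target user's passwd entry, so this export may not reach the spawned shell at all; worth confirming and recording next to the `su` call. The enclosing function starts and ends outside this hunk.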
From: Tagada <36127788+Tagadda@users.noreply.github.com> Date: Sun, 4 Jun 2023 23:50:23 +0200 Subject: [PATCH 21/22] more verbose logs for user_group _update fix YunoHost/issues#2193 --- locales/en.json | 4 ++++ src/user.py | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/locales/en.json b/locales/en.json index 4dcb00ee6..bfc564afd 100644 --- a/locales/en.json +++ b/locales/en.json @@ -467,13 +467,17 @@ "group_creation_failed": "Could not create the group '{group}': {error}", "group_deleted": "Group '{group}' deleted", "group_deletion_failed": "Could not delete the group '{group}': {error}", + "group_mailalias_add": "The email alias '{mail}' will be added to the group '{group}'", + "group_mailalias_remove": "The email alias '{mail}' will be removed from the group '{group}'", "group_no_change": "Nothing to change for group '{group}'", "group_unknown": "The group '{group}' is unknown", "group_update_aliases": "Updating aliases for group '{group}'", "group_update_failed": "Could not update the group '{group}': {error}", "group_updated": "Group '{group}' updated", + "group_user_add": "The user '{user}' will be added to the group '{group}'", "group_user_already_in_group": "User {user} is already in group {group}", "group_user_not_in_group": "User {user} is not in group {group}", + "group_user_remove": "The user '{user}' will be removed from the group '{group}'", "hook_exec_failed": "Could not run script: {path}", "hook_exec_not_terminated": "Script did not finish properly: {path}", "hook_json_return_error": "Could not read return from hook {path}. Error: {msg}. Raw content: {raw_content}", diff --git a/src/user.py b/src/user.py index f17a60942..3f453f69e 100644 --- a/src/user.py +++ b/src/user.py @@ -1189,6 +1189,7 @@ def user_group_update( ) else: operation_logger.related_to.append(("user", user)) + logger.info(m18n.n("group_user_add", group=groupname, user=user)) new_group_members += users_to_add 
@@ -1202,6 +1203,7 @@ def user_group_update( ) else: operation_logger.related_to.append(("user", user)) + logger.info(m18n.n("group_user_remove", group=groupname, user=user)) # Remove users_to_remove from new_group_members # Kinda like a new_group_members -= users_to_remove @@ -1237,6 +1239,7 @@ def user_group_update( "mail_domain_unknown", domain=mail[mail.find("@") + 1 :] ) new_group_mail.append(mail) + logger.info(m18n.n("group_mailalias_add", group=groupname, mail=mail)) if remove_mailalias: from yunohost.domain import _get_maindomain @@ -1256,6 +1259,7 @@ def user_group_update( ) if mail in new_group_mail: new_group_mail.remove(mail) + logger.info(m18n.n("group_mailalias_remove", group=groupname, mail=mail)) else: raise YunohostValidationError("mail_alias_remove_failed", mail=mail) From d42c99835a67ad614c0b6ff5595e42c36e9067fd Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Fri, 9 Jun 2023 22:30:32 +0200 Subject: [PATCH 22/22] nginx: use /var/www/.well-known folder for ynh diagnosis and acme challenge, because /tmp/ could be manipulated by user to serve maliciously crafted files --- conf/nginx/plain/acme-challenge.conf.inc | 2 +- conf/nginx/server.tpl.conf | 2 +- src/certificate.py | 4 ++-- src/diagnosers/21-web.py | 6 +++--- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/conf/nginx/plain/acme-challenge.conf.inc b/conf/nginx/plain/acme-challenge.conf.inc index 35c4b80c2..859aa6817 100644 --- a/conf/nginx/plain/acme-challenge.conf.inc +++ b/conf/nginx/plain/acme-challenge.conf.inc @@ -1,6 +1,6 @@ location ^~ '/.well-known/acme-challenge/' { default_type "text/plain"; - alias /tmp/acme-challenge-public/; + alias /var/www/.well-known/acme-challenge-public/; gzip off; } diff --git a/conf/nginx/server.tpl.conf b/conf/nginx/server.tpl.conf index d3ff77714..16b5c46c2 100644 --- a/conf/nginx/server.tpl.conf +++ b/conf/nginx/server.tpl.conf 
@@ -13,7 +13,7 @@ server { include /etc/nginx/conf.d/acme-challenge.conf.inc; location ^~ '/.well-known/ynh-diagnosis/' { - alias /tmp/.well-known/ynh-diagnosis/; + alias /var/www/.well-known/ynh-diagnosis/; } {% if mail_enabled == "True" %} diff --git a/src/certificate.py b/src/certificate.py index 52e0d8c1b..76d3f32b7 100644 --- a/src/certificate.py +++ b/src/certificate.py @@ -41,8 +41,8 @@ from yunohost.log import OperationLogger logger = getActionLogger("yunohost.certmanager") CERT_FOLDER = "/etc/yunohost/certs/" -TMP_FOLDER = "/tmp/acme-challenge-private/" -WEBROOT_FOLDER = "/tmp/acme-challenge-public/" +TMP_FOLDER = "/var/www/.well-known/acme-challenge-private/" +WEBROOT_FOLDER = "/var/www/.well-known/acme-challenge-public/" SELF_CA_FILE = "/etc/ssl/certs/ca-yunohost_crt.pem" ACCOUNT_KEY_FILE = "/etc/yunohost/letsencrypt_account.pem" diff --git a/src/diagnosers/21-web.py b/src/diagnosers/21-web.py index 2050cd658..ce6de4b17 100644 --- a/src/diagnosers/21-web.py +++ b/src/diagnosers/21-web.py @@ -60,9 +60,9 @@ class MyDiagnoser(Diagnoser): domains_to_check.append(domain) self.nonce = "".join(random.choice("0123456789abcedf") for i in range(16)) - rm("/tmp/.well-known/ynh-diagnosis/", recursive=True, force=True) - mkdir("/tmp/.well-known/ynh-diagnosis/", parents=True) - os.system("touch /tmp/.well-known/ynh-diagnosis/%s" % self.nonce) + rm("/var/www/.well-known/ynh-diagnosis/", recursive=True, force=True) + mkdir("/var/www/.well-known/ynh-diagnosis/", parents=True) + os.system("touch /var/www/.well-known/ynh-diagnosis/%s" % self.nonce) if not domains_to_check: return
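Review bot: `TMP_FOLDER` and `WEBROOT_FOLDER` now point under `/var/www/.well-known/`, but this hunk changes only the constants; the code that creates the directories is outside it, and the move only closes the `/tmp` problem the message describes if `/var/www/.well-known` is created root-owned and not writable by app users (if app install directories also live under `/var/www`, a pre-existing app-owned `.well-known` would defeat the change). A comment on the constants stating that expectation, e.g. `# Must be root-owned and not writable by app users; never under /tmp, which users can pre-create`, would record why these paths were chosen.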
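Review bot: `os.system("touch /var/www/.well-known/ynh-diagnosis/%s" % self.nonce)` still goes through a shell for a file creation the standard library does directly, `(Path("/var/www/.well-known/ynh-diagnosis") / self.nonce).touch()` (adding the `pathlib` import if the module lacks it); the restricted nonce alphabet keeps it safe today, but the shell round-trip is a needless dependency on that. Since the nonce is what proves the diagnoser reached this server, `secrets.choice` rather than `random.choice` would make it unpredictable, and `"0123456789abcedf"` looks like a mis-ordered hex alphabet (harmless, but worth fixing to `"0123456789abcdef"`). The enclosing method starts and ends outside this hunk.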