Merge branch 'dev' into bookworm

conf/nginx/plain/acme-challenge.conf.inc

@@ -1,6 +1,6 @@
 location ^~ '/.well-known/acme-challenge/'
 {
         default_type "text/plain";
-        alias /tmp/acme-challenge-public/;
+        alias /var/www/.well-known/acme-challenge-public/;
         gzip off;
 }

conf/nginx/server.tpl.conf

@@ -13,7 +13,7 @@ server {
     include /etc/nginx/conf.d/acme-challenge.conf.inc;
 
     location ^~ '/.well-known/ynh-diagnosis/' {
-        alias /tmp/.well-known/ynh-diagnosis/;
+        alias /var/www/.well-known/ynh-diagnosis/;
     }
 
     {% if mail_enabled == "True" %}

helpers/apps

@@ -111,3 +111,95 @@ ynh_remove_apps() {
 		done
 	fi
 }
+
+# Spawn a Bash shell with the app environment loaded
+#
+# usage: ynh_spawn_app_shell --app="app"
+#     | arg: -a, --app=     - the app ID
+#
+# examples:
+#   ynh_spawn_app_shell --app="APP" <<< 'echo "$USER"'
+#   ynh_spawn_app_shell --app="APP" < /tmp/some_script.bash
+#
+# Requires YunoHost version 11.0.* or higher, and that the app relies on packaging v2 or higher.
+# The spawned shell will have environment variables loaded and environment files sourced
+# from the app's service configuration file (defaults to $app.service, overridable by the packager with `service` setting).
+# If the app relies on a specific PHP version, then `php` will be aliased that version.
+ynh_spawn_app_shell() {
+        # Declare an array to define the options of this helper.
+        local legacy_args=a
+        local -A args_array=([a]=app=)
+        local app
+        # Manage arguments with getopts
+        ynh_handle_getopts_args "$@"
+
+        # Force Bash to be used to run this helper
+        if [[ ! $0 =~ \/?bash$ ]]
+        then
+            ynh_print_err --message="Please use Bash as shell"
+            exit 1
+        fi
+
+        # Make sure the app is installed
+        local installed_apps_list=($(yunohost app list --output-as json --quiet | jq -r .apps[].id))
+        if [[ " ${installed_apps_list[*]} " != *" ${app} "* ]]
+        then
+            ynh_print_err --message="$app is not in the apps list"
+            exit 1
+        fi
+
+        # Make sure the app has its own user
+        if ! id -u "$app" &>/dev/null; then
+            ynh_print_err --message="There is no \"$app\" system user"
+            exit 1
+        fi
+
+        # Make sure the app has an install_dir setting
+        local install_dir=$(ynh_app_setting_get --app=$app --key=install_dir)
+        if [ -z "$install_dir" ]
+        then
+            ynh_print_err --message="$app has no install_dir setting (does it use packaging format >=2?)"
+            exit 1
+        fi
+
+        # Load the app's service name, or default to $app
+        local service=$(ynh_app_setting_get --app=$app --key=service)
+        [ -z "$service" ] && service=$app;
+
+        # Export HOME variable
+        export HOME=$install_dir;
+
+        # Load the Environment variables from the app's service
+        local env_var=$(systemctl show $service.service -p "Environment" --value)
+        [ -n "$env_var" ] && export $env_var;
+
+        # Force `php` to its intended version
+        # We use `eval`+`export` since `alias` is not propagated to subshells, even with `export`
+        local phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
+        if [ -n "$phpversion" ]
+        then
+            eval "php() { php${phpversion} \"\$@\"; }"
+            export -f php
+        fi
+
+        # Source the EnvironmentFiles from the app's service
+        local env_files=($(systemctl show $service.service -p "EnvironmentFiles" --value))
+        if [ ${#env_files[*]} -gt 0 ]
+        then
+            # set -/+a enables and disables new variables being automatically exported. Needed when using `source`.
+            set -a
+            for file in ${env_files[*]}
+            do
+                [[ $file = /* ]] && source $file
+            done
+            set +a
+        fi
+
+        # cd into the WorkingDirectory set in the service, or default to the install_dir
+        local env_dir=$(systemctl show $service.service -p "WorkingDirectory" --value)
+        [ -z $env_dir ] && env_dir=$install_dir;
+        cd $env_dir
+
+        # Spawn the app shell
+        su -s /bin/bash $app
+}

helpers/utils

@@ -1071,8 +1071,10 @@ _ynh_apply_default_permissions() {
         fi
     fi
 
-    # Crons should be owned by root otherwise they probably don't run
-    if echo "$target" | grep -q '^/etc/cron'
+    # Crons should be owned by root
+    # Also we don't want systemd conf, nginx conf or others stuff to be owned by the app,
+    # otherwise they could self-edit their own systemd conf and escalate privilege
+    if echo "$target" | grep -q '^/etc/cron\|/etc/php\|/etc/nginx/conf.d\|/etc/fail2ban\|/etc/systemd/system'
     then
         chmod 400 $target
         chown root:root $target

hooks/conf_regen/01-yunohost

@@ -97,7 +97,7 @@ EOF
     # Cron job that upgrade the app list everyday
     cat >$pending_dir/etc/cron.daily/yunohost-fetch-apps-catalog <<EOF
 #!/bin/bash
-(sleep \$((RANDOM%3600)); yunohost tools update --apps > /dev/null) &
+sleep \$((RANDOM%3600)); yunohost tools update apps > /dev/null
 EOF
 
     # Cron job that renew lets encrypt certificates if there's any that needs renewal
@@ -181,6 +181,15 @@ do_post_regen() {
     # NB: x permission for 'others' is important for ssl-cert (and maybe mdns), otherwise slapd will fail to start because can't access the certs
     chmod 755 /etc/yunohost
 
+    chown root:root /etc/systemd/system/*.service
+    chmod 644 /etc/systemd/system/*.service
+
+    if ls -l /etc/php/*/fpm/pool.d/*.conf
+    then
+        chown root:root /etc/php/*/fpm/pool.d/*.conf
+        chmod 644 /etc/php/*/fpm/pool.d/*.conf
+    fi
+
     # Certs
     # We do this with find because there could be a lot of them...
     chown -R root:ssl-cert /etc/yunohost/certs

hooks/conf_regen/15-nginx

@@ -144,6 +144,12 @@ do_pre_regen() {
 do_post_regen() {
     regen_conf_files=$1
 
+    if ls -l /etc/nginx/conf.d/*.d/*.conf
+    then
+        chown root:root /etc/nginx/conf.d/*.d/*.conf
+        chmod 644 /etc/nginx/conf.d/*.d/*.conf
+    fi
+
     [ -z "$regen_conf_files" ] && exit 0
 
     # create NGINX conf directories for domains

hooks/conf_regen/52-fail2ban

@@ -24,6 +24,12 @@ do_pre_regen() {
 do_post_regen() {
     regen_conf_files=$1
 
+    if ls -l /etc/fail2ban/jail.d/*.conf
+    then
+        chown root:root /etc/fail2ban/jail.d/*.conf
+        chmod 644 /etc/fail2ban/jail.d/*.conf
+    fi
+
     [[ -z "$regen_conf_files" ]] \
         || systemctl reload fail2ban
 }

locales/en.json

@@ -467,13 +467,17 @@
     "group_creation_failed": "Could not create the group '{group}': {error}",
     "group_deleted": "Group '{group}' deleted",
     "group_deletion_failed": "Could not delete the group '{group}': {error}",
+    "group_mailalias_add": "The email alias '{mail}' will be added to the group '{group}'",
+    "group_mailalias_remove": "The email alias '{mail}' will be removed from the group '{group}'",
     "group_no_change": "Nothing to change for group '{group}'",
     "group_unknown": "The group '{group}' is unknown",
     "group_update_aliases": "Updating aliases for group '{group}'",
     "group_update_failed": "Could not update the group '{group}': {error}",
     "group_updated": "Group '{group}' updated",
+    "group_user_add": "The user '{user}' will be added to the group '{group}'",
     "group_user_already_in_group": "User {user} is already in group {group}",
     "group_user_not_in_group": "User {user} is not in group {group}",
+    "group_user_remove": "The user '{user}' will be removed from the group '{group}'",
     "hook_exec_failed": "Could not run script: {path}",
     "hook_exec_not_terminated": "Script did not finish properly: {path}",
     "hook_json_return_error": "Could not read return from hook {path}. Error: {msg}. Raw content: {raw_content}",

share/actionsmap.yml

@@ -954,6 +954,12 @@ app:
                     help: Delete the key
                     action: store_true
 
+        ### app_shell()
+        shell:
+            action_help: Open an interactive shell with the app environment already loaded
+            arguments:
+                app:
+                    help: App ID
 
         ### app_register_url()
         register-url:

src/app.py

@@ -1645,6 +1645,16 @@ def app_setting(app, key, value=None, delete=False):
     _set_app_settings(app, app_settings)
 
 
+def app_shell(app):
+    """
+    Open an interactive shell with the app environment already loaded
+
+    Keyword argument:
+        app -- App ID
+
+    """
+    subprocess.run(['/bin/bash', '-c', 'source /usr/share/yunohost/helpers && ynh_spawn_app_shell '+app])
+
 def app_register_url(app, domain, path):
     """
     Book/register a web path for a given app

src/certificate.py

@@ -41,8 +41,8 @@ from yunohost.log import OperationLogger
 logger = getActionLogger("yunohost.certmanager")
 
 CERT_FOLDER = "/etc/yunohost/certs/"
-TMP_FOLDER = "/tmp/acme-challenge-private/"
-WEBROOT_FOLDER = "/tmp/acme-challenge-public/"
+TMP_FOLDER = "/var/www/.well-known/acme-challenge-private/"
+WEBROOT_FOLDER = "/var/www/.well-known/acme-challenge-public/"
 
 SELF_CA_FILE = "/etc/ssl/certs/ca-yunohost_crt.pem"
 ACCOUNT_KEY_FILE = "/etc/yunohost/letsencrypt_account.pem"

src/diagnosers/21-web.py

@@ -60,9 +60,9 @@ class MyDiagnoser(Diagnoser):
                 domains_to_check.append(domain)
 
         self.nonce = "".join(random.choice("0123456789abcedf") for i in range(16))
-        rm("/tmp/.well-known/ynh-diagnosis/", recursive=True, force=True)
-        mkdir("/tmp/.well-known/ynh-diagnosis/", parents=True)
-        os.system("touch /tmp/.well-known/ynh-diagnosis/%s" % self.nonce)
+        rm("/var/www/.well-known/ynh-diagnosis/", recursive=True, force=True)
+        mkdir("/var/www/.well-known/ynh-diagnosis/", parents=True)
+        os.system("touch /var/www/.well-known/ynh-diagnosis/%s" % self.nonce)
 
         if not domains_to_check:
             return

src/user.py

@@ -1189,6 +1189,7 @@ def user_group_update(
                 )
             else:
                 operation_logger.related_to.append(("user", user))
+                logger.info(m18n.n("group_user_add", group=groupname, user=user))
 
         new_group_members += users_to_add
 
@@ -1202,6 +1203,7 @@ def user_group_update(
                 )
             else:
                 operation_logger.related_to.append(("user", user))
+                logger.info(m18n.n("group_user_remove", group=groupname, user=user))
 
         # Remove users_to_remove from new_group_members
         # Kinda like a new_group_members -= users_to_remove
@@ -1237,6 +1239,7 @@ def user_group_update(
                     "mail_domain_unknown", domain=mail[mail.find("@") + 1 :]
                 )
             new_group_mail.append(mail)
+            logger.info(m18n.n("group_mailalias_add", group=groupname, mail=mail))
 
     if remove_mailalias:
         from yunohost.domain import _get_maindomain
@@ -1256,6 +1259,7 @@ def user_group_update(
                 )
             if mail in new_group_mail:
                 new_group_mail.remove(mail)
+                logger.info(m18n.n("group_mailalias_remove", group=groupname, mail=mail))
             else:
                 raise YunohostValidationError("mail_alias_remove_failed", mail=mail)