author | James Le Cuirot <chewi@gentoo.org> | 2023-09-17 22:31:03 +0100 |
---|---|---|
committer | James Le Cuirot <chewi@gentoo.org> | 2023-09-17 22:32:48 +0100 |
commit | 291c589208abc5bb0b304c80d1316347747731e5 (patch) | |
tree | 4e52328a556dd71687c6b405a50d8f7fbee49bfd /www-apps/tt-rss | |
parent | sys-libs/glibc: keyword 2.37-r5 (diff) | |
www-apps/tt-rss: Bump snapshot to 20230901, PHP 8.2, improve permissions
You are now instructed to always add the PHP user to the ttrssd group, unless
everything is to run as the web server user. This was necessary before, but my
earlier wording was ambiguous, if not entirely wrong.
The config.php file permissions are now also locked down to secure the database
credentials. It was previously world-readable.
Signed-off-by: James Le Cuirot <chewi@gentoo.org>
Diffstat (limited to 'www-apps/tt-rss')
-rw-r--r-- | www-apps/tt-rss/Manifest | 2 | ||||
-rw-r--r-- | www-apps/tt-rss/files/permissions-r1 | 23 | ||||
-rw-r--r-- | www-apps/tt-rss/files/tt-rss-no-chmod.patch | 44 | ||||
-rw-r--r-- | www-apps/tt-rss/files/ttrssd.confd-r2 | 9 | ||||
-rw-r--r-- | www-apps/tt-rss/tt-rss-20230901.ebuild (renamed from www-apps/tt-rss/tt-rss-20220218.ebuild) | 14 | ||||
-rw-r--r-- | www-apps/tt-rss/tt-rss-99999999.ebuild | 16 |
6 files changed, 54 insertions, 54 deletions
diff --git a/www-apps/tt-rss/Manifest b/www-apps/tt-rss/Manifest
index e407e317a278..da200b684ec8 100644
--- a/www-apps/tt-rss/Manifest
+++ b/www-apps/tt-rss/Manifest
@@ -1 +1 @@
-DIST tt-rss-20220218.tar.gz 9916433 BLAKE2B 318969b6e5156842079bf68c4ea614e5e60e21d8caa46b1a78f2cef051904da30e5091838f6e10f6f610d8ee39c7922137aeb60b7cd5004cabc1d2cdf65edfa8 SHA512 38a81dd737462724bc52ca3915350c175abe548cd566a4f9a5e1d5efda9287d0666e9348e5b13dd20549360501de5b0bfb659292fb650f7a60fdab8b63cf8202
+DIST tt-rss-20230901.tar.xz 5368876 BLAKE2B af7dc8c7003f9bd83f656a1596458302eb29b7f27428e38e9cbc7fdeb0b920079622b577e5e578069d8475c265061efeb23648da621ad66263370a748512d49c SHA512 02111c89a3dc8fbf94be38d87fa90770eaaa644672aeeb7c1ece3ac7137c5a4f2f0f4412319bd887305f365fc7da9bfe3f644495a5655e8a351ecdae97a04d35
diff --git a/www-apps/tt-rss/files/permissions-r1 b/www-apps/tt-rss/files/permissions-r1
index e50b4406646d..0ca420e97beb 100644
--- a/www-apps/tt-rss/files/permissions-r1
+++ b/www-apps/tt-rss/files/permissions-r1
@@ -3,22 +3,27 @@ cd "${MY_INSTALLDIR}" if [[ $1 = install ]]; then + # Ensure database credentials are secure. + [[ -e config.php ]] || touch config.php + chown --no-dereference "${VHOST_SERVER_UID}":ttrssd config.php + chmod 00440 config.php + # We need to lock down cache/ for the operations below to be # safe. The permissions match the webapp-config defaults but these # can be changed and existing installations may also differ. chown root:root cache/ chmod 00755 cache/ - chgrp --no-dereference ttrssd feed-icons/ lock/ cache/*/ - chmod g+ws feed-icons/ lock/ cache/*/ + chgrp --no-dereference ttrssd lock/ cache/*/ + chmod g+ws lock/ cache/*/ - # Files within lock/ are exclusively written by the update daemon. - # feed-icons/ and cache/ holds files that are modified in place by both - # processes and therefore ACLs are required to ensure that the files - # themselves are created as group writable. - if ! setfacl --modify d:g::rwX feed-icons/ cache/*/; then + # Files within lock/ are exclusively written by the update daemon. cache/ + # subdirectories hold files that are modified in place by both processes and + # therefore ACLs are required to ensure that the files themselves are + # created as group writable. + if ! setfacl --modify d:g::rwX cache/*/; then echo "WARNING: ACLs are not available on this filesystem. Either enable them or set TTRSSD_USER to your PHP user in /etc/conf.d/ttrssd to avoid permission issues." - elif [[ -n $(find feed-icons/ cache/ -type f ! -name ".*" ! -name index.html ! \( -group ttrssd -perm -020 \) -print -quit) ]]; then - echo "WARNING: Files that are not writable by the ttrssd group found within the cache or feed-icons directories. Either delete them or correct their permissions." + elif [[ -n $(find cache/ -type f ! -name ".*" ! -name index.html ! \( -group ttrssd -perm -020 \) -print -quit) ]]; then + echo "WARNING: Files that are not writable by the ttrssd group found within the cache directory. 
Either delete them or correct their permissions." fi fi diff --git a/www-apps/tt-rss/files/tt-rss-no-chmod.patch b/www-apps/tt-rss/files/tt-rss-no-chmod.patch index e51e66eaed22..4dd41af4bb12 100644 --- a/www-apps/tt-rss/files/tt-rss-no-chmod.patch +++ b/www-apps/tt-rss/files/tt-rss-no-chmod.patch @@ -1,26 +1,18 @@ -These files may be written and then updated by the web interface user or the -update daemon user, so they need to be group writeable. We enforce this with -ACLs rather than chmod though. - -diff --color -Naur a/classes/pref/feeds.php b/classes/pref/feeds.php ---- a/classes/pref/feeds.php 2022-02-18 13:44:03.000000000 +0000 -+++ b/classes/pref/feeds.php 2022-02-19 15:37:55.000723992 +0000 -@@ -490,7 +490,6 @@ - - if (file_exists($new_filename)) unlink($new_filename); - if (rename($tmp_file, $new_filename)) { -- chmod($new_filename, 0644); - - $feed->set([ - 'favicon_avg_color' => null, -diff --color -Naur a/classes/rssutils.php b/classes/rssutils.php ---- a/classes/rssutils.php 2022-02-18 13:44:03.000000000 +0000 -+++ b/classes/rssutils.php 2022-02-19 15:37:40.393312123 +0000 -@@ -1728,7 +1728,6 @@ - - fwrite($fp, $contents); - fclose($fp); -- chmod($icon_file, 0644); - clearstatcache(); - - return $icon_file; +diff --git a/plugins/cache_starred_images/init.php b/plugins/cache_starred_images/init.php +index 208eafde9..05b5a1a93 100755 +--- a/plugins/cache_starred_images/init.php ++++ b/plugins/cache_starred_images/init.php +@@ -24,11 +24,8 @@ class Cache_Starred_Images extends Plugin { + $this->cache = DiskCache::instance("starred-images"); + $this->cache_status = DiskCache::instance("starred-images.status-files"); + +- if ($this->cache->make_dir()) +- chmod($this->cache->get_dir(), 0777); +- +- if ($this->cache_status->make_dir()) +- chmod($this->cache_status->get_dir(), 0777); ++ $this->cache->make_dir(); ++ $this->cache_status->make_dir(); + + if (!$this->cache->exists(".no-auto-expiry")) + $this->cache->put(".no-auto-expiry", ""); 
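Review bot: `chmod 00440 config.php` follows a symlink while the `chown --no-dereference "${VHOST_SERVER_UID}":ttrssd config.php` just above it deliberately does not, so an administrator who keeps config.php as a symlink to a file elsewhere ends up with the mode applied to the target and the ownership applied to the link, which is not the locked-down pair the "Ensure database credentials are secure" comment promises. Guarding the mode change the same way, e.g. `[[ -L config.php ]] || chmod 00440 config.php`, keeps the two steps consistent, and the preceding `[[ -e config.php ]] || touch config.php` likewise creates the target of a dangling symlink rather than leaving it for the administrator to notice. Since the hook runs on every `install`, an already-present world-readable config.php is tightened only on the next webapp-config run; it may be worth stating that in the comment so the fix is not assumed to be retroactive.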
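Review bot: The rewritten tt-rss-no-chmod.patch drops the explanatory paragraph the previous version carried before its first `diff` line, so the file no longer says why the two `chmod($this->cache->get_dir(), 0777)` calls in `Cache_Starred_Images` are removed or what takes their place. A short preamble stating that the cache subdirectories are made group-writable by the install hook (setgid bit plus default ACL) and therefore must not be widened to 0777 by the plugin would keep the intent with the patch; the old wording "We enforce this with ACLs rather than chmod though" can be reused. This concerns the patch file's own preamble, not the PHP hunk it carries.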
diff --git a/www-apps/tt-rss/files/ttrssd.confd-r2 b/www-apps/tt-rss/files/ttrssd.confd-r2 index b169b548bb9a..7546d096d08b 100644 --- a/www-apps/tt-rss/files/ttrssd.confd-r2 +++ b/www-apps/tt-rss/files/ttrssd.confd-r2 @@ -1,4 +1,4 @@ -# Copyright 1999-2018 Gentoo Foundation +# Copyright 1999-2023 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # Space-separated paths of TT-RSS instances that you want to start the @@ -24,10 +24,9 @@ LOG_DIR="/var/log/ttrssd" # User to run the update daemon as. You should not run this as # root. If ACLs are unavailable on the filesystem used by the TT-RSS # instances then choosing the same user that serves the PHP web -# interface is recommended to avoid permission issues. You *must* add -# this user to the ttrssd group. If the PHP user is not the same as -# the web server user (e.g. apache or nginx) then this user must be -# added to the ttrssd group too. +# interface is recommended to avoid permission issues. Either way, you +# *must* add these users to the ttrssd group unless everything is +# running as the web server user (e.g. apache or nginx). # # Default: # TTRSSD_USER="ttrssd" diff --git a/www-apps/tt-rss/tt-rss-20220218.ebuild b/www-apps/tt-rss/tt-rss-20230901.ebuild index 720630a250db..284e1f60ac70 100644 --- a/www-apps/tt-rss/tt-rss-20220218.ebuild +++ b/www-apps/tt-rss/tt-rss-20230901.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 
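Review bot: In the reworded `TTRSSD_USER` comment, `these users` is the only reference to the two accounts it means, and a reader who jumps straight to this entry has to reassemble them from the sentences above. Naming them keeps the instruction the commit message describes unambiguous, e.g. `# *must* add both TTRSSD_USER and the PHP user to the ttrssd group unless` in place of `# *must* add these users to the ttrssd group unless`. This applies to the `@@ -24,10 +24,9 @@` hunk only; the copyright hunk needs nothing.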
@@ -7,13 +7,13 @@ inherit webapp DESCRIPTION="Tiny Tiny RSS - A web-based news feed (RSS/Atom) aggregator using AJAX" HOMEPAGE="https://tt-rss.org/" -SRC_URI="https://dev.gentoo.org/~chewi/distfiles/${P}.tar.gz" # Upstream git frontend blocks wget? +SRC_URI="https://dev.gentoo.org/~chewi/distfiles/${P}.tar.xz" LICENSE="GPL-3" KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86" IUSE="+acl daemon gd +mysqli postgres" REQUIRED_USE="|| ( mysqli postgres )" -PHP_SLOTS="8.0 7.4" +PHP_SLOTS="8.2" PHP_USE="gd?,mysqli?,postgres?,curl,fileinfo,intl,json(+),pdo,unicode,xml" php_rdepend() { @@ -62,12 +62,12 @@ src_install() { insinto "${MY_HTDOCSDIR}" doins -r * - # When updating, grep the plugins directory for additional CACHE_DIR - # instances as they cannot be created later due to permissions. - dodir "${MY_HTDOCSDIR}"/cache/starred-images + # When updating, grep the code for additional DiskCache::instances as they + # cannot be created later due to permissions. + keepdir "${MY_HTDOCSDIR}"/cache/{feed-icons,starred-images} local dir - for dir in "${ED}${MY_HTDOCSDIR}"/{cache/*,feed-icons,lock}/; do + for dir in "${ED}${MY_HTDOCSDIR}"/{cache/*,lock}/; do webapp_serverowned "${dir#${ED}}" done diff --git a/www-apps/tt-rss/tt-rss-99999999.ebuild b/www-apps/tt-rss/tt-rss-99999999.ebuild index a821a1e6edb9..668d1007ed48 100644 --- a/www-apps/tt-rss/tt-rss-99999999.ebuild +++ b/www-apps/tt-rss/tt-rss-99999999.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -13,7 +13,7 @@ SLOT="${PV}" # Single live slot. IUSE="+acl daemon gd +mysqli postgres" REQUIRED_USE="|| ( mysqli postgres )" -PHP_SLOTS="8.1 8.0 7.4" +PHP_SLOTS="8.2" PHP_USE="gd?,mysqli?,postgres?,curl,fileinfo,intl,json(+),pdo,unicode,xml" php_rdepend() { 
@@ -50,18 +50,22 @@ DEPEND=" need_httpd_cgi # From webapp.eclass +PATCHES=( + "${FILESDIR}"/${PN}-no-chmod.patch +) + src_install() { webapp_src_preinst insinto "${MY_HTDOCSDIR}" doins -r * - # When updating, grep the plugins directory for additional CACHE_DIR - # instances as they cannot be created later due to permissions. - dodir "${MY_HTDOCSDIR}"/cache/starred-images + # When updating, grep the code for additional DiskCache::instances as they + # cannot be created later due to permissions. + keepdir "${MY_HTDOCSDIR}"/cache/{feed-icons,starred-images} local dir - for dir in "${ED}${MY_HTDOCSDIR}"/{cache/*,feed-icons,lock}/; do + for dir in "${ED}${MY_HTDOCSDIR}"/{cache/*,lock}/; do webapp_serverowned "${dir#${ED}}" done |