Date: Sunday, December 16, 2018 @ 18:17:51 Author: archange Revision: 416455
upgpkg: couchdb 2.3.0-1 Upstream update + systemd service hardening Modified: couchdb/trunk/PKGBUILD couchdb/trunk/couchdb.service -----------------+ PKGBUILD | 12 ++++++------ couchdb.service | 22 +++++++++++++++++++--- 2 files changed, 25 insertions(+), 9 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2018-12-16 15:51:42 UTC (rev 416454) +++ PKGBUILD 2018-12-16 18:17:51 UTC (rev 416455) @@ -4,14 +4,14 @@ # Contributor: Michael Fellinger <[email protected]> pkgname=couchdb -pkgver=2.2.0 -pkgrel=3 +pkgver=2.3.0 +pkgrel=1 pkgdesc="A document-oriented database that can be queried and indexed in a MapReduce fashion using JSON" arch=('x86_64') url="https://couchdb.apache.org" license=('APACHE') depends=('icu' 'js185' 'zlib') -makedepends=('erlang-nox-20') +makedepends=('erlang-nox') install=${pkgname}.install backup=('etc/couchdb/local.ini' 'etc/couchdb/vm.args') @@ -20,9 +20,9 @@ 'couchdb.sysusers' 'couchdb.tmpfiles' 'datadirs.ini') -sha256sums=('0e3ceb8aab73af8e54a2e2c949f362495b1c938455a15e9a4e294901c6c67985' +sha256sums=('0b3868d042b158d9fd2f504804abd93cd22681c033952f832ce846672c31f352' 'SKIP' - 'e2976dbdd2fb63fe8d09bee0d9c9a97e8785533d9c323276b4030354cb6d8957' + 'aa487af362f1ff64333763615513a58cf710c41077413a364a2c60cb882f4be8' '3ed1ad2a37a068ce194b03fb72eb35285d60fa7faf2d2c2bb710703d229108a8' '0ce806cbc5e18e60b17be9fd2cdbd4c7f12cc84ca95b079efdede16ddb5f3efd' '937ca3498aab47b3f2226d027fa8a1a95de55cbb463373099e28cb9a6c7046ac') @@ -30,7 +30,7 @@ prepare() { cd apache-couchdb-${pkgver} - sed -i 's|$ROOTDIR/etc/vm.args|/etc/couchdb/vm.args|' rel/overlay/bin/couchdb + sed -i 's|$ROOTDIR/etc/vm.args|/etc/couchdb/vm.args|' rel/files/couchdb.in } build() { Modified: couchdb.service =================================================================== --- couchdb.service 2018-12-16 15:51:42 UTC (rev 416454) +++ couchdb.service 2018-12-16 18:17:51 UTC (rev 416455) 
@@ -5,12 +5,28 @@
 User=couchdb
 Group=couchdb
 Type=simple
+WorkingDirectory=~
+StateDirectory=couchdb
 Environment="ERL_FLAGS=-couch_ini /usr/lib/couchdb/etc/default.ini /usr/lib/couchdb/etc/datadirs.ini /etc/couchdb/local.ini"
 ExecStart=/usr/lib/couchdb/bin/couchdb
-ProtectSystem=true
+Restart=always
+RestartSec=2s
+CapabilityBoundingSet=
+NoNewPrivileges=True
+PrivateUsers=true
+PrivateDevices=true
+PrivateTmp=true
 ProtectHome=true
-NoNewPrivileges=true
-PrivateTmp=true
+ProtectSystem=strict
+ProtectControlGroups=yes
+ProtectKernelTunables=true
+ProtectKernelModules=yes
+ReadWritePaths=/etc/couchdb/local.ini
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
 [Install]
 WantedBy=multi-user.target
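Review bot: `SystemCallFilter=@system-service` is added without a `SystemCallErrorNumber=`, so a syscall outside the set terminates the process with SIGSYS, and the new `Restart=always` / `RestartSec=2s` will then restart it in a loop that hides the cause. Adding `SystemCallErrorNumber=EPERM` and using `Restart=on-failure` would surface a filter hit as an error in the journal instead of a crash loop. `MemoryDenyWriteExecute=true` should also be tested against view queries: the package depends on `js185`, and if couchjs or the Erlang VM maps writable-executable memory for JIT or native code, those mappings will be refused under this setting. The socket address families are still unrestricted; `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` would fit this unit once it is confirmed that the node needs nothing else.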
