Hello community,

here is the log from the commit of package matomo for openSUSE:Factory checked 
in at 2019-12-24 14:30:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/matomo (Old)
 and      /work/SRC/openSUSE:Factory/.matomo.new.6675 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "matomo"

Tue Dec 24 14:30:41 2019 rev:21 rq:759114 version:3.13.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/matomo/matomo.changes    2019-12-21 
12:35:07.751470171 +0100
+++ /work/SRC/openSUSE:Factory/.matomo.new.6675/matomo.changes  2019-12-24 
14:31:06.594609601 +0100
@@ -1,0 +2,14 @@
+Mon Dec 23 22:56:28 UTC 2019 - Lars Vogdt <[email protected]>
+
+- (add) more secure PHP settings for:
+  upload_tmp_dir => "/var/cache/apache2" (upload is disabled, but this
+                    makes Matomo's security check happy)
+  session.save_path => "/run/matomo_sessions/", to keep session files 
+                       secure. Added: matomo-tmpfile.conf for this
+- just recommend cron and mariadb:
+  * mariadb can be run on another host (matomo just needs the client)
+  * cron script can be obsoleted by the provided systemd timer
+- pre-require php, to run the commands in post
+- recommend php-openssl for (php) curl requests from matomo
+
+-------------------------------------------------------------------

New:
----
  matomo-tmpfile.conf

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ matomo.spec ++++++
--- /var/tmp/diff_new_pack.YG5u7V/_old  2019-12-24 14:31:08.502610572 +0100
+++ /var/tmp/diff_new_pack.YG5u7V/_new  2019-12-24 14:31:08.506610574 +0100
@@ -29,6 +29,7 @@
 %define ap_usr nobody
 %define ap_grp nogroup
 %endif
+%{!?_tmpfilesdir:%global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 
 Name:           matomo
 Version:        3.13.0
@@ -45,6 +46,7 @@
 Source11:       %{name}-archive.service
 Source12:       %{name}-archive.timer
 Source13:       %{name}.my.cnf
+Source14:       %{name}-tmpfile.conf
 Source99:       %{name}.rpmlintrc
 BuildArch:      noarch
 %if 0%{?suse_version} >= 1500
@@ -61,9 +63,7 @@
 BuildRequires:  systemd
 BuildRequires:  unzip
 Requires:       apache2
-Requires:       cron
 Requires:       logrotate
-Requires:       mariadb
 Requires:       mod_php_any >= 5.5.9
 Requires:       php-ctype
 Requires:       php-curl
@@ -73,17 +73,19 @@
 Requires:       php-json
 Requires:       php-mbstring
 Requires:       php-mysql
-#Requires:       php-openssl
 Requires:       php-pdo
 #Requires:       php-sqlite
 Requires:       php-tokenizer
 Requires:       php-xmlreader
 Requires:       php-xmlwriter
 Requires:       php-zlib
+Requires(pre):  php
 %{?systemd_requires}
 Recommends:     php-geoip
+Recommends:     php-openssl
 Recommends:     apache2-mod_geoip
-
+Recommends:     mariadb
+Recommends:     cron
 Conflicts:      piwik
 
 %description
@@ -157,6 +159,7 @@
 install -D -m 0644 %{SOURCE10} 
%{buildroot}/%{_sysconfdir}/cron.d/%{name}-archive
 install -D -m 0644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}-archive.service
 install -D -m 0644 %{SOURCE12} %{buildroot}%{_unitdir}/%{name}-archive.timer
+install -D -m 0644 %{SOURCE14} %{buildroot}%{_tmpfilesdir}/%{name}.conf
 sed -i -e 's|@ap_serverroot@|%{ap_serverroot}|g' 
%{buildroot}%{_sysconfdir}/cron.d/%{name}-archive
 sed -i -e 's|@ap_serverroot@|%{ap_serverroot}|g' 
%{buildroot}%{_unitdir}/%{name}-archive.service
 # install changes for mariadb
@@ -172,6 +175,7 @@
 # BSC#1154324
 # # # chown -R %{ap_usr}:%{ap_grp} %{ap_serverroot}/%{name}
 %service_add_post matomo-archive.timer matomo-archive.service apache2.service
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
 if [ $1 -gt 1 ]; then
   # Update matomo if this is an upgrade $1 == 2
   echo "matomo: Update matomo:core..."
@@ -191,7 +195,6 @@
 
 %files
 %defattr(-,root,root,-)
-#%%doc README.SUSE CHANGELOG.md CONTRIBUTING.md LEGALNOTICE README.md 
SECURITY.md
 %dir %{_defaultdocdir}/%{name}
 %{_defaultdocdir}/%{name}/*
 %config(noreplace) %{ap_sysconfdir}/conf.d/%{name}.conf
@@ -200,10 +203,12 @@
 %config(noreplace) %{_sysconfdir}/my.cnf.d/%{name}.my.cnf
 %{_unitdir}/%{name}-archive.service
 %{_unitdir}/%{name}-archive.timer
+%{_tmpfilesdir}/%{name}.conf
 %dir %attr(0750,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}
 %dir %attr(0750,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/environment
 %attr(0640,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/*.php
 %attr(0640,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/environment/*.php
+%ghost %attr(0750,%{ap_usr},%{ap_grp}) /run/%{name}_sessions
 %defattr(644,root,root,755)
 %dir %{ap_serverroot}/%{name}
 %dir %attr(0750,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/js
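Review bot: The new `%ghost` entry for `/run/%{name}_sessions` takes its owner from `%{ap_usr}`/`%{ap_grp}`, but the new matomo-tmpfile.conf hard-codes `wwwrun www`. On the build branch where this spec defines `ap_usr nobody` and `ap_grp nogroup`, systemd-tmpfiles would create the directory for a different account than the one recorded in the RPM database, and presumably a different one than PHP runs as. Either substitute the owner into the snippet at install time, the way `@ap_serverroot@` is already replaced with `sed`, or ship the snippet only on the SUSE branch. The path is a directory, so the entry would also read more accurately as `%ghost %dir %attr(0750,%{ap_usr},%{ap_grp}) /run/%{name}_sessions`. The `%files` list continues outside this hunk.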
@@ -218,16 +223,17 @@
 %attr(0644,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/js/piwik.min.js
 %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/console
 %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/misc/cron/archive.sh
-#%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/misc/log-analytics/import_logs.py
+%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/misc/log-analytics/import_logs.py
 %attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/misc/composer/clean-xhprof.sh
 %attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/misc/composer/build-xhprof.sh
 #%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/plugins/TestRunner/scripts/on_instance_launch.sh
-#%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/vendor/leafo/lessphp/package.sh
-#%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/vendor/leafo/lessphp/lessify
-#%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/vendor/leafo/lessphp/plessc
-#%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/vendor/pear/archive_tar/sync-php4
-#%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/vendor/szymach/c-pchart/coverage.sh
-#%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/vendor/tecnickcom/tcpdf/tools/tcpdf_addfont.php
+%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/vendor/leafo/lessphp/package.sh
+%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/vendor/leafo/lessphp/lessify
+%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/vendor/leafo/lessphp/plessc
+%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/vendor/pear/archive_tar/sync-php4
+%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/vendor/szymach/c-pchart/coverage.sh
+%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/vendor/tecnickcom/tcpdf/tools/tcpdf_addfont.php
+%attr(0770,%{ap_usr},%{ap_grp}) 
%{ap_serverroot}/%{name}/vendor/twig/twig/drupal_test.sh
 %{ap_serverroot}/%{name}/*
 
 %changelog
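Review bot: The re-enabled `%attr(0770,%{ap_usr},%{ap_grp})` lines make build and test helpers under `vendor/` (`package.sh`, `coverage.sh`, `sync-php4`, `drupal_test.sh`, `tcpdf_addfont.php`) owned by, writable by and executable for the web-server account inside the served tree. The surrounding `%defattr(644,root,root,755)` would otherwise leave them root-owned and non-executable, and none of them looks necessary at runtime. Files the application account can both rewrite and execute weaken the separation between package-owned code and web-writable data, so a compromise of the PHP application is harder to contain and to detect with `rpm -V`. Consider leaving these helpers at the default attributes or excluding them from the package, and keeping `0770` only for entry points Matomo actually runs, such as `console` and `misc/cron/archive.sh`.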

++++++ matomo-tmpfile.conf ++++++
# setting PHP's session.save_path to this directory
d /run/matomo_sessions 0750 wwwrun www -
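Review bot: Mode `0750` gives every member of group `www` read and search access to the session directory. PHP's default file session handler names each file after the session ID, so group members can list live session IDs even though the files themselves are created owner-only. Only the PHP process needs this directory, so `d /run/matomo_sessions 0700 wwwrun www -` is the tighter setting, with the `%ghost %attr(...)` line in matomo.spec changed to match. The age field `-` also means systemd-tmpfiles never prunes the directory, so stale sessions go away only through PHP's own session garbage collection; a comment in this file saying so would help.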
++++++ matomo.conf ++++++
--- /var/tmp/diff_new_pack.YG5u7V/_old  2019-12-24 14:31:08.686610665 +0100
+++ /var/tmp/diff_new_pack.YG5u7V/_new  2019-12-24 14:31:08.686610665 +0100
@@ -75,11 +75,13 @@
 
     <IfModule mod_php7.c>
          # improved security
-        php_admin_value open_basedir 
"__matomo_web__:__matomo_conf__:__matomo_log__:/tmp:/usr/bin"
+        php_admin_value open_basedir 
"__matomo_web__:__matomo_conf__:__matomo_log__:/tmp:/usr/bin:/var/cache/apache2:/run/matomo_sessions"
         php_admin_flag display_startup_errors Off
         php_admin_flag display_errors Off
         php_admin_flag file_uploads Off
         php_admin_flag allow_url_fopen Off
+        php_admin_value upload_tmp_dir "/var/cache/apache2"
+        php_admin_value session.save_path "/run/matomo_sessions/"
         php_admin_value disable_functions 
"posix_setpgid,exec,ftp_login,mysql_pconnect,apache_setenv,popen,posix_getpwuid,posix_setsid,passthru,escapeshellcmd,ini_alter,ftp_raw,ftp_nb_fput,ini_restore,shell_exec,ftp_get,proc_get_status,highlight_file,proc_close,proc_terminate,syslog,ftp_connect,posix_uname,ini_get_all,proc_open,posix_kill,escapeshellarg,ftp_rawlist,posix_setuid,openlog,php_uname,system,ftp_exec,posix_mkfifo,proc_nice,ftp_put"
         php_admin_value memory_limit "1024M"
         php_admin_value max_execution_time 120
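Review bot: The widened `open_basedir` now covers all of `/var/cache/apache2`, which is broader than this change needs. `file_uploads` stays `Off`, so `upload_tmp_dir` is set only to satisfy Matomo's check, yet PHP gains access to whatever else Apache keeps in that directory (its contents are not visible from this hunk). A Matomo-only subdirectory, created by the same tmpfiles snippet and used for both `upload_tmp_dir` and the `open_basedir` entry, would keep the restriction narrow. If `/tmp` was in the list only for session files, it may be removable now that `session.save_path` points to `/run/matomo_sessions/`; confirm before dropping it. The `<IfModule mod_php7.c>` block continues outside the hunk.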

