[gentoo-commits] repo/gentoo:master commit in: www-apps/tt-rss/files/, www-apps/tt-rss/
commit: 291c589208abc5bb0b304c80d1316347747731e5 Author: James Le Cuirot gentoo org> AuthorDate: Sun Sep 17 21:31:03 2023 + Commit: James Le Cuirot gentoo org> CommitDate: Sun Sep 17 21:32:48 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=291c5892 www-apps/tt-rss: Bump snapshot to 20230901, PHP 8.2, improve permissions You are now instructed to always add the PHP user the ttrssd group, unless everything is to run as the web server user. This was necessary before, but my earlier wording was ambiguous, if not entirely wrong. The config.php file permissions are now also locked down to secure the database credentials. It was previously world-readable. Signed-off-by: James Le Cuirot gentoo.org> www-apps/tt-rss/Manifest | 2 +- www-apps/tt-rss/files/permissions-r1 | 23 ++- www-apps/tt-rss/files/tt-rss-no-chmod.patch| 44 +- www-apps/tt-rss/files/ttrssd.confd-r2 | 9 ++--- ...-rss-20220218.ebuild => tt-rss-20230901.ebuild} | 14 +++ www-apps/tt-rss/tt-rss-.ebuild | 16 +--- 6 files changed, 54 insertions(+), 54 deletions(-)
diff --git a/www-apps/tt-rss/Manifest b/www-apps/tt-rss/Manifest
index e407e317a278..da200b684ec8 100644
--- a/www-apps/tt-rss/Manifest
+++ b/www-apps/tt-rss/Manifest
@@ -1 +1 @@
-DIST tt-rss-20220218.tar.gz 9916433 BLAKE2B 318969b6e5156842079bf68c4ea614e5e60e21d8caa46b1a78f2cef051904da30e5091838f6e10f6f610d8ee39c7922137aeb60b7cd5004cabc1d2cdf65edfa8 SHA512 38a81dd737462724bc52ca3915350c175abe548cd566a4f9a5e1d5efda9287d0666e9348e5b13dd20549360501de5b0bfb659292fb650f7a60fdab8b63cf8202
+DIST tt-rss-20230901.tar.xz 5368876 BLAKE2B af7dc8c7003f9bd83f656a1596458302eb29b7f27428e38e9cbc7fdeb0b920079622b577e5e578069d8475c265061efeb23648da621ad66263370a748512d49c SHA512 02111c89a3dc8fbf94be38d87fa90770eaaa644672aeeb7c1ece3ac7137c5a4f2f0f4412319bd887305f365fc7da9bfe3f644495a5655e8a351ecdae97a04d35
diff --git a/www-apps/tt-rss/files/permissions-r1 b/www-apps/tt-rss/files/permissions-r1
index e50b4406646d..0ca420e97beb 100644
--- a/www-apps/tt-rss/files/permissions-r1
+++ b/www-apps/tt-rss/files/permissions-r1
@@ -3,22 +3,27 @@ cd "${MY_INSTALLDIR}" if [[ $1 = install ]]; then + # Ensure database credentials are secure. + [[ -e config.php ]] || touch config.php + chown --no-dereference "${VHOST_SERVER_UID}":ttrssd config.php + chmod 00440 config.php + # We need to lock down cache/ for the operations below to be # safe. The permissions match the webapp-config defaults but these # can be changed and existing installations may also differ. chown root:root cache/ chmod 00755 cache/ - chgrp --no-dereference ttrssd feed-icons/ lock/ cache/*/ - chmod g+ws feed-icons/ lock/ cache/*/ + chgrp --no-dereference ttrssd lock/ cache/*/ + chmod g+ws lock/ cache/*/ - # Files within lock/ are exclusively written by the update daemon. - # feed-icons/ and cache/ holds files that are modified in place by both - # processes and therefore ACLs are required to ensure that the files - # themselves are created as group writable. - if ! setfacl --modify d:g::rwX feed-icons/ cache/*/; then + # Files within lock/ are exclusively written by the update daemon. cache/ + # subdirectories hold files that are modified in place by both processes and + # therefore ACLs are required to ensure that the files themselves are + # created as group writable. + if ! setfacl --modify d:g::rwX cache/*/; then echo "WARNING: ACLs are not available on this filesystem. Either enable them or set TTRSSD_USER to your PHP user in /etc/conf.d/ttrssd to avoid permission issues." - elif [[ -n $(find feed-icons/ cache/ -type f ! -name ".*" ! -name index.html ! \( -group ttrssd -perm -020 \) -print -quit) ]]; then - echo "WARNING: Files that are not writable by the ttrssd group found within the cache or feed-icons directories. Either delete them or correct their permissions." + elif [[ -n $(find cache/ -type f ! -name ".*" ! -name index.html ! \( -group ttrssd -perm -020 \) -print -quit) ]]; then + echo "WARNING: Files that are not writable by the ttrssd group found within the cache directory. 
Either delete them or correct their permissions." fi fi diff --git a/www-apps/tt-rss/files/tt-rss-no-chmod.patch b/www-apps/tt-rss/files/tt-rss-no-chmod.patch index e51e66eaed22..4dd41af4bb12 100644 --- a/www-apps/tt-rss/files/tt-rss-no-chmod.patch +++ b/www-apps/tt-rss/files/tt-rss-no-chmod.patch @@ -1,26 +1,18 @@ -These files may be written and then updated by the web interface user or the -update daemon user, so they need to be group writeable. We enforce this with -ACLs rather than chmod though. - -diff --color -Naur a/classes/pref/feeds.php
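Review bot: The new config.php block at the top of the install branch treats symbolic links inconsistently: `chown --no-dereference` changes the link itself, while `touch` and `chmod 00440` follow it, so a linked config.php ends up with its target at mode 0440 but with the target's owner and group unchanged, and a dangling link makes `touch` create the target. Unlike cache/, nothing in this hunk locks the containing directory down first, so whether another account could place such a link depends on webapp-config ownership settings that the hunk does not show. I would test for a link before the three commands and only warn in that case, e.g. `if [[ -L config.php ]]; then echo "WARNING: config.php is a symbolic link; secure its target manually."; else` followed by the existing lines and `fi`.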
[gentoo-commits] repo/gentoo:master commit in: www-apps/tt-rss/files/, www-apps/tt-rss/
commit: 62e7ee4bf96b14a426a9b05738b00f84bbcb979d Author: James Le Cuirot gentoo org> AuthorDate: Wed Jun 22 21:49:50 2022 + Commit: James Le Cuirot gentoo org> CommitDate: Wed Jun 22 21:49:50 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62e7ee4b www-apps/tt-rss: Update no-chmod patch for Thanks to ppn for the patch. Closes: https://bugs.gentoo.org/853139 Signed-off-by: James Le Cuirot gentoo.org> www-apps/tt-rss/files/tt-rss-no-chmod-r2.patch | 26 ++ www-apps/tt-rss/tt-rss-.ebuild | 2 +- 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/www-apps/tt-rss/files/tt-rss-no-chmod-r2.patch b/www-apps/tt-rss/files/tt-rss-no-chmod-r2.patch new file mode 100644 index ..05de80b127c5 --- /dev/null +++ b/www-apps/tt-rss/files/tt-rss-no-chmod-r2.patch @@ -0,0 +1,26 @@ +These files may be written and then updated by the web interface user or the +update daemon user, so they need to be group writeable. We enforce this with +ACLs rather than chmod though. + +diff -Naur a/classes/pref/feeds.php b/classes/pref/feeds.php +--- a/classes/pref/feeds.php 2022-02-18 13:44:03.0 + b/classes/pref/feeds.php 2022-02-19 15:37:55.000723992 + +@@ -490,7 +490,6 @@ + + if (file_exists($new_filename)) unlink($new_filename); + if (rename($tmp_file, $new_filename)) { +- chmod($new_filename, 0644); + + $feed->set([ + 'favicon_avg_color' => null, +diff -Naur a/classes/rssutils.php b/classes/rssutils.php +--- a/classes/rssutils.php 2022-06-20 09:37:43.205998915 + b/classes/rssutils.php 2022-06-20 09:38:01.002279039 + +@@ -1758,7 +1758,6 @@ + + fwrite($fp, $contents); + fclose($fp); +- chmod($icon_file, 0644); + clearstatcache(); + + return $icon_file; diff --git a/www-apps/tt-rss/tt-rss-.ebuild b/www-apps/tt-rss/tt-rss-.ebuild index e91fad7a3c67..89e1ba0ce816 100644 --- a/www-apps/tt-rss/tt-rss-.ebuild +++ b/www-apps/tt-rss/tt-rss-.ebuild 
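Review bot: In the classes/pref/feeds.php hunk of the added tt-rss-no-chmod-r2.patch, dropping `chmod($new_filename, 0644);` leaves the icon with whatever mode `$tmp_file` already had, because `rename()` keeps the source file's permissions and a directory's default ACL is applied only when a file is created in it. If `$tmp_file` is created with a restrictive mode or outside the ACL-managed directories (its creation is outside the hunk), the renamed icon will not be group-writable and the other process cannot update it, which is the case the patch header says ACLs are meant to cover. I would confirm how `$tmp_file` is created and extend the header with a line such as `Files moved into place with rename() must already be group writable.` The classes/rssutils.php hunk looks unaffected, assuming `$fp` is opened on `$icon_file` itself. Both function bodies start and end outside their hunks.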
@@ -51,7 +51,7 @@ DEPEND=" need_httpd_cgi # From webapp.eclass PATCHES=( - "${FILESDIR}"/${PN}-no-chmod.patch + "${FILESDIR}"/${PN}-no-chmod-r2.patch ) src_install() {