authorV3n3RiX <venerix@koprulu.sector>2023-09-17 23:04:25 +0100
committerV3n3RiX <venerix@koprulu.sector>2023-09-17 23:04:25 +0100
commit89553b6b47f66268074b385593005eacd7b65ccf (patch)
tree9a30d631672a8bf34be7151e3d7bebf73663c191 /www-apps/tt-rss/files
parentc9e9e39938097bf29063c271195ad0d7d7bd02a9 (diff)
gentoo auto-resync : 17:09:2023 - 23:04:24
Diffstat (limited to 'www-apps/tt-rss/files')
-rw-r--r--www-apps/tt-rss/files/permissions-r123
-rw-r--r--www-apps/tt-rss/files/tt-rss-no-chmod.patch44
-rw-r--r--www-apps/tt-rss/files/ttrssd.confd-r29
3 files changed, 36 insertions, 40 deletions
diff --git a/www-apps/tt-rss/files/permissions-r1 b/www-apps/tt-rss/files/permissions-r1
index e50b4406646d..0ca420e97beb 100644
--- a/www-apps/tt-rss/files/permissions-r1
+++ b/www-apps/tt-rss/files/permissions-r1
@@ -3,22 +3,27 @@
cd "${MY_INSTALLDIR}"
if [[ $1 = install ]]; then
+ # Ensure database credentials are secure.
+ [[ -e config.php ]] || touch config.php
+ chown --no-dereference "${VHOST_SERVER_UID}":ttrssd config.php
+ chmod 00440 config.php
+
# We need to lock down cache/ for the operations below to be
# safe. The permissions match the webapp-config defaults but these
# can be changed and existing installations may also differ.
chown root:root cache/
chmod 00755 cache/
- chgrp --no-dereference ttrssd feed-icons/ lock/ cache/*/
- chmod g+ws feed-icons/ lock/ cache/*/
+ chgrp --no-dereference ttrssd lock/ cache/*/
+ chmod g+ws lock/ cache/*/
- # Files within lock/ are exclusively written by the update daemon.
- # feed-icons/ and cache/ holds files that are modified in place by both
- # processes and therefore ACLs are required to ensure that the files
- # themselves are created as group writable.
- if ! setfacl --modify d:g::rwX feed-icons/ cache/*/; then
+ # Files within lock/ are exclusively written by the update daemon. cache/
+ # subdirectories hold files that are modified in place by both processes and
+ # therefore ACLs are required to ensure that the files themselves are
+ # created as group writable.
+ if ! setfacl --modify d:g::rwX cache/*/; then
echo "WARNING: ACLs are not available on this filesystem. Either enable them or set TTRSSD_USER to your PHP user in /etc/conf.d/ttrssd to avoid permission issues."
- elif [[ -n $(find feed-icons/ cache/ -type f ! -name ".*" ! -name index.html ! \( -group ttrssd -perm -020 \) -print -quit) ]]; then
- echo "WARNING: Files that are not writable by the ttrssd group found within the cache or feed-icons directories. Either delete them or correct their permissions."
+ elif [[ -n $(find cache/ -type f ! -name ".*" ! -name index.html ! \( -group ttrssd -perm -020 \) -print -quit) ]]; then
+ echo "WARNING: Files that are not writable by the ttrssd group found within the cache directory. Either delete them or correct their permissions."
fi
fi
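Review bot: The added `chmod 00440 config.php` follows symlinks even though the `chown` on the line before it is given `--no-dereference`, and `[[ -e config.php ]]` is false for a dangling link, so the `touch` would create whatever the link points at. The script locks down cache/ before working inside it, but nothing visible in this hunk does the same for the install directory, so whether an unprivileged user can place a link there should be confirmed. If it can, these lines act (presumably as root, given the `chown`) on a path that user controls. Skipping the block or bailing out when `[[ -L config.php ]]` is true, tested before the `touch`, would close that. The script starts above the hunk.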
diff --git a/www-apps/tt-rss/files/tt-rss-no-chmod.patch b/www-apps/tt-rss/files/tt-rss-no-chmod.patch
index e51e66eaed22..4dd41af4bb12 100644
--- a/www-apps/tt-rss/files/tt-rss-no-chmod.patch
+++ b/www-apps/tt-rss/files/tt-rss-no-chmod.patch
@@ -1,26 +1,18 @@
-These files may be written and then updated by the web interface user or the
-update daemon user, so they need to be group writeable. We enforce this with
-ACLs rather than chmod though.
-
-diff --color -Naur a/classes/pref/feeds.php b/classes/pref/feeds.php
---- a/classes/pref/feeds.php 2022-02-18 13:44:03.000000000 +0000
-+++ b/classes/pref/feeds.php 2022-02-19 15:37:55.000723992 +0000
-@@ -490,7 +490,6 @@
-
- if (file_exists($new_filename)) unlink($new_filename);
- if (rename($tmp_file, $new_filename)) {
-- chmod($new_filename, 0644);
-
- $feed->set([
- 'favicon_avg_color' => null,
-diff --color -Naur a/classes/rssutils.php b/classes/rssutils.php
---- a/classes/rssutils.php 2022-02-18 13:44:03.000000000 +0000
-+++ b/classes/rssutils.php 2022-02-19 15:37:40.393312123 +0000
-@@ -1728,7 +1728,6 @@
-
- fwrite($fp, $contents);
- fclose($fp);
-- chmod($icon_file, 0644);
- clearstatcache();
-
- return $icon_file;
+diff --git a/plugins/cache_starred_images/init.php b/plugins/cache_starred_images/init.php
+index 208eafde9..05b5a1a93 100755
+--- a/plugins/cache_starred_images/init.php
++++ b/plugins/cache_starred_images/init.php
+@@ -24,11 +24,8 @@ class Cache_Starred_Images extends Plugin {
+ $this->cache = DiskCache::instance("starred-images");
+ $this->cache_status = DiskCache::instance("starred-images.status-files");
+
+- if ($this->cache->make_dir())
+- chmod($this->cache->get_dir(), 0777);
+-
+- if ($this->cache_status->make_dir())
+- chmod($this->cache_status->get_dir(), 0777);
++ $this->cache->make_dir();
++ $this->cache_status->make_dir();
+
+ if (!$this->cache->exists(".no-auto-expiry"))
+ $this->cache->put(".no-auto-expiry", "");
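Review bot: The rewritten patch drops the explanatory header the old version carried, so nothing records why the `chmod(..., 0777)` calls are removed from Cache_Starred_Images. A short header would help, for example `Do not make the cache directories world-writable; group access for the update daemon comes from the setgid bit and default ACLs set by the permissions hook.` The results of both `make_dir()` calls are also now ignored. Since permissions-r1 sets cache/ to root:root 0755, creation can only succeed if the starred-images directories already exist, so it is worth confirming that they are shipped. The enclosing method starts and ends outside the hunk.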
diff --git a/www-apps/tt-rss/files/ttrssd.confd-r2 b/www-apps/tt-rss/files/ttrssd.confd-r2
index b169b548bb9a..7546d096d08b 100644
--- a/www-apps/tt-rss/files/ttrssd.confd-r2
+++ b/www-apps/tt-rss/files/ttrssd.confd-r2
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2023 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# Space-separated paths of TT-RSS instances that you want to start the
@@ -24,10 +24,9 @@ LOG_DIR="/var/log/ttrssd"
# User to run the update daemon as. You should not run this as
# root. If ACLs are unavailable on the filesystem used by the TT-RSS
# instances then choosing the same user that serves the PHP web
-# interface is recommended to avoid permission issues. You *must* add
-# this user to the ttrssd group. If the PHP user is not the same as
-# the web server user (e.g. apache or nginx) then this user must be
-# added to the ttrssd group too.
+# interface is recommended to avoid permission issues. Either way, you
+# *must* add these users to the ttrssd group unless everything is
+# running as the web server user (e.g. apache or nginx).
#
# Default:
# TTRSSD_USER="ttrssd"
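Review bot: The reworded comment says "these users" without naming them, and it does not say what ttrssd membership now grants. permissions-r1 in this same commit sets config.php to group ttrssd with mode 0440, so every member of the group can read the database credentials. The comment should name the accounts it means (TTRSSD_USER and the PHP user) and state that consequence, for example `# Members of the ttrssd group can read config.php, including the database credentials; add only the update daemon user and the PHP user.`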