author | V3n3RiX <venerix@koprulu.sector> | 2023-09-17 23:04:25 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2023-09-17 23:04:25 +0100 |
commit | 89553b6b47f66268074b385593005eacd7b65ccf (patch) | |
tree | 9a30d631672a8bf34be7151e3d7bebf73663c191 /www-apps/tt-rss/files | |
parent | c9e9e39938097bf29063c271195ad0d7d7bd02a9 (diff) |
gentoo auto-resync : 17:09:2023 - 23:04:24
Diffstat (limited to 'www-apps/tt-rss/files')
-rw-r--r-- | www-apps/tt-rss/files/permissions-r1 | 23 | ||||
-rw-r--r-- | www-apps/tt-rss/files/tt-rss-no-chmod.patch | 44 | ||||
-rw-r--r-- | www-apps/tt-rss/files/ttrssd.confd-r2 | 9 |
3 files changed, 36 insertions, 40 deletions
diff --git a/www-apps/tt-rss/files/permissions-r1 b/www-apps/tt-rss/files/permissions-r1
index e50b4406646d..0ca420e97beb 100644
--- a/www-apps/tt-rss/files/permissions-r1
+++ b/www-apps/tt-rss/files/permissions-r1
@@ -3,22 +3,27 @@ cd "${MY_INSTALLDIR}" if [[ $1 = install ]]; then + # Ensure database credentials are secure. + [[ -e config.php ]] || touch config.php + chown --no-dereference "${VHOST_SERVER_UID}":ttrssd config.php + chmod 00440 config.php + # We need to lock down cache/ for the operations below to be # safe. The permissions match the webapp-config defaults but these # can be changed and existing installations may also differ. chown root:root cache/ chmod 00755 cache/ - chgrp --no-dereference ttrssd feed-icons/ lock/ cache/*/ - chmod g+ws feed-icons/ lock/ cache/*/ + chgrp --no-dereference ttrssd lock/ cache/*/ + chmod g+ws lock/ cache/*/ - # Files within lock/ are exclusively written by the update daemon. - # feed-icons/ and cache/ holds files that are modified in place by both - # processes and therefore ACLs are required to ensure that the files - # themselves are created as group writable. - if ! setfacl --modify d:g::rwX feed-icons/ cache/*/; then + # Files within lock/ are exclusively written by the update daemon. cache/ + # subdirectories hold files that are modified in place by both processes and + # therefore ACLs are required to ensure that the files themselves are + # created as group writable. + if ! setfacl --modify d:g::rwX cache/*/; then echo "WARNING: ACLs are not available on this filesystem. Either enable them or set TTRSSD_USER to your PHP user in /etc/conf.d/ttrssd to avoid permission issues." - elif [[ -n $(find feed-icons/ cache/ -type f ! -name ".*" ! -name index.html ! \( -group ttrssd -perm -020 \) -print -quit) ]]; then - echo "WARNING: Files that are not writable by the ttrssd group found within the cache or feed-icons directories. Either delete them or correct their permissions." + elif [[ -n $(find cache/ -type f ! -name ".*" ! -name index.html ! \( -group ttrssd -perm -020 \) -print -quit) ]]; then + echo "WARNING: Files that are not writable by the ttrssd group found within the cache directory. 
Either delete them or correct their permissions." fi fi diff --git a/www-apps/tt-rss/files/tt-rss-no-chmod.patch b/www-apps/tt-rss/files/tt-rss-no-chmod.patch index e51e66eaed22..4dd41af4bb12 100644 --- a/www-apps/tt-rss/files/tt-rss-no-chmod.patch +++ b/www-apps/tt-rss/files/tt-rss-no-chmod.patch @@ -1,26 +1,18 @@ -These files may be written and then updated by the web interface user or the -update daemon user, so they need to be group writeable. We enforce this with -ACLs rather than chmod though. - -diff --color -Naur a/classes/pref/feeds.php b/classes/pref/feeds.php ---- a/classes/pref/feeds.php 2022-02-18 13:44:03.000000000 +0000 -+++ b/classes/pref/feeds.php 2022-02-19 15:37:55.000723992 +0000 -@@ -490,7 +490,6 @@ - - if (file_exists($new_filename)) unlink($new_filename); - if (rename($tmp_file, $new_filename)) { -- chmod($new_filename, 0644); - - $feed->set([ - 'favicon_avg_color' => null, -diff --color -Naur a/classes/rssutils.php b/classes/rssutils.php ---- a/classes/rssutils.php 2022-02-18 13:44:03.000000000 +0000 -+++ b/classes/rssutils.php 2022-02-19 15:37:40.393312123 +0000 -@@ -1728,7 +1728,6 @@ - - fwrite($fp, $contents); - fclose($fp); -- chmod($icon_file, 0644); - clearstatcache(); - - return $icon_file; +diff --git a/plugins/cache_starred_images/init.php b/plugins/cache_starred_images/init.php +index 208eafde9..05b5a1a93 100755 +--- a/plugins/cache_starred_images/init.php ++++ b/plugins/cache_starred_images/init.php +@@ -24,11 +24,8 @@ class Cache_Starred_Images extends Plugin { + $this->cache = DiskCache::instance("starred-images"); + $this->cache_status = DiskCache::instance("starred-images.status-files"); + +- if ($this->cache->make_dir()) +- chmod($this->cache->get_dir(), 0777); +- +- if ($this->cache_status->make_dir()) +- chmod($this->cache_status->get_dir(), 0777); ++ $this->cache->make_dir(); ++ $this->cache_status->make_dir(); + + if (!$this->cache->exists(".no-auto-expiry")) + $this->cache->put(".no-auto-expiry", ""); 
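Review bot: `chmod 00440 config.php` dereferences symlinks, while the `chown` on the line above it is called with `--no-dereference`, so in the added config.php block the owner change and the mode change can land on different objects when config.php is a symlink. The `[[ -e config.php ]]` test is also false for a dangling link, in which case `touch` creates the link's target. Unlike the cache/ steps, which lock the directory down first, this block runs without any check on who may write to `${MY_INSTALLDIR}`; whether that directory can be writable by the web server user is not visible here, so this is worth confirming. I would wrap the three commands in `if [[ -L config.php ]]; then echo "WARNING: config.php is a symbolic link; leaving it untouched."; else ...; fi` and extend the comment to say why links are skipped.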
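Review bot: The rewritten tt-rss-no-chmod.patch has lost its explanatory preamble: the old file opened with a paragraph saying why the chmod calls are removed, the new one starts directly at `diff --git`. A short header such as `The cache directories get their group, setgid bit and default ACLs from the permissions script, so the plugin must not chmod them to 0777.` would keep the rationale next to the change. Separately, the return value of `make_dir()` is now discarded in both calls, so a failed directory creation would presumably only surface in the `exists()`/`put()` calls that follow; worth confirming that this is intended. The method containing these lines starts and ends outside the hunk.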
diff --git a/www-apps/tt-rss/files/ttrssd.confd-r2 b/www-apps/tt-rss/files/ttrssd.confd-r2 index b169b548bb9a..7546d096d08b 100644 --- a/www-apps/tt-rss/files/ttrssd.confd-r2 +++ b/www-apps/tt-rss/files/ttrssd.confd-r2 @@ -1,4 +1,4 @@ -# Copyright 1999-2018 Gentoo Foundation +# Copyright 1999-2023 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # Space-separated paths of TT-RSS instances that you want to start the @@ -24,10 +24,9 @@ LOG_DIR="/var/log/ttrssd" # User to run the update daemon as. You should not run this as # root. If ACLs are unavailable on the filesystem used by the TT-RSS # instances then choosing the same user that serves the PHP web -# interface is recommended to avoid permission issues. You *must* add -# this user to the ttrssd group. If the PHP user is not the same as -# the web server user (e.g. apache or nginx) then this user must be -# added to the ttrssd group too. +# interface is recommended to avoid permission issues. Either way, you +# *must* add these users to the ttrssd group unless everything is +# running as the web server user (e.g. apache or nginx). # # Default: # TTRSSD_USER="ttrssd" |