author | James Le Cuirot <chewi@gentoo.org> | 2018-01-18 13:39:08 +0000 |
---|---|---|
committer | James Le Cuirot <chewi@gentoo.org> | 2018-01-18 13:43:48 +0000 |
commit | 9605ea072743f9a1a27eaf8437de2a41a263bdaf (patch) | |
tree | b5b417c5b75bdf8f0706e0fda00e8360395cb5d0 /www-apps | |
parent | sys-cluster/kube-controller-manager: Remove old (diff) | |
download | gentoo-9605ea072743f9a1a27eaf8437de2a41a263bdaf.tar.gz gentoo-9605ea072743f9a1a27eaf8437de2a41a263bdaf.tar.bz2 gentoo-9605ea072743f9a1a27eaf8437de2a41a263bdaf.zip |
www-apps/tt-rss: Bump to 20180105, security fix, other fixes
* Addresses unsafe use of recursive chown/chmod in the init script
whilst also dealing with poor permissions handling that may have led
to issues in the past.
* Fixes "postgresql" misspelling in the init script.
* Fixes logrotate issue using delaycompress directive.
* Allows options to be passed to the daemon.
Bug: https://bugs.gentoo.org/603518
Closes: https://bugs.gentoo.org/609044
Closes: https://bugs.gentoo.org/620878
Closes: https://bugs.gentoo.org/627048
Closes: https://bugs.gentoo.org/639918
Package-Manager: Portage-2.3.19, Repoman-2.3.6
Diffstat (limited to 'www-apps')
-rw-r--r-- | www-apps/tt-rss/Manifest | 1 | ||||
-rw-r--r-- | www-apps/tt-rss/files/permissions | 25 | ||||
-rw-r--r-- | www-apps/tt-rss/files/postinstall-en-with-daemon-r1.txt | 14 | ||||
-rw-r--r-- | www-apps/tt-rss/files/postinstall-en-with-daemon.txt | 2 | ||||
-rw-r--r-- | www-apps/tt-rss/files/postinstall-en.txt | 7 | ||||
-rw-r--r-- | www-apps/tt-rss/files/ttrssd.confd-r2 | 47 | ||||
-rw-r--r-- | www-apps/tt-rss/files/ttrssd.initd-r3 | 88 | ||||
-rw-r--r-- | www-apps/tt-rss/files/ttrssd.logrotated | 1 | ||||
-rw-r--r-- | www-apps/tt-rss/files/ttrssd.logrotated-r1 | 9 | ||||
-rw-r--r-- | www-apps/tt-rss/tt-rss-20180105.ebuild | 84 |
10 files changed, 271 insertions, 7 deletions
diff --git a/www-apps/tt-rss/Manifest b/www-apps/tt-rss/Manifest
index c04edba0436a..2c45842b727d 100644
--- a/www-apps/tt-rss/Manifest
+++ b/www-apps/tt-rss/Manifest
@@ -1,2 +1,3 @@
 DIST tt-rss-20160527.tar.bz2 2064633 BLAKE2B 406c2ff551e2ba616a8f4696d7deaf8a3f85e4f86f0b09f57507af7f4657930f11fc0aa9df467af5ad2c56657d95e12b75bae721da4d86480b06bbbc0ab72744 SHA512 8d482303868a08f4d65ef252f71f66ec3219d4f67e968a026a0302d29930cd5af45cedea81171db2ff0927497079d3bedd8fd70e4e9904f5d9987a92a6dfcb89
 DIST tt-rss-20160930.tar.bz2 2072888 BLAKE2B e6ca0a72730cdf9a1106d7098e6a6bfc9bf35f545a67e9b569552644b23543b4168000afe2e5fbf5a1fd81371e72e570e270a77d5345bca5f22d79c1a86409b0 SHA512 d420e7efdf7d17e153ef0aa487a330379afe20fe9e9a6209de40b797d36e425cbcbdf2280eaf5ada8b9bef1ae37146253556ff602bbff22a9a7c311ff525d9e2
+DIST tt-rss-20180105.tar.gz 3070929 BLAKE2B 2370104c70f5381d690a29b216269c749bf1f7c6b925eb9499b741e5df3e686d95fce430a144946fd915414481280b67e6d0c881edcdd13aee0fa344dc0bec3f SHA512 86ceec3646629ad7fd3fde2f3c3237e48ad96bd08b46e73c34c76507d9b17613ea309e1bd5e6e85a0d9eb96029e54b54e5ee367c56aab31be3dcec9169c5ada5
diff --git a/www-apps/tt-rss/files/permissions b/www-apps/tt-rss/files/permissions
new file mode 100644
index 000000000000..a26b87f4e715
--- /dev/null
+++ b/www-apps/tt-rss/files/permissions
@@ -0,0 +1,25 @@
+#!/bin/bash -e
+
+cd "${MY_INSTALLDIR}"
+
+if [[ $1 = install ]]; then
+ # We need to lock down cache/ for the operations below to be
+ # safe. The permissions match the webapp-config defaults but these
+ # can be changed and existing installations may also differ.
+ chown root:root cache/
+ chmod 00755 cache/
+
+ chgrp --no-dereference ttrssd feed-icons/ lock/ cache/*/
+ chmod g+ws feed-icons/ lock/ cache/*/
+
+ # Files within lock/ are exclusively written by the update
+ # daemon. Files within feed-icons/ are always unlinked before
+ # modification. Only cache/ holds files that are modified in place
+ # by both processes and therefore ACLs are required to ensure that
+ # the files themselves are created as group writable.
+ if ! setfacl --modify d:g::rwX cache/*/; then
+ echo "WARNING: ACLs are not available on this filesystem. Either enable them or set TTRSSD_USER to your PHP user in /etc/conf.d/ttrssd to avoid permission issues."
+ elif [[ -n $(find cache/ -type f ! -name ".*" ! \( -group ttrssd -perm -020 \) -print -quit) ]]; then
+ echo "WARNING: Files that are not writable by the ttrssd group found within the cache directory. Either delete them or correct their permissions."
+ fi
+fi
diff --git a/www-apps/tt-rss/files/postinstall-en-with-daemon-r1.txt b/www-apps/tt-rss/files/postinstall-en-with-daemon-r1.txt
new file mode 100644
index 000000000000..8c72406d76d2
--- /dev/null
+++ b/www-apps/tt-rss/files/postinstall-en-with-daemon-r1.txt
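Review bot: The `chgrp --no-dereference` and `chmod g+ws` lines pass `feed-icons/ lock/ cache/*/` with trailing slashes, and on Linux a trailing slash makes path resolution follow a final symlink, so `--no-dereference` does not protect against an entry that is already a symlink when the hook runs. Locking `cache/` to root:root 0755 first stops entries from being swapped afterwards, but it does not vet entries created while the directory was still server-writable, and `chmod` and `setfacl` as invoked here follow symlink arguments as far as I know. I would iterate over the names without the trailing slash and skip anything that is a symlink or not a directory before changing it; the `setfacl` call should be restricted to the same vetted names.

```shell
	chown root:root cache/
	chmod 00755 cache/

	for dir in feed-icons lock cache/*; do
		# Skip symlinks and non-directories left over from before the lock-down.
		[[ -d ${dir} && ! -L ${dir} ]] || continue
		chgrp --no-dereference ttrssd "${dir}"
		chmod g+ws "${dir}"
	done
	# … unchanged: setfacl default ACL and the two WARNING branches …
```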
@@ -0,0 +1,14 @@ +Please read https://tt-rss.org/wiki/InstallationNotes. + +Once you have configured TT-RSS, tweak /etc/conf.d/ttrssd to your +needs if you have not already done so. If ACLs are unavailable on the +filesystem you have just installed to then you will need to set +TTRSSD_USER to your PHP user. When everything is ready, (re)start the +update daemon like so: + + /etc/init.d/ttrssd restart + +This will periodically update your feeds in the background. Add the +daemon to your default runlevel to start it on every boot: + + rc-update add ttrssd default diff --git a/www-apps/tt-rss/files/postinstall-en-with-daemon.txt b/www-apps/tt-rss/files/postinstall-en-with-daemon.txt index 7d269d7165f2..25545842a381 100644 --- a/www-apps/tt-rss/files/postinstall-en-with-daemon.txt +++ b/www-apps/tt-rss/files/postinstall-en-with-daemon.txt @@ -1,4 +1,4 @@ -Please read http://tt-rss.org/redmine/projects/tt-rss/wiki/InstallationNotes +Please read https://tt-rss.org/wiki/InstallationNotes. Once you have configured TT-RSS, put the path to this instance into the INSTANCE_DIRS variable in /etc/conf.d/ttrssd. Make sure that diff --git a/www-apps/tt-rss/files/postinstall-en.txt b/www-apps/tt-rss/files/postinstall-en.txt index 7b4b279e5be4..67a16111f3d5 100644 --- a/www-apps/tt-rss/files/postinstall-en.txt +++ b/www-apps/tt-rss/files/postinstall-en.txt @@ -1,6 +1 @@ -Please read http://tt-rss.org/redmine/projects/tt-rss/wiki/InstallationNotes - -With the update to 1.7.0 the 'magpie' RSS parser has been removed. -That means TT-RSS will use the 'simplepie' parser. If you have been -using 'magpie' so far, the switch might cause lots of duplicate -articles - it's a one-time thing for each instance. +Please read https://tt-rss.org/wiki/InstallationNotes. diff --git a/www-apps/tt-rss/files/ttrssd.confd-r2 b/www-apps/tt-rss/files/ttrssd.confd-r2 new file mode 100644 index 000000000000..b169b548bb9a --- /dev/null +++ b/www-apps/tt-rss/files/ttrssd.confd-r2 
@@ -0,0 +1,47 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Space-separated paths of TT-RSS instances that you want to start the
+# update daemon for. If left empty, these will be automatically
+# detected using data from /var/db/webapps/tt-rss. Instances without
+# the update_daemon2.php script present will be skipped.
+#
+# Default:
+# INSTANCE_DIRS=""
+# Example:
+# INSTANCE_DIRS="/some/webhost/htdocs/tt-rss /some/otherwebhost/htdocs/newsreader"
+#
+INSTANCE_DIRS=""
+
+# Path to the log files. One log file will be created for each TT-RSS
+# instance. Update the logrotate file after changing this.
+#
+# Default:
+# LOG_DIR="/var/log/ttrssd"
+#
+LOG_DIR="/var/log/ttrssd"
+
+# User to run the update daemon as. You should not run this as
+# root. If ACLs are unavailable on the filesystem used by the TT-RSS
+# instances then choosing the same user that serves the PHP web
+# interface is recommended to avoid permission issues. You *must* add
+# this user to the ttrssd group. If the PHP user is not the same as
+# the web server user (e.g. apache or nginx) then this user must be
+# added to the ttrssd group too.
+#
+# Default:
+# TTRSSD_USER="ttrssd"
+#
+TTRSSD_USER="ttrssd"
+
+# Additional options to pass to the update daemon. If you want to pass
+# different options to different TT-RSS instances then create symlinks
+# of the ttrssd init.d script (e.g. ttrssd.foo, ttrssd.bar) and
+# configure INSTANCE_DIRS and TTRSSD_OPTS for each of these.
+#
+# Default:
+# TTRSSD_OPTS=""
+# Example:
+# TTRSSD_OPTS="--tasks=1 --interval=300"
+#
+TTRSSD_OPTS=""
diff --git a/www-apps/tt-rss/files/ttrssd.initd-r3 b/www-apps/tt-rss/files/ttrssd.initd-r3
new file mode 100644
index 000000000000..a6f3b8a78ef1
--- /dev/null
+++ b/www-apps/tt-rss/files/ttrssd.initd-r3
@@ -0,0 +1,88 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+ need net
+ after postgresql mysql
+}
+
+PID_DIR="/run/ttrssd"
+LOG_DIR=${LOG_DIR:-"/var/log/ttrssd"}
+TTRSSD_USER=${TTRSSD_USER:-"ttrssd"}
+
+setup() {
+ mkdir -p "${PID_DIR}" "${LOG_DIR}" || return 1
+ chown "${TTRSSD_USER}":ttrssd "${LOG_DIR}" || return 1
+}
+
+list_instance_dirs() {
+ if [ -z "${INSTANCE_DIRS}" ]; then
+ cut -d" " -f4 /var/db/webapps/tt-rss/*/installs 2>/dev/null
+ else
+ printf "%s\n" ${INSTANCE_DIRS}
+ fi
+}
+
+instance_dir_to_name() {
+ local name=${1#/}
+ echo ${name//\//--}
+}
+
+start() {
+ setup || return 1
+ local instance_dir instance_name ret=1
+
+ IFS=$'\n'
+ for instance_dir in $(list_instance_dirs); do
+ if [ -d "${instance_dir}" ]; then
+ if [ ! -f "${instance_dir}"/update_daemon2.php ]; then
+ ewarn "TT-RSS instance in ${instance_dir} has no update_daemon2.php script"
+ elif [ ! -f "${instance_dir}"/config.php ]; then
+ eerror "TT-RSS instance in ${instance_dir} is not configured"
+ else
+ instance_name=$(instance_dir_to_name "${instance_dir}")
+ ebegin "Starting TT-RSS update daemon in ${instance_dir}"
+ start-stop-daemon --start --user "${TTRSSD_USER}":ttrssd \
+ --background --wait 2000 \
+ --stdout "${LOG_DIR}/${instance_name}.log" \
+ --stderr "${LOG_DIR}/${instance_name}.log" \
+ --make-pidfile --pidfile "${PID_DIR}/${instance_name}.pid" \
+ --exec /usr/bin/php -- -f "${instance_dir}"/update_daemon2.php \
+ -- ${TTRSSD_OPTS}
+ eend $? && ret=0
+ fi
+ else
+ eerror "TT-RSS instance in ${instance_dir} is missing"
+ fi
+ done
+ unset IFS
+
+ # Succeed if at least one started.
+ return ${ret}
+}
+
+stop() {
+ local instance_dir instance_name
+
+ IFS=$'\n'
+ for instance_dir in $(list_instance_dirs); do
+ instance_name=$(instance_dir_to_name "${instance_dir}")
+
+ [ -f "${PID_DIR}/${instance_name}.pid" ] ||
+ [ -f "${instance_dir}"/update_daemon2.php ] ||
+ continue
+
+ ebegin "Stopping TT-RSS update daemon in ${instance_dir}"
+ start-stop-daemon --stop --retry 5 --pidfile "${PID_DIR}/${instance_name}.pid" \
+ --exec /usr/bin/php -- -f "${instance_dir}"/update_daemon2.php \
+ -- ${TTRSSD_OPTS}
+ eend $?
+
+ rm -f "${instance_dir}"/lock/*.lock
+ done
+ unset IFS
+
+ # Always succeed.
+ return 0
+}
diff --git a/www-apps/tt-rss/files/ttrssd.logrotated b/www-apps/tt-rss/files/ttrssd.logrotated
index 9616a98c3029..2bb0d0c1dd37 100644
--- a/www-apps/tt-rss/files/ttrssd.logrotated
+++ b/www-apps/tt-rss/files/ttrssd.logrotated
@@ -1,5 +1,6 @@
 /var/log/ttrssd.log {
 daily
+ delaycompress
 missingok
 notifempty
 postrotate
diff --git a/www-apps/tt-rss/files/ttrssd.logrotated-r1 b/www-apps/tt-rss/files/ttrssd.logrotated-r1
new file mode 100644
index 000000000000..c2bf08f75619
--- /dev/null
+++ b/www-apps/tt-rss/files/ttrssd.logrotated-r1
@@ -0,0 +1,9 @@
+/var/log/ttrssd/*.log {
+ daily
+ delaycompress
+ missingok
+ notifempty
+ postrotate
+ /etc/init.d/ttrssd restart > /dev/null
+ endscript
+}
diff --git a/www-apps/tt-rss/tt-rss-20180105.ebuild b/www-apps/tt-rss/tt-rss-20180105.ebuild
new file mode 100644
index 000000000000..9affdac7e139
--- /dev/null
+++ b/www-apps/tt-rss/tt-rss-20180105.ebuild
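Review bot: In `start()` and `stop()` of ttrssd.initd-r3, `IFS` is set to a newline before the `for` loop and only unset after it, so every unquoted expansion in between is split on newlines only. That covers `${TTRSSD_OPTS}` on the `start-stop-daemon` lines and, through the command substitution, `${INSTANCE_DIRS}` inside `list_instance_dirs`, so the space-separated values the conf.d file documents (`--tasks=1 --interval=300`, two instance paths) would each arrive as a single word. Collect the list under the default IFS and confine the newline IFS to the one split, as sketched for `start()` below; `stop()` needs the same change and the trailing `unset IFS` after each loop then goes away.

```shell
start() {
	setup || return 1
	local instance_dir instance_name ret=1 instance_dirs

	# Expand INSTANCE_DIRS under the default IFS, then split the
	# resulting list on newlines only, as the loop did before.
	instance_dirs=$(list_instance_dirs)
	IFS=$'\n'
	set -- ${instance_dirs}
	unset IFS

	for instance_dir in "$@"; do
		# … unchanged: per-instance checks and the start-stop-daemon call …
	done

	# … unchanged: return ${ret} …
}
```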
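Review bot: The new stanza for `/var/log/ttrssd/*.log` has no `su` directive although the init script in this commit chowns that directory to `${TTRSSD_USER}`, so rotation would create and rename files inside a directory an unprivileged account controls. Adding `su ttrssd ttrssd` after the opening brace would make logrotate handle the files as the daemon account instead. This assumes logrotate runs as root on the target system, and the line has to be kept in step with `TTRSSD_USER` if an administrator changes it, which the conf.d comment about updating the logrotate file could mention.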
@@ -0,0 +1,84 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit prefix user webapp
+
+COMMIT="c30f5e18119d1935e8fe6d422053b127e8f4f1b3"
+DESCRIPTION="Tiny Tiny RSS - A web-based news feed (RSS/Atom) aggregator using AJAX"
+HOMEPAGE="https://tt-rss.org/"
+SRC_URI="https://git.tt-rss.org/git/${PN}/archive/${COMMIT}.tar.gz -> ${P}.tar.gz"
+LICENSE="GPL-3"
+KEYWORDS="~amd64 ~arm ~mips ~x86"
+IUSE="+acl daemon +mysqli postgres"
+REQUIRED_USE="|| ( mysqli postgres )"
+
+DEPEND="daemon? ( acl? ( sys-apps/acl ) )"
+
+RDEPEND="${DEPEND}
+ daemon? ( dev-lang/php:*[mysqli?,postgres?,curl,cli,pcntl,pdo] )
+ !daemon? ( dev-lang/php:*[mysqli?,postgres?,curl,pdo] )
+ virtual/httpd-php:*"
+
+DEPEND="!vhosts? ( ${DEPEND} )"
+
+need_httpd_cgi # From webapp.eclass
+
+S="${WORKDIR}/${PN}"
+
+pkg_setup() {
+ webapp_pkg_setup
+
+ if use daemon; then
+ enewgroup ttrssd
+ enewuser ttrssd -1 /bin/sh /dev/null ttrssd
+ fi
+}
+
+src_configure() {
+ hprefixify config.php-dist
+
+ sed -i -r \
+ -e "/'DB_TYPE'/s:,.*:, '$(usex mysqli mysql pgsql)'); // mysql or pgsql:" \
+ -e "/'CHECK_FOR_UPDATES'/s/true/false/" \
+ config.php-dist || die
+}
+
+src_install() {
+ webapp_src_preinst
+
+ insinto "${MY_HTDOCSDIR}"
+ doins -r *
+
+ # When updating, grep the plugins directory for additional CACHE_DIR
+ # instances as they cannot be created later due to permissions.
+ dodir "${MY_HTDOCSDIR}"/cache/starred-images
+
+ local dir
+ for dir in "${ED}${MY_HTDOCSDIR}"/{cache/*,feed-icons,lock}/; do
+ webapp_serverowned "${dir#${ED}}"
+ done
+
+ if use daemon; then
+ webapp_hook_script "${FILESDIR}"/permissions
+ webapp_postinst_txt en "${FILESDIR}"/postinstall-en-with-daemon-r1.txt
+
+ newinitd "${FILESDIR}"/ttrssd.initd-r3 ttrssd
+ newconfd "${FILESDIR}"/ttrssd.confd-r2 ttrssd
+
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/ttrssd.logrotated-r1 ttrssd
+
+ elog "After upgrading, please restart ttrssd."
+ else
+ webapp_postinst_txt en "${FILESDIR}"/postinstall-en.txt
+ fi
+
+ webapp_src_install
+}
+
+pkg_postinst() {
+ elog "You need to merge config.php-dist into config.php manually when upgrading."
+ webapp_pkg_postinst
+} |
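Review bot: `enewuser ttrssd -1 /bin/sh /dev/null ttrssd` in `pkg_setup()` gives the daemon account a usable login shell, although the init script in this commit starts PHP through `start-stop-daemon --user`, which does not need one. Unless something outside this diff relies on running a shell as ttrssd, passing `-1` for the shell (`enewuser ttrssd -1 -1 /dev/null ttrssd`) lets the eclass pick its no-login default. Existing installations would presumably keep the old shell, so an `elog` hint for administrators may be worth adding alongside.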