From 7dfd6595c8a5a2d1b73eeb0f1e5286620b7ddb5969095f84a0fda735a46064e6 Mon Sep 17 00:00:00 2001
From: Eric Schirra
Date: Wed, 30 Oct 2019 07:29:39 +0000
Subject: [PATCH] Accepting request 741605 from home:lemmy04:branches:network:utilities - Security fix: BSC#1154324 * Have as little as possible owned by, and writable for, the apache user
OBS-URL: https://build.opensuse.org/request/show/741605
OBS-URL: https://build.opensuse.org/package/show/network:utilities/matomo?expand=0&rev=37
---
matomo.changes | 6 ++++++
matomo.spec | 13 ++++++++++---
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/matomo.changes b/matomo.changes
index 5a82466..483cbe4 100644
--- a/matomo.changes
+++ b/matomo.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct 21 18:39:50 UTC 2019 - Mathias Homann
+
+- Security fix: BSC#1154324
+ * Have as little as possible owned by, and writable for, the apache user
+
 -------------------------------------------------------------------
 Thu Jul 25 06:16:08 UTC 2019 - ecsos@opensuse.org
 
diff --git a/matomo.spec b/matomo.spec
index 376bf7b..d0f5950 100644
--- a/matomo.spec
+++ b/matomo.spec
@@ -116,6 +116,7 @@ done
 %install
 # make directories
 install -d -m0755 %{buildroot}/%{ap_serverroot}/%{name}
+install -d -m0755 %{buildroot}/%{ap_serverroot}/%{name}/tmp
 install -d -m0755 %{buildroot}/%{_sysconfdir}/%{name}
 install -d -m0755 %{buildroot}/%{_defaultdocdir}/%{name}
 # copy src from build to buildroot
@@ -152,7 +153,8 @@ install -D -m0644 %{SOURCE13} %{buildroot}/%{_sysconfdir}/my.cnf.d/%{name}.my.cn
 %service_add_pre matomo-archive.timer matomo-archive.service
 
 %post
-chown -R %{ap_usr}:%{ap_grp} %{ap_serverroot}/%{name}
+# BSC#1154324
+# # # chown -R %{ap_usr}:%{ap_grp} %{ap_serverroot}/%{name}
 %service_add_post matomo-archive.timer matomo-archive.service apache2.service
 # Update matomo if this is an upgrade $1 == 2
 echo "matomo: Update matomo:core..."
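Review bot: In the `%post` hunk the recursive chown is left behind as a commented-out line (`# # # chown -R ...`) next to a bare bug id, so the scriptlet carries dead code and no statement of why the command must not come back. I would delete the commented line and keep a single explanatory comment, for example `# BSC#1154324: no recursive chown as root here; ownership is declared per path in %files`. The hunk does not show how existing installations are treated: packaged files should pick up their new owner from `%files` on upgrade, but anything created at runtime under the tree presumably stays owned by `%{ap_usr}`, which is worth confirming and mentioning in the changelog. The `%post` scriptlet continues past the end of this hunk.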
@@ -184,9 +186,14 @@ fi
 %{_unitdir}/%{name}-archive.timer
 %dir %attr(0750,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}
 %dir %attr(0750,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/environment
-%defattr(640,%{ap_usr},%{ap_grp},750)
+%attr(0640,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/*.php
+%attr(0640,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/environment/*.php
+%defattr(644,root,root,755)
 %dir %{ap_serverroot}/%{name}
-%dir /var/log/%{name}
+%dir %attr(0750,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/misc
+%dir %attr(0750,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/plugins
+%dir %attr(0750,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/tmp
+%dir %attr(0750,%{ap_usr},%{ap_grp}) /var/log/%{name}
 %config(noreplace) %attr(600,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/*php
 %{_sysconfdir}/%{name}/environment/*php
 %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/console
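Review bot: The two added `%attr(0640,...)` entries for `%{_sysconfdir}/%{name}/*.php` and `.../environment/*.php` appear to match the same files as the unchanged `%config(noreplace) %attr(600,...) %{_sysconfdir}/%{name}/*php` and `%{_sysconfdir}/%{name}/environment/*php` lines at the end of the hunk, with a different mode and without `%config(noreplace)`. Listing a file twice normally draws an rpmbuild warning and leaves the packaged mode unclear, which matters because these files presumably hold the database credentials. I would keep one entry per glob, e.g. `%config(noreplace) %attr(0640,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/*.php`, and drop the duplicate. Separately, `misc`, `plugins` and `tmp` remain writable by the web-server user and the context line still ships `console` as 0770 owned by `%{ap_usr}`, so a short comment above these entries stating why each must stay writable would make the remaining exposure reviewable.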