diff --git a/hyperkitty-manage.sh b/hyperkitty-manage.sh index bd4d857..5d6d3ef 100644 --- a/hyperkitty-manage.sh +++ b/hyperkitty-manage.sh @@ -1,3 +1,3 @@ #!/bin/bash -sudo -u hyperkitty-admin /usr/bin/python3 /srv/www/webapps/mailman/hyperkitty/manage.py "$@" +sudo -u hyperkitty /usr/bin/python3 /srv/www/webapps/mailman/hyperkitty/manage.py "$@" diff --git a/hyperkitty-permissions.sh b/hyperkitty-permissions.sh deleted file mode 100644 index 3c626d3..0000000 --- a/hyperkitty-permissions.sh +++ /dev/null @@ -1,42 +0,0 @@ -#!/bin/sh -LOG_DIR="/var/log/hyperkitty" -LIB_DIR="/var/lib/hyperkitty" -DATA_DIR="${LIB_DIR}/data" -WEBAPPS_DIR="/srv/www/webapps/mailman/hyperkitty" -CACHE_DIR="${WEBAPPS_DIR}/static/CACHE" - -setfacl -R --no-mask -m u:hyperkitty-admin:rwX ${DATA_DIR} -setfacl -R -d --no-mask -m u:hyperkitty-admin:rwX ${DATA_DIR} - -chown hyperkitty-admin:hyperkitty-admin ${LIB_DIR} -chmod u=rwX,g=rwX,o= ${LIB_DIR} - -chown -R hyperkitty:hyperkitty ${DATA_DIR} -chmod -R u=rwX,g=rwX,o= ${DATA_DIR} - -chown hyperkitty:hyperkitty ${DATA_DIR}/hyperkitty.db 2>/dev/null -chmod u=rwX,g=rwX,o= ${DATA_DIR}/hyperkitty.db 2>/dev/null - -setfacl -R --no-mask -m u:hyperkitty:rwX ${DATA_DIR} -setfacl -R -d --no-mask -m u:hyperkitty:rwX ${DATA_DIR} -setfacl -R --no-mask -m u:hyperkitty-admin:rwX ${DATA_DIR} -setfacl -R -d --no-mask -m u:hyperkitty-admin:rwX ${DATA_DIR} - -chown hyperkitty-admin:hyperkitty-admin ${LOG_DIR} -chmod u=rwX,g=rwX,o= ${LOG_DIR} -chown hyperkitty-admin:hyperkitty-admin ${LOG_DIR}/hyperkitty.log 2>/dev/null -chmod u=rwX,g=rwX,o= ${LOG_DIR}/hyperkitty.log 2>/dev/null - -setfacl -R --no-mask -m u:hyperkitty:rwX ${LOG_DIR} -setfacl -R -d --no-mask -m u:hyperkitty:rwX ${LOG_DIR} -setfacl -R --no-mask -m u:hyperkitty-admin:rwX ${LOG_DIR} -setfacl -R -d --no-mask -m u:hyperkitty-admin:rwX ${LOG_DIR} - -# The wsgi needs to write to static/CACHE -chown -R hyperkitty:hyperkitty ${CACHE_DIR} -chmod -R u=rwX,g=rwX,o=rX ${CACHE_DIR} - -setfacl -R --no-mask -m u:hyperkitty:rwX ${CACHE_DIR} -setfacl -R -d --no-mask -m u:hyperkitty:rwX ${CACHE_DIR} -setfacl -R --no-mask -m u:hyperkitty-admin:rwX ${CACHE_DIR} -setfacl -R -d --no-mask -m u:hyperkitty-admin:rwX ${CACHE_DIR} diff --git a/hyperkitty-runjob.service b/hyperkitty-runjob.service index 55d6954..de75c07 100644 --- a/hyperkitty-runjob.service +++ b/hyperkitty-runjob.service @@ -4,5 +4,5 @@ Description=HyperKitty runjob @HYPERKITTY_RUNJOB@ [Service] Type=oneshot ExecStart=/usr/bin/python3 /srv/www/webapps/mailman/hyperkitty/manage.py runjob @HYPERKITTY_RUNJOB@ --pythonpath /srv/www/webapps/mailman/hyperkitty/ --settings settings -User=hyperkitty-admin -Group=hyperkitty-admin +User=hyperkitty +Group=hyperkitty diff --git a/python-HyperKitty.changes b/python-HyperKitty.changes index ca560bd..fdcf585 100644 --- a/python-HyperKitty.changes +++ b/python-HyperKitty.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Wed May 26 14:04:05 UTC 2021 - Andreas Schneider + +- Remove the hyperkitty-admin user + +------------------------------------------------------------------- +Tue May 25 18:55:19 UTC 2021 - Andreas Schneider + +- Create static files as part of the build process +- Fixed CVE-2021-25322 + ------------------------------------------------------------------- Tue May 4 09:31:59 UTC 2021 - Ben Greiner diff --git a/python-HyperKitty.spec b/python-HyperKitty.spec index 93c0e69..65d3365 100644 --- a/python-HyperKitty.spec +++ b/python-HyperKitty.spec @@ -45,7 +45,6 @@ Source0: https://files.pythonhosted.org/packages/source/H/HyperKitty/Hype Source1: python-HyperKitty-rpmlintrc # Source10: hyperkitty-manage.sh -Source11: hyperkitty-permissions.sh Source12: hyperkitty.uwsgi # Source20: hyperkitty-qcluster.service @@ -64,6 +63,7 @@ BuildRequires: acl BuildRequires: fdupes BuildRequires: openssl BuildRequires: python-rpm-macros +BuildRequires: rsync BuildRequires: sudo Requires: python-Django >= 1.11 Requires: python-django-compressor >= 1.3 @@ -138,20 +138,27 @@ A web user interface for GNU Mailman. This package holds the uwsgi configuration. %prep -%autosetup -p1 -n HyperKitty-%{version} +%setup -n HyperKitty-%{version} cp %{SOURCE30} . touch settings_local.py +# Copy exmaple_project to just build the static files +rsync -a example_project/* build_static_files + +%autopatch -p1 + %build sed -i 's|^#!/usr/bin/env.*|#!%{_bindir}/python3|' \ example_project/manage.py %python_build -%install -%python_install -%python_expand %fdupes %{buildroot}%{$python_sitelib} +# Build static files +export PYTHONPATH=$(pwd) +%python_exec build_static_files/manage.py collectstatic --clear --noinput +%python_exec build_static_files/manage.py compress --force +%install install -d -m 0750 \ %{buildroot}%{hyperkitty_etcdir} \ %{buildroot}%{hyperkitty_libdir} \ @@ -166,7 +173,15 @@ install -d -m 0755 \ %{buildroot}%{hyperkitty_staticdir}/CACHE \ %{buildroot}%{_unitdir} -cp -a example_project/* %{buildroot}%{hyperkitty_basedir} +%python_install +%python_expand %fdupes %{buildroot}%{$python_sitelib} + +# Copy static files +rsync -a build_static_files/static %{buildroot}%{hyperkitty_basedir} +# Remove the directory +rm -rf %{buildroot}%{python_sitelib}/build_static_files + +rsync -a example_project/* %{buildroot}%{hyperkitty_basedir} chmod -x %{buildroot}%{hyperkitty_basedir}/wsgi.py for f in \ @@ -193,7 +208,6 @@ ln -svf %{hyperkitty_etcdir}/settings_local.py \ # Manage script install -d -m 0755 %{buildroot}%{_sbindir} install -m 0750 %{SOURCE10} %{buildroot}%{_sbindir}/hyperkitty-manage -install -m 0750 %{SOURCE11} %{buildroot}%{_sbindir}/hyperkitty-fix-permissions install -d -m 0755 %{buildroot}%{_sysconfdir}/uwsgi/vassals install -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/uwsgi/vassals/hyperkitty.ini @@ -235,29 +249,21 @@ done %check export DJANGO_SETTINGS_MODULE="hyperkitty.tests.settings_test" -export PYTHONPATH='.' +export PYTHONPATH=$(pwd) %python_exec example_project/manage.py test %pre -n %{hyperkitty_pkgname}-web /usr/sbin/groupadd -r hyperkitty &>/dev/null || : /usr/sbin/useradd -g hyperkitty -s /bin/false -r -c "HyperKitty" -d %{hyperkitty_basedir} hyperkitty &>/dev/null || : -/usr/sbin/groupadd -r hyperkitty-admin &>/dev/null || : -/usr/sbin/useradd -g hyperkitty-admin -s /bin/bash -r -c "HyperKitty Admin" -d %{hyperkitty_basedir} hyperkitty-admin &>/dev/null || : - %service_add_pre %{hyperkitty_services} %post -n %{hyperkitty_pkgname}-web -%{_sbindir}/hyperkitty-fix-permissions # We need a SECRET_KEY for manage to work if ! grep -q "^SECRET_KEY.*" %{hyperkitty_etcdir}/settings_local.py; then echo "SECRET_KEY='$(openssl rand -base64 48)'" >> %{hyperkitty_etcdir}/settings_local.py fi %{_sbindir}/hyperkitty-manage migrate --pythonpath /srv/www/webapps/mailman/hyperkitty/ --settings settings -%{_sbindir}/hyperkitty-manage collectstatic --pythonpath /srv/www/webapps/mailman/hyperkitty/ --settings settings --clear --noinput -%{_sbindir}/hyperkitty-manage compress --pythonpath /srv/www/webapps/mailman/hyperkitty/ --settings settings --force -# Run hyperkitty-fix-permissions again for cache dir permissions -%{_sbindir}/hyperkitty-fix-permissions %service_add_post %{hyperkitty_services} @@ -276,7 +282,6 @@ fi %files -n %{hyperkitty_pkgname}-web %doc README.SUSE.md %{_sbindir}/hyperkitty-manage -%{_sbindir}/hyperkitty-fix-permissions %{_sbindir}/rchyperkitty-qcluster %{_sbindir}/rchyperkitty-runjob-* %dir %{webapps_dir} @@ -285,7 +290,7 @@ fi %{_unitdir}/hyperkitty-runjob-*.service %{_unitdir}/hyperkitty-runjob-*.timer -%defattr(-,hyperkitty-admin,hyperkitty) +%defattr(-,root,hyperkitty) %dir %{hyperkitty_basedir} %{hyperkitty_basedir}/__init__.py %{hyperkitty_basedir}/manage.py @@ -294,16 +299,32 @@ fi %{hyperkitty_basedir}/urls.py %{hyperkitty_basedir}/wsgi.py +%dir %{hyperkitty_basedir}/static +%{hyperkitty_basedir}/static/admin +%{hyperkitty_basedir}/static/debug_toolbar +%{hyperkitty_basedir}/static/django-mailman3 +%{hyperkitty_basedir}/static/django_extensions +%{hyperkitty_basedir}/static/facebook +%{hyperkitty_basedir}/static/hyperkitty +%{hyperkitty_basedir}/static/rest_framework + +# The wsgi needs to write to static/CACHE +%attr(755,hyperkitty,hyperkitty) %dir %{hyperkitty_basedir}/static/CACHE +%attr(644,hyperkitty,hyperkitty) %{hyperkitty_basedir}/static/CACHE/manifest.json + +%attr(755,hyperkitty,hyperkitty) %dir %{hyperkitty_basedir}/static/CACHE/css +%attr(644,hyperkitty,hyperkitty) %{hyperkitty_basedir}/static/CACHE/css/output.*.css + +%attr(755,hyperkitty,hyperkitty) %dir %{hyperkitty_basedir}/static/CACHE/js +%attr(644,hyperkitty,hyperkitty) %{hyperkitty_basedir}/static/CACHE/js/output.*.js + %dir %{hyperkitty_localedir} -%dir %{hyperkitty_staticdir} -%dir %{hyperkitty_staticdir}/CACHE - -%attr(750,hyperkitty-admin,hyperkitty) %dir %{hyperkitty_etcdir} -%attr(640,hyperkitty-admin,hyperkitty) %config(noreplace) %{hyperkitty_etcdir}/settings_local.py -%attr(750,hyperkitty-admin,hyperkitty) %dir %{hyperkitty_libdir} -%attr(750,hyperkitty-admin,hyperkitty) %dir %{hyperkitty_datadir} -%attr(750,hyperkitty-admin,hyperkitty) %dir %{hyperkitty_logdir} +%attr(750,root,hyperkitty) %dir %{hyperkitty_etcdir} +%attr(640,root,hyperkitty) %config(noreplace) %{hyperkitty_etcdir}/settings_local.py +%attr(750,root,hyperkitty) %dir %{hyperkitty_libdir} +%attr(750,hyperkitty,hyperkitty) %dir %{hyperkitty_datadir} +%attr(770,root,hyperkitty) %dir %{hyperkitty_logdir} %files -n %{hyperkitty_pkgname}-web-uwsgi %dir %{_sysconfdir}/uwsgi