diff --git a/matomo-tmpfile.conf b/matomo-tmpfile.conf new file mode 100644 index 0000000..1320896 --- /dev/null +++ b/matomo-tmpfile.conf @@ -0,0 +1,2 @@ +# setting PHP's session.save_path to this directory +d /run/matomo_sessions 0750 wwwrun www - diff --git a/matomo.changes b/matomo.changes index 4cccc5e..521d3a4 100644 --- a/matomo.changes +++ b/matomo.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Mon Dec 23 22:56:28 UTC 2019 - Lars Vogdt + +- (add) more secure PHP settings for: + upload_tmp_dir => "/var/cache/apache2" (upload is disabled, but this + makes Matomo's security check happy) + session.save_path => "/run/matomo_sessions/", to keep session files + secure. Added: matomo-tmpfile.conf for this +- just recommend cron and mariadb: + * mariadb can be run on another host (matomo just needs the client) + * cron script can be obsoleted by the provided systemd timer +- pre-require php, to run the commands in post +- recommend php-openssl for (php) curl requests from matomo + ------------------------------------------------------------------- Thu Dec 12 11:22:26 UTC 2019 - Lars Vogdt diff --git a/matomo.conf b/matomo.conf index afa986c..6437f36 100644 --- a/matomo.conf +++ b/matomo.conf 
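Review bot: The owner and group of the session directory are hard-coded as `wwwrun`/`www` in the tmpfiles line, while the spec expresses the Apache identity as `%{ap_usr}`/`%{ap_grp}` and falls back to `nobody`/`nogroup` on non-SUSE builds, so the `%ghost %attr(0750,%{ap_usr},%{ap_grp})` entry and the directory that is actually created can disagree. On a system without a `wwwrun` user systemd-tmpfiles will, as far as I know, fail to resolve the user and skip the line, leaving PHP with no writable `session.save_path` and every login failing. The spec already substitutes `@ap_serverroot@` into the cron and service files at install time; the same pattern fits here: ship the line as `d /run/matomo_sessions 0750 @ap_usr@ @ap_grp@ -` and add `sed -i -e 's|@ap_usr@|%{ap_usr}|g' -e 's|@ap_grp@|%{ap_grp}|g' %{buildroot}%{_tmpfilesdir}/%{name}.conf` after the install line. Mode 0750 and the empty age field look right, since session expiry should be left to PHP's own garbage collection rather than to tmpfiles.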
@@ -75,11 +75,13 @@ Alias /matomo "__matomo_web__" # improved security - php_admin_value open_basedir "__matomo_web__:__matomo_conf__:__matomo_log__:/tmp:/usr/bin" + php_admin_value open_basedir "__matomo_web__:__matomo_conf__:__matomo_log__:/tmp:/usr/bin:/var/cache/apache2:/run/matomo_sessions" php_admin_flag display_startup_errors Off php_admin_flag display_errors Off php_admin_flag file_uploads Off php_admin_flag allow_url_fopen Off + php_admin_value upload_tmp_dir "/var/cache/apache2" + php_admin_value session.save_path "/run/matomo_sessions/" php_admin_value disable_functions "posix_setpgid,exec,ftp_login,mysql_pconnect,apache_setenv,popen,posix_getpwuid,posix_setsid,passthru,escapeshellcmd,ini_alter,ftp_raw,ftp_nb_fput,ini_restore,shell_exec,ftp_get,proc_get_status,highlight_file,proc_close,proc_terminate,syslog,ftp_connect,posix_uname,ini_get_all,proc_open,posix_kill,escapeshellarg,ftp_rawlist,posix_setuid,openlog,php_uname,system,ftp_exec,posix_mkfifo,proc_nice,ftp_put" php_admin_value memory_limit "1024M" php_admin_value max_execution_time 120 diff --git a/matomo.spec b/matomo.spec index 8da4711..a2b919f 100644 --- a/matomo.spec +++ b/matomo.spec @@ -29,6 +29,7 @@ %define ap_usr nobody %define ap_grp nogroup %endif +%{!?_tmpfilesdir:%global _tmpfilesdir %{_prefix}/lib/tmpfiles.d} Name: matomo Version: 3.13.0 @@ -45,6 +46,7 @@ Source10: %{name}-archive.cron Source11: %{name}-archive.service Source12: %{name}-archive.timer Source13: %{name}.my.cnf +Source14: %{name}-tmpfile.conf Source99: %{name}.rpmlintrc BuildArch: noarch %if 0%{?suse_version} >= 1500 @@ -61,9 +63,7 @@ BuildRequires: mariadb BuildRequires: systemd BuildRequires: unzip Requires: apache2 -Requires: cron Requires: logrotate -Requires: mariadb Requires: mod_php_any >= 5.5.9 Requires: php-ctype Requires: php-curl 
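Review bot: Adding `/var/cache/apache2` to `open_basedir` and using it as `upload_tmp_dir` opens a directory that is not Matomo's own — on SUSE it is the Apache-wide cache root, presumably shared with other modules and vhosts — so any PHP code running under the Matomo alias can now read and write whatever else the httpd instance keeps there, which widens the blast radius of a Matomo compromise for no runtime gain. The changelog states the setting exists only to satisfy Matomo's system check because `file_uploads` is Off (visible in the context lines), so pointing it at a private directory costs nothing: create `d /run/matomo_uploads 0750 <ap_usr> <ap_grp> -` alongside the session entry in the tmpfiles file, set `php_admin_value upload_tmp_dir "/run/matomo_uploads"`, and put that path in `open_basedir` instead of `/var/cache/apache2` (`/var/lib/matomo/uploads` is the persistent alternative if a tmpfs is undesirable). Moving sessions out of `/tmp` is the right call; note that `/tmp` itself still remains in `open_basedir`, so the world-writable shared directory is not yet out of reach.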
@@ -73,17 +73,19 @@ Requires: php-iconv Requires: php-json Requires: php-mbstring Requires: php-mysql -#Requires: php-openssl Requires: php-pdo #Requires: php-sqlite Requires: php-tokenizer Requires: php-xmlreader Requires: php-xmlwriter Requires: php-zlib +Requires(pre): php %{?systemd_requires} Recommends: php-geoip +Recommends: php-openssl Recommends: apache2-mod_geoip - +Recommends: mariadb +Recommends: cron Conflicts: piwik %description @@ -157,6 +159,7 @@ install -d -m 0755 %{buildroot}/var/log/%{name} install -D -m 0644 %{SOURCE10} %{buildroot}/%{_sysconfdir}/cron.d/%{name}-archive install -D -m 0644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}-archive.service install -D -m 0644 %{SOURCE12} %{buildroot}%{_unitdir}/%{name}-archive.timer +install -D -m 0644 %{SOURCE14} %{buildroot}%{_tmpfilesdir}/%{name}.conf sed -i -e 's|@ap_serverroot@|%{ap_serverroot}|g' %{buildroot}%{_sysconfdir}/cron.d/%{name}-archive sed -i -e 's|@ap_serverroot@|%{ap_serverroot}|g' %{buildroot}%{_unitdir}/%{name}-archive.service # install changes for mariadb @@ -172,6 +175,7 @@ install -D -m0644 %{SOURCE13} %{buildroot}/%{_sysconfdir}/my.cnf.d/%{name}.my.cn # BSC#1154324 # # # chown -R %{ap_usr}:%{ap_grp} %{ap_serverroot}/%{name} %service_add_post matomo-archive.timer matomo-archive.service apache2.service +%tmpfiles_create %{_tmpfilesdir}/%{name}.conf if [ $1 -gt 1 ]; then # Update matomo if this is an upgrade $1 == 2 echo "matomo: Update matomo:core..." @@ -191,7 +195,6 @@ fi %files %defattr(-,root,root,-) -#%%doc README.SUSE CHANGELOG.md CONTRIBUTING.md LEGALNOTICE README.md SECURITY.md %dir %{_defaultdocdir}/%{name} %{_defaultdocdir}/%{name}/* %config(noreplace) %{ap_sysconfdir}/conf.d/%{name}.conf 
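Review bot: `%tmpfiles_create %{_tmpfilesdir}/%{name}.conf` is placed after `%service_add_post ... apache2.service`; on openSUSE that macro can, if I recall its expansion correctly, try-restart the listed services during an upgrade unless `DISABLE_RESTART_ON_UPDATE` is set, so Apache may come back with the new `session.save_path` before `/run/matomo_sessions` exists and PHP will fail to open session files until the next boot or a manual `systemd-tmpfiles --create`. Swapping the two lines so the directory is created first (`%tmpfiles_create %{_tmpfilesdir}/%{name}.conf` then `%service_add_post matomo-archive.timer matomo-archive.service apache2.service`) closes that window at no cost. The `%post` scriptlet starts before and continues after this hunk.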
@@ -200,10 +203,12 @@ fi %config(noreplace) %{_sysconfdir}/my.cnf.d/%{name}.my.cnf %{_unitdir}/%{name}-archive.service %{_unitdir}/%{name}-archive.timer +%{_tmpfilesdir}/%{name}.conf %dir %attr(0750,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name} %dir %attr(0750,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/environment %attr(0640,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/*.php %attr(0640,%{ap_usr},%{ap_grp}) %{_sysconfdir}/%{name}/environment/*.php +%ghost %attr(0750,%{ap_usr},%{ap_grp}) /run/%{name}_sessions %defattr(644,root,root,755) %dir %{ap_serverroot}/%{name} %dir %attr(0750,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/js 
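Review bot: The `%ghost` entry for `/run/%{name}_sessions` lacks `%dir`, so rpm records the path as a regular file rather than a directory; I believe `rpm -V` will then report a type mismatch against the directory systemd-tmpfiles creates, and on erase rpm may attempt to unlink it as a file. Write it as `%ghost %dir %attr(0750,%{ap_usr},%{ap_grp}) /run/%{name}_sessions`, which is the form the Fedora tmpfiles.d packaging guidelines use for runtime directories. The owner here comes from `%{ap_usr}`/`%{ap_grp}`, so whatever identity the tmpfiles file ends up using should be derived from the same macros to keep the two in step.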
@@ -218,16 +223,17 @@ fi %attr(0644,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/js/piwik.min.js %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/console %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/misc/cron/archive.sh -#%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/misc/log-analytics/import_logs.py +%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/misc/log-analytics/import_logs.py %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/misc/composer/clean-xhprof.sh %attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/misc/composer/build-xhprof.sh #%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/plugins/TestRunner/scripts/on_instance_launch.sh -#%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/leafo/lessphp/package.sh -#%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/leafo/lessphp/lessify -#%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/leafo/lessphp/plessc -#%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/pear/archive_tar/sync-php4 -#%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/szymach/c-pchart/coverage.sh -#%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/tecnickcom/tcpdf/tools/tcpdf_addfont.php +%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/leafo/lessphp/package.sh +%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/leafo/lessphp/lessify +%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/leafo/lessphp/plessc +%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/pear/archive_tar/sync-php4 +%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/szymach/c-pchart/coverage.sh +%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/tecnickcom/tcpdf/tools/tcpdf_addfont.php +%attr(0770,%{ap_usr},%{ap_grp}) %{ap_serverroot}/%{name}/vendor/twig/twig/drupal_test.sh %{ap_serverroot}/%{name}/* %changelog
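Review bot: The newly un-commented `%attr(0770,%{ap_usr},%{ap_grp})` lines hand seven vendor development and test helpers (`lessphp/package.sh`, `lessify`, `plessc`, `archive_tar/sync-php4`, `c-pchart/coverage.sh`, `tcpdf/tools/tcpdf_addfont.php`, `twig/twig/drupal_test.sh`) to the web-server user as writable and executable files under the `Alias /matomo` tree, the opposite of the `%defattr(644,root,root,755)` posture the rest of the tree gets. None of them is needed to serve Matomo, so a compromised PHP process gains ready-made writable executables, and `tcpdf_addfont.php` is a PHP entry point under `vendor/` that is reachable over HTTP unless Matomo's own `.htaccess` rules for that directory (not visible here) deny it. If the motivation is rpmlint's executable-bit warnings, deleting the files in `%install` (`rm -f %{buildroot}%{ap_serverroot}/%{name}/vendor/twig/twig/drupal_test.sh` and the other six) silences the warning without widening the attack surface; if they must stay, `%attr(0755,root,root)` keeps them read-only for the web user. The `%files` list continues past this hunk.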