Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:freedombox
User: [email protected]
Usertags: pu

[ Reason ]
Fix a security issue CVE-2025-68462 where the backup data for several FreedomBox apps was stored with incorrect permissions. It was coordinated with the security team to batch the fix via the upcoming point release.

[ Impact ]
Any user on the system can access some private data belonging to other users in some specific apps managed by FreedomBox. They can also access a stored password for a dynamic DNS service.

[ Tests ]
I tested using automated functional tests for backups and for the affected apps. I then manually checked that the backups-data directory had the expected permissions.

[ Risks ]
The code is fairly simple. After the freedombox package is updated to have the fix, it will create or modify the backups-data folder to have the correct permissions.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Besides the fix for the security issue, the following changes are included:
- Update handling of apt sources.list file to tolerate comments.
- Update release date for trixie that is shown in the interface.
- Update the manual to the version retrieved August 2nd that will match with trixie content.

diff -Nru freedombox-25.9.3/debian/changelog freedombox-25.9.3+deb13u1/debian/changelog --- freedombox-25.9.3/debian/changelog 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/debian/changelog 2025-12-18 08:48:51.000000000 -0500 @@ -1,3 +1,15 @@ +freedombox (25.9.3+deb13u1) trixie; urgency=medium + + [ Sunil Mohan Adapa ] + * distupgrade: Handle comments in sources.list file + * distupgrade: Update Trixie's release date as announced + * backups: Set proper permissions for backups-data directory (CVE-2025-68462) + + [ James Valleroy ] + * doc: Fetch latest manual + + -- James Valleroy <[email protected]> Thu, 18 Dec 2025 08:48:51 -0500 + freedombox (25.9.3) unstable; urgency=medium [ J AK ] diff -Nru freedombox-25.9.3/doc/manual/en/ExposeLocalService.raw.wiki freedombox-25.9.3+deb13u1/doc/manual/en/ExposeLocalService.raw.wiki --- freedombox-25.9.3/doc/manual/en/ExposeLocalService.raw.wiki 1969-12-31 19:00:00.000000000 -0500 +++ freedombox-25.9.3+deb13u1/doc/manual/en/ExposeLocalService.raw.wiki 2025-12-18 08:48:51.000000000 -0500 
@@ -0,0 +1,158 @@ +#language en + +##TAG:TRANSLATION-HEADER-START +~- [[FreedomBox/Guide/ExposeLocalService|English]] - [[DebianWiki/EditorGuide#translation|(+)]] -~ +##TAG:TRANSLATION-HEADER-END + +<<TableOfContents>> + +## BEGIN_INCLUDE + +== Expose a Local Service to Internet using FreedomBox == + +This guide describes to expose a local service you have on your LAN to the internet using FreedomBox that is already exposed on the internet. + +=== Goal === + + * ''You have a !FreedomBox running'' with a working domain already setup. You are able to access your !FreedomBox using a URL such as `https://www.mysite.example/` . + * ''You have a different server running a local service'' on LAN that you wish to expose to the Internet on the same domain as your !FreedomBox. The local service must be a web service using the HTTP protocol (it is also possible to setup non-HTTP service, but that is a different approach). Optionally, you can have special domain assigned specifically for this local service. + * You wish for ''!FreedomBox to handle the TLS certificates'' for this domain as !FreedomBox typically does. Your local service need not setup and manage TLS certificates. + * Optionally, you may want to ''limit access to local service using !FreedomBox credentials''. Only users with a !FreedomBox account (and belonging to a chosen group) will be able to access this service. The local service will not be available to general public on the Internet. This way you can host local services that don’t implement their own authentication or local services with their own authentication mechanisms disabled. + +=== Exposing Local LAN servers === + + * To expose the service, create an Apache configuration file in `/etc/apache2/conf-available/` and write a `ProxyPass` directive. 
Assuming your local service is running on a computer with IP address `192.168.0.20` on port `3000`, you can do this by running a command (as a root user on the terminal): + + {{{#!highlight bash +cat > /etc/apache2/conf-available/my-local-service.conf <<EOL +ProxyPass /myservice http://192.168.0.20:3000/ +EOL +}}} + + * Then, enable this Apache configuration. Run the following command: + {{{#!highlight bash +a2enconf my-local-service +}}} + * Then reload Apache web server. + {{{#!highlight bash +systemctl reload apache2 +}}} + +You can now access your local service at the following URL `https://www.mysite.example/myservice/` . Note that the URL is a secure URL with `https://`. The certificates will be managed by FreedomBox/Let’s Encrypt. All your other apps and services work as usual. You can add any number services you want this way. + +=== Running the Service on FreedomBox Itself === + +The above approach will also work if the local service is running on !FreedomBox itself. In this case, the `ProxyPass` directive in the configuration should be modified to look like `ProxyPass /myservice http://127.0.0.1:3000/`. + +=== Disabling the service === + +To disable exposing the local service: + + 1. Disable the Apache configuration file. + {{{#!highlight bash +a2disconf my-local-service +}}} + 1. Then, reload Apache web server. + {{{#!highlight bash +systemctl reload apache2 +}}} + +=== Adding Authentication === + +You can configure the service to be available to only users with !FreedomBox account. This is a good choice if: + + * The local service that is exposed to the Internet should not be available to everyone. And, + * The local service does not provide its own authentication mechanism. Or, + * The local service provides it’s own authentication but you don’t want to maintain a different set of user accounts for that service and want to reuse your FreedomBox user accounts. + + 1. 
Update the Apache configuration file `/etc/apache2/conf-available/my-local-service.conf` to look like the following. + {{{#!highlight apache +<Location /myservice/> + Include includes/freedombox-single-sign-on.conf + + ProxyPass http://192.168.0.20:3000/ +</Location> +}}} + 1. Then, reload Apache web server. + {{{#!highlight bash +systemctl reload apache2 +}}} + +If you wish for only some groups of users to be able to access the service, another change to the configuration is needed. Make the configuration look like the following if you wish to allow users of “web-search” group and also users of “admin” group to access the local service. All other users even if they have a valid !FreedomBox account will be denied access. + +{{{#!highlight apache +<Location /myservice/> + Include includes/freedombox-single-sign-on.conf + + <IfModule mod_auth_pubtkt.c> + TKTAuthToken "web-search" "admin" + </IfModule> + + ProxyPass http://192.168.0.20:3000/ +</Location> +}}} + +=== Hosting the Service on a Separate Domain === + +Some services and web applications hosted under a URL fragment such as `/myservice/` do not work well. They require an entire domain or subdomain to be dedicated to them. In these cases too, !FreedomBox can expose local services. + + 1. First acquire a domain or a subdomain. + * If your domain is a custom domain that you own, go to the DNS settings on your domain name provider and add a subdomain. You can create a CNAME record that simply points to the main domain. + * If you are using !FreedomBox Dynamic DNS service, then login into https://ddns.freedombox.org and enable the “Wildcard” option. With this change, for a domain (such as `example.fbx.one`), all subdomains (such as `myservice.example.fbx.one`) of your domain will point to your main domain. + 1. Add the new domain into !FreedomBox. Goto System → Name Services → Domain (regular) → Add. For example, add `myservice.mysite.example`. + 1. 
Then create an Apache configuration file at `/etc/apache2/includes/<domainname>-include.conf`. For our example this is: `/etc/apache2/includes/myservice.mysite.example-include.conf`. The contents of the file should be: + {{{#!highlight apache +ProxyPass / http://192.168.0.20:3000/ +}}} + 1. Modify the above file for authentication if necessary by adding the `Include` and `<IfModule>` configuration directives as shown in the authentication section above. + +=== Troubleshooting === + +When your setup does not work as expected, to debug, run a temporary web service on your FreedomBox. + + 1. Create a temporary directory with an index.html page on the !FreedomBox. + {{{#!highlight bash +mkdir temp +cd temp +cat > index.html <<EOL +<!DOCTYPE html> +<html> + <head> + <title>My test page</title> + </head> + <body> + <h1>Hello, World!</h1> + </body> +</html> +EOL +}}} + 1. Run a temporary web server (press Control-C to terminate): + {{{#!highlight bash +python3 -m http.server 3000 +}}} + 1. Update the Apache configuration to point to this temporary service on !FreedomBox. + {{{#!highlight apache +ProxyPass /myservice http://127.0.0.1:3000/ +}}} + +=== Extras === + +There are many additional features that Apache can provide to improve the local service. For these, [[https://httpd.apache.org/docs/current/|explore Apache documentation]]. Some features include: + + * Serving static files such as JS, CSS, and media files from local directory without invoking the local service to improve performance. + * Caching the responses from the local service to improve performance. + * Setting additional headers for security, cache control, etc. + * Modify the HTTP header responses from the service when it does not work well to hosting under a URL fragment such as `/myservice/`. + * Perform redirects from `http://` URL to `https://` and setting HSTS header. + * Load balancing among multiple local services for high availability, scaling, etc. + * And more. 
+ + +## END_INCLUDE + +Back to [[FreedomBox/Features|Features introduction]] or [[FreedomBox/Manual|manual]] pages. + +<<Include(FreedomBox/Portal)>> + +---- +CategoryFreedomBox diff -Nru freedombox-25.9.3/doc/manual/en/freedombox-manual.raw.wiki freedombox-25.9.3+deb13u1/doc/manual/en/freedombox-manual.raw.wiki --- freedombox-25.9.3/doc/manual/en/freedombox-manual.raw.wiki 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/doc/manual/en/freedombox-manual.raw.wiki 2025-12-18 08:48:51.000000000 -0500 @@ -28,6 +28,7 @@ <<Include(FreedomBox/Manual/Infinoted, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Manual/Janus, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Manual/JSXC, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> +<<Include(FreedomBox/Manual/Kiwix, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Manual/MatrixSynapse, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Manual/MediaWiki, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Manual/Minetest, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> 
@@ -80,6 +81,9 @@ <<Include(FreedomBox/Manual/Upgrades, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Manual/Users, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> += Guides = +<<Include(FreedomBox/Guide/ExposeLocalService, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> + = Hardware = <<Include(FreedomBox/Hardware, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Hardware/PioneerEdition, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> Binary files /tmp/maZOtn5Gh6/freedombox-25.9.3/doc/manual/en/images/kiwix-tile.png and /tmp/hOWMVVv3Ok/freedombox-25.9.3+deb13u1/doc/manual/en/images/kiwix-tile.png differ Binary files /tmp/maZOtn5Gh6/freedombox-25.9.3/doc/manual/en/images/ui_apps.png and /tmp/hOWMVVv3Ok/freedombox-25.9.3+deb13u1/doc/manual/en/images/ui_apps.png differ Binary files /tmp/maZOtn5Gh6/freedombox-25.9.3/doc/manual/en/images/ui_burger_icon.png and /tmp/hOWMVVv3Ok/freedombox-25.9.3+deb13u1/doc/manual/en/images/ui_burger_icon.png differ Binary files /tmp/maZOtn5Gh6/freedombox-25.9.3/doc/manual/en/images/ui_burger_menu.png and /tmp/hOWMVVv3Ok/freedombox-25.9.3+deb13u1/doc/manual/en/images/ui_burger_menu.png differ Binary files /tmp/maZOtn5Gh6/freedombox-25.9.3/doc/manual/en/images/ui_frontpage.png and /tmp/hOWMVVv3Ok/freedombox-25.9.3+deb13u1/doc/manual/en/images/ui_frontpage.png differ Binary files /tmp/maZOtn5Gh6/freedombox-25.9.3/doc/manual/en/images/ui_frontpage_with_app.png and /tmp/hOWMVVv3Ok/freedombox-25.9.3+deb13u1/doc/manual/en/images/ui_frontpage_with_app.png differ Binary files /tmp/maZOtn5Gh6/freedombox-25.9.3/doc/manual/en/images/ui_help.png and /tmp/hOWMVVv3Ok/freedombox-25.9.3+deb13u1/doc/manual/en/images/ui_help.png differ Binary files /tmp/maZOtn5Gh6/freedombox-25.9.3/doc/manual/en/images/ui_system.png and /tmp/hOWMVVv3Ok/freedombox-25.9.3+deb13u1/doc/manual/en/images/ui_system.png differ Binary files /tmp/maZOtn5Gh6/freedombox-25.9.3/doc/manual/en/images/ui_user_menu.png and 
/tmp/hOWMVVv3Ok/freedombox-25.9.3+deb13u1/doc/manual/en/images/ui_user_menu.png differ diff -Nru freedombox-25.9.3/doc/manual/en/Kiwix.raw.wiki freedombox-25.9.3+deb13u1/doc/manual/en/Kiwix.raw.wiki --- freedombox-25.9.3/doc/manual/en/Kiwix.raw.wiki 1969-12-31 19:00:00.000000000 -0500 +++ freedombox-25.9.3+deb13u1/doc/manual/en/Kiwix.raw.wiki 2025-12-18 08:48:51.000000000 -0500 
@@ -0,0 +1,55 @@ +#language en +##TAG:TRANSLATION-HEADER-START +Translations ~- [[DebianWiki/EditorGuide#translation|(+)]] - [[FreedomBox/Manual/Kiwix|English]] - [[es/FreedomBox/Manual/Kiwix|Español]] -~ +##TAG:TRANSLATION-HEADER-END + +<<TableOfContents()>> + +## BEGIN_INCLUDE +== Kiwix (Offline Wikipedia) == +'''Available since:''' version 23.19 +||<tablestyle="float: right;"> {{attachment:kiwix-tile.png|Kiwix icon}} || + +[[https://en.wikipedia.org/wiki/Kiwix|Kiwix]] can serve archives of websites offline. It was originally created to serve an offline version of Wikipedia, the free encyclopedia. + +=== Use Cases === + +[[https://en.wikibooks.org/wiki/FreedomBox_for_Communities|FreedomBox for Communities]] was already using Kiwix years before it was officially included as an app. Kiwix was used to serve content over community Wi-Fi networks in [[https://en.wikipedia.org/wiki/Gangadevipalli#Free_Community_WiFi|villages]] of India with unreliable or insufficient Internet access. In addition to an offline Wikipedia, Kiwix served + * the archive "Wikipedia for Schools" which was used by school teachers and students for homework assignments and as a teaching aid. + * the archive "!WikiSource (in Telugu)" which served as a digital library. + +Kiwix is also useful when you have reliable Internet access. + 1. Archival and preservation: Archives of websites can be created and preserved as ZIM files. These archives can be served using Kiwix. + 2. Fast access to slow websites: An offline archive can be faster to access than a website. + 3. Access to websites that can be temporarily unavailable. For example, the Low Tech Magazine is hosted on a solar-powered single-board computer and could go offline sometimes. There is a Kiwix archive available for it which can be hosted locally. + +=== Kiwix on FreedomBox === + +!FreedomBox serves the Debian package called kiwix-tools which allows managing and serving content archives in ZIM file format. 
ZIM files can be added or removed by a !FreedomBox administrator or any user in the "kiwix" user group. + +Kiwix on !FreedomBox is available via web interface only. There are mobile and desktop clients for Kiwix, but they can only read local archives. They cannot pull content from Kiwix hosted on !FreedomBox. + +The web interface of Kiwix is available for public access by default. + +=== Finding content archives === + +To find content for Kiwix, go to [[https://library.kiwix.org|library.kiwix.org]]. You can download archives (called "books") using direct download or using BitTorrent. The website itself is a Kiwix installation, so you can have a preview of the content before downloading, to check that the archive is not broken. + +An alternative source of the same files is [[https://wiki.kiwix.org/wiki/Main_Page|wiki.kiwix.org]], a wiki with download links and more information about the Kiwix project. + +=== Creating content archives === + +The [[https://openzim.org/|OpenZim]] project maintains tools to create ZIM files. The tool [[https://github.com/openzim/zimit|zimit]] is a complete solution that can scrape a website and create a ZIM file. You can also request a ZIM archive using the website [[https://youzim.it|youzim.it]]. + +=== External links === + * Upstream project: https://kiwix.org/ + * Upstream documentation: https://kiwix.org/frequently-asked-questions/ + +## END_INCLUDE + +Back to [[FreedomBox/Features|Features introduction]] or [[FreedomBox/Manual|manual]] pages. + +<<Include(FreedomBox/Portal)>> + +---- +CategoryFreedomBox diff -Nru freedombox-25.9.3/doc/manual/en/QuickStart.raw.wiki freedombox-25.9.3+deb13u1/doc/manual/en/QuickStart.raw.wiki --- freedombox-25.9.3/doc/manual/en/QuickStart.raw.wiki 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/doc/manual/en/QuickStart.raw.wiki 2025-12-18 08:48:51.000000000 -0500 
@@ -93,7 +93,7 @@ === Apps menu === -The Apps menu can be accessed by clicking the grid icon, next to the !FreedomBox logo. This page lists all of the apps that are available for installing on !FreedomBox. Click the name of an app to visit its page, where you can install and configure it. +The Apps menu can be accessed by clicking the grid icon, next to the !FreedomBox logo. This page lists all of the apps that are available for installing on !FreedomBox. Click the name of an app to visit its page, where you can install and configure it. Currently installed and enabled apps are shown above the remaining available apps. {{attachment:ui_apps.png|Apps|width=600}} diff -Nru freedombox-25.9.3/doc/manual/en/ReleaseNotes.raw.wiki freedombox-25.9.3+deb13u1/doc/manual/en/ReleaseNotes.raw.wiki --- freedombox-25.9.3/doc/manual/en/ReleaseNotes.raw.wiki 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/doc/manual/en/ReleaseNotes.raw.wiki 2025-12-18 08:48:51.000000000 -0500 @@ -8,6 +8,19 @@ The following are the release notes for each !FreedomBox version. +== FreedomBox 25.9.4 (2025-08-02) == + + * distupgrade: Handle comments in sources.list file + * distupgrade: Update Trixie's release date as announced + +== FreedomBox 25.9.3 (2025-07-21) == + + * config: Allow overriding target path in dropin config component + * email: Add support for Dovecot 2.4 + * email: Start servers during re-setup if they are not running + * locale: Update translations for Albanian, Bulgarian, Catalan, Estonian, Tamil + * sogo: Fix typo in configuration for sieve server + == FreedomBox 25.9.2 (2025-06-23) == * debian: Set the branch for trixie diff -Nru freedombox-25.9.3/doc/manual/es/Manual.raw.wiki freedombox-25.9.3+deb13u1/doc/manual/es/Manual.raw.wiki --- freedombox-25.9.3/doc/manual/es/Manual.raw.wiki 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/doc/manual/es/Manual.raw.wiki 2025-12-18 08:48:51.000000000 -0500 
@@ -28,6 +28,7 @@ <<Include(FreedomBox/Manual/Infinoted, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Manual/Janus, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Manual/JSXC, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> +<<Include(FreedomBox/Manual/Kiwix, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Manual/MatrixSynapse, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Manual/MediaWiki, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Manual/Minetest, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> @@ -80,6 +81,9 @@ <<Include(FreedomBox/Manual/Upgrades, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Manual/Users, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> += Guides = +<<Include(FreedomBox/Guide/ExposeLocalService, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> + = Hardware = <<Include(FreedomBox/Hardware, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> <<Include(FreedomBox/Hardware/PioneerEdition, , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>> diff -Nru freedombox-25.9.3/doc/manual/es/ReleaseNotes.raw.wiki freedombox-25.9.3+deb13u1/doc/manual/es/ReleaseNotes.raw.wiki --- freedombox-25.9.3/doc/manual/es/ReleaseNotes.raw.wiki 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/doc/manual/es/ReleaseNotes.raw.wiki 2025-12-18 08:48:51.000000000 -0500 
@@ -8,6 +8,19 @@ The following are the release notes for each !FreedomBox version. +== FreedomBox 25.9.4 (2025-08-02) == + + * distupgrade: Handle comments in sources.list file + * distupgrade: Update Trixie's release date as announced + +== FreedomBox 25.9.3 (2025-07-21) == + + * config: Allow overriding target path in dropin config component + * email: Add support for Dovecot 2.4 + * email: Start servers during re-setup if they are not running + * locale: Update translations for Albanian, Bulgarian, Catalan, Estonian, Tamil + * sogo: Fix typo in configuration for sieve server + == FreedomBox 25.9.2 (2025-06-23) == * debian: Set the branch for trixie diff -Nru freedombox-25.9.3/plinth/db/postgres.py freedombox-25.9.3+deb13u1/plinth/db/postgres.py --- freedombox-25.9.3/plinth/db/postgres.py 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/plinth/db/postgres.py 2025-12-18 08:48:51.000000000 -0500 @@ -94,7 +94,6 @@ file if it exists. """ backup_path = pathlib.Path(backup_file) - backup_path.parent.mkdir(parents=True, exist_ok=True) with action_utils.service_ensure_running('postgresql'): with open(backup_path, 'w', encoding='utf-8') as file_handle: _run_as([ diff -Nru freedombox-25.9.3/plinth/modules/backups/__init__.py freedombox-25.9.3+deb13u1/plinth/modules/backups/__init__.py --- freedombox-25.9.3/plinth/modules/backups/__init__.py 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/plinth/modules/backups/__init__.py 2025-12-18 08:48:51.000000000 -0500 @@ -33,7 +33,7 @@ app_id = 'backups' - _version = 3 + _version = 4 def __init__(self) -> None: """Create components for the app.""" diff -Nru freedombox-25.9.3/plinth/modules/backups/privileged.py freedombox-25.9.3+deb13u1/plinth/modules/backups/privileged.py --- freedombox-25.9.3/plinth/modules/backups/privileged.py 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/plinth/modules/backups/privileged.py 2025-12-18 08:48:51.000000000 -0500 
@@ -211,6 +211,8 @@ @privileged def setup(path: str): """Create repository if it does not already exist.""" + _create_backup_data_directory() + try: _run(['borg', 'info', path], check=True) except subprocess.CalledProcessError: @@ -221,6 +223,17 @@ _init_repository(path, encryption='none') +def _create_backup_data_directory(): + """Create the backups-data with proper permissions.""" + old_umask = os.umask(0o077) + try: + BACKUPS_DATA_PATH.mkdir(exist_ok=True) + BACKUPS_DATA_PATH.chmod(0o700) + shutil.chown(BACKUPS_DATA_PATH, 'root', 'root') + finally: + os.umask(old_umask) + + def _init_repository(path: str, encryption: str, encryption_passphrase: str | None = None): """Initialize a local or remote borg repository.""" @@ -467,7 +480,6 @@ def dump_settings(app_id: str, settings: dict[str, int | float | bool | str]): """Dump an app's settings to a JSON file.""" _assert_app_id(app_id) - BACKUPS_DATA_PATH.mkdir(exist_ok=True) settings_path = BACKUPS_DATA_PATH / f'{app_id}-settings.json' settings_path.write_text(json.dumps(settings)) diff -Nru freedombox-25.9.3/plinth/modules/nextcloud/privileged.py freedombox-25.9.3+deb13u1/plinth/modules/nextcloud/privileged.py --- freedombox-25.9.3/plinth/modules/nextcloud/privileged.py 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/plinth/modules/nextcloud/privileged.py 2025-12-18 08:48:51.000000000 -0500 @@ -358,8 +358,6 @@ @privileged def dump_database(): """Dump database to file.""" - DB_BACKUP_FILE.parent.mkdir(parents=True, exist_ok=True) - with _maintenance_mode(): with DB_BACKUP_FILE.open('w', encoding='utf-8') as file_handle: subprocess.run([ diff -Nru freedombox-25.9.3/plinth/modules/upgrades/distupgrade.py freedombox-25.9.3+deb13u1/plinth/modules/upgrades/distupgrade.py --- freedombox-25.9.3/plinth/modules/upgrades/distupgrade.py 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/plinth/modules/upgrades/distupgrade.py 2025-12-18 08:48:51.000000000 -0500 
@@ -46,7 +46,7 @@ 'trixie': { 'version': 13, 'next': 'forky', - 'release_date': datetime.datetime(2025, 8, 20, tzinfo=timezone.utc), + 'release_date': datetime.datetime(2025, 8, 9, tzinfo=timezone.utc), }, 'forky': { 'version': 14, @@ -116,6 +116,9 @@ dists = set() for match_ in aug.match('*'): dist = aug.get(match_ + '/distribution') + if not dist: + continue + dist = dist.removesuffix('-updates') dist = dist.removesuffix('-security') dists.add(dist) diff -Nru freedombox-25.9.3/plinth/modules/upgrades/tests/test_distupgrade.py freedombox-25.9.3+deb13u1/plinth/modules/upgrades/tests/test_distupgrade.py --- freedombox-25.9.3/plinth/modules/upgrades/tests/test_distupgrade.py 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/plinth/modules/upgrades/tests/test_distupgrade.py 2025-12-18 08:48:51.000000000 -0500 @@ -190,7 +190,7 @@ assert status['current_release_date'] == current_date assert status['next_codename'] == 'trixie' assert status['next_version'] == 13 - next_date = datetime_original(2025, 8, 20, tzinfo=timezone.utc) + next_date = datetime_original(2025, 8, 9, tzinfo=timezone.utc) assert status['next_release_date'] == next_date assert status['next_action'] == 'manual' diff -Nru freedombox-25.9.3/plinth/modules/wordpress/privileged.py freedombox-25.9.3+deb13u1/plinth/modules/wordpress/privileged.py --- freedombox-25.9.3/plinth/modules/wordpress/privileged.py 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/plinth/modules/wordpress/privileged.py 2025-12-18 08:48:51.000000000 -0500 
@@ -143,7 +143,6 @@ @privileged def dump_database(): """Dump database to file.""" - _db_backup_file.parent.mkdir(parents=True, exist_ok=True) with action_utils.service_ensure_running('mysql'): with _db_backup_file.open('w', encoding='utf-8') as file_handle: subprocess.run([ diff -Nru freedombox-25.9.3/plinth/modules/zoph/privileged.py freedombox-25.9.3+deb13u1/plinth/modules/zoph/privileged.py --- freedombox-25.9.3/plinth/modules/zoph/privileged.py 2025-07-21 19:29:32.000000000 -0400 +++ freedombox-25.9.3+deb13u1/plinth/modules/zoph/privileged.py 2025-12-18 08:48:51.000000000 -0500 @@ -2,7 +2,6 @@ """Configuration helper for Zoph server.""" import configparser -import os import pathlib import re import subprocess @@ -122,7 +121,6 @@ """ with action_utils.service_ensure_running('mysql'): db_name = _get_db_config()['db_name'] - os.makedirs(os.path.dirname(DB_BACKUP_FILE), exist_ok=True) with open(DB_BACKUP_FILE, 'w', encoding='utf-8') as db_backup_file: subprocess.run(['mysqldump', db_name], stdout=db_backup_file, check=True)
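
Review bot: In doc/manual/en/ExposeLocalService.raw.wiki (hunk @@ -0,0 +1,158 @@), the group-restricted example wraps TKTAuthToken "web-search" "admin" in <IfModule mod_auth_pubtkt.c>, so if that module is not loaded the group restriction is skipped silently and Apache still starts. For an access-control directive it is safer to document it without the <IfModule> wrapper, so that a missing module becomes a configuration error instead of a wider audience. Separately, the first example pairs /myservice (no trailing slash) with http://192.168.0.20:3000/ (trailing slash); Apache's ProxyPass documentation asks for both arguments to agree on the trailing slash. The opening sentence should also read "describes how to expose".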
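
Review bot: In plinth/db/postgres.py (hunk @@ -94,7 +94,6 @@), dropping backup_path.parent.mkdir(parents=True, exist_ok=True) turns a missing parent directory into a FileNotFoundError at open(backup_path, 'w'), raised only after service_ensure_running('postgresql') has been entered. The docstring should state that the caller must pass a path inside an existing directory with restricted permissions, or the function should check backup_path.parent.is_dir() up front and fail with a clear message. The same precondition now applies to the dump_database() hunks in nextcloud, wordpress and zoph.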
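
Review bot: In plinth/modules/backups/privileged.py (hunk @@ -221,6 +223,17 @@), _create_backup_data_directory() changes the process-wide umask with os.umask(0o077) only to create one directory, which also affects any file created concurrently elsewhere in the same process until the finally block runs. BACKUPS_DATA_PATH.mkdir(mode=0o700, exist_ok=True) followed by the existing chmod(0o700) and shutil.chown() gives the same result without touching the umask. The docstring ("Create the backups-data with proper permissions.") is missing the word "directory" and should say that the function also corrects the mode and owner of a directory that already exists, since that is what repairs upgraded systems. Note too that mkdir() here has no parents=True, unlike the calls removed elsewhere in this diff.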
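
Review bot: In plinth/modules/backups/privileged.py (hunk @@ -467,7 +480,6 @@), dump_settings() now assumes backups-data already exists with the tightened mode, but nothing in the function enforces it: if setup() has not run yet, settings_path.write_text() either raises FileNotFoundError or writes into a directory that still has the old permissions. Consider calling _create_backup_data_directory() at the top of dump_settings() as well, so the settings file is never written before the directory is restricted. The file itself is still created with the default mode and is protected only by its parent directory; a comment saying so would help the next reader.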
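
Review bot: In plinth/modules/upgrades/distupgrade.py (hunk @@ -116,6 +116,9 @@), the new "if not dist: continue" guard has no matching test; the only change to tests/test_distupgrade.py in this diff is the release date. Add a test case that feeds a sources.list containing comment lines so the empty result from aug.get(match_ + '/distribution') stays covered, and add a one-line comment on the guard saying which nodes lack a distribution child.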

