Hartmut
78d50b78d3
Scripts: - stop.sh: replace Linux-only fuser with cross-platform lsof fallback - start.sh: parameterize port (APP_PORT) and container name (dynamic lookup) - app-dev-start.sh: cross-platform stat (GNU -c / BSD -f) and setpriv/su fallback - deploy-compose.sh: parameterize Docker registry via DOCKER_REGISTRY env var - harden-postgres.sh: make DB_USER and DB_NAME configurable via env vars NPM security: - next: 15.5.12 → 15.5.15 (fixes HTTP request smuggling CVE) - nodemailer: 8.0.1 → 8.0.5 (fixes SMTP command injection CVEs) - lodash-es: add pnpm override to force >=4.18.0 (fixes code injection + prototype pollution) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
24 lines
951 B
Bash
Executable File
24 lines
951 B
Bash
Executable File
#!/usr/bin/env bash
|
|
# Remove SUPERUSER from the application database user
|
|
# Run after initial setup: bash scripts/harden-postgres.sh
|
|
|
|
DB_USER="${DB_USER:-capakraken}"
|
|
DB_NAME="${DB_NAME:-capakraken}"
|
|
|
|
echo "Hardening PostgreSQL for $DB_USER..."
|
|
|
|
# Remove SUPERUSER privilege
|
|
docker compose exec -T postgres psql -U postgres -c "ALTER USER $DB_USER NOSUPERUSER;"
|
|
|
|
# Grant only needed permissions
|
|
docker compose exec -T postgres psql -U postgres -d $DB_NAME -c "
|
|
GRANT CONNECT ON DATABASE $DB_NAME TO $DB_USER;
|
|
GRANT USAGE ON SCHEMA public TO $DB_USER;
|
|
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO $DB_USER;
|
|
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO $DB_USER;
|
|
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO $DB_USER;
|
|
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO $DB_USER;
|
|
"
|
|
|
|
echo "Done. $DB_USER no longer has SUPERUSER."
|