github polterguy/magic v10.0.4
Tightening security

latest releases: v17.3.9, v17.3.8, v17.3.7...
2 years ago

The primary feature of this release is that it tightens security significantly by creating an explicit user in the backend that's called "magic", which the backend runs within. This ensures way tighter security when deploying through Docker, since by default this user only has write access to the "/files/" folder, preventing security issues from being able to tamper with the underlaying operating system in any ways.

Notice - This is a breaking change if you update, and/or pull the servergardens/magic-backend Docker image, since to avoid using the old modules mounted volumes that was chown'ed by 'root" I had to create new volume declarations. If you're using Magic through its Docker images, you'll need to take a backup of the following folders before you update.

  • /files/etc/
  • /files/modules/

If you don't, you might run the risk of loosing data.

If you are only using the source code version, the above shouldn't apply to you. Notice, the docker-compose.yml file in the magic.deploy repository has also been updated. Implying you'll have to pull this repository from your server if you intend to apply the changes to an existing installation.

The above change also makes it easier to use Magic in a development environment, since now the configuration, modules, and everything that's changed during setup of Magic, also when you're using the development Docker docker-compose.yml file is now preserved.

Notice though, that you'll need to download the new docker-compose.yml file if you want to take advantage of these security additions, and you can not use an old docker-compose file, for a previous release.

Don't miss a new magic release

NewReleases is sending notifications on new releases.