Re: [alpine-aports] [PATCH] main/sshfs: post-install

From: IT Developer <developer_at_it-offshore.co.uk>
Date: Fri, 06 Feb 2015 16:40:17 +0000

I thought apks only had to build non-interactively (which it does), and
under grsecurity in Alpine non-root users can only read /proc if they
have GID:30 (readproc). I didn't see how sshfs could be patched when
/proc/mounts would need to be read.

There were some small errors in APKBUILD which I've now fixed.

Stuart.

On 02/06/2015 02:58 PM, Timo Teras wrote:
> While I understand what it's trying to fix, and why you suggest this,
> it is not correct on multiple levels:
> - apk packages need to be installable non-interactively
> - adding to readproc allows lots of other stuff
> - the fix should be to:
>   1) make sshfs not read those files, or not fail if they are not
>      readable
>   2) fix grsec proc permissions to allow it to work
>
> Do you know which files sshfs needs that are not readable for a regular
> user?
>
> On Fri, 6 Feb 2015 14:28:59 +0000
> Stuart Cardall <developer_at_it-offshore.co.uk> wrote:
>
>> Small post-install script giving the option to selectively add normal
>> users to group readproc so they can mount sshfs under grsecurity.
>> ---
>> main/sshfs/APKBUILD | 4 +++-
>> main/sshfs/sshfs.post-install | 29 +++++++++++++++++++++++++++++
>> 2 files changed, 32 insertions(+), 1 deletion(-)
>> create mode 100644 main/sshfs/sshfs.post-install
>>
>> diff --git a/main/sshfs/APKBUILD b/main/sshfs/APKBUILD
>> index 6b3c3b4..07897f6 100644
>> --- a/main/sshfs/APKBUILD
>> +++ b/main/sshfs/APKBUILD
>> _at__at_ -8,7 +8,9 @@ arch="all"
>> license="GPL"
>> depends="openssh-client"
>> makedepends="pkgconfig fuse-dev glib-dev"
>> -source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz"
>> +source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz
>> + $pkgname.setup
>> + "
>>
>> _builddir="$srcdir"/sshfs-fuse-$pkgver
>> build ()
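
Review bot: The new `$pkgname.setup` entry in `source=` names a file this patch does not add; the only file created is `main/sshfs/sshfs.post-install`, so the source list would point at something that is not in the tree. Install scripts are declared in an APKBUILD with `install="$pkgname.post-install"` rather than listed in `source=`, and no `install=` line is visible in this hunk. Suggest reverting the `source=` change and adding the `install=` line instead.
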
>> diff --git a/main/sshfs/sshfs.post-install
>> b/main/sshfs/sshfs.post-install new file mode 100644
>> index 0000000..852cdfa
>> --- /dev/null
>> +++ b/main/sshfs/sshfs.post-install
>> _at__at_ -0,0 +1,29 @@
>> +#!/bin/sh
>> +
>> +NORMAL="\033[1;0m"
>> +STRONG="\033[1;1m"
>> +GREEN="\033[1;32m"
>> +
>> +print_strong() {
>> + local prompt="${STRONG}$1 ${GREEN}$2${NORMAL}"
>> + printf "${prompt} %s"
>> +}
>> +
>> +user_list=$(awk -F':' '{ if ( $3 >= 1000 && $1 != "nobody" ) print
>> $1}' /etc/passwd) +group=readproc
>> +
>> +if [ -n "$user_list" ]; then
>> + print_strong "\nAdd normal system users to group '$group'"
>> "(to allow sshfs mounting) [y/N]:"
>> + read answer
>> +
>> + case "$answer" in
>> + y*|Y*) for user in $user_list; do
>> + read -p "Add '$user' to Group
>> '$group'?: [y/N] " answer
>> + case "$answer" in
>> + y*|Y*) addgroup $user
>> readproc;;
>> + esac
>> + done;;
>> + esac
>> +fi
>> +exit 0
>> +
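
Review bot: The two prompts, `read answer` and `read -p "Add '$user' to Group '$group'?: [y/N] " answer`, make this post-install script wait on stdin, which conflicts with the requirement raised in this thread that apk packages be installable non-interactively. Group membership in `readproc` is better left to the administrator and documented than granted from an install hook, given the point above that it allows more than sshfs mounting. If the script is kept in some form: `read -p` is not POSIX sh although the shebang is `#!/bin/sh`, `print_strong` passes its message as the printf format string and leaves the trailing `%s` without an argument, and `addgroup $user readproc` should quote `"$user"` and use `"$group"` instead of repeating the literal group name.
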




Received on Fri Feb 06 2015 - 16:40:17 GMT