X-Original-To: alpine-aports@lists.alpinelinux.org Delivered-To: alpine-aports@mail.alpinelinux.org Received: from apollo.thewebhostserver.com (apollomail.thewebhostserver.com [46.23.65.248]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id EA7A6DC0092 for ; Fri, 6 Feb 2015 16:40:20 +0000 (UTC) Received: from [2.123.96.16] (port=44237 helo=[192.168.0.17]) by apollo.thewebhostserver.com with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from ) id 1YJlx2-001haV-J4; Fri, 06 Feb 2015 16:40:16 +0000 Message-ID: <54D4EE71.8010107@it-offshore.co.uk> Date: Fri, 06 Feb 2015 16:40:17 +0000 From: IT Developer Reply-To: developer@it-offshore.co.uk Organization: IT Offshore User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.4.0 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 To: Timo Teras CC: alpine-aports@lists.alpinelinux.org Subject: Re: [alpine-aports] [PATCH] main/sshfs: post-install References: <1423232939-499-1-git-send-email-developer@it-offshore.co.uk> <20150206165852.58a695d7@vostro> In-Reply-To: <20150206165852.58a695d7@vostro> Content-Type: multipart/alternative; boundary="------------050009050208050506010202" X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - apollo.thewebhostserver.com X-AntiAbuse: Original Domain - lists.alpinelinux.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - it-offshore.co.uk X-Get-Message-Sender-Via: apollo.thewebhostserver.com: authenticated_id: developer@it-offshore.co.uk X-Source: X-Source-Args: X-Source-Dir: This is a multi-part message in MIME format. --------------050009050208050506010202 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable I thought apk's only had to build non interactively (which it does) - & under grsecurity in Alpine non root users can only read /proc if they have GID:30 (readproc). I didn't see how sshfs could be patched when /proc/mounts would need to be read. There were some small errors in APKBUILD which I've now fixed. Stuart. On 02/06/2015 02:58 PM, Timo Teras wrote: > While I understand what it's trying to fix, and why you suggest this. > It is not correct on multiple levels: > - apk packages need to be installable non-interactively > - adding to readproc allows lots of other stuff > - the fix should be to: > 1) make sshfs not read those files, or not fail if they are not > readable > 2) fix grsec proc permissions to allow it work > > Do you know which files sshfs needs that are not readable for regular > user? > > On Fri, 6 Feb 2015 14:28:59 +0000 > Stuart Cardall wrote: > >> Small post-install script giving the option to selectively add normal >> users to group readproc so they can mount sshfs under grsecurity. >> --- >> main/sshfs/APKBUILD | 4 +++- >> main/sshfs/sshfs.post-install | 29 +++++++++++++++++++++++++++++ >> 2 files changed, 32 insertions(+), 1 deletion(-) >> create mode 100644 main/sshfs/sshfs.post-install >> >> diff --git a/main/sshfs/APKBUILD b/main/sshfs/APKBUILD >> index 6b3c3b4..07897f6 100644 >> --- a/main/sshfs/APKBUILD >> +++ b/main/sshfs/APKBUILD >> @@ -8,7 +8,9 @@ arch=3D"all" >> license=3D"GPL" >> depends=3D"openssh-client" >> makedepends=3D"pkgconfig fuse-dev glib-dev" >> -source=3D"http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fus= e-$pkgver.tar.gz" >> +source=3D"http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fus= e-$pkgver.tar.gz >> + $pkgname.setup >> + " >> =20 >> _builddir=3D"$srcdir"/sshfs-fuse-$pkgver >> build ()=20 >> diff --git a/main/sshfs/sshfs.post-install >> b/main/sshfs/sshfs.post-install new file mode 100644 >> index 0000000..852cdfa >> --- /dev/null >> +++ b/main/sshfs/sshfs.post-install >> @@ -0,0 +1,29 @@ >> +#!/bin/sh >> + >> +NORMAL=3D"\033[1;0m" >> +STRONG=3D"\033[1;1m" >> +GREEN=3D"\033[1;32m" >> + >> +print_strong() { >> + local prompt=3D"${STRONG}$1 ${GREEN}$2${NORMAL}" >> + printf "${prompt} %s" >> +} >> + >> +user_list=3D$(awk -F':' '{ if ( $3 >=3D 1000 && $1 !=3D "nobody" ) pr= int >> $1}' /etc/passwd) +group=3Dreadproc >> + >> +if [ -n "$user_list" ]; then >> + print_strong "\nAdd normal system users to group '$group'" >> "(to allow sshfs mounting) [y/N]:" >> + read answer >> + >> + case "$answer" in >> + y*|Y*) for user in $user_list; do >> + read -p "Add '$user' to Group >> '$group'?: [y/N] " answer >> + case "$answer" in >> + y*|Y*) addgroup $user >> readproc;; >> + esac >> + done;; >> + esac >> +fi >> +exit 0 >> + --------------050009050208050506010202 Content-Type: text/html; charset=windows-1252 Content-Transfer-Encoding: 8bit I thought apk's only had to build non interactively (which it does) - & under grsecurity in Alpine non root users can only read /proc if they have GID:30 (readproc). I didn't see how sshfs could be patched when /proc/mounts would need to be read.

There were some small errors in APKBUILD which I've now fixed.

Stuart.
On 02/06/2015 02:58 PM, Timo Teras wrote:
While I understand what it's trying to fix, and why you suggest this.
It is not correct on multiple levels:
- apk packages need to be installable non-interactively
- adding to readproc allows lots of other stuff
- the fix should be to:
  1) make sshfs not read those files, or not fail if they are not
  readable
  2) fix grsec proc permissions to allow it work

Do you know which files sshfs needs that are not readable for regular
user?

On Fri,  6 Feb 2015 14:28:59 +0000
Stuart Cardall <developer@it-offshore.co.uk> wrote:


Small post-install script giving the option to selectively add normal
users to group readproc so they can mount sshfs under grsecurity.
---
 main/sshfs/APKBUILD           |  4 +++-
 main/sshfs/sshfs.post-install | 29 +++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 main/sshfs/sshfs.post-install

diff --git a/main/sshfs/APKBUILD b/main/sshfs/APKBUILD
index 6b3c3b4..07897f6 100644
--- a/main/sshfs/APKBUILD
+++ b/main/sshfs/APKBUILD
@@ -8,7 +8,9 @@ arch="all"
 license="GPL"
 depends="openssh-client"
 makedepends="pkgconfig fuse-dev glib-dev"
-source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz"
+source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz
+	$pkgname.setup
+	"
 
 _builddir="$srcdir"/sshfs-fuse-$pkgver
 build () 
diff --git a/main/sshfs/sshfs.post-install
b/main/sshfs/sshfs.post-install new file mode 100644
index 0000000..852cdfa
--- /dev/null
+++ b/main/sshfs/sshfs.post-install
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+NORMAL="\033[1;0m"
+STRONG="\033[1;1m"
+GREEN="\033[1;32m"
+
+print_strong() {
+	local prompt="${STRONG}$1 ${GREEN}$2${NORMAL}"
+        printf "${prompt} %s"
+}
+
+user_list=$(awk -F':' '{ if ( $3 >= 1000 && $1 != "nobody" ) print
$1}' /etc/passwd) +group=readproc
+
+if [ -n "$user_list" ]; then
+	print_strong "\nAdd normal system users to group '$group'"
"(to allow sshfs mounting) [y/N]:"
+	read answer
+
+	case "$answer" in
+    		y*|Y*) for user in $user_list; do
+		       		read -p "Add '$user' to Group
'$group'?: [y/N] " answer
+		 		case "$answer" in
+		    		    y*|Y*) addgroup $user
readproc;;
+		 		esac
+	   	       done;;
+	esac
+fi
+exit 0
+


    

    

  


--------------050009050208050506010202--


---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---