I thought apks only had to build non-interactively (which it does) - &
under grsecurity in Alpine non-root users can only read /proc if they
have GID:30 (readproc). I didn't see how sshfs could be patched when
/proc/mounts would need to be read.

There were some small errors in APKBUILD which I've now fixed.

Stuart.

On 02/06/2015 02:58 PM, Timo Teras wrote:
> While I understand what it's trying to fix, and why you suggest this.
> It is not correct on multiple levels:
> - apk packages need to be installable non-interactively
> - adding to readproc allows lots of other stuff
> - the fix should be to:
>   1) make sshfs not read those files, or not fail if they are not
>      readable
>   2) fix grsec proc permissions to allow it to work
>
> Do you know which files sshfs needs that are not readable for a regular
> user?
>
> On Fri, 6 Feb 2015 14:28:59 +0000
> Stuart Cardall <developer@it-offshore.co.uk> wrote:
>
>> Small post-install script giving the option to selectively add normal>> users to group readproc so they can mount sshfs under grsecurity.>> --->> main/sshfs/APKBUILD | 4 +++->> main/sshfs/sshfs.post-install | 29 +++++++++++++++++++++++++++++>> 2 files changed, 32 insertions(+), 1 deletion(-)>> create mode 100644 main/sshfs/sshfs.post-install>>>> diff --git a/main/sshfs/APKBUILD b/main/sshfs/APKBUILD>> index 6b3c3b4..07897f6 100644>> --- a/main/sshfs/APKBUILD>> +++ b/main/sshfs/APKBUILD>> @@ -8,7 +8,9 @@ arch="all">> license="GPL">> depends="openssh-client">> makedepends="pkgconfig fuse-dev glib-dev">> -source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz">> +source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz>> + $pkgname.setup>> + ">> >> _builddir="$srcdir"/sshfs-fuse-$pkgver>> build () >> diff --git a/main/sshfs/sshfs.post-install>> b/main/sshfs/sshfs.post-install new file mode 100644>> index 0000000..852cdfa>> --- /dev/null>> +++ b/main/sshfs/sshfs.post-install>> 
@@ -0,0 +1,29 @@>> +#!/bin/sh>> +>> +NORMAL="\033[1;0m">> +STRONG="\033[1;1m">> +GREEN="\033[1;32m">> +>> +print_strong() {>> + local prompt="${STRONG}$1 ${GREEN}$2${NORMAL}">> + printf "${prompt} %s">> +}>> +>> +user_list=$(awk -F':' '{ if ( $3 >= 1000 && $1 != "nobody" ) print>> $1}' /etc/passwd) +group=readproc>> +>> +if [ -n "$user_list" ]; then>> + print_strong "\nAdd normal system users to group '$group'">> "(to allow sshfs mounting) [y/N]:">> + read answer>> +>> + case "$answer" in>> + y*|Y*) for user in $user_list; do>> + read -p "Add '$user' to Group>> '$group'?: [y/N] " answer>> + case "$answer" in>> + y*|Y*) addgroup $user>> readproc;;>> + esac>> + done;;>> + esac>> +fi>> +exit 0>> +

While I understand what it's trying to fix, and why you suggest this.
It is not correct on multiple levels:
- apk packages need to be installable non-interactively
- adding to readproc allows lots of other stuff
- the fix should be to:
  1) make sshfs not read those files, or not fail if they are not
     readable
  2) fix grsec proc permissions to allow it to work

Do you know which files sshfs needs that are not readable for a regular
user?

On Fri, 6 Feb 2015 14:28:59 +0000
Stuart Cardall <developer@it-offshore.co.uk> wrote:
> Small post-install script giving the option to selectively add normal> users to group readproc so they can mount sshfs under grsecurity.> ---> main/sshfs/APKBUILD | 4 +++-> main/sshfs/sshfs.post-install | 29 +++++++++++++++++++++++++++++> 2 files changed, 32 insertions(+), 1 deletion(-)> create mode 100644 main/sshfs/sshfs.post-install> > diff --git a/main/sshfs/APKBUILD b/main/sshfs/APKBUILD> index 6b3c3b4..07897f6 100644> --- a/main/sshfs/APKBUILD> +++ b/main/sshfs/APKBUILD> @@ -8,7 +8,9 @@ arch="all"> license="GPL"> depends="openssh-client"> makedepends="pkgconfig fuse-dev glib-dev"> -source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz"> +source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz> + $pkgname.setup> + "> > _builddir="$srcdir"/sshfs-fuse-$pkgver> build () > diff --git a/main/sshfs/sshfs.post-install> b/main/sshfs/sshfs.post-install new file mode 100644> index 0000000..852cdfa> --- /dev/null> +++ b/main/sshfs/sshfs.post-install> @@ -0,0 +1,29 @@> +#!/bin/sh> +> +NORMAL="\033[1;0m"> +STRONG="\033[1;1m"> +GREEN="\033[1;32m"> +> +print_strong() {> + local prompt="${STRONG}$1 ${GREEN}$2${NORMAL}"> + printf "${prompt} %s"> +}> +> +user_list=$(awk -F':' '{ if ( $3 >= 1000 && $1 != "nobody" ) print> $1}' /etc/passwd) +group=readproc> +> +if [ -n "$user_list" ]; then> + print_strong "\nAdd normal system users to group '$group'"> "(to allow sshfs mounting) [y/N]:"> + read answer> +> + case "$answer" in> + y*|Y*) for user in $user_list; do> + read -p "Add '$user' to Group> '$group'?: [y/N] " answer> + case "$answer" in> + y*|Y*) addgroup $user> readproc;;> + esac> + done;;> + esac> +fi> +exit 0> +
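
Review bot: in the main/sshfs/APKBUILD hunk, the new `source=` entry `$pkgname.setup` does not match the file this patch creates (`main/sshfs/sshfs.post-install`), and no `sshfs.setup` is added anywhere in the diffstat. Install hooks are declared with `install=`, not `source=`, so the suggestion is to leave `source=` as it was and add `install="$pkgname.post-install"`.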
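
Review bot: the new main/sshfs/sshfs.post-install reads from stdin (`read answer`, then `read -p` inside the loop) while the package is being installed, so an unattended install either stalls waiting for input or silently skips the step. Since membership of readproc exposes more of /proc than sshfs needs, it would be safer for the hook to print a short notice and leave the `addgroup` call to the administrator for the specific accounts that need it. If the prompts stay, `addgroup $user readproc` should use the `$group` variable already defined and quote both arguments, and `printf "${prompt} %s"` should pass the prompt as an argument to a fixed format string; note also that `read -p` and `local` are not POSIX sh features.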