Patches for aports can be sent to this list


[alpine-aports] [PATCH] main/sshfs: post-install

Stuart Cardall
Message ID: <1423232939-499-1-git-send-email-developer@it-offshore.co.uk>
Sender timestamp: 1423232939
DKIM signature: missing
Patch: +32 -1

Small post-install script giving the option to selectively add normal
users to group readproc so they can mount sshfs under grsecurity.
---
 main/sshfs/APKBUILD           |  4 +++-
 main/sshfs/sshfs.post-install | 29 +++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 main/sshfs/sshfs.post-install

diff --git a/main/sshfs/APKBUILD b/main/sshfs/APKBUILD
index 6b3c3b4..07897f6 100644
--- a/main/sshfs/APKBUILD
+++ b/main/sshfs/APKBUILD
@@ -8,7 +8,9 @@ arch="all"
 license="GPL"
 depends="openssh-client"
 makedepends="pkgconfig fuse-dev glib-dev"
-source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz"
+source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz
+	$pkgname.setup
+	"
 
 _builddir="$srcdir"/sshfs-fuse-$pkgver
 build () 
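Review bot: the added source entry `$pkgname.setup` does not match the file this patch creates, `main/sshfs/sshfs.post-install`, so the source list points at a file that is not part of the change. Install scripts are declared with `install="$pkgname.post-install"` rather than listed in `source=`; suggest reverting the `source=` edit and adding that line instead.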
diff --git a/main/sshfs/sshfs.post-install b/main/sshfs/sshfs.post-install
new file mode 100644
index 0000000..852cdfa
--- /dev/null
+++ b/main/sshfs/sshfs.post-install
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+NORMAL="\033[1;0m"
+STRONG="\033[1;1m"
+GREEN="\033[1;32m"
+
+print_strong() {
+	local prompt="${STRONG}$1 ${GREEN}$2${NORMAL}"
+        printf "${prompt} %s"
+}
+
+user_list=$(awk -F':' '{ if ( $3 >= 1000 && $1 != "nobody" ) print $1}' /etc/passwd)
+group=readproc
+
+if [ -n "$user_list" ]; then
+	print_strong "\nAdd normal system users to group '$group'" "(to allow sshfs mounting) [y/N]:"
+	read answer
+
+	case "$answer" in
+    		y*|Y*) for user in $user_list; do
+		       		read -p "Add '$user' to Group '$group'?: [y/N] " answer
+		 		case "$answer" in
+		    		    y*|Y*) addgroup $user readproc;;
+		 		esac
+	   	       done;;
+	esac
+fi
+exit 0
+
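Review bot: the two prompts (`read answer` and `read -p "Add '$user' to Group '$group'?: [y/N] " answer`) make this post-install script depend on someone answering at a terminal, which an unattended install cannot provide. A package script should take no input; since both prompts default to N anyway, the group change is better left to the administrator as a documented manual step. Note also that `read -p` and `local` are not POSIX although the script declares `#!/bin/sh`.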
-- 
2.2.2



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
IT Developer
Message ID: <54D4EE71.8010107@it-offshore.co.uk>
In-Reply-To: <20150206165852.58a695d7@vostro>
Sender timestamp: 1423240817
DKIM signature: missing

I thought apks only had to build non-interactively (which it does) - and
under grsecurity in Alpine non-root users can only read /proc if they
have GID:30 (readproc). I didn't see how sshfs could be patched when
/proc/mounts would need to be read.

There were some small errors in APKBUILD which I've now fixed.

Stuart.

On 02/06/2015 02:58 PM, Timo Teras wrote:
> While I understand what it's trying to fix, and why you suggest this,
> it is not correct on multiple levels:
> - apk packages need to be installable non-interactively
> - adding to readproc allows lots of other stuff
> - the fix should be to:
>   1) make sshfs not read those files, or not fail if they are not
>   readable
>   2) fix grsec proc permissions to allow it to work
>
> Do you know which files sshfs needs that are not readable for a regular
> user?
>
> On Fri,  6 Feb 2015 14:28:59 +0000
> Stuart Cardall <developer@it-offshore.co.uk> wrote:
>
>> Small post-install script giving the option to selectively add normal
>> users to group readproc so they can mount sshfs under grsecurity.
>> ---
>>  main/sshfs/APKBUILD           |  4 +++-
>>  main/sshfs/sshfs.post-install | 29 +++++++++++++++++++++++++++++
>>  2 files changed, 32 insertions(+), 1 deletion(-)
>>  create mode 100644 main/sshfs/sshfs.post-install
>>
>> diff --git a/main/sshfs/APKBUILD b/main/sshfs/APKBUILD
>> index 6b3c3b4..07897f6 100644
>> --- a/main/sshfs/APKBUILD
>> +++ b/main/sshfs/APKBUILD
>> @@ -8,7 +8,9 @@ arch="all"
>>  license="GPL"
>>  depends="openssh-client"
>>  makedepends="pkgconfig fuse-dev glib-dev"
>> -source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz"
>> +source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz
>> +	$pkgname.setup
>> +	"
>>  
>>  _builddir="$srcdir"/sshfs-fuse-$pkgver
>>  build () 
>> diff --git a/main/sshfs/sshfs.post-install
>> b/main/sshfs/sshfs.post-install new file mode 100644
>> index 0000000..852cdfa
>> --- /dev/null
>> +++ b/main/sshfs/sshfs.post-install
>> @@ -0,0 +1,29 @@
>> +#!/bin/sh
>> +
>> +NORMAL="\033[1;0m"
>> +STRONG="\033[1;1m"
>> +GREEN="\033[1;32m"
>> +
>> +print_strong() {
>> +	local prompt="${STRONG}$1 ${GREEN}$2${NORMAL}"
>> +        printf "${prompt} %s"
>> +}
>> +
>> +user_list=$(awk -F':' '{ if ( $3 >= 1000 && $1 != "nobody" ) print
>> $1}' /etc/passwd) +group=readproc
>> +
>> +if [ -n "$user_list" ]; then
>> +	print_strong "\nAdd normal system users to group '$group'"
>> "(to allow sshfs mounting) [y/N]:"
>> +	read answer
>> +
>> +	case "$answer" in
>> +    		y*|Y*) for user in $user_list; do
>> +		       		read -p "Add '$user' to Group
>> '$group'?: [y/N] " answer
>> +		 		case "$answer" in
>> +		    		    y*|Y*) addgroup $user
>> readproc;;
>> +		 		esac
>> +	   	       done;;
>> +	esac
>> +fi
>> +exit 0
>> +
Timo Teras
Message ID: <20150206165852.58a695d7@vostro>
In-Reply-To: <1423232939-499-1-git-send-email-developer@it-offshore.co.uk>
Sender timestamp: 1423234732
DKIM signature: missing

While I understand what it's trying to fix, and why you suggest this,
it is not correct on multiple levels:
- apk packages need to be installable non-interactively
- adding to readproc allows lots of other stuff
- the fix should be to:
  1) make sshfs not read those files, or not fail if they are not
  readable
  2) fix grsec proc permissions to allow it to work

Do you know which files sshfs needs that are not readable for a regular
user?

On Fri,  6 Feb 2015 14:28:59 +0000
Stuart Cardall <developer@it-offshore.co.uk> wrote:

> Small post-install script giving the option to selectively add normal
> users to group readproc so they can mount sshfs under grsecurity.
> ---
>  main/sshfs/APKBUILD           |  4 +++-
>  main/sshfs/sshfs.post-install | 29 +++++++++++++++++++++++++++++
>  2 files changed, 32 insertions(+), 1 deletion(-)
>  create mode 100644 main/sshfs/sshfs.post-install
> 
> diff --git a/main/sshfs/APKBUILD b/main/sshfs/APKBUILD
> index 6b3c3b4..07897f6 100644
> --- a/main/sshfs/APKBUILD
> +++ b/main/sshfs/APKBUILD
> @@ -8,7 +8,9 @@ arch="all"
>  license="GPL"
>  depends="openssh-client"
>  makedepends="pkgconfig fuse-dev glib-dev"
> -source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz"
> +source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz
> +	$pkgname.setup
> +	"
>  
>  _builddir="$srcdir"/sshfs-fuse-$pkgver
>  build () 
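Review bot: the `source=` lines are the only APKBUILD change (they account for all of the diffstat's 3 insertions and 1 deletion), so pkgrel is not bumped and no checksum is added for the new source entry. A change to what the package installs needs a pkgrel bump so that existing installations pick it up.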
> diff --git a/main/sshfs/sshfs.post-install
> b/main/sshfs/sshfs.post-install new file mode 100644
> index 0000000..852cdfa
> --- /dev/null
> +++ b/main/sshfs/sshfs.post-install
> @@ -0,0 +1,29 @@
> +#!/bin/sh
> +
> +NORMAL="\033[1;0m"
> +STRONG="\033[1;1m"
> +GREEN="\033[1;32m"
> +
> +print_strong() {
> +	local prompt="${STRONG}$1 ${GREEN}$2${NORMAL}"
> +        printf "${prompt} %s"
> +}
> +
> +user_list=$(awk -F':' '{ if ( $3 >= 1000 && $1 != "nobody" ) print
> $1}' /etc/passwd) +group=readproc
> +
> +if [ -n "$user_list" ]; then
> +	print_strong "\nAdd normal system users to group '$group'"
> "(to allow sshfs mounting) [y/N]:"
> +	read answer
> +
> +	case "$answer" in
> +    		y*|Y*) for user in $user_list; do
> +		       		read -p "Add '$user' to Group
> '$group'?: [y/N] " answer
> +		 		case "$answer" in
> +		    		    y*|Y*) addgroup $user
> readproc;;
> +		 		esac
> +	   	       done;;
> +	esac
> +fi
> +exit 0
> +
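Review bot: in `print_strong`, `printf "${prompt} %s"` uses the message itself as the format string and leaves `%s` without an argument, so any `%` in the text would be interpreted as a conversion; `printf '%b ' "$prompt"` prints the same escapes safely. Also, `addgroup $user readproc` hardcodes the group although `group=readproc` is set above, and `$user` is unquoted; `addgroup "$user" "$group"` keeps the prompt and the action in sync.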



---
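One way to answer the question raised in the thread (which files are not readable for a regular user), as an added example that is not part of the original messages: a shell function that lists the /proc paths whose open failed in an strace log. The strace invocation in the comment and the sample trace are assumptions constructed for illustration, not output captured from sshfs.

```sh
#!/bin/sh
# Added example: report /proc paths that a traced program failed to open.
# Assumed capture, run as the unprivileged user (host and paths are placeholders):
#   strace -f -e trace=open,openat -o sshfs.trace sshfs host:/dir /mnt/point

# failed_proc_opens [FILE...]
# Reads strace output (files or stdin) and prints "ERRNO PATH" once for
# each distinct failed open()/openat() of a path under /proc.
failed_proc_opens() {
	awk '
	/open(at)?\(/ && / = -1 / {
		# The first double-quoted argument is the path.
		if (match($0, /"[^"]*"/) == 0) next
		path = substr($0, RSTART + 1, RLENGTH - 2)
		if (path !~ /^\/proc(\/|$)/) next
		# The errno name is the word after "= -1 ".
		errno = $0
		sub(/^.* = -1 /, "", errno)
		sub(/ .*$/, "", errno)
		key = errno " " path
		if (!(key in seen)) { seen[key] = 1; print key }
	}' "$@"
}

# Constructed sample trace for the demonstration (not real sshfs output).
sample_trace() {
	cat <<'EOF'
1234  open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234  open("/proc/mounts", O_RDONLY) = -1 EACCES (Permission denied)
1234  openat(AT_FDCWD, "/proc/mounts", O_RDONLY) = -1 EACCES (Permission denied)
1234  open("/home/user/.ssh/config", O_RDONLY) = -1 ENOENT (No such file or directory)
1235  open("/proc/self/maps", O_RDONLY) = 3
EOF
}

sample_trace | failed_proc_opens
```

Comparing the output for a user inside and outside the readproc group shows exactly which /proc reads the restriction blocks, which is the input needed for either fix proposed in the thread.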