
[alpine-aports] [PATCH] main/openntpd: fixes privilege separation defaults

systmkor
Message ID
<1440630224-14407-1-git-send-email-systmkor@gmail.com>
Sender timestamp
1440630224
 - compiles default privilege separation user as ntp instead of _ntp
 - creates required chroot directory /var/empty in .pre-install script
---
 main/openntpd/APKBUILD             | 3 ++-
 main/openntpd/openntpd.pre-install | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/main/openntpd/APKBUILD b/main/openntpd/APKBUILD
index d2de528..fd68e84 100644
--- a/main/openntpd/APKBUILD
+++ b/main/openntpd/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=openntpd
 pkgver=5.7_p4
 _myver=${pkgver/_/}
-pkgrel=0
+pkgrel=1
 pkgdesc="Lightweight NTP server ported from OpenBSD"
 url=http://www.openntpd.org/
 install="$pkgname.pre-install $pkgname.pre-upgrade $pkgname.post-upgrade"
@@ -41,6 +41,7 @@ build() {
 		--localstatedir=/var \
 		--mandir=/usr/share/man \
 		--sysconfdir=/etc \
+		--with-privsep-user=ntp \
 		|| return 1
 	make || return 1
 }
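Review bot: The account name in `--with-privsep-user=ntp` inside build() also has to match the user that openntpd.pre-install creates with `adduser ... -D ntp`, and nothing in the APKBUILD records that dependency. A one-line comment above the flag pointing at the pre-install script would keep a later rename of either side from leaving ntpd built for a user that does not exist.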
diff --git a/main/openntpd/openntpd.pre-install b/main/openntpd/openntpd.pre-install
index 0b2be06..36778a9 100644
--- a/main/openntpd/openntpd.pre-install
+++ b/main/openntpd/openntpd.pre-install
@@ -2,6 +2,7 @@
 
 # this user should be included in alpine-baselayout-1.2.
 # included here for backward compability.
+mkdir -p /var/empty
 adduser -H -h /var/empty -s /sbin/nologin -D ntp  2>/dev/null
 
 exit 0
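Review bot: `mkdir -p /var/empty` leaves the directory's owner and mode unchecked: a new directory gets whatever the umask allows, and an existing one is accepted as it is. Since the commit message describes this as the chroot directory, consider following the mkdir with `chown root:root /var/empty` and `chmod 755 /var/empty`. The `adduser` line also discards stderr and the script ends in `exit 0`, so a failure of either command goes unreported at install time.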
-- 
2.4.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Orion Miller
Message ID
<CAPQg+vqfu=hG_r5pLe6aFrVMSzPeUGt4zNHYWFswD1pi77MSWQ@mail.gmail.com>
In-Reply-To
<20150827092423.GA11801@francium.lan>
Sender timestamp
1440697682
> The prepare function still substitutes _ntp with ntp in src/ntpd.h. I
> am assuming that this is no longer necessary? If so then please
> remove the sed(1) invocation from the prepare function.

I'll try removing the sed call in the prepare function and verify that
OpenNTPD still works.

> The OpenSSH aports creates the /var/empty directory in its OpenRC
> services[1], maybe it would be a good idea to do that here as well for
> the sake of consistency?

I thought if I did that it would cause a package ownership
contention over that specific file (i.e. a directory). I'll try it. :D

-- 
keybase.io/systmkor


---
Sören Tempel
Message ID
<20150827092423.GA11801@francium.lan>
In-Reply-To
<1440630224-14407-1-git-send-email-systmkor@gmail.com>
Sender timestamp
1440667463
On 26.08.15, systmkor wrote:
>  - compiles default privilege separation user as ntp instead of _ntp
>  - creates required chroot directory /var/empty in .pre-install script
> ---
>  main/openntpd/APKBUILD             | 3 ++-
>  main/openntpd/openntpd.pre-install | 1 +
>  2 files changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/main/openntpd/APKBUILD b/main/openntpd/APKBUILD
> index d2de528..fd68e84 100644
> --- a/main/openntpd/APKBUILD
> +++ b/main/openntpd/APKBUILD
> @@ -2,7 +2,7 @@
>  pkgname=openntpd
>  pkgver=5.7_p4
>  _myver=${pkgver/_/}
> -pkgrel=0
> +pkgrel=1
>  pkgdesc="Lightweight NTP server ported from OpenBSD"
>  url=http://www.openntpd.org/
>  install="$pkgname.pre-install $pkgname.pre-upgrade $pkgname.post-upgrade"
> @@ -41,6 +41,7 @@ build() {
>  		--localstatedir=/var \
>  		--mandir=/usr/share/man \
>  		--sysconfdir=/etc \
> +		--with-privsep-user=ntp \
>  		|| return 1
>  	make || return 1
>  }
> diff --git a/main/openntpd/openntpd.pre-install b/main/openntpd/openntpd.pre-install

The prepare function still substitutes _ntp with ntp in src/ntpd.h. I am
assuming that this is no longer necessary? If so then please remove the
sed(1) invocation from the prepare function.

> index 0b2be06..36778a9 100644
> --- a/main/openntpd/openntpd.pre-install
> +++ b/main/openntpd/openntpd.pre-install
> @@ -2,6 +2,7 @@
>
>  # this user should be included in alpine-baselayout-1.2.
>  # included here for backward compability.
> +mkdir -p /var/empty
>  adduser -H -h /var/empty -s /sbin/nologin -D ntp  2>/dev/null
>
>  exit 0

The OpenSSH aports creates the /var/empty directory in its OpenRC
services[1], maybe it would be a good idea to do that here as well for
the sake of consistency?

[1]: http://git.alpinelinux.org/cgit/aports/tree/main/openssh/sshd.initd#n39

Sören.

