[alpine-aports] [PATCH] main/openntpd: fixes privilege separation defaults

systmkor
Message ID: <1440703097-6498-1-git-send-email-systmkor@gmail.com>
Sender timestamp: 1440703097
DKIM signature: missing
Patch: +8 -7

 - compiles default privilege separation user as ntp instead of _ntp
 - creates required chroot directory /var/empty
---
 main/openntpd/APKBUILD | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/main/openntpd/APKBUILD b/main/openntpd/APKBUILD
index d2de528..9886012 100644
--- a/main/openntpd/APKBUILD
+++ b/main/openntpd/APKBUILD
@@ -4,14 +4,14 @@ pkgver=5.7_p4
 _myver=${pkgver/_/}
 pkgrel=0
 pkgdesc="Lightweight NTP server ported from OpenBSD"
-url=http://www.openntpd.org/
+url="http://www.openntpd.org/"
 install="$pkgname.pre-install $pkgname.pre-upgrade $pkgname.post-upgrade"
 
 subpackages="openntpd-doc"
-depends=
+depends=""
 makedepends="openssl-dev linux-headers bsd-compat-headers"
 arch="all"
-license=BSD
+license="BSD"
 source="
 	http://ftp.openbsd.org/pub/OpenBSD/OpenNTPD/openntpd-$_myver.tar.gz
 	openntpd.confd
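Review bot: pkgrel=0 in the context lines of this hunk is left unchanged, although the patch changes a configure flag and the set of files the package installs. Raise pkgrel so that systems with the current build installed pick up the rebuilt package.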
@@ -29,7 +29,6 @@ prepare() {
 		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
 		esac
 	done
-	sed -i '/NTPD_USER/s:_ntp:ntp:' src/ntpd.h || return 1
 }
 
 build() {
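Review bot: removing the sed on src/ntpd.h from prepare() makes --with-privsep-user=ntp in build() the only thing that sets the user, and autoconf-generated configure scripts only warn about unrecognized --with options instead of failing. Check the configure output of this release for an unrecognized-option warning before dropping the sed, otherwise the daemon is built with the _ntp default the commit message refers to.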
@@ -41,15 +40,17 @@ build() {
 		--localstatedir=/var \
 		--mandir=/usr/share/man \
 		--sysconfdir=/etc \
+		--with-privsep-user=ntp \
 		|| return 1
 	make || return 1
 }
 
 package() {
 	cd "$_builddir"
-	make install DESTDIR="$pkgdir"
-	install -Dm755 ../openntpd.initd "$pkgdir/etc/init.d/$pkgname"
-	install -Dm644 ../openntpd.confd "$pkgdir/etc/conf.d/$pkgname"
+	make install DESTDIR="$pkgdir" || return 1
+	mkdir -p "$pkgdir"/var/empty || return 1
+	install -Dm755 "$srcdir"/openntpd.initd "$pkgdir"/etc/init.d/"$pkgname" || return 1
+	install -Dm644 "$srcdir"/openntpd.confd "$pkgdir"/etc/conf.d/"$pkgname" || return 1
 }
 
 md5sums="9d818a143fbc5d830203fa2f4b4c6a2a  openntpd-5.7p4.tar.gz
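Review bot: mkdir -p "$pkgdir"/var/empty in package() takes its mode from the build umask. The commit message describes this directory as the chroot for the privilege-separated process, so set the mode explicitly, for example install -d -m755 "$pkgdir"/var/empty, so that it is never packaged group- or world-writable.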
-- 
2.4.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Sören Tempel
Message ID: <20150829101544.GA25793@francium.lan>
In-Reply-To: <1440703097-6498-1-git-send-email-systmkor@gmail.com>
Sender timestamp: 1440843344
DKIM signature: missing

On 27.08.15, systmkor wrote:
>  package() {
>  	cd "$_builddir"
> -	make install DESTDIR="$pkgdir"
> -	install -Dm755 ../openntpd.initd "$pkgdir/etc/init.d/$pkgname"
> -	install -Dm644 ../openntpd.confd "$pkgdir/etc/conf.d/$pkgname"
> +	make install DESTDIR="$pkgdir" || return 1
> +	mkdir -p "$pkgdir"/var/empty || return 1
> +	install -Dm755 "$srcdir"/openntpd.initd "$pkgdir"/etc/init.d/"$pkgname" || return 1
> +	install -Dm644 "$srcdir"/openntpd.confd "$pkgdir"/etc/conf.d/"$pkgname" || return 1
>  }
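Review bot: the two install lines change their source from ../ to "$srcdir" and every command in package() gains || return 1, neither of which appears in the commit message's list of changes. Mention them there, or move them to a separate cleanup commit so the /var/empty change can be judged on its own.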

This would make the OpenNTPD package the owner of /var/empty. I don't
think that this is a good idea.

Sören.


---
Orion Miller
Message ID: <CAPQg+vpb+SxOp-gpBsvS_dnmU7TEcj7svie2-cW612Sw9wGXLA@mail.gmail.com>
In-Reply-To: <20150829101544.GA25793@francium.lan>
Sender timestamp: 1440880650
DKIM signature: missing

On Sat, 29 Aug 2015 12:15:44 +0200
Sören Tempel <soeren@soeren-tempel.net> wrote:
> This would make the OpenNTPD package the owner of /var/empty. I don't
> think that this is a good idea.

Okay, so what are you saying? Because I thought I wrote what you
suggested in the last patch. And now you are suggesting to do what you
said I should do last time. [1]

If you look at the OpenSSH APKBUILD file it creates /var/empty in its
package function. So I'm not sure what you are actually suggesting.

# References

[1] Last Patch Discussion
On Thu, 27 Aug 2015 10:48:02 -0700
Orion Miller <systmkor@gmail.com> wrote:
> > The OpenSSH aports creates the /var/empty directory in its OpenRC
> > services[1], maybe it would be a good idea to do that here as well
> > for the sake of consistency?
>
> I thought if I did that it would cause a package ownership
> contention over that specific file (i.e. a directory). I'll try it. :D

-- 
keybase.io/systmkor


---
Sören Tempel
Message ID: <20150903091752.GA3122@calcium.lan>
In-Reply-To: <CAPQg+vpb+SxOp-gpBsvS_dnmU7TEcj7svie2-cW612Sw9wGXLA@mail.gmail.com>
Sender timestamp: 1441271872
DKIM signature: missing

On 29.08.15, Orion Miller wrote:
> Okay, so what are you saying? Because I thought I wrote what you
> suggested in the last patch. And now you are suggesting to do what you
> said I should do last time. [1]

No, I suggested to create that directory in the OpenRC service not in
the package function. Did you even read your own reference?

On 29.08.15, Orion Miller wrote:
> If you look at the OpenSSH APKBUILD file it creates /var/empty in its
> package function. So I'm not sure what you are actually suggesting.

Turns out: OpenSSH creates /var/empty in the package function and it
creates it again in the OpenRC service:

See:
  - http://git.alpinelinux.org/cgit/aports/tree/main/openssh/sshd.initd#n39
  - http://git.alpinelinux.org/cgit/aports/tree/main/openssh/APKBUILD#n75

I personally believe that this is a fault in the OpenSSH aport. Still
the question remains what the best way to create that directory is…I
personally dislike the creation of /var/empty in the package() function.
Maybe we should simply create that in alpine-baselayout?


---
Natanael Copa
Message ID: <20150905131551.5453121d@ncopa-laptop>
In-Reply-To: <20150903091752.GA3122@calcium.lan>
Sender timestamp: 1441451751
DKIM signature: missing

On Thu, 3 Sep 2015 11:17:52 +0200
Sören Tempel <soeren@soeren-tempel.net> wrote:

> On 29.08.15, Orion Miller wrote:
> > Okay, so what are you saying? Because I thought I wrote what you
> > suggested in the last patch. And now you are suggesting to do what you
> > said I should do last time. [1]
> 
> No, I suggested to create that directory in the OpenRC service not in
> the package function. Did you even read your own reference?
> 
> On 29.08.15, Orion Miller wrote:
> > If you look at the OpenSSH APKBUILD file it creates /var/empty in its
> > package function. So I'm not sure what you are actually suggesting.
> 
> Turns out: OpenSSH creates /var/empty in the package function and it
> creates it again in the OpenRC service:
> 
> See:
>   - http://git.alpinelinux.org/cgit/aports/tree/main/openssh/sshd.initd#n39
>   - http://git.alpinelinux.org/cgit/aports/tree/main/openssh/APKBUILD#n75
> 
> I personally believe that this is a fault in the OpenSSH aport. Still
> the question remains what the best way to create that directory is…I
> personally dislike the creation of /var/empty in the package() function.

I think it is perfectly fine that packages that use a directory
create it.

> Maybe we should simply create that in alpine-baselayout?

I think we should and I just did.

Thanks!

-nc


---
Orion
Message ID: <D6512FBA-34D2-4D9C-9C6A-9A9E211B9C4C@gmail.com>
In-Reply-To: <20150905131551.5453121d@ncopa-laptop>
Sender timestamp: 1441501614
DKIM signature: missing

Thank you both. Sorry Sören for the miscommunication.

For me this raises a question about package management. Should packages possibly have files that they require/depend on but don't necessarily need to own? The /var/empty directory between OpenSSH and OpenNTPD I think is a good example.

What are your thoughts? Should we continue this in alpine-devel?
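
Whichever package ends up shipping /var/empty, the state of the directory on an installed system can be audited directly. The following is an added example, not code from this thread or from aports; the function name check_privsep_dir and its three checks (root-owned, not group- or world-writable, empty) are assumptions about what a privilege-separation chroot directory should look like.

```sh
#!/bin/sh
# Added example (not from aports): audit a privsep chroot directory.
# Usage: check_privsep_dir DIR [OWNER_UID]; returns 0 only if every check passes.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}   # assumption: root (uid 0) should own the directory
    rc=0

    # A symlink could point the chroot somewhere else, so reject it too.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing or not a real directory"
        return 1
    fi

    # stat -c is understood by both GNU coreutils and BusyBox.
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $uid, expected $want_uid"
        rc=1
    fi

    # 022 masks the group-write and other-write bits of the octal mode.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir has mode $mode (group- or world-writable)"
        rc=1
    fi

    # The chrooted process should find nothing to read or execute.
    if [ -n "$(ls -A "$dir")" ]; then
        echo "FAIL: $dir is not empty"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir (uid $uid, mode $mode)"
    fi
    return "$rc"
}

# Typical call on an installed system: check_privsep_dir /var/empty
```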
