Date: Fri, 6 Feb 2015 16:58:52 +0200
From: Timo Teras
To: Stuart Cardall
Cc: alpine-aports@lists.alpinelinux.org
Subject: Re: [alpine-aports] [PATCH] main/sshfs: post-install

While I understand what it's trying to fix, and why you suggest this,
it is not correct on multiple levels:
- apk packages need to be installable non-interactively
- adding to readproc allows lots of other stuff
- the fix should be to:
  1) make sshfs not read those files, or not fail if they are not
     readable
  2) fix grsec proc permissions to allow it to work

Do you know which files sshfs needs that are not readable for a regular
user?

On Fri, 6 Feb 2015 14:28:59 +0000 Stuart Cardall wrote:

> Small post-install script giving the option to selectively add normal
> users to group readproc so they can mount sshfs under grsecurity.
> --- > main/sshfs/APKBUILD | 4 +++- > main/sshfs/sshfs.post-install | 29 +++++++++++++++++++++++++++++ > 2 files changed, 32 insertions(+), 1 deletion(-) > create mode 100644 main/sshfs/sshfs.post-install > > diff --git a/main/sshfs/APKBUILD b/main/sshfs/APKBUILD > index 6b3c3b4..07897f6 100644 > --- a/main/sshfs/APKBUILD > +++ b/main/sshfs/APKBUILD > @@ -8,7 +8,9 @@ arch="all" > license="GPL" > depends="openssh-client" > makedepends="pkgconfig fuse-dev glib-dev" > -source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz" > +source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz > + $pkgname.setup > + " > > _builddir="$srcdir"/sshfs-fuse-$pkgver > build ()
> diff --git a/main/sshfs/sshfs.post-install > b/main/sshfs/sshfs.post-install new file mode 100644 > index 0000000..852cdfa > --- /dev/null > +++ b/main/sshfs/sshfs.post-install > @@ -0,0 +1,29 @@ > +#!/bin/sh > + > +NORMAL="\033[1;0m" > +STRONG="\033[1;1m" > +GREEN="\033[1;32m" > + > +print_strong() { > + local prompt="${STRONG}$1 ${GREEN}$2${NORMAL}" > + printf "${prompt} %s" > +} > + > +user_list=$(awk -F':' '{ if ( $3 >= 1000 && $1 != "nobody" ) print > $1}' /etc/passwd) +group=readproc > + > +if [ -n "$user_list" ]; then > + print_strong "\nAdd normal system users to group '$group'" > "(to allow sshfs mounting) [y/N]:" > + read answer > + > + case "$answer" in > + y*|Y*) for user in $user_list; do > + read -p "Add '$user' to Group > '$group'?: [y/N] " answer > + case "$answer" in > + y*|Y*) addgroup $user > readproc;; > + esac > + done;; > + esac > +fi > +exit 0 > +
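
Review bot: In the main/sshfs/APKBUILD hunk, the new source entry is `$pkgname.setup`, but the file this patch creates is `sshfs.post-install`, so the source list points at a file the patch does not add and the new script is never referenced. Install scripts are declared through the `install=` variable, for example `install="$pkgname.post-install"`, rather than listed in `source=`. The hunk also shows no checksum or pkgrel change to go with the modified source list.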
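
Review bot: The `read answer` and `read -p` prompts in main/sshfs/sshfs.post-install make installation depend on a terminal, so an unattended `apk add` either blocks or takes whatever happens to be on stdin as the answer. Drop the prompts and leave group membership as a documented manual step for the administrator. If the script stays in any form: `printf "${prompt} %s"` uses a variable as the format string and supplies no argument for `%s`, `read -p` is not POSIX sh, and `addgroup $user readproc` should be `addgroup "$user" "$group"` so the variable defined earlier in the script is actually used. Membership in readproc is also broader than the single mount operation it is meant to enable, as the reply points out.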