~alpine/aports

main/sshfs: post-install v1 PROPOSED

Stuart Cardall: 1
 main/sshfs: post-install

 2 files changed, 32 insertions(+), 1 deletions(-)

I thought apks only had to build non-interactively (which it does), and
under grsecurity in Alpine non-root users can only read /proc if they
have GID:30 (readproc). I didn't see how sshfs could be patched when
/proc/mounts would need to be read.

There were some small errors in APKBUILD which I've now fixed.

Stuart.

On 02/06/2015 02:58 PM, Timo Teras wrote:

[alpine-aports] [PATCH] main/sshfs: post-install

Small post-install script giving the option to selectively add normal
users to group readproc so they can mount sshfs under grsecurity.
---
 main/sshfs/APKBUILD           |  4 +++-
 main/sshfs/sshfs.post-install | 29 +++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 main/sshfs/sshfs.post-install

diff --git a/main/sshfs/APKBUILD b/main/sshfs/APKBUILD
index 6b3c3b4..07897f6 100644
--- a/main/sshfs/APKBUILD
+++ b/main/sshfs/APKBUILD
@@ -8,7 +8,9 @@ arch="all"
license="GPL"
depends="openssh-client"
makedepends="pkgconfig fuse-dev glib-dev"
source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz"
source="http://downloads.sourceforge.net/sourceforge/fuse/sshfs-fuse-$pkgver.tar.gz
	$pkgname.setup
	"

_builddir="$srcdir"/sshfs-fuse-$pkgver
build () 
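Review bot: The new source entry names $pkgname.setup, but the file this patch creates is main/sshfs/sshfs.post-install, so the APKBUILD refers to a file the patch does not add. An install script is also not a source file: abuild picks it up from the install variable, so this should be install="$pkgname.post-install" with source left as the single tarball URL. If anything does stay in source, the checksum lines need updating in the same change, and this hunk does not touch them.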
diff --git a/main/sshfs/sshfs.post-install b/main/sshfs/sshfs.post-install
new file mode 100644
index 0000000..852cdfa
--- /dev/null
+++ b/main/sshfs/sshfs.post-install
@@ -0,0 +1,29 @@
#!/bin/sh

NORMAL="\033[1;0m"
STRONG="\033[1;1m"
GREEN="\033[1;32m"

print_strong() {
	local prompt="${STRONG}$1 ${GREEN}$2${NORMAL}"
        printf "${prompt} %s"
}

user_list=$(awk -F':' '{ if ( $3 >= 1000 && $1 != "nobody" ) print $1}' /etc/passwd)
group=readproc

if [ -n "$user_list" ]; then
	print_strong "\nAdd normal system users to group '$group'" "(to allow sshfs mounting) [y/N]:"
	read answer

	case "$answer" in
    		y*|Y*) for user in $user_list; do
		       		read -p "Add '$user' to Group '$group'?: [y/N] " answer
		 		case "$answer" in
		    		    y*|Y*) addgroup $user readproc;;
		 		esac
	   	       done;;
	esac
fi
exit 0
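Review bot: The two read calls (the bare "read answer" and the "read -p" inside the loop) make this post-install script interactive, while apk has to be able to install packages with no terminal attached. In that case the reads either block on whatever stdin happens to be or return empty, so the script is at best a silent no-op and the sshfs mount problem stays unsolved. Separately, "addgroup $user readproc" gives each selected account read access to all of /proc under grsecurity, which is much broader than what sshfs needs, and the patch adds no matching deinstall script, so the membership outlives the package. I would drop the script and either make sshfs tolerate an unreadable /proc/mounts or leave the group membership as a documented manual step for the administrator. Smaller points if any of this stays: "read -p" is not POSIX sh, print_strong uses its argument as the printf format string and adds a %s with no argument, and the inner addgroup hardcodes readproc instead of $group and leaves $user unquoted.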

-- 
2.2.2



---
While I understand what it's trying to fix, and why you suggest this,
it is not correct on multiple levels:
- apk packages need to be installable non-interactively
- adding to readproc allows lots of other stuff
- the fix should be to:
  1) make sshfs not read those files, or not fail if they are not
  readable
  2) fix grsec proc permissions to allow it to work

Do you know which files sshfs needs that are not readable for a regular
user?

On Fri,  6 Feb 2015 14:28:59 +0000
Stuart Cardall <developer@it-offshore.co.uk> wrote: