~alpine/aports

[alpine-aports] main/busybox: split package into core and suid subpackages v1 PROPOSED

Christian Kampka: 2
 main/busybox: split package into core and suid subpackages

 11 files changed, 88 insertions(+), 63 deletions(-)
> >
> > > The proposed patch splits the busybox package into two subpackages,
> > > busybox-core and busybox-suid. The core package contains everything
> > > that is currently included in the busybox package except for the
> > > bbsuid binary. This will be shipped via the busybox-suid package. The
> > > busybox package will be turned into a metapackage that pulls in
> > > busybox-core and busybox-suid, so for most use cases nothing will
> > > change except for those installations that desire it explicitly.
> >
> > I wonder if we somehow can solve this with totally 2 packages:
> >   busybox + busybox-suid
> > instead of totally 3:
> >   busybox-core + busybox-suid + busybox.
> >
> 
> I did not go for this option because it introduces a breaking change, but
> it is certainly desirable in the long run. Since 3.3 is now in freeze, it
> may be OK to possibly break dependencies here.
> 
> 
> 
> > We could for example add busybox-suid as a dependency to alpine-base,
> > or assume that busybox-suid is needed if some other package like openrc
> > is installed and have install_if="busybox=$pkgver openrc". I wonder
> > what happens then, if you "apk add !busybox-suid" to opt out?
> >
> 
> Having busybox-suid as a dependency to alpine-base is crucial,
If we can let alpine-base depend on busybox-suid then I think we will
be fine and can probably just drop the busybox-core package.
> but I think
> we need to take care of packages that really require it, eg. mkinitfs
> without suid could lead to really interesting problems.
How? The suid binaries are only:
        "/bin/mount",
        "/bin/ping",
        "/bin/ping6",
        "/bin/umount",
        "/usr/bin/crontab",
        "/usr/bin/passwd",
        "/usr/bin/su",
        "/usr/bin/traceroute",

mkinitfs needs to run as root already so it should not need to elevate any
privileges and thus should not need anything suid root.

I think the only things that may need suid are things like ping/ping6
(any scripts using ping?) and interactive use like su and passwd.

I don't think it is simple to find out which packages actually
need suid. Even the postgresql init.d script uses su, but I expect su to work
without suid in that case because it will reduce permissions from root
to user 'postgres'.
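
To check the state of the applets listed in the message above on an installed root once busybox-suid is optional, the following sketch classifies each path. It is an added example, not code from the thread or from aports; it assumes each listed path is a symlink to /bin/bbsuid or /bin/busybox, and the function names and state labels are made up here.

```shell
#!/bin/sh
# Added example: classify the suid applet paths named in the thread.
# Assumption: applets are symlinks to /bin/bbsuid (privileged) or
# /bin/busybox (unprivileged), as the triggers in the patch suggest.

BBSUID_APPLETS="/bin/mount /bin/ping /bin/ping6 /bin/umount
/usr/bin/crontab /usr/bin/passwd /usr/bin/su /usr/bin/traceroute"

# audit_bbsuid ROOT -> prints "<applet> <state>" for every listed applet
audit_bbsuid() {
	root=${1%/}
	for applet in $BBSUID_APPLETS; do
		p="$root$applet"
		if [ -L "$p" ]; then
			target=$(readlink "$p")
			case "$target" in
			/bin/bbsuid)
				# the link only grants privilege if the wrapper is setuid
				if [ -u "$root/bin/bbsuid" ]; then
					state=suid
				else
					state=broken   # wrapper missing or not setuid
				fi ;;
			/bin/busybox) state=unprivileged ;;
			*) state="other:$target" ;;
			esac
		elif [ -e "$p" ]; then
			# a real file, e.g. shipped by another package
			if [ -u "$p" ]; then state=suid-file; else state=file; fi
		else
			state=absent
		fi
		printf '%s %s\n' "$applet" "$state"
	done
}

# count_state ROOT STATE -> number of applets currently in STATE
count_state() {
	audit_bbsuid "$1" | awk -v s="$2" '$2 == s { n++ } END { print n + 0 }'
}
```

Running `audit_bbsuid /` after removing busybox-suid shows which applets are left as `broken` links and which fell back to `unprivileged`.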

Copy & paste the following snippet into your terminal to import this patchset into git:

curl -s https://lists.alpinelinux.org/~alpine/aports/patches/456/mbox | git am -3

[alpine-aports] [PATCH] main/busybox: split package into core and suid subpackages

---
 main/alpine-base/APKBUILD    |  2 +-
 main/busybox/APKBUILD        | 18 +++++++++++++-----
 main/busybox/busybox.trigger |  3 +--
 3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/main/alpine-base/APKBUILD b/main/alpine-base/APKBUILD
index 834d763..cb55dd3 100644
--- a/main/alpine-base/APKBUILD
+++ b/main/alpine-base/APKBUILD
@@ -7,7 +7,7 @@ pkgdesc="Meta package for minimal alpine base"
url="http://alpinelinux.org"
arch="noarch"
license="GPL"
depends="alpine-baselayout alpine-conf apk-tools busybox busybox-initscripts
depends="alpine-baselayout alpine-conf apk-tools busybox busybox-suid busybox-initscripts
	openrc libc-utils alpine-keys"
makedepends=""
install=""
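Review bot: The depends= line gains busybox-suid, but the diffstat for main/alpine-base/APKBUILD shows only that one line changing, so pkgrel is not bumped. Without a pkgrel bump the rebuilt alpine-base carries the same version as the one already installed, and existing systems will not pick up the new dependency on upgrade; they would get busybox pkgrel 10 without /bin/bbsuid. Please bump pkgrel in the same commit.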
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index c548540..bd0780d 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -2,15 +2,13 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=busybox
pkgver=1.23.2
pkgrel=9
pkgrel=10
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url=http://busybox.net
arch="all"
license="GPL2"
depends=
makedepends="linux-headers"
install="$pkgname.post-install $pkgname.post-upgrade"
subpackages="$pkgname-static"
subpackages="$pkgname-static $pkgname-suid"
options="suid"
triggers="busybox.trigger=/bin:/usr/bin:/sbin:/usr/sbin:/lib/modules/*"
source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
@@ -41,6 +39,7 @@ _sdir="$srcdir"/$pkgname-$pkgver
_staticdir="$srcdir"/build-static
_dyndir="$srcdir"/build-dynamic
_config="$srcdir"/busyboxconfig

prepare() {
	mkdir -p "$_staticdir" "$_dyndir"
	#patches
@@ -92,7 +91,6 @@ package() {
		"$pkgdir"/var/cache/misc "$pkgdir"/bin "$pkgdir"/sbin
	chmod 1777 "$pkgdir"/tmp
	install -m755 busybox "$pkgdir"/bin/busybox || return 1
	install -m4111 bbsuid "$pkgdir"/bin/bbsuid || return 1
	# we need /bin/sh to be able to execute post-install
	ln -s /bin/busybox "$pkgdir"/bin/sh

@@ -114,6 +112,16 @@ package() {
		"$pkgdir"/etc/udhcpd.conf || return 1
}

suid() {
	pkgdesc="suid binaries of Busybox"
	depends="${pkgname}"
	triggers="busybox-suid.trigger=/bin:/usr/bin:/sbin:/usr/sbin"

	cd "$_dyndir"
	mkdir -p "$subpkgdir"/bin
	install -m4111 bbsuid "$subpkgdir"/bin/bbsuid || return 1
}

static() {
	pkgdesc="Statically linked Busybox"
	mkdir -p "$subpkgdir"/bin
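Review bot: In suid(), triggers="busybox-suid.trigger=/bin:/usr/bin:/sbin:/usr/sbin" names a file that this patch does not add; the diffstat lists only alpine-base/APKBUILD, busybox/APKBUILD and busybox.trigger. Either include busybox-suid.trigger in the patch or drop the triggers= line, since busybox.trigger already runs /bin/bbsuid --install when the binary is present. The mkdir -p "$subpkgdir"/bin line in suid() also lacks the || return 1 that the install line below it uses.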
diff --git a/main/busybox/busybox.trigger b/main/busybox/busybox.trigger
index 39cc6b4..c9f9059 100644
--- a/main/busybox/busybox.trigger
+++ b/main/busybox/busybox.trigger
@@ -14,7 +14,6 @@ for i in "$@"; do
done

if [ -n "$do_bb_install" ]; then
	/bin/bbsuid --install
	[ -e /bin/bbsuid ] && /bin/bbsuid --install
	/bin/busybox --install -s
fi
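Review bot: The new guard [ -e /bin/bbsuid ] && /bin/bbsuid --install tests for existence, but the next step executes the file, so [ -x /bin/bbsuid ] states the intent more precisely. The guard covers the case where busybox-suid was never installed; nothing in this patch covers the case where busybox-suid is removed later, where links created by an earlier bbsuid --install would be left pointing at a missing /bin/bbsuid. A one-line comment above the guard saying that bbsuid is now optional would help the next reader.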

-- 
2.6.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---

[alpine-aports] [PATCH] main/busybox: split package into core and suid subpackages

---
 main/busybox/APKBUILD                  | 57 ++++++++++++++++++++++------------
 main/busybox/busybox-core.post-install |  4 +++
 main/busybox/busybox-core.post-upgrade | 11 +++++++
 main/busybox/busybox-core.trigger      | 18 +++++++++++
 main/busybox/busybox-suid.trigger      |  3 ++
 main/busybox/busybox.post-install      |  4 ---
 main/busybox/busybox.post-upgrade      | 11 -------
 main/busybox/busybox.trigger           | 20 ------------
 8 files changed, 73 insertions(+), 55 deletions(-)
 create mode 100644 main/busybox/busybox-core.post-install
 create mode 100644 main/busybox/busybox-core.post-upgrade
 create mode 100644 main/busybox/busybox-core.trigger
 create mode 100644 main/busybox/busybox-suid.trigger
 delete mode 100644 main/busybox/busybox.post-install
 delete mode 100644 main/busybox/busybox.post-upgrade
 delete mode 100644 main/busybox/busybox.trigger

diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index c548540..23d24d8 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -2,17 +2,15 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=busybox
pkgver=1.23.2
pkgrel=9
pkgrel=10
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url=http://busybox.net
arch="all"
license="GPL2"
depends=
depends="$pkgname-core $pkgname-suid"
makedepends="linux-headers"
install="$pkgname.post-install $pkgname.post-upgrade"
subpackages="$pkgname-static"
subpackages="$pkgname-static $pkgname-core $pkgname-suid"
options="suid"
triggers="busybox.trigger=/bin:/usr/bin:/sbin:/usr/sbin:/lib/modules/*"
source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
	bbsuid.c

@@ -41,6 +39,7 @@ _sdir="$srcdir"/$pkgname-$pkgver
_staticdir="$srcdir"/build-static
_dyndir="$srcdir"/build-dynamic
_config="$srcdir"/busyboxconfig

prepare() {
	mkdir -p "$_staticdir" "$_dyndir"
	#patches
@@ -87,31 +86,49 @@ build() {
}

package() {
	mkdir -p "$pkgdir" && return 0
}

core() {
	pkgdesc="Core utilities of Busybox"
	install="$pkgname-core.post-install $pkgname-core.post-upgrade"
	triggers="busybox-core.trigger=/bin:/usr/bin:/sbin:/usr/sbin:/lib/modules/*"
	depends=

	cd "$_dyndir"
	mkdir -p "$pkgdir"/usr/sbin "$pkgdir"/usr/bin "$pkgdir"/tmp \
		"$pkgdir"/var/cache/misc "$pkgdir"/bin "$pkgdir"/sbin
	chmod 1777 "$pkgdir"/tmp
	install -m755 busybox "$pkgdir"/bin/busybox || return 1
	install -m4111 bbsuid "$pkgdir"/bin/bbsuid || return 1
	mkdir -p "$subpkgdir"/usr/sbin "$subpkgdir"/usr/bin "$subpkgdir"/tmp \
		"$subpkgdir"/var/cache/misc "$subpkgdir"/bin "$subpkgdir"/sbin
	chmod 1777 "$subpkgdir"/tmp
	install -m755 busybox "$subpkgdir"/bin/busybox || return 1
	# we need /bin/sh to be able to execute post-install
	ln -s /bin/busybox "$pkgdir"/bin/sh
	ln -s /bin/busybox "$subpkgdir"/bin/sh

	#ifupdown needs those dirs to be present
	mkdir -p \
		"$pkgdir"/etc/network/if-down.d \
		"$pkgdir"/etc/network/if-post-down.d \
		"$pkgdir"/etc/network/if-post-up.d \
		"$pkgdir"/etc/network/if-pre-down.d \
		"$pkgdir"/etc/network/if-pre-up.d \
		"$pkgdir"/etc/network/if-up.d \
		"$subpkgdir"/etc/network/if-down.d \
		"$subpkgdir"/etc/network/if-post-down.d \
		"$subpkgdir"/etc/network/if-post-up.d \
		"$subpkgdir"/etc/network/if-pre-down.d \
		"$subpkgdir"/etc/network/if-pre-up.d \
		"$subpkgdir"/etc/network/if-up.d \
		|| return 1

	install -Dm644 "$srcdir"/acpid.logrotate \
		"$pkgdir/etc/logrotate.d/acpid" || return 1
		"$subpkgdir/etc/logrotate.d/acpid" || return 1

	mkdir -p "$pkgdir"/var/lib/udhcpd || return 1
	mkdir -p "$subpkgdir"/var/lib/udhcpd || return 1
	install -Dm644 "$_sdir"/examples/udhcp/udhcpd.conf \
		"$pkgdir"/etc/udhcpd.conf || return 1
		"$subpkgdir"/etc/udhcpd.conf || return 1
}

suid() {
	pkgdesc="suid binaries of Busybox"
	depends="${pkgname}-core"
	triggers="busybox-suid.trigger=/bin:/usr/bin:/sbin:/usr/sbin"

	cd "$_dyndir"
	mkdir -p "$subpkgdir"/bin
	install -m4111 bbsuid "$subpkgdir"/bin/bbsuid || return 1
}

static() {
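Review bot: package() is reduced to mkdir -p "$pkgdir" && return 0, which reads as if a failure were being ignored; every other step in this file uses || return 1, so mkdir -p "$pkgdir" || return 1 would be consistent and clearer. In the same hunk, core() and suid() run cd "$_dyndir" and mkdir -p without || return 1, so a failed cd would let the following install lines run in the wrong directory.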
diff --git a/main/busybox/busybox-core.post-install b/main/busybox/busybox-core.post-install
new file mode 100644
index 0000000..a986b2f
--- /dev/null
+++ b/main/busybox/busybox-core.post-install
@@ -0,0 +1,4 @@
#!/bin/sh

# We need the symlinks early
exec /bin/busybox --install -s
diff --git a/main/busybox/busybox-core.post-upgrade b/main/busybox/busybox-core.post-upgrade
new file mode 100644
index 0000000..268f22d
--- /dev/null
+++ b/main/busybox/busybox-core.post-upgrade
@@ -0,0 +1,11 @@
#!/bin/sh

# remove links that has been relocated
for link in /bin/install /bin/ip /bin/vi /usr/bin/lspci; do
	if [ -L "$link" ] && [ "$(readlink $link)" = "/bin/busybox" ]; then
		rm "$link"
	fi
done

# We need the symlinks early
exec /bin/busybox --install -s
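Review bot: In the loop, "$(readlink $link)" leaves $link unquoted inside the command substitution while the [ -L "$link" ] test beside it quotes it; write readlink "$link" for consistency. The blob id 268f22d is the same as the deleted busybox.post-upgrade, so this file is a pure rename; generating the patch with rename detection would make that visible and reduce the diff to the lines that actually change.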
diff --git a/main/busybox/busybox-core.trigger b/main/busybox/busybox-core.trigger
new file mode 100644
index 0000000..0572ade
--- /dev/null
+++ b/main/busybox/busybox-core.trigger
@@ -0,0 +1,18 @@
#!/bin/sh

do_bb_install=

for i in "$@"; do
	case "$i" in
		/lib/modules/*)
			if [ -d "$i" ]; then
				/bin/busybox depmod ${i#/lib/modules/}
			fi
			;;
		*) do_bb_install=yes;;
	esac
done

if [ -n "$do_bb_install" ]; then
	/bin/busybox --install -s
fi
diff --git a/main/busybox/busybox-suid.trigger b/main/busybox/busybox-suid.trigger
new file mode 100644
index 0000000..7520da3
--- /dev/null
+++ b/main/busybox/busybox-suid.trigger
@@ -0,0 +1,3 @@
#!/bin/sh

/bin/bbsuid --install
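Review bot: Moving /bin/bbsuid --install into its own trigger drops the ordering that the deleted busybox.trigger fixed, where bbsuid --install ran before busybox --install -s in one script. With busybox-core.trigger and busybox-suid.trigger both watching /bin:/usr/bin:/sbin:/usr/sbin, please confirm that the resulting links are the same whichever trigger runs first, and state that in the commit message. suid() also sets no install= script, so links to /bin/bbsuid would remain after busybox-suid is removed.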
diff --git a/main/busybox/busybox.post-install b/main/busybox/busybox.post-install
deleted file mode 100644
index a986b2f..0000000
--- a/main/busybox/busybox.post-install
@@ -1,4 +0,0 @@
#!/bin/sh

# We need the symlinks early
exec /bin/busybox --install -s
diff --git a/main/busybox/busybox.post-upgrade b/main/busybox/busybox.post-upgrade
deleted file mode 100644
index 268f22d..0000000
--- a/main/busybox/busybox.post-upgrade
@@ -1,11 +0,0 @@
#!/bin/sh

# remove links that has been relocated
for link in /bin/install /bin/ip /bin/vi /usr/bin/lspci; do
	if [ -L "$link" ] && [ "$(readlink $link)" = "/bin/busybox" ]; then
		rm "$link"
	fi
done

# We need the symlinks early
exec /bin/busybox --install -s
diff --git a/main/busybox/busybox.trigger b/main/busybox/busybox.trigger
deleted file mode 100644
index 39cc6b4..0000000
--- a/main/busybox/busybox.trigger
@@ -1,20 +0,0 @@
#!/bin/sh

do_bb_install=

for i in "$@"; do
	case "$i" in
		/lib/modules/*)
			if [ -d "$i" ]; then
				/bin/busybox depmod ${i#/lib/modules/}
			fi
			;;
		*) do_bb_install=yes;;
	esac
done

if [ -n "$do_bb_install" ]; then
	/bin/bbsuid --install
	/bin/busybox --install -s
fi

-- 
2.6.1


