pkgsrc-Bugs archive
pkg/33222: wwwoffle daemon and root priviledges
>Number: 33222
>Category: pkg
>Synopsis: wwwoffle daemon and root priviledges
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Apr 08 21:15:00 +0000 2006
>Originator: cheusov%tut.by@localhost
>Release: NetBSD 3.0_STABLE
>Organization:
Best regards, Aleksey Cheusov.
>Environment:
System: NetBSD chen.chizhovka.net 3.0_STABLE NetBSD 3.0_STABLE (GENERIC) #2:
Sun Mar 12 12:49:58 GMT 2006
cheusov@chen:/usr/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
Hi all.
By default, the www/wwwoffle package provides the
wwwoffled daemon (a simple caching proxy),
which runs with root privileges. Also, its example config file
($PKG/share/examples/wwwoffle.conf)
binds the listening socket to all network interfaces.
With the following patch, 'wwwoffled' will run as daemon:daemon
by default instead of root:root.
Also, the default config file binds the socket to the 127.0.0.1 interface only.
I think this solution is more secure.
BTW, there is a minor fix in PLIST (see the gzip+tar invocation).
The owner and group of /var/wwwoffle directory with all subdirectories
are also changed to daemon:daemon.
I hope pkgsrc users will find these changes useful.
The following patch may be incomplete or even bad in some aspects
but I hope it is useful.
P.S.
It may be even better to run wwwoffle with
wwwoffle:wwwoffle priviledges instead of daemon:daemon.
>How-To-Repeat:
>Fix:
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/www/wwwoffle/Makefile,v
retrieving revision 1.60
diff -u -r1.60 Makefile
--- Makefile 29 Dec 2005 06:22:25 -0000 1.60
+++ Makefile 19 Mar 2006 09:23:37 -0000
@@ -14,17 +14,27 @@
USE_TOOLS+= gmake gzip
GNU_CONFIGURE= yes
+WWWOFFLE_USER= daemon
+WWWOFFLE_GROUP= daemon
+
CONFIGURE_ARGS+= --with-confdir=${PKG_SYSCONFDIR:Q}
CONFIGURE_ARGS+= --with-spooldir=${VARBASE}/wwwoffle
PKG_SYSCONFSUBDIR= wwwoffle
PLIST_SUBST+= GZIP_CMD=${GZIP_CMD:Q}
+PLIST_SUBST+= WWWOFFLE_USER=${WWWOFFLE_USER}
+PLIST_SUBST+= WWWOFFLE_GROUP=${WWWOFFLE_GROUP}
+
INSTALL_EXTRA_TMPL= ${PKGDIR}/INSTALL
RCD_SCRIPTS= wwwoffled
+BUILD_DEFS+= WWWOFFLE_USER WWWOFFLE_GROUP
+
BUILD_DEFS+= USE_INET6
+OWN_DIRS_PERMS= ${VARBASE}/wwwoffle ${WWWOFFLE_USER} ${WWWOFFLE_GROUP}
0755
+
post-build:
cd ${WRKSRC}/cache/search/htdig/scripts; \
for f in wwwoffle-ht*; do \
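Review bot: `WWWOFFLE_USER= daemon` and `WWWOFFLE_GROUP= daemon` are assigned unconditionally, yet both names are added to `BUILD_DEFS`, which suggests they are meant to be site-settable; `WWWOFFLE_USER?= daemon` and `WWWOFFLE_GROUP?= daemon` would let an administrator choose the account. Running under the shared `daemon` account also means a compromise of the proxy reaches every other file and process owned by `daemon`; a dedicated account (the wwwoffle:wwwoffle idea from the report) registered through `PKG_USERS`/`PKG_GROUPS` would isolate it better. The two new `PLIST_SUBST` lines pass their values unquoted, unlike the `GZIP_CMD=${GZIP_CMD:Q}` line just above them.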
@@ -42,12 +52,21 @@
${MKDIR} ${VARBASE}/wwwoffle/prevtime1
post-install:
- if [ -f ${PKG_SYSCONFDIR}/wwwoffle.conf.install ]; then \
- ${CP} -p ${PKG_SYSCONFDIR}/wwwoffle.conf.install \
- ${PREFIX}/share/examples/wwwoffle.conf; \
- elif [ -f ${PKG_SYSCONFDIR}/wwwoffle.conf ]; then \
- ${CP} -p ${PKG_SYSCONFDIR}/wwwoffle.conf \
- ${PREFIX}/share/examples/wwwoffle.conf; \
+ c1=${PKG_SYSCONFDIR}/wwwoffle.conf; \
+ c2=${PKG_SYSCONFDIR}/wwwoffle.conf.install; \
+ e=${PREFIX}/share/examples/wwwoffle.conf; \
+ if [ -f $$c2 ]; then \
+ ${CP} -p $$c2 $$e; \
+ ${SED} -e 's/WWWOFFLE_USER/${WWWOFFLE_USER}/' \
+ -e 's/WWWOFFLE_GROUP/${WWWOFFLE_GROUP}/' \
+ < $$e > $$c2; \
+ ${CAT} < $$c2 > $$e; \
+ elif [ -f $$c1 ]; then \
+ ${CP} -p $$c1 $$e; \
+ ${SED} -e 's/WWWOFFLE_USER/${WWWOFFLE_USER}/' \
+ -e 's/WWWOFFLE_GROUP/${WWWOFFLE_GROUP}/' \
+ < $$e > $$c1; \
+ ${CAT} < $$c1 > $$e; \
fi
${INSTALL_PROGRAM} ${WRKSRC}/src/convert-cache \
${PREFIX}/sbin/wwwoffle-convert-cache
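Review bot: Both branches redirect the `${SED}` output into the file under `${PKG_SYSCONFDIR}` (`< $$e > $$c2` and `< $$e > $$c1`), so the recipe truncates and rewrites a configuration file in place, and because the steps are joined with `;` a failing `${SED}` leaves that file, and then the example copy, empty. In the `elif` branch the rewritten file is `wwwoffle.conf` itself, which may be an administrator's edited configuration (inferred; the hunk does not show how the file got there). Substituting the two placeholders in `conf/wwwoffle.conf.template` inside the work directory before installation would avoid touching installed files at all. If the in-place form stays, chain the three steps with `&&` instead of `;` and double-quote `$$c1`, `$$c2` and `$$e`. The `post-install` body continues past the end of the hunk.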
@@ -57,6 +76,8 @@
${PREFIX}/sbin/wwwoffle-upgrade-config.pl
${INSTALL_SCRIPT} ${WRKSRC}/conf/upgrade-config-2.x-2.5.pl \
${PREFIX}/sbin/wwwoffle-upgrade-config-2.x-2.5.pl
+ ${CHOWN} -R ${WWWOFFLE_USER} ${VARBASE}/wwwoffle && \
+ ${CHGRP} -R ${WWWOFFLE_GROUP} ${VARBASE}/wwwoffle
# Directories other than html and search are automatically created at run time
${TAR} cCf / - var/wwwoffle/html var/wwwoffle/search | ${GZIP_CMD} -9 \
> ${PREFIX}/libdata/wwwoffle-spool.tar.gz
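Review bot: `${CHOWN} -R` and `${CHGRP} -R` run as root over the whole of `${VARBASE}/wwwoffle`, a tree the unprivileged account can write to once the daemon has run, so on a reinstall or upgrade root re-walks content it does not control; the same applies to the two `@exec` lines added to PLIST. Restricting the call to the directories this target has just populated, `${CHOWN} -R ${WWWOFFLE_USER}:${WWWOFFLE_GROUP} ${VARBASE}/wwwoffle/html ${VARBASE}/wwwoffle/search`, and leaving the top-level directory to the `OWN_DIRS_PERMS` entry added earlier in this patch, narrows the walk. The placement before the `${TAR}` line looks deliberate, so that the archived spool carries the new ownership; a comment saying so would help, e.g. `# chown before archiving so the spool tarball records the daemon's ownership`.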
@@ -73,6 +94,7 @@
@${ECHO} ==+===+===+===+===+===+===+===+===+===+===+===+===+===+===+=
@${ECHO}
+
# We don't do the following automatically, as that would inconvenience
# package build machines, not to mention putting the wrong information
# into the "wwwoffle.pac" files.
Index: PLIST
===================================================================
RCS file: /cvsroot/pkgsrc/www/wwwoffle/PLIST,v
retrieving revision 1.12
diff -u -r1.12 PLIST
--- PLIST 1 Nov 2005 12:22:24 -0000 1.12
+++ PLIST 19 Mar 2006 09:23:37 -0000
@@ -69,7 +69,9 @@
@dirrm share/doc/wwwoffle/es
@dirrm share/doc/wwwoffle/de
@dirrm share/doc/wwwoffle
-@exec gzip -d -c %D/libdata/wwwoffle-spool.tar.gz | tar xzCf /
+@exec gzip -d -c %D/libdata/wwwoffle-spool.tar.gz | tar xCf / -
+@exec ${CHOWN} -R ${WWWOFFLE_USER} /var/wwwoffle
+@exec ${CHGRP} -R ${WWWOFFLE_GROUP} /var/wwwoffle
@unexec cd /var/wwwoffle && ${RM} -rf html* search*
@unexec ${RMDIR} /var/wwwoffle/* 2>/dev/null && ${RMDIR} /var/wwwoffle
2>/dev/null || ${TRUE}
@unexec if [ -d /var/wwwoffle ]; then echo "If you won't use the WWWOFFLE
package anymore, remove the cache manually by"; echo ' rm -rf
/var/wwwoffle'; fi
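Review bot: The two new `@exec` lines hard-code `/var/wwwoffle`, while the Makefile side of this patch uses `${VARBASE}/wwwoffle` for `OWN_DIRS_PERMS`, the `${CHOWN}` call and `--with-spooldir`. With a non-default `VARBASE` the ownership change would land on a different directory than the daemon's spool, and the daemon, now unprivileged, might be unable to write its cache (inferred; the surrounding `@exec`/`@unexec` lines already hard-code `/var`). Passing `VARBASE` through `PLIST_SUBST` and writing `@exec ${CHOWN} -R ${WWWOFFLE_USER} ${VARBASE}/wwwoffle` would keep the two sides in step.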
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/www/wwwoffle/distinfo,v
retrieving revision 1.22
diff -u -r1.22 distinfo
--- distinfo 7 May 2005 11:02:48 -0000 1.22
+++ distinfo 19 Mar 2006 09:23:37 -0000
@@ -4,3 +4,4 @@
RMD160 (wwwoffle-2.8e.tgz) = a9243f0c2aab2c735ce355ee81d3a802e8d797dc
Size (wwwoffle-2.8e.tgz) = 1015694 bytes
SHA1 (patch-aa) = 897de385a47826e16a8a09b1bc1c207a2d350f94
+SHA1 (patch-ab) = 46be9f8911cccb10afd1b9ed256c32d9aecffe16
Index: patches/patch-ab
===================================================================
RCS file: patches/patch-ab
diff -N patches/patch-ab
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-ab 19 Mar 2006 09:23:37 -0000
@@ -0,0 +1,22 @@
+--- conf/wwwoffle.conf.template.orig 2005-01-29 15:47:53.000000000 +0000
++++ conf/wwwoffle.conf.template 2006-03-13 01:21:40.000000000 +0000
+@@ -116,7 +116,7 @@
+
+ StartUp
+ {
+- bind-ipv4 = 0.0.0.0
++ bind-ipv4 = 127.0.0.1
+ #bind-ipv6 = ::
+
+ http-port = 8080
+@@ -124,8 +124,8 @@
+
+ spool-dir = SPOOLDIR
+
+-#run-uid = daemon
+-#run-gid = daemon
++ run-uid = WWWOFFLE_USER
++ run-gid = WWWOFFLE_GROUP
+
+ use-syslog = yes
+
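Review bot: The commented-out `#bind-ipv6 = ::` line is left unchanged, so an administrator who enables IPv6 by uncommenting it gets a listener on all interfaces again, which undoes the loopback-only default this patch sets for IPv4. Changing the example to `#bind-ipv6 = ::1` would keep the two address families consistent. A short comment above `bind-ipv4 = 127.0.0.1` stating that the package deliberately listens on loopback only, and that widening it should be paired with host access restrictions, would help whoever edits the file later.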