From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 67AEC139085 for ; Wed, 28 Dec 2016 13:10:46 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 9522EE0CAE; Wed, 28 Dec 2016 13:10:45 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 6A245E0CAE for ; Wed, 28 Dec 2016 13:10:45 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 26E52341616 for ; Wed, 28 Dec 2016 13:10:44 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 61BAE4A0 for ; Wed, 28 Dec 2016 13:10:42 +0000 (UTC) 
From: "Slawek Lis" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Slawek Lis" Message-ID: <1482929951.2c174cb604c2c99f9d9e8ac4fab438d0aedf7ab1.slis@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: net-analyzer/suricata/files/suricata-3.2-conf net-analyzer/suricata/files/suricata-3.2-init net-analyzer/suricata/suricata-3.2-r1.ebuild X-VCS-Directories: net-analyzer/suricata/files/ net-analyzer/suricata/ X-VCS-Committer: slis X-VCS-Committer-Name: Slawek Lis X-VCS-Revision: 2c174cb604c2c99f9d9e8ac4fab438d0aedf7ab1 X-VCS-Branch: master Date: Wed, 28 Dec 2016 13:10:42 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 99e93fba-c464-45ae-940e-9ca101dd8fa7 X-Archives-Hash: 4201bf55b210b820b5c8b4ba55b7d037 commit: 2c174cb604c2c99f9d9e8ac4fab438d0aedf7ab1 Author: Slawomir Lis gentoo org> AuthorDate: Wed Dec 28 12:59:11 2016 +0000 Commit: Slawek Lis gentoo org> CommitDate: Wed Dec 28 12:59:11 2016 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c174cb6 net-analyzer/suricata: Dropping user privs in init script Bug #602590 Package-Manager: Portage-2.3.3, Repoman-2.3.1 net-analyzer/suricata/files/suricata-3.2-conf | 12 ++++++++- net-analyzer/suricata/files/suricata-3.2-init | 39 ++++++++++++++++++++------- net-analyzer/suricata/suricata-3.2-r1.ebuild | 5 ++-- 3 files changed, 43 insertions(+), 13 deletions(-)
diff --git a/net-analyzer/suricata/files/suricata-3.2-conf b/net-analyzer/suricata/files/suricata-3.2-conf
index fc6885d..d8466b4 100644
--- a/net-analyzer/suricata/files/suricata-3.2-conf
+++ b/net-analyzer/suricata/files/suricata-3.2-conf
@@ -29,7 +29,7 @@ # SURICATA_CONF="suricata.yaml"
 # You can define the options here:
-# NB: avoid using -l, -c and setting logging.outputs.1.file.filename as the init script will try to set them for you.
+# NB: avoid using -l, -c, --user, --group and setting logging.outputs.1.file.filename as the init script will try to set them for you.
 # SURICATA_OPTS_q0="-q 0"
 # SURICATA_OPTS_q1="-q 1"
@@ -44,3 +44,13 @@ SURICATA_OPTS="-i eth0"
 # SURICATA_LOG_FILE_q0="/var/log/suricata/q0/suricata.log"
 # SURICATA_LOG_FILE_q1="/var/log/suricata/q1/suricata.log"
 # SURICATA_LOG_FILE="/var/log/suricata/suricata.log"
+
+# Run as user/group.
+# Do not define if you want to run as root or as the user defined in the yaml config file (run-as).
+# The ebuild should have created the dedicated user/group suricata:suricata for you to specify here below.
+# SURICATA_USER_q0="suricata"
+# SURICATA_GROUP_q0="suricata"
+# SURICATA_USER_q1="suricata"
+# SURICATA_GROUP_q1="suricata"
+# SURICATA_USER="suricata"
+# SURICATA_GROUP="suricata"
diff --git a/net-analyzer/suricata/files/suricata-3.2-init b/net-analyzer/suricata/files/suricata-3.2-init
index 1717dbb..b276f49 100644
--- a/net-analyzer/suricata/files/suricata-3.2-init
+++ b/net-analyzer/suricata/files/suricata-3.2-init
@@ -13,13 +13,19 @@ if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then
 SURICATAPID="/var/run/suricata/suricata.${SURICATA}.pid"
 eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
 eval SURICATALOGPATH=\$SURICATA_LOG_FILE_${SURICATAID}
+ eval SURICATAUSER=\$SURICATA_USER_${SURICATAID}
+ eval SURICATAGROUP=\$SURICATA_GROUP_${SURICATAID}
 else
 SURICATACONF=${SURICATA_CONF}
 [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
 SURICATAPID="/var/run/suricata/suricata.pid"
 SURICATAOPTS=${SURICATA_OPTS}
 SURICATALOGPATH=${SURICATA_LOG_FILE}
+ SURICATAUSER=${SURICATA_USER}
+ SURICATAGROUP=${SURICATA_GROUP}
 fi
+SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}
+SURICATAGROUP=${SURICATAGROUP:-${SURICATA_GROUP}}
 [ -e ${SURICATACONF} ] && SURICATAOPTS="${SURICATAOPTS} -c ${SURICATACONF}"
 description="Suricata IDS/IPS"
@@ -37,11 +43,6 @@ depend() {
 }
 checkconfig() {
- if [ ! -e ${SURICATACONF} ] ; then einfo "The configuration file ${SURICATACONF} was not found." einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata." einfo "Take a look at the suricata arguments --set and --dump-config." fi
 if [ ! -d "/var/run/suricata" ] ; then
 checkpath -d /var/run/suricata
 fi
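Review bot: The fallback lines `SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}` and `SURICATAGROUP=${SURICATAGROUP:-${SURICATA_GROUP}}` can leave exactly one of the pair set, and every later test in checkconfig, reload and relog requires both, so a conf.d entry that sets SURICATA_USER without SURICATA_GROUP (or the reverse) is silently ignored and the daemon keeps whatever privileges it would have had without the setting. checkconfig should reject the half-configured case rather than fall through, e.g. `if [ -n "${SURICATAUSER}${SURICATAGROUP}" ] && { [ -z "${SURICATAUSER}" ] || [ -z "${SURICATAGROUP}" ]; }; then eerror "SURICATA_USER and SURICATA_GROUP must be set together"; return 1; fi`, and the new comment block in suricata-3.2-conf should state that the two variables are only honoured as a pair. In the else branch the assignment `SURICATAUSER=${SURICATA_USER}` is made redundant by that same fallback and can be dropped together with its group counterpart.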
@@ -52,9 +53,22 @@ checkconfig() {
 if [ ! -d "${SURICATALOGPATH}" ] ; then
 checkpath -d "${SURICATALOGPATH}"
 fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ] && [ -e "${SURICATALOGPATH}" ]; then
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}" || return 1
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/* >/dev/null 2>&1 3>&1
+ fi
 SURICATAOPTS="${SURICATAOPTS} --set logging.outputs.1.file.filename=${SURICATALOGPATH}/${SURICATALOGFILE}"
 SURICATALOGPATH="-l ${SURICATALOGPATH}"
 fi
+ if [ ! -e ${SURICATACONF} ] ; then
+ einfo "The configuration file ${SURICATACONF} was not found."
+ einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
+ einfo "Take a look at the suricata arguments --set and --dump-config."
+ fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ einfo "${SVCNAME} will run as user ${SURICATAUSER}:${SURICATAGROUP}."
+ SURICATAOPTS="${SURICATAOPTS} --user=${SURICATAUSER} --group=${SURICATAGROUP}"
+ fi
 }
 initpidinfo() {
@@ -77,8 +91,7 @@ checkpidinfo() {
 eerror "Unable to determine user running ${SVCNAME}!"
 return 1
 elif [ "x${SUR_USER}" != "xroot" ]; then
- eerror "${SVCNAME} must be running as root for reload or relog to work!"
- return 1
+ ewarn "${SVCNAME} may need to be running as root or as a priviledged user for the extra commands reload and relog to work."
 fi
 }
@@ -135,7 +148,11 @@ reload() {
 checkpidinfo || return 1
 checkconfig || return 1
 ebegin "Sending USR2 signal to ${SVCNAME} to perform a live rule and config reload."
- start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal USR2 --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+ fi
 eend $?
 }
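Review bot: The second chown in checkconfig, `chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/*`, dereferences symbolic links, and it runs as root on every start against a directory the preceding chown has just handed over to the service user, so a link left in that directory would make the next start re-own whatever the link points at. Use `chown -h ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/* >/dev/null 2>&1` so links are never followed (or restrict the walk to regular files with find), and for the directory itself `checkpath -d -o ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"` is the OpenRC-provided way to create it with the right owner in one step. The trailing `3>&1` redirects a descriptor nothing writes to and can be dropped. Silencing the glob chown while the directory chown returns 1 appears intended for an empty directory, but it also hides permission errors on existing log files; consider at least an ewarn on failure.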
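Review bot: The new ewarn in checkpidinfo misspells "privileged"; it should read `ewarn "${SVCNAME} may need to be running as root or as a privileged user for the extra commands reload and relog to work."`. With this commit the normal configuration is a non-root daemon, so this warning will fire on every reload and relog; if SUR_USER is the owner of the running process, as its use here suggests, the warning could be skipped when it equals SURICATAUSER, since the signal is then sent via start-stop-daemon with a matching --user anyway. The enclosing if/elif starts before this hunk.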
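Review bot: reload and relog (the latter in the next hunk, @@ -143) now carry the same four-line if/else around start-stop-daemon that differs only in the signal name. Building the selector once inside the existing `if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]` block of checkconfig, e.g. `SURICATASSDUSER="--user ${SURICATAUSER} --group ${SURICATAGROUP}"`, lets each function go back to one line: `start-stop-daemon ${SURICATASSDUSER} --signal USR2 --pidfile ${SURICATAPID}`. It is worth a comment that on a signal-only invocation `--user`/`--group` act as a filter on the owner of the pid, which doubles as a check that the pidfile still refers to the service's own process.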
@@ -143,7 +160,11 @@ relog() {
 checkpidinfo || return 1
 checkconfig || return 1
 ebegin "Sending HUP signal to ${SVCNAME} to close and re-open all log files."
- start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal HUP --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+ fi
 eend $?
 }
diff --git a/net-analyzer/suricata/suricata-3.2-r1.ebuild b/net-analyzer/suricata/suricata-3.2-r1.ebuild
index 816a69d..ee724a5 100644
--- a/net-analyzer/suricata/suricata-3.2-r1.ebuild
+++ b/net-analyzer/suricata/suricata-3.2-r1.ebuild
@@ -34,6 +34,7 @@ DEPEND="
 nfqueue? ( net-libs/libnetfilter_queue )
 redis? ( dev-libs/hiredis )
 logrotate? ( app-admin/logrotate )
+ sys-libs/libcap-ng
 "
 # #446814
 # prelude? ( dev-libs/libprelude )
@@ -119,8 +120,6 @@ src_install() {
 dodir "/var/lib/${PN}"
 dodir "/var/log/${PN}"
- dodir "/var/log/${PN}" \
- "/var/lib/${PN}"
 fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
 fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
@@ -151,7 +150,7 @@ pkg_postinst() {
 elog "You can create as many ${PN}.foo* services as you wish."
 if use logrotate; then
- elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logortate config file in /etc/logrotate.d/."
+ elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logrotate config file in /etc/logrotate.d/."
 fi
 if use debug; then
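Review bot: `sys-libs/libcap-ng` is added to DEPEND only, but suricata links against libcap-ng to implement the `--user`/`--group` privilege drop that the init script now relies on, so the library is needed at runtime as well as at build time. Unless RDEPEND is derived from DEPEND somewhere outside this hunk, it should be listed in RDEPEND too, otherwise a dependency cleanup can remove it from a running system. A short comment next to the entry, e.g. `# needed for --user/--group in the init script`, would explain why it is unconditional.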