From: "Matsuu Takuto (matsuu)" <matsuu@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] gentoo-x86 commit in net-misc/scponly: scponly-4.8-r4.ebuild ChangeLog
Date: Sat, 23 Jan 2010 03:18:07 +0000 [thread overview]
Message-ID: <E1NYWVj-0005pl-1n@stork.gentoo.org> (raw)
matsuu 10/01/23 03:18:07
Modified: ChangeLog
Added: scponly-4.8-r4.ebuild
Log:
Fixed chroot issue, bug #299521.
(Portage version: 2.1.7.16/cvs/Linux x86_64)
Revision Changes Path
1.46 net-misc/scponly/ChangeLog
Index: ChangeLog
===================================================================
RCS file: /var/cvsroot/gentoo-x86/net-misc/scponly/ChangeLog,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -r1.45 -r1.46
--- ChangeLog 23 Sep 2009 19:44:01 -0000 1.45
+++ ChangeLog 23 Jan 2010 03:18:06 -0000 1.46
@@ -1,6 +1,11 @@
# ChangeLog for net-misc/scponly
-# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/scponly/ChangeLog,v 1.45 2009/09/23 19:44:01 patrick Exp $
+# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/scponly/ChangeLog,v 1.46 2010/01/23 03:18:06 matsuu Exp $
+
+*scponly-4.8-r4 (23 Jan 2010)
+
+ 23 Jan 2010; MATSUU Takuto <matsuu@gentoo.org> +scponly-4.8-r4.ebuild:
+ Fixed chroot issue, bug #299521.
23 Sep 2009; Patrick Lauer <patrick@gentoo.org> scponly-4.8.ebuild,
scponly-4.8-r3.ebuild:
1.1 net-misc/scponly/scponly-4.8-r4.ebuild
Index: scponly-4.8-r4.ebuild
===================================================================
# Copyright 1999-2010 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-misc/scponly/scponly-4.8-r4.ebuild,v 1.1 2010/01/23 03:18:06 matsuu Exp $
EAPI="1"
inherit eutils multilib toolchain-funcs
DESCRIPTION="A tiny pseudoshell which only permits scp and sftp"
HOMEPAGE="http://www.sublimation.org/scponly/"
SRC_URI="mirror://sourceforge/scponly/${P}.tgz"
LICENSE="as-is"
SLOT="0"
KEYWORDS="~amd64 ~mips ~ppc ~sparc ~x86"
# Compatibility modes. Every mode enabled here is turned into a configure
# switch in src_compile and pulls the matching programs into the chroot in
# pkg_config; pkg_setup warns about the ones that widen the attack surface.
IUSE="+sftp scp winscp gftp rsync unison subversion wildcards quota passwd logging"
RDEPEND="sys-apps/sed
net-misc/openssh
quota? ( sys-fs/quota )
!mips? ( passwd? ( sys-apps/shadow ) )
rsync? ( net-misc/rsync )
!mips? ( unison? ( net-misc/unison ) )
subversion? ( dev-util/subversion )"
DEPEND="${RDEPEND}"
# Chroot layout shared by pkg_postinst and pkg_config: ${myhome} is the jail
# root (kept root-owned), and ${mysubdir} inside it is the only directory
# handed to the scponly user.
myuser="scponly"
myhome="/home/${myuser}"
mysubdir="/pub"
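# Validate the USE-flag combination before building and warn about the
# compatibility modes that widen the attack surface of the chroot. Dies on
# unsupported combinations (mips) and on a build with no mode enabled at all.
pkg_setup() {
	# unison and passwd are masked out of RDEPEND on mips, so refuse them here.
	if use mips; then
		if use unison || use passwd; then
			eerror
			eerror "unison and passwd use-flags are not supported on mips yet!"
			die "unsupported use-flags for your arch"
		fi
	fi
	# /usr/bin/unison is managed by eselect; pkg_config copies exactly that
	# path into the chroot, so it has to exist before we go any further.
	if use unison; then
		if [[ ! -e "${ROOT}usr/bin/unison" ]]; then
			eerror
			eerror "please run 'eselect unison set <version>' first!"
			die "can't find /usr/bin/unison"
		fi
	fi
	# Without any compatibility mode the resulting shell can run nothing.
	if ! use subversion && ! use unison && ! use rsync && \
		! use sftp && ! use scp && ! use winscp; then
		eerror
		eerror "you have to enable at least one of the following use-flags:"
		eerror "sftp scp winscp rsync unison subversion"
		die "your build will be quite useless without any compatibility mode"
	fi
	# The modes listed here either bring extra programs into the jail or
	# honour user-controllable configuration; say so loudly before building.
	if use subversion || use unison || use rsync || use wildcards || use scp || use winscp || use passwd; then
		ewarn
		ewarn "NOTE THE FOLLOWING SECURITY RISKS:"
		ewarn
		if use wildcards; then
			ewarn "-- by enabling wildcards, there is a slightly higher chance of an exploit"
		fi
		if use scp || use winscp; then
			ewarn "-- by enabling scp and/or winscp compatibility, more programs will need"
			ewarn " to be installed in the chroot which increases the risk."
		fi
		# pkg_config installs /bin/passwd with mode 04711 (setuid root) inside
		# the chroot when this flag is set; make that visible up front.
		if use passwd; then
			ewarn "-- by enabling passwd compatibility, a setuid-root copy of /bin/passwd"
			ewarn " will be installed inside the chroot by 'emerge --config'."
		fi
		if use subversion; then
			ewarn "-- CAUTION: by enabling subversion the user WILL BE ABLE TO EXECUTE"
			ewarn " SCRIPTS OR PROGRAMS INDIRECTLY! svn and svnserve will try to execute"
			ewarn " pre-commit, post-commit hooks, as well as a few others. These files"
			ewarn " have specific filenames at specific locations relative to the svn"
			ewarn " repository root. Thus, unless you are *very* careful about security,"
			ewarn " the user WILL BE ABLE TO EXECUTE SCRIPTS OR PROGRAMS INDIRECTLY!"
			ewarn " This can be prevented by a careful configuration."
		fi
		if use subversion || use unison || use rsync; then
			ewarn "-- The following programs use configuration files that might allow the"
			ewarn " user to bypass security restrictions placed on command line arguments:"
			ewarn " svn, svnserve, rsync, unison"
		fi
		ewarn
		ewarn "please read /usr/share/doc/${PF}/SECURITY* after install!"
		ewarn
		ebeep 5
	fi
}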
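# Unpack the tarball and apply the Gentoo patches. Any failure is fatal: in
# EAPI 1 a failed cd is silent and epatch would otherwise run in whatever
# directory the phase started in.
src_unpack() {
	unpack ${A}
	cd "${S}" || die "cd ${S} failed"
	# patch for the rsync compatibility mode (see FILESDIR)
	epatch "${FILESDIR}/${P}-rsync.patch"
	# bug #269242
	epatch "${FILESDIR}/${P}-gcc4.4.0.patch"
}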
# Configure and build scponly: the chroot-capable scponlyc binary with the
# chroot-directory check enabled, sftp-server taken from openssh, and one
# configure switch per compatibility mode selected in IUSE.
src_compile() {
	# LDFLAGS are folded into CFLAGS for the configure run; presumably the
	# upstream build does not pass LDFLAGS on its own (TODO confirm against
	# the upstream Makefile).
	local myconf=(
		--with-sftp-server="/usr/$(get_libdir)/misc/sftp-server"
		--with-default-chdir="/"
		--disable-restrictive-names
		--enable-chrooted-binary
		--enable-chroot-checkdir
		$(use_enable winscp winscp-compat)
		$(use_enable gftp gftp-compat)
		$(use_enable scp scp-compat)
		$(use_enable sftp sftp)
		$(use_enable quota quota-compat)
		$(use_enable passwd passwd-compat)
		$(use_enable rsync rsync-compat)
		$(use_enable unison unison-compat)
		$(use_enable subversion svn-compat)
		$(use_enable subversion svnserv-compat)
		$(use_enable logging sftp-logging-compat)
		$(use_enable wildcards wildcards)
	)
	CFLAGS="${CFLAGS} ${LDFLAGS}" econf "${myconf[@]}" || die "econf failed"
	emake CC=$(tc-getCC) || die "emake failed"
}
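# Install the built binaries and documentation. The chroot helper script and
# config.h are installed uncompressed so they stay usable for a manual jail
# setup. EAPI 1 helpers do not die on their own, so every step is checked.
src_install() {
	emake DESTDIR="${D}" install || die "emake install failed"
	dodoc AUTHOR BUILDING-JAILS.TXT CHANGELOG CONTRIB README SECURITY TODO || die "dodoc failed"
	# don't compress setup-script, so it is usable if necessary
	insinto /usr/share/doc/${PF}/chroot
	doins setup_chroot.sh config.h || die "doins failed"
}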
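# Point the admin at 'emerge --config' for the jail setup and create the
# scponly group and user. The user's login shell is scponlyc; its home is
# written as "${myhome}//" because scponlyc splits the path at the doubled
# slash to find the chroot point (see the comment below). The jail itself is
# not populated until pkg_config runs.
pkg_postinst() {
	elog
	elog "You might want to run"
	elog " emerge --config =${CATEGORY}/${PF}"
	elog "to setup the chroot. Otherwise you will have to setup chroot manually."
	elog
	elog "Please read the docs in /usr/share/doc/${PF} for more information!"
	elog
	# two slashes ('//') are used by scponlyc to determine the chroot point.
	enewgroup "${myuser}"
	enewuser "${myuser}" -1 /usr/sbin/scponlyc "${myhome}//" "${myuser}"
}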
# Populate the chroot jail at ${myhome}; runs as root via "emerge --config".
# Adapted from upstream's setup_chroot.sh. It copies the binaries each enabled
# compatibility mode needs, the shared libraries they link against, the
# dynamic loader and the glibc NSS modules, creates a minimal /etc/passwd,
# /etc/group and /dev/null inside the jail, and registers scponly/scponlyc in
# /etc/shells. Directories and the etc files are only created when missing,
# but binaries and libraries are re-copied on every run (install -p
# overwrites), so re-run this after upgrading openssh, glibc or any of the
# copied tools -- the copies inside the jail do not pick up security updates
# on their own. BINARIES and LIB_LIST are plain globals, as in the upstream
# script.
pkg_config() {
	# This phase is based on ${S}/setup_chroot.sh.
	einfo "Collecting binaries and libraries..."
	# The mode checks below mirror the use_enable list in src_compile;
	# built_with_use reads the USE flags the installed package was built with.
	# Binaries launched in sftp compat mode (same path as --with-sftp-server)
	if built_with_use =${CATEGORY}/${PF} sftp; then
		BINARIES="/usr/$(get_libdir)/misc/sftp-server"
	fi
	# Binaries launched by vanilla- and WinSCP modes
	if built_with_use =${CATEGORY}/${PF} scp || \
		built_with_use =${CATEGORY}/${PF} winscp; then
		BINARIES="${BINARIES} /usr/bin/scp /bin/ls /bin/rm /bin/ln /bin/mv"
		BINARIES="${BINARIES} /bin/chmod /bin/chown /bin/chgrp /bin/mkdir /bin/rmdir"
	fi
	# Binaries launched in WinSCP compatibility mode
	if built_with_use =${CATEGORY}/${PF} winscp; then
		BINARIES="${BINARIES} /bin/pwd /bin/groups /usr/bin/id /bin/echo"
	fi
	# Rsync compatability mode
	if built_with_use =${CATEGORY}/${PF} rsync; then
		BINARIES="${BINARIES} /usr/bin/rsync"
	fi
	# Unison compatability mode
	if built_with_use =${CATEGORY}/${PF} unison; then
		BINARIES="${BINARIES} /usr/bin/unison"
	fi
	# subversion cli/svnserv compatibility
	if built_with_use =${CATEGORY}/${PF} subversion; then
		BINARIES="${BINARIES} /usr/bin/svn /usr/bin/svnserve"
	fi
	# passwd compatibility (this one is installed setuid root further down)
	if built_with_use =${CATEGORY}/${PF} passwd; then
		BINARIES="${BINARIES} /bin/passwd"
	fi
	# quota compatibility
	if built_with_use =${CATEGORY}/${PF} quota; then
		BINARIES="${BINARIES} /usr/bin/quota"
	fi
	# build lib dependencies: resolve every shared library the collected
	# binaries need; the sed keeps only entries resolved to an absolute path.
	# ldd runs the target's dynamic loader, which is fine for these system
	# binaries but would not be for untrusted files.
	LIB_LIST=$(ldd ${BINARIES} | sed -n 's:.* => \(/[^ ]\+\).*:\1:p' | sort -u)
	# search and add ld*.so -- the loader itself is not listed with "=>" above.
	# The candidate list includes BSD names, presumably inherited from the
	# upstream script; the ld-linux*.so.2 glob is left unquoted on purpose.
	for LIB in /$(get_libdir)/ld.so /libexec/ld-elf.so /libexec/ld-elf.so.1 \
		/usr/libexec/ld.so /$(get_libdir)/ld-linux*.so.2 /usr/libexec/ld-elf.so.1; do
		[ -f "${LIB}" ] && LIB_LIST="${LIB_LIST} ${LIB}"
	done
	# search and add libnss_*.so -- presumably loaded at run time rather than
	# linked, so ldd cannot see them; needed for name lookups against the
	# jail's own /etc/passwd and /etc/group created below (compat/files only).
	for LIB in /$(get_libdir)/libnss_{compat,files}*.so.*; do
		[ -f "${LIB}" ] && LIB_LIST="${LIB_LIST} ${LIB}"
	done
	# create base dirs. The jail root and everything below it except
	# ${mysubdir} are root-owned 0755, so the scponly user cannot add or
	# replace files the copied binaries would load. The build enables
	# --enable-chroot-checkdir (src_compile), which presumably makes scponlyc
	# verify this ownership at login -- confirm against the upstream docs.
	if [ ! -d "${myhome}" ]; then
		einfo "Creating ${myhome}"
		install -o0 -g0 -m0755 -d "${myhome}"
	else
		# an existing home is re-owned to root but its mode is left alone
		einfo "Setting owner for ${myhome}"
		chown 0:0 "${myhome}"
	fi
	if [ ! -d "${myhome}/etc" ]; then
		einfo "Creating ${myhome}/etc"
		install -o0 -g0 -m0755 -d "${myhome}/etc"
	fi
	if [ ! -d "${myhome}/$(get_libdir)" ]; then
		einfo "Creating ${myhome}/$(get_libdir)"
		install -o0 -g0 -m0755 -d "${myhome}/$(get_libdir)"
	fi
	# lib -> $(get_libdir) symlink; the -e guard means an existing directory
	# or link is never clobbered
	if [ ! -e "${myhome}/lib" ]; then
		einfo "Creating ${myhome}/lib"
		ln -snf $(get_libdir) "${myhome}/lib"
	fi
	if [ ! -d "${myhome}/usr/$(get_libdir)" ]; then
		einfo "Creating ${myhome}/usr/$(get_libdir)"
		install -o0 -g0 -m0755 -d "${myhome}/usr/$(get_libdir)"
	fi
	if [ ! -e "${myhome}/usr/lib" ]; then
		einfo "Creating ${myhome}/usr/lib"
		ln -snf $(get_libdir) "${myhome}/usr/lib"
	fi
	# ${mysubdir} is the only path in the jail owned by the scponly user;
	# this is where uploads land
	if [ ! -d "${myhome}${mysubdir}" ]; then
		einfo "Creating ${myhome}${mysubdir} directory for uploading files"
		install -o${myuser} -g${myuser} -m0755 -d "${myhome}${mysubdir}"
	fi
	# create /dev/null (Bug 135505) as char device 1:3. NOTE(review): 0666
	# would do; the execute bits on a device node are meaningless.
	if [ ! -e "${myhome}/dev/null" ]; then
		install -o0 -g0 -m0755 -d "${myhome}/dev"
		mknod -m0777 "${myhome}/dev/null" c 1 3
	fi
	# install binaries as root-owned copies (${BIN} is absolute, so the
	# destination carries a harmless doubled slash)
	for BIN in ${BINARIES}; do
		einfo "Install ${BIN}"
		install -o0 -g0 -m0755 -d "${myhome}$(dirname ${BIN})"
		if [ "${BIN}" = "/bin/passwd" ]; then # needs suid
			# 04711: setuid root, not readable by group/others. This is the one
			# privileged binary inside the jail, and being a copy it will not
			# follow sys-apps/shadow updates until pkg_config is re-run.
			install -p -o0 -g0 -m04711 "${BIN}" "${myhome}/${BIN}"
		else
			install -p -o0 -g0 -m0755 "${BIN}" "${myhome}/${BIN}"
		fi
	done
	# install libs (root-owned, 0755)
	for LIB in ${LIB_LIST}; do
		einfo "Install ${LIB}"
		install -o0 -g0 -m0755 -d "${myhome}$(dirname ${LIB})"
		install -p -o0 -g0 -m0755 "${LIB}" "${myhome}/${LIB}"
	done
	# create ld.so.conf inside the jail from the directories the libraries
	# were copied into, then let ldconfig -r build the cache with the jail
	# as its root. The while loop runs in a pipeline subshell; that is fine
	# here because it only appends to the file.
	einfo "Creating /etc/ld.so.conf"
	for LIB in ${LIB_LIST}; do
		dirname ${LIB}
	done | sort -u | while read DIR; do
		if ! grep 2>/dev/null -q "^${DIR}$" "${myhome}/etc/ld.so.conf"; then
			echo "${DIR}" >> "${myhome}/etc/ld.so.conf"
		fi
	done
	ldconfig -r "${myhome}"
	# update shells. NOTE(review): anything that consults /etc/shells
	# (chsh, FTP daemons and other getusershell(3) users) will from now on
	# treat scponly accounts as having a valid login shell -- check what else
	# runs on this host before relying on scponly as the only restriction.
	einfo "Updating /etc/shells"
	grep 2>/dev/null -q "^/usr/bin/scponly$" /etc/shells \
		|| echo "/usr/bin/scponly" >> /etc/shells
	grep 2>/dev/null -q "^/usr/sbin/scponlyc$" /etc/shells \
		|| echo "/usr/sbin/scponlyc" >> /etc/shells
	# create /etc/passwd: a root entry plus the scponly user's line copied
	# from the system file with its first five fields kept (name, password
	# field, uid, gid, gecos) and home/shell rewritten to ${mysubdir} and
	# /bin/sh. On shadow-based systems the password field is just "x", so no
	# hash ends up in the jail. Written once only; a later uid change in the
	# system file is not propagated.
	if [ ! -e "${myhome}/etc/passwd" ]; then
		(
			echo "root:x:0:0:root:/:/bin/sh"
			sed -n "s|^\(${myuser}:[^:]*:[^:]*:[^:]*:[^:]*:\).*|\1${mysubdir}:/bin/sh|p" /etc/passwd
		) > "${myhome}/etc/passwd"
	fi
	# create /etc/group: root plus the scponly group with only name, password
	# field and gid kept (the member list is dropped)
	if [ ! -e "${myhome}/etc/group" ]; then
		(
			echo "root:x:0:"
			sed -n "s|^\(${myuser}:[^:]*:[^:]*:\).*|\1|p" /etc/group
		) > "${myhome}/etc/group"
	fi
}