authorMarek Szuba <marecki@gentoo.org>2017-12-20 17:02:37 +0100
committerMarek Szuba <marecki@gentoo.org>2017-12-20 17:30:43 +0100
commit88b7eff0dff2a5ac42ba1915a902051060323b57 (patch)
tree21440211350d74c85bee3f804882af2a40fb5cb3
parentRetirement: vapier package reassigment (diff)
app-backup/burp-2.0.54: backport setuid-after-getting-lock fix from 2.1
This should take care of potential privilege escalation via PID-file manipulation. Gentoo-Bug: https://bugs.gentoo.org/628770 Package-Manager: Portage-2.3.13, Repoman-2.3.3
-rw-r--r--app-backup/burp/burp-2.0.54-r3.ebuild111
-rw-r--r--app-backup/burp/files/burp-2.0.54-chuser_after_getting_lock.patch38
2 files changed, 149 insertions, 0 deletions
diff --git a/app-backup/burp/burp-2.0.54-r3.ebuild b/app-backup/burp/burp-2.0.54-r3.ebuild
new file mode 100644
index 00000000000..7d916cbb59c
--- /dev/null
+++ b/app-backup/burp/burp-2.0.54-r3.ebuild
@@ -0,0 +1,111 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools systemd user versionator
+
+DESCRIPTION="Network backup and restore client and server for Unix and Windows"
+HOMEPAGE="http://burp.grke.org/"
+SRC_URI="https://github.com/grke/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="AGPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="acl ipv6 libressl test xattr"
+
+CDEPEND="dev-libs/uthash
+ net-libs/librsync
+ sys-libs/ncurses:0=
+ sys-libs/zlib
+ !libressl? ( dev-libs/openssl:0= )
+ libressl? ( dev-libs/libressl:0= )
+ acl? ( sys-apps/acl )
+ xattr? ( sys-apps/attr )"
+DEPEND="${CDEPEND}
+ virtual/pkgconfig
+ test? ( dev-libs/check )"
+RDEPEND="${CDEPEND}
+ virtual/logger"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.0.54-ncurses_pkg-config.patch
+ "${FILESDIR}"/${PN}-2.0.54-no_mkdir_run.patch
+ "${FILESDIR}"/${PN}-2.0.54-protocol1_by_default.patch
+ "${FILESDIR}"/${PN}-2.0.54-server_user.patch
+ "${FILESDIR}"/${PN}-2.0.54-chuser_after_getting_lock.patch
+)
+
+pkg_setup() {
+ enewgroup "${PN}"
+ enewuser "${PN}" -1 "" "" "${PN}"
+}
+
+src_prepare() {
+ default
+
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ --localstatedir=/var
+ --sysconfdir=/etc/burp
+ --enable-largefile
+ $(use_enable acl)
+ $(use_enable ipv6)
+ $(use_enable xattr)
+ )
+ # --runstatedir option will only work from autoconf-2.70 onwards
+ runstatedir='/run' \
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+ fowners -R root:${PN} /var/spool/burp
+ fperms 0770 /var/spool/burp
+
+ emake DESTDIR="${D}" install-configs
+ fowners -R root:${PN} /etc/burp
+ fperms 0775 /etc/burp
+ fperms 0640 /etc/burp/burp-server.conf
+ fperms 0750 /etc/burp/clientconfdir
+
+ newinitd "${FILESDIR}"/${PN}.initd ${PN}
+ systemd_dounit "${FILESDIR}"/${PN}.service
+}
+
+pkg_postinst() {
+ elog "Burp ebuilds now support the autoupgrade mechanism in both"
+ elog "client and server mode. In both cases it is disabled by"
+ elog "default. You almost certainly do NOT want to enable it in"
+ elog "client mode because upgrades obtained this way will not be"
+ elog "managed by Portage."
+
+ if [[ ! -e /etc/burp/CA/index.txt ]]; then
+ elog ""
+ elog "At first run burp server will generate DH parameters and SSL"
+ elog "certificates. You should adjust configuration before."
+ elog "Server configuration is located at"
+ elog ""
+ elog " /etc/burp/burp-server.conf"
+ elog ""
+ fi
+
+ # According to PMS this can be a space-separated list of version
+ # numbers, even though in practice it is typically just one.
+ local oldver
+ for oldver in ${REPLACING_VERSIONS}; do
+ if [[ $(get_major_version ${oldver}) -lt 2 ]]; then
+ ewarn "Starting with version 2.0.54 we no longer patch bedup to use"
+ ewarn "the server config file by default. If you use bedup, please"
+ ewarn "update your scripts to invoke it as"
+ ewarn ""
+ ewarn " bedup -c /etc/burp/burp-server.conf"
+ ewarn ""
+ ewarn "Otherwise deduplication will not work!"
+ break
+ fi
+ done
+}
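Review bot: In `src_install`, `fowners -R root:${PN} /etc/burp` followed by `fperms 0775 /etc/burp` leaves the configuration directory writable by the `burp` group. Directory write permission is enough to rename or replace `burp-server.conf`, even though the file itself is `0640`. If the server is started as root and only later switches to the `burp` account (which the `chuser_after_getting_lock` patch suggests), the unprivileged account can influence what root parses on the next start. That is the same class of problem as the PID-file issue this revision is meant to close. Consider `fperms 0755 /etc/burp` and granting group write only on a dedicated subdirectory for the material the server generates at first run (the `pkg_postinst` text mentions `/etc/burp/CA`); whether the server currently needs to create files directly in `/etc/burp` is not visible here and should be checked. A short comment above the `fperms` lines stating which account needs which access would also help the next maintainer.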
diff --git a/app-backup/burp/files/burp-2.0.54-chuser_after_getting_lock.patch b/app-backup/burp/files/burp-2.0.54-chuser_after_getting_lock.patch
new file mode 100644
index 00000000000..3f75c878d5b
--- /dev/null
+++ b/app-backup/burp/files/burp-2.0.54-chuser_after_getting_lock.patch
@@ -0,0 +1,38 @@
+From f765ad2c9f421eefcd3afc447ed45fa3fd2d17a0 Mon Sep 17 00:00:00 2001
+From: Graham Keeling <grke@grke.net>
+Date: Sun, 13 Aug 2017 11:50:54 +0000
+Subject: [PATCH] Drop privileges after main pidfile creation.
+
+Change-Id: I762541db55e7884531e4d869e1a86533df71b5b8
+---
+ src/prog.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/prog.c b/src/prog.c
+index 244590d3..b94df6d3 100644
+--- a/src/prog.c
++++ b/src/prog.c
+@@ -111,11 +111,6 @@ int reload(struct conf **confs, const char *conffile, bool firsttime)
+ setup_signals();
+ #endif
+
+- // Do not try to change user or group after the first time.
+- if(firsttime && chuser_and_or_chgrp(
+- get_string(confs[OPT_USER]), get_string(confs[OPT_GROUP])))
+- return -1;
+-
+ return 0;
+ }
+
+@@ -486,6 +481,11 @@ int real_main(int argc, char *argv[])
+ }
+ }
+
++ // Change privileges after having got the lock, for convenience.
++ if(chuser_and_or_chgrp(
++ get_string(confs[OPT_USER]), get_string(confs[OPT_GROUP])))
++ return -1;
++
+ set_int(confs[OPT_OVERWRITE], forceoverwrite);
+ set_int(confs[OPT_STRIP], strip);
+ set_int(confs[OPT_FORK], forking);
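Review bot: The relocated `chuser_and_or_chgrp()` call in `real_main` fails with a bare `return -1` after the lock has already been taken. `real_main` continues outside this hunk, so if it has a cleanup path that releases the lock, this early return probably bypasses it and can leave a stale root-owned lock/pidfile behind; routing the failure through that path would be safer. The comment says "for convenience", which hides the security reason for the ordering; something like `// Drop privileges only after the lock/pidfile has been created as root, so the unprivileged user does not own it.` would record why the call must not move back into `reload()`. Because the pidfile is now created before the drop, it is also worth confirming that its directory is not writable by the configured user, and that no other caller relied on `reload(..., firsttime)` to drop privileges.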