Diffstat (limited to 'net-misc/tlsdate/files')
-rw-r--r--net-misc/tlsdate/files/tlsdate-0.0.4-compiler-flags.patch72
-rw-r--r--net-misc/tlsdate/files/tlsdate-0.0.4-configure-user-group.patch66
-rw-r--r--net-misc/tlsdate/files/tlsdate.confd8
-rwxr-xr-xnet-misc/tlsdate/files/tlsdate.rc17
-rw-r--r--net-misc/tlsdate/files/tlsdated.confd15
-rwxr-xr-xnet-misc/tlsdate/files/tlsdated.rc19
6 files changed, 197 insertions, 0 deletions
diff --git a/net-misc/tlsdate/files/tlsdate-0.0.4-compiler-flags.patch b/net-misc/tlsdate/files/tlsdate-0.0.4-compiler-flags.patch
new file mode 100644
index 000000000000..dbccaabe597f
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdate-0.0.4-compiler-flags.patch
@@ -0,0 +1,72 @@
+fix in upstream now
+
+From 8b94e111e58fc5d8a2cf47effaaf410a6e4eca46 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Tue, 18 Dec 2012 15:38:51 -0500
+Subject: [PATCH] make hardened compiler flags optional
+
+First note: the default behavior is unchanged.
+
+For people building tlsdate themselves with a known toolchain env, the
+checked flags can be redundant, or even harmful. A compile/link check
+for PIE behavior for example might not catch the full supported status
+for some architectures/C libraries.
+
+Further, the current code starts by throwing away the user's compiler
+settings which can also be harmful. Those often times include settings
+related to ABI or target cpu selection and ignoring them can produce an
+unusable binary.
+
+So add a flag that people (including distros) can leverage to bypass
+all of the checks.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ configure.ac | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 555ae28..f6efb0b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -67,19 +67,28 @@ AC_SUBST(RT_LIB)
+
+ # Debug and hardening flags all in one shot
+ # Alwas do this at the end, otherwise you end up filtering system/other libraries
++AC_ARG_ENABLE([hardened-checks],
++ [AS_HELP_STRING([--disable-hardened-checks],
++ [Disable automatically enabling hardened toolchain options])])
+ AC_DEFUN([LOCAL_CHECK_FLAGS],[
+ AC_REQUIRE([AX_CHECK_LINK_FLAG])
+ AC_REQUIRE([AX_APPEND_COMPILE_FLAGS])
+ AC_LANG_PUSH([C])
+- CFLAGS=
+- LIBS=
+- AX_APPEND_COMPILE_FLAGS([-g -O1 -Wall])
+- AX_APPEND_COMPILE_FLAGS([-fno-strict-aliasing])
+- AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2 -fstack-protector-all])
+- AX_APPEND_COMPILE_FLAGS([-fwrapv -fPIE -Wstack-protector])
+- AX_APPEND_COMPILE_FLAGS([--param=ssp-buffer-size=1])
+- AX_CHECK_LINK_FLAG([-z relro -z now])
+- AX_CHECK_LINK_FLAG([-pie])
++ AS_IF([test "x$enable_hardened_checks" != xno], [
++ CFLAGS=
++ LIBS=
++ AX_APPEND_COMPILE_FLAGS([-g -O1])
++ ], [
++ AC_MSG_WARN([using hardened flags is HIGHLY RECOMMENDED and disabling them is a BAD IDEA])
++ ])
++ AX_APPEND_COMPILE_FLAGS([-Wall -fno-strict-aliasing])
++ AS_IF([test "x$enable_hardened_checks" != xno], [
++ AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2 -fstack-protector-all])
++ AX_APPEND_COMPILE_FLAGS([-fwrapv -fPIE -Wstack-protector])
++ AX_APPEND_COMPILE_FLAGS([--param=ssp-buffer-size=1])
++ AX_CHECK_LINK_FLAG([-z relro -z now])
++ AX_CHECK_LINK_FLAG([-pie])
++ ])
+ AC_LANG_POP
+ ])
+ LOCAL_CHECK_FLAGS
+--
+1.8.0
+
diff --git a/net-misc/tlsdate/files/tlsdate-0.0.4-configure-user-group.patch b/net-misc/tlsdate/files/tlsdate-0.0.4-configure-user-group.patch
new file mode 100644
index 000000000000..8cd2472cf44e
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdate-0.0.4-configure-user-group.patch
@@ -0,0 +1,66 @@
+From e6edd1f581b59dffbc1e21d2221af049a5f0b38a Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Wed, 19 Dec 2012 15:48:22 -0500
+Subject: [PATCH] add configure flags for setting droppriv user/group
+
+In order to override the default user/group, you have to append your
+CPPFLAGS before compiling. Since you also have to pass along double
+quotes, it can get ugly/messy fast in shell (due to the escaping).
+Plus, the existing code always defines UNPRIV_USER to "nobody" which
+leads to compile time warnings.
+
+Add dedicated configure flags to make the interface simple for people
+to control.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ configure.ac | 20 ++++++++++++++++++++
+ src/tlsdate.h | 1 -
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index f6efb0b..c95090e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -57,6 +57,26 @@ AC_CHECK_HEADERS([unistd.h], ,[AC_MSG_ERROR([Required headers missing; compilati
+ AC_CHECK_FUNCS([setresuid])
+ AC_CHECK_FUNCS([gettimeofday])
+
++AC_MSG_CHECKING([user/group to drop privs to])
++
++AC_ARG_WITH([unpriv-user],
++ [AS_HELP_STRING([--with-unpriv-user=<user>],
++ [User to drop privs to @<:@default: nobody@:>@])])
++AS_CASE([$with_unpriv_user],
++ [""|yes|no], [UNPRIV_USER="nobody"],
++ [*], [UNPRIV_USER=$with_unpriv_user])
++AC_DEFINE_UNQUOTED([UNPRIV_USER], ["${UNPRIV_USER}"], [Unprivileged user])
++
++AC_ARG_WITH([unpriv-group],
++ [AS_HELP_STRING([--with-unpriv-group=<group>],
++ [Group to drop privs to @<:@default: nogroup@:>@])])
++AS_CASE([$with_unpriv_group],
++ [""|yes|no], [UNPRIV_GROUP="nogroup"],
++ [*], [UNPRIV_GROUP=$with_unpriv_group])
++AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
++
++AC_MSG_RESULT(${UNPRIV_USER}:${UNPRIV_GROUP})
++
+ # Check for -lrt
+ AC_CHECK_LIB([rt], [clock_gettime], [
+ RT_LIB="-lrt"
+diff --git a/src/tlsdate.h b/src/tlsdate.h
+index 4db56c1..4c918cd 100644
+--- a/src/tlsdate.h
++++ b/src/tlsdate.h
+@@ -18,7 +18,6 @@
+ #include <time.h>
+ #include <unistd.h>
+
+-#define UNPRIV_USER "nobody"
+ #define DEFAULT_HOST "www.ptb.de"
+ #define DEFAULT_PORT "443"
+ #define DEFAULT_PROTOCOL "tlsv1"
+--
+1.8.0
+
diff --git a/net-misc/tlsdate/files/tlsdate.confd b/net-misc/tlsdate/files/tlsdate.confd
new file mode 100644
index 000000000000..2d7ed030de33
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdate.confd
@@ -0,0 +1,8 @@
+# config file for /etc/init.d/tlsdate
+
+# Command to execute to set the time.
+# This are some common tlsdate options:
+# -l: leap (set time regardless of difference)
+# -H: hostname to sync with
+# -x: proxy URL
+TLSDATE_OPTS="-l -H www.google.com"
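Review bot: The shipped default `TLSDATE_OPTS="-l -H www.google.com"` enables `-l`, which the comment two lines up describes as setting the time regardless of the difference, so a single wrong or spoofed remote time is applied with no plausibility bound on the step; that trade-off deserves a word in the config, e.g. `# -l bypasses the max-delta sanity check; consider dropping it once the clock is known to be roughly right`. Whether tlsdate bounds the delta without `-l` is not visible here, so the wording should follow the man page. Minor: `# This are some common tlsdate options:` should read `# These are some common tlsdate options:`.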
diff --git a/net-misc/tlsdate/files/tlsdate.rc b/net-misc/tlsdate/files/tlsdate.rc
new file mode 100755
index 000000000000..95ee306745c6
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdate.rc
@@ -0,0 +1,17 @@
+#!/sbin/runscript
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+description="set time once when started"
+
+depend() {
+ use net
+}
+
+start() {
+ : ${TLSDATE_CMD:=tlsdate}
+ ebegin "Setting clock via tlsdate '${TLSDATE_CMD}'"
+ "${TLSDATE_CMD}" ${TLSDATE_OPTS}
+ eend $? "Failed to set clock"
+}
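Review bot: `: ${TLSDATE_CMD:=tlsdate}` resolves the binary through the init-time `$PATH`, whereas the sibling tlsdated.confd hard-codes `/usr/bin/tlsdate`; the two defaults should agree, and an absolute path avoids running whatever `tlsdate` an unusual boot PATH finds first, so `: ${TLSDATE_CMD:=/usr/bin/tlsdate}` would be the consistent choice. `use net` only orders this one-shot after `net` when both are in the runlevel and does not make the sync wait for connectivity, so a failed first attempt is simply reported by `eend`; a comment such as `# one-shot: no retry, a failed sync is only logged` would set expectations for the reader.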
diff --git a/net-misc/tlsdate/files/tlsdated.confd b/net-misc/tlsdate/files/tlsdated.confd
new file mode 100644
index 000000000000..d257289cc58d
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdated.confd
@@ -0,0 +1,15 @@
+# config file for /etc/init.d/tlsdated
+
+# Command to execute to set the time.
+# This are some common tlsdate options:
+# -l: leap (set time regardless of difference)
+# -H: hostname to sync with
+# -x: proxy URL
+TLSDATED_CMD="/usr/bin/tlsdate -l -H www.google.com"
+
+# Additional options; see `man tlsdated` for reference.
+TLSDATED_OPTS=""
+
+# Cache dir. Probably don't need to change this.
+# It matches the compiled-in default.
+TLSDATED_CACHE_DIR="/var/cache/tlsdated"
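Review bot: The comment on `TLSDATED_CACHE_DIR` says it "matches the compiled-in default", but the variable is only used by the init script (to create and chown the directory) and nothing here passes it to tlsdated, so changing it would leave the daemon writing to the compiled-in path while the init script prepares a different, unused directory. The comment should state that, e.g. `# Only controls the directory the init script creates; if you change it, also pass the matching cache-dir option to tlsdated via TLSDATED_OPTS.` (the exact flag name should be taken from `man tlsdated`, it is not visible here). The heading `# Command to execute to set the time.` and the `This are` typo are copied from tlsdate.confd; `These are` reads correctly.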
diff --git a/net-misc/tlsdate/files/tlsdated.rc b/net-misc/tlsdate/files/tlsdated.rc
new file mode 100755
index 000000000000..cc56fbaa03ca
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdated.rc
@@ -0,0 +1,19 @@
+#!/sbin/runscript
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+description="start a daemon to continuously set time via a helper"
+
+command="tlsdated"
+command_args="${TLSDATED_OPTS} -- ${TLSDATED_CMD}"
+command_background="true"
+pidfile="/var/run/${SVCNAME}.pid"
+
+depend() {
+ use net
+}
+
+start_pre() {
+ checkpath -d -m 0700 -o tlsdate:tlsdate "${TLSDATED_CACHE_DIR}"
+}
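Review bot: `start_pre` runs `checkpath -d -m 0700 -o tlsdate:tlsdate "${TLSDATED_CACHE_DIR}"` with no fallback, so if a user trims that line from the confd the script calls checkpath on an empty path; tlsdate.rc already uses the `: ${VAR:=default}` pattern, and `: ${TLSDATED_CACHE_DIR:=/var/cache/tlsdated}` at the top of `start_pre` would keep the two scripts consistent and the daemon startable. The 0700 `tlsdate:tlsdate` ownership is the right direction, but the configure patch in this same commit compiles in `nobody:nogroup` as the default unprivileged identity; if the ebuild does not pass `--with-unpriv-user=tlsdate --with-unpriv-group=tlsdate`, whichever process writes the cache after dropping privileges would be locked out of this directory — worth confirming against the ebuild.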