Diffstat (limited to 'net-misc/tlsdate/files')
-rw-r--r-- | net-misc/tlsdate/files/tlsdate-0.0.4-compiler-flags.patch | 72 | ||||
-rw-r--r-- | net-misc/tlsdate/files/tlsdate-0.0.4-configure-user-group.patch | 66 | ||||
-rw-r--r-- | net-misc/tlsdate/files/tlsdate.confd | 8 | ||||
-rwxr-xr-x | net-misc/tlsdate/files/tlsdate.rc | 17 | ||||
-rw-r--r-- | net-misc/tlsdate/files/tlsdated.confd | 15 | ||||
-rwxr-xr-x | net-misc/tlsdate/files/tlsdated.rc | 19 |
6 files changed, 197 insertions, 0 deletions
diff --git a/net-misc/tlsdate/files/tlsdate-0.0.4-compiler-flags.patch b/net-misc/tlsdate/files/tlsdate-0.0.4-compiler-flags.patch
new file mode 100644
index 000000000000..dbccaabe597f
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdate-0.0.4-compiler-flags.patch
@@ -0,0 +1,72 @@
+fix in upstream now
+
+From 8b94e111e58fc5d8a2cf47effaaf410a6e4eca46 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Tue, 18 Dec 2012 15:38:51 -0500
+Subject: [PATCH] make hardened compiler flags optional
+
+First note: the default behavior is unchanged.
+
+For people building tlsdate themselves with a known toolchain env, the
+checked flags can be redundant, or even harmful. A compile/link check
+for PIE behavior for example might not catch the full supported status
+for some architectures/C libraries.
+
+Further, the current code starts by throwing away the user's compiler
+settings which can also be harmful. Those often times include settings
+related to ABI or target cpu selection and ignoring them can produce an
+unusable binary.
+
+So add a flag that people (including distros) can leverage to bypass
+all of the checks.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ configure.ac | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 555ae28..f6efb0b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -67,19 +67,28 @@ AC_SUBST(RT_LIB)
+
+ # Debug and hardening flags all in one shot
+ # Alwas do this at the end, otherwise you end up filtering system/other libraries
++AC_ARG_ENABLE([hardened-checks],
++ [AS_HELP_STRING([--disable-hardened-checks],
++ [Disable automatically enabling hardened toolchain options])])
+ AC_DEFUN([LOCAL_CHECK_FLAGS],[
+ AC_REQUIRE([AX_CHECK_LINK_FLAG])
+ AC_REQUIRE([AX_APPEND_COMPILE_FLAGS])
+ AC_LANG_PUSH([C])
+- CFLAGS=
+- LIBS=
+- AX_APPEND_COMPILE_FLAGS([-g -O1 -Wall])
+- AX_APPEND_COMPILE_FLAGS([-fno-strict-aliasing])
+- AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2 -fstack-protector-all])
+- AX_APPEND_COMPILE_FLAGS([-fwrapv -fPIE -Wstack-protector])
+- AX_APPEND_COMPILE_FLAGS([--param=ssp-buffer-size=1])
+- AX_CHECK_LINK_FLAG([-z relro -z now])
+- AX_CHECK_LINK_FLAG([-pie])
++ AS_IF([test "x$enable_hardened_checks" != xno], [
++ CFLAGS=
++ LIBS=
++ AX_APPEND_COMPILE_FLAGS([-g -O1])
++ ], [
++ AC_MSG_WARN([using hardened flags is HIGHLY RECOMMENDED and disabling them is a BAD IDEA])
++ ])
++ AX_APPEND_COMPILE_FLAGS([-Wall -fno-strict-aliasing])
++ AS_IF([test "x$enable_hardened_checks" != xno], [
++ AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2 -fstack-protector-all])
++ AX_APPEND_COMPILE_FLAGS([-fwrapv -fPIE -Wstack-protector])
++ AX_APPEND_COMPILE_FLAGS([--param=ssp-buffer-size=1])
++ AX_CHECK_LINK_FLAG([-z relro -z now])
++ AX_CHECK_LINK_FLAG([-pie])
++ ])
+ AC_LANG_POP
+ ])
+ LOCAL_CHECK_FLAGS
+--
+1.8.0
+
diff --git a/net-misc/tlsdate/files/tlsdate-0.0.4-configure-user-group.patch b/net-misc/tlsdate/files/tlsdate-0.0.4-configure-user-group.patch
new file mode 100644
index 000000000000..8cd2472cf44e
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdate-0.0.4-configure-user-group.patch
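Review bot: With hardened checks left at their default, the first new `AS_IF` branch still executes `CFLAGS=` and `LIBS=`, so the user's ABI and target-CPU flags that the commit message calls harmful to discard are still discarded unless hardening is switched off entirely; a builder that wants both its own flags and the hardening flags has no way to ask for that. Dropping the two clearing lines and letting `AX_APPEND_COMPILE_FLAGS` append to the existing `CFLAGS` would decouple the two concerns. Since the file carries an upstream commit ("fix in upstream now"), that is better raised upstream than kept as a local deviation. Note also that with `--disable-hardened-checks` PIE, RELRO and stack-protector come solely from the toolchain, so whatever passes that option (the ebuild, not visible here) is taking on the responsibility of providing them.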
@@ -0,0 +1,66 @@
+From e6edd1f581b59dffbc1e21d2221af049a5f0b38a Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Wed, 19 Dec 2012 15:48:22 -0500
+Subject: [PATCH] add configure flags for setting droppriv user/group
+
+In order to override the default user/group, you have to append your
+CPPFLAGS before compiling. Since you also have to pass along double
+quotes, it can get ugly/messy fast in shell (due to the escaping).
+Plus, the existing code always defines UNPRIV_USER to "nobody" which
+leads to compile time warnings.
+
+Add dedicated configure flags to make the interface simple for people
+to control.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ configure.ac | 20 ++++++++++++++++++++
+ src/tlsdate.h | 1 -
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index f6efb0b..c95090e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -57,6 +57,26 @@ AC_CHECK_HEADERS([unistd.h], ,[AC_MSG_ERROR([Required headers missing; compilati
+ AC_CHECK_FUNCS([setresuid])
+ AC_CHECK_FUNCS([gettimeofday])
+
++AC_MSG_CHECKING([user/group to drop privs to])
++
++AC_ARG_WITH([unpriv-user],
++ [AS_HELP_STRING([--with-unpriv-user=<user>],
++ [User to drop privs to @<:@default: nobody@:>@])])
++AS_CASE([$with_unpriv_user],
++ [""|yes|no], [UNPRIV_USER="nobody"],
++ [*], [UNPRIV_USER=$with_unpriv_user])
++AC_DEFINE_UNQUOTED([UNPRIV_USER], ["${UNPRIV_USER}"], [Unprivileged user])
++
++AC_ARG_WITH([unpriv-group],
++ [AS_HELP_STRING([--with-unpriv-group=<group>],
++ [Group to drop privs to @<:@default: nogroup@:>@])])
++AS_CASE([$with_unpriv_group],
++ [""|yes|no], [UNPRIV_GROUP="nogroup"],
++ [*], [UNPRIV_GROUP=$with_unpriv_group])
++AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
++
++AC_MSG_RESULT(${UNPRIV_USER}:${UNPRIV_GROUP})
++
+ # Check for -lrt
+ AC_CHECK_LIB([rt], [clock_gettime], [
+ RT_LIB="-lrt"
+diff --git a/src/tlsdate.h b/src/tlsdate.h
+index 4db56c1..4c918cd 100644
+--- a/src/tlsdate.h
++++ b/src/tlsdate.h
+@@ -18,7 +18,6 @@
+ #include <time.h>
+ #include <unistd.h>
+
+-#define UNPRIV_USER "nobody"
+ #define DEFAULT_HOST "www.ptb.de"
+ #define DEFAULT_PORT "443"
+ #define DEFAULT_PROTOCOL "tlsv1"
+--
+1.8.0
+
diff --git a/net-misc/tlsdate/files/tlsdate.confd b/net-misc/tlsdate/files/tlsdate.confd
new file mode 100644
index 000000000000..2d7ed030de33
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdate.confd
@@ -0,0 +1,8 @@
+# config file for /etc/init.d/tlsdate
+
+# Command to execute to set the time.
+# This are some common tlsdate options:
+# -l: leap (set time regardless of difference)
+# -H: hostname to sync with
+# -x: proxy URL
+TLSDATE_OPTS="-l -H www.google.com"
diff --git a/net-misc/tlsdate/files/tlsdate.rc b/net-misc/tlsdate/files/tlsdate.rc
new file mode 100755
index 000000000000..95ee306745c6
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdate.rc
@@ -0,0 +1,17 @@
+#!/sbin/runscript
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+description="set time once when started"
+
+depend() {
+ use net
+}
+
+start() {
+ : ${TLSDATE_CMD:=tlsdate}
+ ebegin "Setting clock via tlsdate '${TLSDATE_CMD}'"
+ "${TLSDATE_CMD}" ${TLSDATE_OPTS}
+ eend $? "Failed to set clock"
+}
diff --git a/net-misc/tlsdate/files/tlsdated.confd b/net-misc/tlsdate/files/tlsdated.confd
new file mode 100644
index 000000000000..d257289cc58d
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdated.confd
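Review bot: In the two new `AS_CASE` blocks, `--without-unpriv-user` and `--without-unpriv-group` (value `no`) silently map to the defaults instead of being rejected, and the chosen name is interpolated unvalidated into a C string literal through `AC_DEFINE_UNQUOTED`, so a value containing a double quote or backslash breaks at compile time rather than at configure time. A configure-time check on `$UNPRIV_USER` and `$UNPRIV_GROUP` that calls `AC_MSG_ERROR` for anything outside `[A-Za-z0-9._-]` would give the failure where it belongs. Also note that the new default group `nogroup` does not exist on every system; whether that matters depends on how the source resolves the group, which is outside this diff.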
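Review bot: In tlsdate.confd the comment `# Command to execute to set the time.` describes a command, but the variable under it is `TLSDATE_OPTS`, which tlsdate.rc passes as extra arguments to `${TLSDATE_CMD}`; it should read `# Options passed to tlsdate when setting the time.`. The `TLSDATE_CMD` override that tlsdate.rc honours (defaulting to `tlsdate`) is not mentioned in this file at all, so a commented `#TLSDATE_CMD="/usr/bin/tlsdate"` line would document it. `# This are some common tlsdate options:` should be `# These are some common tlsdate options:`; the same wording is in tlsdated.confd.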
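Review bot: `: ${TLSDATE_CMD:=tlsdate}` resolves the helper through `PATH`, while tlsdated.confd in the same commit refers to it as `/usr/bin/tlsdate`; the two should agree, e.g. `: ${TLSDATE_CMD:=/usr/bin/tlsdate}`. `${TLSDATE_OPTS}` on the next line is deliberately unquoted so it word-splits into several arguments, which deserves a comment such as `# TLSDATE_OPTS is word-split on purpose` so a later reader does not "fix" it by quoting.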
@@ -0,0 +1,15 @@
+# config file for /etc/init.d/tlsdated
+
+# Command to execute to set the time.
+# This are some common tlsdate options:
+# -l: leap (set time regardless of difference)
+# -H: hostname to sync with
+# -x: proxy URL
+TLSDATED_CMD="/usr/bin/tlsdate -l -H www.google.com"
+
+# Additional options; see `man tlsdated` for reference.
+TLSDATED_OPTS=""
+
+# Cache dir. Probably don't need to change this.
+# It matches the compiled-in default.
+TLSDATED_CACHE_DIR="/var/cache/tlsdated"
diff --git a/net-misc/tlsdate/files/tlsdated.rc b/net-misc/tlsdate/files/tlsdated.rc
new file mode 100755
index 000000000000..cc56fbaa03ca
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdated.rc
@@ -0,0 +1,19 @@
+#!/sbin/runscript
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+description="start a daemon to continuously set time via a helper"
+
+command="tlsdated"
+command_args="${TLSDATED_OPTS} -- ${TLSDATED_CMD}"
+command_background="true"
+pidfile="/var/run/${SVCNAME}.pid"
+
+depend() {
+ use net
+}
+
+start_pre() {
+ checkpath -d -m 0700 -o tlsdate:tlsdate "${TLSDATED_CACHE_DIR}"
+} |
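Review bot: `TLSDATED_CACHE_DIR` is consumed only by the `checkpath` call in tlsdated.rc and is never passed to the daemon, so editing it here changes which directory the init script creates but not the one tlsdated actually writes to; the comment `# It matches the compiled-in default.` understates that it must match. Either pass the value through whatever cache-directory option tlsdated accepts (check `man tlsdated`; the daemon's options are not visible in this diff) or reword the comment to `# Must match the cache directory compiled into tlsdated; changing it here only changes the directory the init script creates.`.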
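Review bot: `checkpath -d -m 0700 -o tlsdate:tlsdate` creates the cache directory owned by a `tlsdate` user and group, while the bundled configure patch defaults the privilege-drop identity to `nobody:nogroup`; unless the ebuild (not part of this diff) creates that account and passes `--with-unpriv-user=tlsdate --with-unpriv-group=tlsdate`, a daemon that writes the cache after dropping privileges would be unable to use its own 0700 directory. A comment on the checkpath line, `# owner must match the --with-unpriv-user/group the ebuild configures`, would make that coupling visible. `command_args="${TLSDATED_OPTS} -- ${TLSDATED_CMD}"` also relies on both variables being word-split by start-stop-daemon, which is worth the same one-line comment as in tlsdate.rc.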