From 1cc9a7d0c5b62ab36e04c724f5fa6877fb09a88f Mon Sep 17 00:00:00 2001
From: Thomas Deutschmann
Date: Mon, 17 Feb 2020 19:38:11 +0100
Subject: net-misc/oidentd: security cleanup (#709454)

Bug: https://bugs.gentoo.org/709454
Package-Manager: Portage-2.3.89, Repoman-2.3.20
Signed-off-by: Thomas Deutschmann
---
 net-misc/oidentd/Manifest | 1 -
 net-misc/oidentd/files/oidentd-2.0.7-confd | 4 --
 .../files/oidentd-2.0.8-bind-to-ipv6-too.patch | 17 ------
 net-misc/oidentd/files/oidentd-2.0.8-gcc5.patch | 25 ---------
 .../files/oidentd-2.0.8-log-conntrack-fails.patch | 52 ------------------
 .../oidentd/files/oidentd-2.0.8-masquerading.patch | 43 ---------------
 .../oidentd-2.0.8-no-conntrack-masquerading.patch | 41 --------------
 net-misc/oidentd/files/oidentd.conf | 22 --------
 net-misc/oidentd/files/oidentd.service | 9 ----
 net-misc/oidentd/files/oidentd.socket | 10 ----
 net-misc/oidentd/files/oidentd_at.service | 7 ---
 net-misc/oidentd/files/oidentd_masq.conf | 10 ----
 net-misc/oidentd/oidentd-2.0.8-r6.ebuild | 63 ----------------------
 13 files changed, 304 deletions(-)
 delete mode 100644 net-misc/oidentd/files/oidentd-2.0.7-confd
 delete mode 100644 net-misc/oidentd/files/oidentd-2.0.8-bind-to-ipv6-too.patch
 delete mode 100644 net-misc/oidentd/files/oidentd-2.0.8-gcc5.patch
 delete mode 100644 net-misc/oidentd/files/oidentd-2.0.8-log-conntrack-fails.patch
 delete mode 100644 net-misc/oidentd/files/oidentd-2.0.8-masquerading.patch
 delete mode 100644 net-misc/oidentd/files/oidentd-2.0.8-no-conntrack-masquerading.patch
 delete mode 100644 net-misc/oidentd/files/oidentd.conf
 delete mode 100644 net-misc/oidentd/files/oidentd.service
 delete mode 100644 net-misc/oidentd/files/oidentd.socket
 delete mode 100644 net-misc/oidentd/files/oidentd_at.service
 delete mode 100644 net-misc/oidentd/files/oidentd_masq.conf
 delete mode 100644 net-misc/oidentd/oidentd-2.0.8-r6.ebuild

diff --git a/net-misc/oidentd/Manifest b/net-misc/oidentd/Manifest
index 4639109ca442..6d1c2163397c 100644
--- a/net-misc/oidentd/Manifest
+++ b/net-misc/oidentd/Manifest
@@ -1,2 +1 @@
-DIST oidentd-2.0.8.tar.gz 212354 BLAKE2B 46f4c4478822e832885f5f38a2ab5b2132ff5c1e5071fd1dc6050e55992d50bd96be096064996853af69d16316e6aff648c5320714b53b60c038cc9aaedfedda SHA512 86229a4ef9892121c25a7140616e180f862ca34b73ea3ad9f0fbb008f657abb17e9f14c2c25ae14c14bfc14bf1ea10b50fd68318631a9c52227bbfd6e6d43288
 DIST oidentd-2.4.0.tar.xz 188280 BLAKE2B e7a6cdcc78ae61b103b81335d6a4802bbc301adad256dbe9461245e7a2839e1f4786cf3bf7206df2f8fc6414351c4bb8f92c87d16d69f678e0793b9a760ee966 SHA512 3dc6f8ba1c374c21bbc721516f83c5b825d5bc75dbda390d5e5e0e72ceac31495380a6025c626edcec4f8685a009f5be9571606c50e28fc28dc9f73a20f1b2d0
diff --git a/net-misc/oidentd/files/oidentd-2.0.7-confd b/net-misc/oidentd/files/oidentd-2.0.7-confd
deleted file mode 100644
index 3116889e67e2..000000000000
--- a/net-misc/oidentd/files/oidentd-2.0.7-confd
+++ /dev/null
@@ -1,4 +0,0 @@
-# oidentd start-up options
-USER="nobody"
-GROUP="nobody"
-OPTIONS=""
diff --git a/net-misc/oidentd/files/oidentd-2.0.8-bind-to-ipv6-too.patch b/net-misc/oidentd/files/oidentd-2.0.8-bind-to-ipv6-too.patch
deleted file mode 100644
index 2652622cdd4f..000000000000
--- a/net-misc/oidentd/files/oidentd-2.0.8-bind-to-ipv6-too.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Patch to bind to ipv6 socket as well
-Patch supplied by Fabian Knittel
---- oidentd-2.0.8/src/oidentd_inet_util.c 2006-05-22 02:31:19.000000000 +0200
-+++ oidentd-2.0.8.new/src/oidentd_inet_util.c 2010-03-01 20:26:11.000000000 +0100
-@@ -60,6 +60,12 @@
- #ifdef WANT_IPV6
- case AF_INET6:
- SIN6(ai->ai_addr)->sin6_port = listen_port;
-+
-+ if (setsockopt(listenfd, IPPROTO_IPV6, IPV6_V6ONLY, &one,
-+ sizeof(one)) != 0) {
-+ debug("setsockopt IPV6_V6ONLY: %s", strerror(errno));
-+ return (-1);
-+ }
- break;
- #endif
-
diff --git a/net-misc/oidentd/files/oidentd-2.0.8-gcc5.patch b/net-misc/oidentd/files/oidentd-2.0.8-gcc5.patch
deleted file mode 100644
index a401a65d9bc6..000000000000
--- a/net-misc/oidentd/files/oidentd-2.0.8-gcc5.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Description: Fix a failure to build with gcc5.
-Bug: http://bugs.debian.org/778035
-
---- a/src/oidentd_util.c 2015-07-03 05:56:24.000000000 -0400
-+++ b/src/oidentd_util.c 2015-07-03 05:56:47.671378000 -0400
-@@ -75,7 +75,7 @@
- ** PRNG functions on systems whose libraries provide them.)
- */
-
--inline int randval(int i) {
-+extern __attribute__ ((gnu_inline)) int randval(int i) {
- /* Per _Numerical Recipes in C_: */
- return ((double) i * rand() / (RAND_MAX+1.0));
- }
---- a/src/oidentd_util.h 2015-07-03 05:56:32.000000000 -0400
-+++ b/src/oidentd_util.h 2015-07-03 05:56:53.835378000 -0400
-@@ -58,7 +58,7 @@
- int find_group(const char *temp_group, gid_t *gid);
-
- int random_seed(void);
--inline int randval(int i);
-+extern __attribute__ ((gnu_inline)) int randval(int i);
-
- #ifndef HAVE_SNPRINTF
- int snprintf(char *str, size_t n, char const *fmt, ...);
diff --git a/net-misc/oidentd/files/oidentd-2.0.8-log-conntrack-fails.patch b/net-misc/oidentd/files/oidentd-2.0.8-log-conntrack-fails.patch
deleted file mode 100644
index d29479ec0284..000000000000
--- a/net-misc/oidentd/files/oidentd-2.0.8-log-conntrack-fails.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 612f1d85dd59fc39b124392df38586769ebc8add Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
-Date: Fri, 11 Mar 2016 10:00:59 +0100
-Subject: [PATCH] Log Linux core_init failures as normal error
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Opening Linux conntracking table file failure for different reason than
-missing the file is fatal for deamon initizalization. But the failure
-was logged inly in debugging build.
-
-This patch makes the fatal error visible in normal log.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1316308
-Signed-off-by: Petr Písař
----
- src/kernel/linux.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/kernel/linux.c b/src/kernel/linux.c
-index 8bf265f..9103dbf 100644
---- a/src/kernel/linux.c
-+++ b/src/kernel/linux.c
-@@ -73,21 +73,21 @@ bool core_init(void) {
- masq_fp = fopen(MASQFILE, "r");
- if (masq_fp == NULL) {
- if (errno != ENOENT) {
-- debug("fopen: %s: %s", MASQFILE, strerror(errno));
-+ o_log(NORMAL, "fopen: %s: %s", MASQFILE, strerror(errno));
- return false;
- }
-
- masq_fp = fopen(CONNTRACK, "r");
- if (masq_fp == NULL) {
- if (errno != ENOENT) {
-- debug("fopen: %s: %s", CONNTRACK, strerror(errno));
-+ o_log(NORMAL, "fopen: %s: %s", CONNTRACK, strerror(errno));
- return false;
- }
-
- masq_fp = fopen(NFCONNTRACK, "r");
- if (masq_fp == NULL) {
- if (errno != ENOENT) {
-- debug("fopen: %s: %s", NFCONNTRACK, strerror(errno));
-+ o_log(NORMAL, "fopen: %s: %s", NFCONNTRACK, strerror(errno));
- return false;
- }
- masq_fp = fopen("/dev/null", "r");
---
-2.5.0
-
diff --git a/net-misc/oidentd/files/oidentd-2.0.8-masquerading.patch b/net-misc/oidentd/files/oidentd-2.0.8-masquerading.patch
deleted file mode 100644
index 191e9b95e64d..000000000000
--- a/net-misc/oidentd/files/oidentd-2.0.8-masquerading.patch
+++ /dev/null
@@ -1,43 +0,0 @@
---- oidentd.orig/src/kernel/linux.c 2006-05-22 06:58:53.000000000 +0300
-+++ oidentd-2.0.8/src/kernel/linux.c 2007-07-11 21:28:56.000000000 +0300
-@@ -48,6 +48,7 @@
- #define CFILE6 "/proc/net/tcp6"
- #define MASQFILE "/proc/net/ip_masquerade"
- #define CONNTRACK "/proc/net/ip_conntrack"
-+#define NFCONNTRACK "/proc/net/nf_conntrack"
-
- static int netlink_sock;
- extern struct sockaddr_storage proxy;
-@@ -82,7 +83,15 @@
- debug("fopen: %s: %s", CONNTRACK, strerror(errno));
- return false;
- }
-- masq_fp = fopen("/dev/null", "r");
-+
-+ masq_fp = fopen(NFCONNTRACK, "r");
-+ if (masq_fp == NULL) {
-+ if (errno != ENOENT) {
-+ debug("fopen: %s: %s", NFCONNTRACK, strerror(errno));
-+ return false;
-+ }
-+ masq_fp = fopen("/dev/null", "r");
-+ }
- }
-
- netfilter = true;
-@@ -367,6 +376,15 @@
- &nport_temp, &mport_temp);
- }
-
-+ if (ret != 21) {
-+ ret = sscanf(buf,
-+ "%*15s %*d %15s %*d %*d ESTABLISHED src=%d.%d.%d.%d dst=%d.%d.%d.%d sport=%d dport=%d packets=%*d bytes=%*d src=%d.%d.%d.%d dst=%d.%d.%d.%d sport=%d dport=%d",
-+ proto, &l1, &l2, &l3, &l4, &r1, &r2, &r3, &r4,
-+ &masq_lport_temp, &masq_fport_temp,
-+ &nl1, &nl2, &nl3, &nl4, &nr1, &nr2, &nr3, &nr4,
-+ &nport_temp, &mport_temp);
-+ }
-+
- if (ret != 21)
- continue;
-
diff --git a/net-misc/oidentd/files/oidentd-2.0.8-no-conntrack-masquerading.patch b/net-misc/oidentd/files/oidentd-2.0.8-no-conntrack-masquerading.patch
deleted file mode 100644
index 92ef02523160..000000000000
--- a/net-misc/oidentd/files/oidentd-2.0.8-no-conntrack-masquerading.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 20a63ad8a90c36397cceedd34887298890dbafa3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
-Date: Fri, 11 Mar 2016 10:38:10 +0100
-Subject: [PATCH] Linux: Do not open conntracking table if masquerading is not
- enabled
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The contracking table was always opened. This is unnecessary because
-the table is used only when masquerading feature is requested on run
-time.
-
-This patch skips opening the conntracking table on Linux if
-masquerading is not requested.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1316308
-Signed-off-by: Petr Písař
----
- src/kernel/linux.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/kernel/linux.c b/src/kernel/linux.c
-index 9103dbf..859f554 100644
---- a/src/kernel/linux.c
-+++ b/src/kernel/linux.c
-@@ -70,6 +70,11 @@ bool netfilter;
- */
- bool core_init(void) {
- #ifdef MASQ_SUPPORT
-+ if (!opt_enabled(MASQ)) {
-+ masq_fp = NULL;
-+ return true;
-+ }
-+
- masq_fp = fopen(MASQFILE, "r");
- if (masq_fp == NULL) {
- if (errno != ENOENT) {
---
-2.5.0
-
diff --git a/net-misc/oidentd/files/oidentd.conf b/net-misc/oidentd/files/oidentd.conf
deleted file mode 100644
index 03b28d827802..000000000000
--- a/net-misc/oidentd/files/oidentd.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Configuration for oidentd
-# see oidentd.conf(5)
-#
-default {
- default {
- deny spoof
- deny spoof_all
- deny spoof_privport
- allow random
- allow random_numeric
- allow numeric
- deny hide
- }
-}
-
-# you may want to hide root connections
-#user "root" {
-# default {
-# force reply "UNKNOWN"
-# }
-#}
-
diff --git a/net-misc/oidentd/files/oidentd.service b/net-misc/oidentd/files/oidentd.service
deleted file mode 100644
index bf159d855b8d..000000000000
--- a/net-misc/oidentd/files/oidentd.service
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=TCP/IP IDENT protocol server
-
-[Service]
-ExecStart=/usr/sbin/oidentd -i -S -u nobody -g nobody
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target
diff --git a/net-misc/oidentd/files/oidentd.socket b/net-misc/oidentd/files/oidentd.socket
deleted file mode 100644
index 63df7036e543..000000000000
--- a/net-misc/oidentd/files/oidentd.socket
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Ident (RFC 1413) socket
-Conflicts=oidentd.service
-
-[Socket]
-ListenStream=113
-Accept=yes
-
-[Install]
-WantedBy=sockets.target
diff --git a/net-misc/oidentd/files/oidentd_at.service b/net-misc/oidentd/files/oidentd_at.service
deleted file mode 100644
index ac03a94d6c8a..000000000000
--- a/net-misc/oidentd/files/oidentd_at.service
+++ /dev/null
@@ -1,7 +0,0 @@
-[Unit]
-Description=Ident (RFC 1413) per-connection server
-
-[Service]
-ExecStart=/usr/sbin/oidentd -I -S -u nobody -g nobody
-ExecReload=/bin/kill -HUP $MAINPID
-StandardInput=socket
diff --git a/net-misc/oidentd/files/oidentd_masq.conf b/net-misc/oidentd/files/oidentd_masq.conf
deleted file mode 100644
index 6811288ff4cf..000000000000
--- a/net-misc/oidentd/files/oidentd_masq.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# oident masquarded connections configuration
-
-# use this file if your host is masquarading connections for several
-# hosts and you want to return a reply based on the hostname of
-# the originating machine
-# add "-f" to OIDENT_OPTIONS in /etc/conf.d/oidentd if you want
-# to forward ident requests to the real host
-
-# add hosts in the following format, see oidentd_masq.conf(5) for details:
-# [/mask]
diff --git a/net-misc/oidentd/oidentd-2.0.8-r6.ebuild b/net-misc/oidentd/oidentd-2.0.8-r6.ebuild
deleted file mode 100644
index aa6c386da6e5..000000000000
--- a/net-misc/oidentd/oidentd-2.0.8-r6.ebuild
+++ /dev/null
@@ -1,63 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit linux-info systemd
-
-DESCRIPTION="Another (RFC1413 compliant) ident daemon"
-HOMEPAGE="https://oidentd.janikrabe.com/"
-SRC_URI="mirror://sourceforge/ojnk/${P}.tar.gz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh ~sparc x86"
-IUSE="debug ipv6 masquerade selinux"
-
-DEPEND=""
-
-RDEPEND="${DEPEND}
- selinux? ( sec-policy/selinux-oident )"
-
-DOCS=( AUTHORS ChangeLog README TODO NEWS "${FILESDIR}"/${PN}_masq.conf "${FILESDIR}"/${PN}.conf )
-
-PATCHES=(
- "${FILESDIR}/${P}-masquerading.patch"
- "${FILESDIR}/${P}-bind-to-ipv6-too.patch"
- "${FILESDIR}/${P}-gcc5.patch"
- "${FILESDIR}/${P}-log-conntrack-fails.patch"
- "${FILESDIR}/${P}-no-conntrack-masquerading.patch"
-)
-
-pkg_setup() {
- local CONFIG_CHECK="~INET_TCP_DIAG"
-
- if use kernel_linux; then
- linux-info_pkg_setup
- fi
-}
-
-src_configure() {
- econf \
- $(use_enable debug) \
- $(use_enable ipv6) \
- $(use_enable masquerade masq) \
- $(use_enable masquerade nat)
-}
-
-src_install() {
- default
-
- newinitd "${FILESDIR}"/${PN}-2.0.7-init ${PN}
- newconfd "${FILESDIR}"/${PN}-2.0.7-confd ${PN}
-
- systemd_newunit "${FILESDIR}"/${PN}_at.service ${PN}@.service
- systemd_dounit "${FILESDIR}"/${PN}.socket
- systemd_dounit "${FILESDIR}"/${PN}.service
-}
-
-pkg_postinst() {
- echo
- elog "Example configuration files are in /usr/share/doc/${PF}"
- echo
-}
--
cgit v1.2.3-65-gdbad