
From: Matthew Thode <prometheanfire@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-firewall/nftables/, net-firewall/nftables/files/libexec/
Date: Sat, 07 Sep 2019 21:24:22
Message-Id: 1567891451.73598a5e25d6583dde4f08a34df5073817c5a391.prometheanfire@gentoo
1 commit: 73598a5e25d6583dde4f08a34df5073817c5a391
2 Author: Francisco Blas (klondike) Izquierdo Riera <klondike <AT> gentoo <DOT> org>
3 AuthorDate: Sat Sep 7 20:38:38 2019 +0000
4 Commit: Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
5 CommitDate: Sat Sep 7 21:24:11 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73598a5e
7
8 net-firewall/nftables: Fix permissions for rules.save
9
10 Due to a bug, the rules-save file was created with the wrong
11 permissions, which allowed any local user to read the saved
12 system rules, although root privileges are normally required
13 to do so.
14
15 To fix this issue, the following measures have been taken:
16 * The umask on nftables-mk.sh is now correctly set to 177
17 * nftables.sh now also sets the umask before saving the rules
18 * The ebuilds will warn on post installation if the rules.save
19 has insecure permissions
20 * The ebuilds have been bumped to ensure these changes are
21 applied
22
23 Bug: https://bugs.gentoo.org/691326
24 Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike <AT> gentoo.org>
25 Package-Manager: Portage-2.3.69, Repoman-2.3.11
26 Signed-off-by: Matthew Thode <prometheanfire <AT> gentoo.org>
27
28 net-firewall/nftables/files/libexec/nftables-mk.sh | 2 +-
29 net-firewall/nftables/files/libexec/nftables.sh | 1 +
30 ...ables-0.9.2.ebuild => nftables-0.9.0-r5.ebuild} | 87 +++++++---------------
31 ...ables-0.9.1.ebuild => nftables-0.9.1-r1.ebuild} | 10 ++-
32 ...ables-0.9.2.ebuild => nftables-0.9.2-r1.ebuild} | 10 ++-
33 5 files changed, 44 insertions(+), 66 deletions(-)
34
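diff --git a/net-firewall/nftables/files/libexec/nftables-mk.sh b/net-firewall/nftables/files/libexec/nftables-mk.sh
index b3d7db60d7f..27defe3c1c3 100644
--- a/net-firewall/nftables/files/libexec/nftables-mk.sh
+++ b/net-firewall/nftables/files/libexec/nftables-mk.sh
@@ -24,7 +24,7 @@ main() {
 ;;
 "store")
 local tmp_save="${NFTABLES_SAVE}.tmp"
- umask 600;
+ umask 177
 (
 printf '#!/sbin/nft -f\nflush ruleset\n'
 nft ${SAVE_OPTIONS} list ruleset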
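Review bot: `umask 177` only governs the mode of files the subshell's redirect creates; if `${NFTABLES_SAVE}.tmp` already exists (for example left behind by a run interrupted under the old `umask 600`, which by octal arithmetic masked the owner bits and left new files at 0066, i.e. readable and writable by everyone), the redirect truncates it but keeps its old permission bits. Add `rm -f "${tmp_save}"` before the `(` or `chmod 600 "${tmp_save}"` after the subshell so the temp file's mode does not depend on what created it. The `main()` function, and whatever moves the temp file into place, lie outside the hunk.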
48
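diff --git a/net-firewall/nftables/files/libexec/nftables.sh b/net-firewall/nftables/files/libexec/nftables.sh
index cc55f856600..557b454a911 100755
--- a/net-firewall/nftables/files/libexec/nftables.sh
+++ b/net-firewall/nftables/files/libexec/nftables.sh
@@ -25,6 +25,7 @@ main() {
 retval=$?
 ;;
 "store")
+ umask 177
 local tmp_save="${NFTABLES_SAVE}.tmp"
 if ! use_legacy; then
 nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}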
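Review bot: The redirect on the last line of the hunk writes to `${tmp_save}` unquoted and relies on the new `umask 177` for the file's mode, but a umask only applies when the redirect creates the file; a temp file that already exists keeps whatever mode it had. Quote the path and force the mode explicitly, e.g. `rm -f "${tmp_save}"` right after the `local tmp_save=...` line, or `chmod 600 "${tmp_save}"` once the ruleset has been written. The `use_legacy` alternative and the rest of the `store` branch continue past the end of the hunk.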
61
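diff --git a/net-firewall/nftables/nftables-0.9.2.ebuild b/net-firewall/nftables/nftables-0.9.0-r5.ebuild
similarity index 54%
copy from net-firewall/nftables/nftables-0.9.2.ebuild
copy to net-firewall/nftables/nftables-0.9.0-r5.ebuild
index 112b5f0b9af..d98c11e37e4 100644
--- a/net-firewall/nftables/nftables-0.9.2.ebuild
+++ b/net-firewall/nftables/nftables-0.9.0-r5.ebuild
@@ -1,54 +1,33 @@
 # Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=6
 
-PYTHON_COMPAT=( python3_{5,6,7} )
-
-inherit autotools linux-info python-r1 systemd
+inherit autotools linux-info systemd
 
 DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/"
-#SRC_URI="https://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz"
-SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2"
+SRC_URI="https://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz"
 
 LICENSE="GPL-2"
 SLOT="0"
-KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~sparc ~x86"
-IUSE="debug +doc +gmp json +modern_kernel python +readline static-libs xtables"
+KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~x86"
+IUSE="debug doc +gmp json +modern_kernel +readline"
 
-RDEPEND="
- >=net-libs/libmnl-1.0.3:0=
+RDEPEND=">=net-libs/libmnl-1.0.3:0=
 gmp? ( dev-libs/gmp:0= )
 json? ( dev-libs/jansson )
- python? ( ${PYTHON_DEPS} )
 readline? ( sys-libs/readline:0= )
- >=net-libs/libnftnl-1.1.4:0=
- xtables? ( >=net-firewall/iptables-1.6.1 )
-"
-
-DEPEND="${RDEPEND}"
+ >=net-libs/libnftnl-1.1.1:0="
 
-BDEPEND="
- doc? ( app-text/asciidoc )
+DEPEND="${RDEPEND}
 >=app-text/docbook2X-0.8.8-r4
+ doc? ( >=app-text/dblatex-0.3.7 )
 sys-devel/bison
 sys-devel/flex
- virtual/pkgconfig
-"
+ virtual/pkgconfig"
 
-REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
-
-#S="${WORKDIR}/v${PV}"
-
-python_make() {
- emake \
- -C py \
- abs_builddir="${S}" \
- DESTDIR="${D}" \
- PYTHON_BIN="${PYTHON}" \
- ${@}
-}
+S="${WORKDIR}/v${PV}"
 
 pkg_setup() {
 if kernel_is ge 3 13; then
@@ -64,44 +43,26 @@ pkg_setup() {
 
 src_prepare() {
 default
-
- # fix installation path for doc stuff
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}@' \
- -i files/nftables/Makefile.am || die
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/osf@' \
- -i files/osf/Makefile.am || die
-
 eautoreconf
 }
 
 src_configure() {
 local myeconfargs=(
- # We handle python separately
- --disable-python
 --sbindir="${EPREFIX}"/sbin
 $(use_enable debug)
- $(use_enable doc man-doc)
+ $(use_enable doc pdf-doc)
 $(use_with !gmp mini_gmp)
 $(use_with json)
 $(use_with readline cli)
- $(use_enable static-libs static)
- $(use_with xtables)
 )
 econf "${myeconfargs[@]}"
 }
 
-src_compile() {
- default
-
- if use python ; then
- python_foreach_impl python_make
- fi
-}
-
 src_install() {
 default
 
- local mksuffix="$(usex modern_kernel '-mk' '')"
+ local mksuffix=""
+ use modern_kernel && mksuffix="-mk"
 
 exeinto /usr/libexec/${PN}
 newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh
@@ -111,21 +72,25 @@ src_install() {
 
 systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
 
- if use python ; then
- python_foreach_impl python_make install
- fi
-
- find "${ED}" -type f -name "*.la" -delete || die
+ docinto /usr/share/doc/${PF}/skels
+ dodoc "${D}"/etc/nftables/*
+ rm -R "${D}"/etc/nftables
 }
 
 pkg_postinst() {
 local save_file
- save_file="${EROOT}/var/lib/nftables/rules-save"
+ save_file="${EROOT%/}/var/lib/nftables/rules-save"
 
 # In order for the nftables-restore systemd service to start
 # the save_file must exist.
- if [[ ! -f ${save_file} ]]; then
- touch ${save_file}
+ if [[ ! -f "${save_file}" ]]; then
+ touch "${save_file}"
+ elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+ ewarn "Your system has dangerous permissions for ${save_file}"
+ ewarn "It is probably affected by bug #691326."
+ ewarn "You may need to fix the permissions of the file. To do so,"
+ ewarn "you can run the command in the line below as root."
+ ewarn " 'chmod 600 \"${save_file}\"'"
 fi
 
 elog "If you wish to enable the firewall rules on boot (on systemd) you"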
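Review bot: When the save file is missing, `touch "${save_file}"` in the `pkg_postinst` hunk creates it under the merge's default umask, which presumably yields a world-readable 0644 — the very mode the `elif` branch a few lines below would report as dangerous on the next merge. Create it with the intended mode instead, e.g. `( umask 177; touch "${save_file}" )` or `touch "${save_file}" && chmod 600 "${save_file}"`. The `stat`/`07177` check itself looks right (the `%05a` leading zero is what makes bash parse the mode as octal), though it also fires on an owner execute bit, which the suggested `chmod 600` clears as well. In the same hunk `rm -R "${D}"/etc/nftables` is unchecked; `rm -R "${D}"/etc/nftables || die` keeps a failed removal from going unnoticed. `pkg_postinst` continues past the end of the hunk.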
217
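diff --git a/net-firewall/nftables/nftables-0.9.1.ebuild b/net-firewall/nftables/nftables-0.9.1-r1.ebuild
similarity index 88%
rename from net-firewall/nftables/nftables-0.9.1.ebuild
rename to net-firewall/nftables/nftables-0.9.1-r1.ebuild
index db6f707d58c..5752d73a1b9 100644
--- a/net-firewall/nftables/nftables-0.9.1.ebuild
+++ b/net-firewall/nftables/nftables-0.9.1-r1.ebuild
@@ -129,8 +129,14 @@ pkg_postinst() {
 
 # In order for the nftables-restore systemd service to start
 # the save_file must exist.
- if [[ ! -f ${save_file} ]]; then
- touch ${save_file}
+ if [[ ! -f "${save_file}" ]]; then
+ touch "${save_file}"
+ elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+ ewarn "Your system has dangerous permissions for ${save_file}"
+ ewarn "It is probably affected by bug #691326."
+ ewarn "You may need to fix the permissions of the file. To do so,"
+ ewarn "you can run the command in the line below as root."
+ ewarn " 'chmod 600 \"${save_file}\"'"
 fi
 
 elog "If you wish to enable the firewall rules on boot (on systemd) you"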
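Review bot: The new `elif` only inspects a save file that already exists; the `touch "${save_file}"` on the branch above it still creates a fresh one under whatever umask the merge runs with, so a first install likely ends up with 0644 and would itself trip the "dangerous permissions" warning on the next reinstall. Replace that line with `( umask 177; touch "${save_file}" )`, or follow it with `chmod 600 "${save_file}"`, so the file is born with the mode the warning demands. `save_file` is assigned above the hunk and `pkg_postinst` continues below it.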
242
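diff --git a/net-firewall/nftables/nftables-0.9.2.ebuild b/net-firewall/nftables/nftables-0.9.2-r1.ebuild
similarity index 88%
rename from net-firewall/nftables/nftables-0.9.2.ebuild
rename to net-firewall/nftables/nftables-0.9.2-r1.ebuild
index 112b5f0b9af..d3579794781 100644
--- a/net-firewall/nftables/nftables-0.9.2.ebuild
+++ b/net-firewall/nftables/nftables-0.9.2-r1.ebuild
@@ -124,8 +124,14 @@ pkg_postinst() {
 
 # In order for the nftables-restore systemd service to start
 # the save_file must exist.
- if [[ ! -f ${save_file} ]]; then
- touch ${save_file}
+ if [[ ! -f "${save_file}" ]]; then
+ touch "${save_file}"
+ elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+ ewarn "Your system has dangerous permissions for ${save_file}"
+ ewarn "It is probably affected by bug #691326."
+ ewarn "You may need to fix the permissions of the file. To do so,"
+ ewarn "you can run the command in the line below as root."
+ ewarn " 'chmod 600 \"${save_file}\"'"
 fi
 
 elog "If you wish to enable the firewall rules on boot (on systemd) you"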
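Review bot: The permission check is undocumented and its correctness hinges on a subtle detail: `stat --printf '%05a'` pads with a leading zero precisely so that bash's `$(( ... ))` parses the value as octal before masking with `07177`; a comment such as `# %05a keeps the leading 0 so the mode is read as octal; 07177 = special bits + owner x + group/other` would save the next maintainer from "fixing" it to `%a`. The `touch "${save_file}"` branch above still creates the file with the merge's default umask rather than 0600, so consider `touch "${save_file}" && chmod 600 "${save_file}"` there to match the advice the `ewarn` gives. `pkg_postinst` begins before and continues after this hunk.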