commit: 73598a5e25d6583dde4f08a34df5073817c5a391 |
Author: Francisco Blas (klondike) Izquierdo Riera <klondike <AT> gentoo <DOT> org> |
AuthorDate: Sat Sep 7 20:38:38 2019 +0000 |
Commit: Matthew Thode <prometheanfire <AT> gentoo <DOT> org> |
CommitDate: Sat Sep 7 21:24:11 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73598a5e |
|
net-firewall/nftables: Fix permissions for rules.save |
|
Due to a bug, the rules.save file was created with the wrong |
permissions which allowed all users to read the file with the |
system rules although root privileges are usually required to |
do so. |
|
To fix this issue, the following measures have been taken: |
* The umask on nftables-mk.sh is now correctly set to 177 |
* nftables.sh now also sets the umask before saving the rules |
* The ebuilds will warn on post installation if the rules.save |
has insecure permissions |
* The ebuilds have been bumped to ensure these changes are |
applied |
|
Bug: https://bugs.gentoo.org/691326 |
Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike <AT> gentoo.org> |
Package-Manager: Portage-2.3.69, Repoman-2.3.11 |
Signed-off-by: Matthew Thode <prometheanfire <AT> gentoo.org> |
|
net-firewall/nftables/files/libexec/nftables-mk.sh | 2 +- |
net-firewall/nftables/files/libexec/nftables.sh | 1 + |
...ables-0.9.2.ebuild => nftables-0.9.0-r5.ebuild} | 87 +++++++--------------- |
...ables-0.9.1.ebuild => nftables-0.9.1-r1.ebuild} | 10 ++- |
...ables-0.9.2.ebuild => nftables-0.9.2-r1.ebuild} | 10 ++- |
5 files changed, 44 insertions(+), 66 deletions(-) |
|
diff --git a/net-firewall/nftables/files/libexec/nftables-mk.sh b/net-firewall/nftables/files/libexec/nftables-mk.sh |
36 |
index b3d7db60d7f..27defe3c1c3 100644 |
37 |
--- a/net-firewall/nftables/files/libexec/nftables-mk.sh |
38 |
+++ b/net-firewall/nftables/files/libexec/nftables-mk.sh |
39 |
@@ -24,7 +24,7 @@ main() { |
40 |
;; |
41 |
"store") |
42 |
local tmp_save="${NFTABLES_SAVE}.tmp" |
43 |
- umask 600; |
44 |
+ umask 177 |
45 |
( |
46 |
printf '#!/sbin/nft -f\nflush ruleset\n' |
47 |
nft ${SAVE_OPTIONS} list ruleset |
48 |
|
49 |
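Review bot: `umask 177` only governs the mode of files created after it, so if `${tmp_save}` already exists (for example left behind by an interrupted earlier save) the write that fills it keeps whatever mode the file already has, and an existing wide-open `${NFTABLES_SAVE}` is only repaired if the save path replaces the file rather than truncating it — that part is outside the hunk. Removing any stale temporary first, `rm -f "${tmp_save}"`, or setting the mode explicitly once it exists, `chmod 600 "${tmp_save}"`, makes the result independent of the umask alone. Since 177 is easy to misread as a mode, a comment on the new line would help: `# umask, not a mode: clears everything except owner read/write, so the save file is created 0600`. The same consideration applies to the `umask 177` added in nftables.sh. main() starts before and continues after the hunk.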
diff --git a/net-firewall/nftables/files/libexec/nftables.sh b/net-firewall/nftables/files/libexec/nftables.sh |
50 |
index cc55f856600..557b454a911 100755 |
51 |
--- a/net-firewall/nftables/files/libexec/nftables.sh |
52 |
+++ b/net-firewall/nftables/files/libexec/nftables.sh |
53 |
@@ -25,6 +25,7 @@ main() { |
54 |
retval=$? |
55 |
;; |
56 |
"store") |
57 |
+ umask 177 |
58 |
local tmp_save="${NFTABLES_SAVE}.tmp" |
59 |
if ! use_legacy; then |
60 |
nft ${SAVE_OPTIONS} list ruleset > ${tmp_save} |
61 |
|
62 |
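Review bot: The new `umask 177` runs in main()'s own shell rather than in a subshell, so it stays in effect for everything the `store` branch and the rest of main() do afterwards; if any later step creates a directory, a 177 mask produces one without search permission for its owner. Scoping it to the writes that need it, e.g. `( umask 177; nft ${SAVE_OPTIONS} list ruleset > "${tmp_save}" )`, keeps the effect local, and quoting `"${tmp_save}"` in that redirect (it is unquoted on the following context line) avoids word splitting should NFTABLES_SAVE ever contain whitespace. The remainder of the `store` branch, including the legacy path, is outside the hunk.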
diff --git a/net-firewall/nftables/nftables-0.9.2.ebuild b/net-firewall/nftables/nftables-0.9.0-r5.ebuild |
63 |
similarity index 54% |
64 |
copy from net-firewall/nftables/nftables-0.9.2.ebuild |
65 |
copy to net-firewall/nftables/nftables-0.9.0-r5.ebuild |
66 |
index 112b5f0b9af..d98c11e37e4 100644 |
67 |
--- a/net-firewall/nftables/nftables-0.9.2.ebuild |
68 |
+++ b/net-firewall/nftables/nftables-0.9.0-r5.ebuild |
69 |
@@ -1,54 +1,33 @@ |
70 |
# Copyright 1999-2019 Gentoo Authors |
71 |
# Distributed under the terms of the GNU General Public License v2 |
72 |
|
73 |
-EAPI=7 |
74 |
+EAPI=6 |
75 |
|
76 |
-PYTHON_COMPAT=( python3_{5,6,7} ) |
77 |
- |
78 |
-inherit autotools linux-info python-r1 systemd |
79 |
+inherit autotools linux-info systemd |
80 |
|
81 |
DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools" |
82 |
HOMEPAGE="https://netfilter.org/projects/nftables/" |
83 |
-#SRC_URI="https://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz" |
84 |
-SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2" |
85 |
+SRC_URI="https://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> ${P}.tar.gz" |
86 |
|
87 |
LICENSE="GPL-2" |
88 |
SLOT="0" |
89 |
-KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~sparc ~x86" |
90 |
-IUSE="debug +doc +gmp json +modern_kernel python +readline static-libs xtables" |
91 |
+KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~x86" |
92 |
+IUSE="debug doc +gmp json +modern_kernel +readline" |
93 |
|
94 |
-RDEPEND=" |
95 |
- >=net-libs/libmnl-1.0.3:0= |
96 |
+RDEPEND=">=net-libs/libmnl-1.0.3:0= |
97 |
gmp? ( dev-libs/gmp:0= ) |
98 |
json? ( dev-libs/jansson ) |
99 |
- python? ( ${PYTHON_DEPS} ) |
100 |
readline? ( sys-libs/readline:0= ) |
101 |
- >=net-libs/libnftnl-1.1.4:0= |
102 |
- xtables? ( >=net-firewall/iptables-1.6.1 ) |
103 |
-" |
104 |
- |
105 |
-DEPEND="${RDEPEND}" |
106 |
+ >=net-libs/libnftnl-1.1.1:0=" |
107 |
|
108 |
-BDEPEND=" |
109 |
- doc? ( app-text/asciidoc ) |
110 |
+DEPEND="${RDEPEND} |
111 |
>=app-text/docbook2X-0.8.8-r4 |
112 |
+ doc? ( >=app-text/dblatex-0.3.7 ) |
113 |
sys-devel/bison |
114 |
sys-devel/flex |
115 |
- virtual/pkgconfig |
116 |
-" |
117 |
+ virtual/pkgconfig" |
118 |
|
119 |
-REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" |
120 |
- |
121 |
-#S="${WORKDIR}/v${PV}" |
122 |
- |
123 |
-python_make() { |
124 |
- emake \ |
125 |
- -C py \ |
126 |
- abs_builddir="${S}" \ |
127 |
- DESTDIR="${D}" \ |
128 |
- PYTHON_BIN="${PYTHON}" \ |
129 |
- ${@} |
130 |
-} |
131 |
+S="${WORKDIR}/v${PV}" |
132 |
|
133 |
pkg_setup() { |
134 |
if kernel_is ge 3 13; then |
135 |
@@ -64,44 +43,26 @@ pkg_setup() { |
136 |
|
137 |
src_prepare() { |
138 |
default |
139 |
- |
140 |
- # fix installation path for doc stuff |
141 |
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}@' \ |
142 |
- -i files/nftables/Makefile.am || die |
143 |
- sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/osf@' \ |
144 |
- -i files/osf/Makefile.am || die |
145 |
- |
146 |
eautoreconf |
147 |
} |
148 |
|
149 |
src_configure() { |
150 |
local myeconfargs=( |
151 |
- # We handle python separately |
152 |
- --disable-python |
153 |
--sbindir="${EPREFIX}"/sbin |
154 |
$(use_enable debug) |
155 |
- $(use_enable doc man-doc) |
156 |
+ $(use_enable doc pdf-doc) |
157 |
$(use_with !gmp mini_gmp) |
158 |
$(use_with json) |
159 |
$(use_with readline cli) |
160 |
- $(use_enable static-libs static) |
161 |
- $(use_with xtables) |
162 |
) |
163 |
econf "${myeconfargs[@]}" |
164 |
} |
165 |
|
166 |
-src_compile() { |
167 |
- default |
168 |
- |
169 |
- if use python ; then |
170 |
- python_foreach_impl python_make |
171 |
- fi |
172 |
-} |
173 |
- |
174 |
src_install() { |
175 |
default |
176 |
|
177 |
- local mksuffix="$(usex modern_kernel '-mk' '')" |
178 |
+ local mksuffix="" |
179 |
+ use modern_kernel && mksuffix="-mk" |
180 |
|
181 |
exeinto /usr/libexec/${PN} |
182 |
newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh |
183 |
@@ -111,21 +72,25 @@ src_install() { |
184 |
|
185 |
systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service |
186 |
|
187 |
- if use python ; then |
188 |
- python_foreach_impl python_make install |
189 |
- fi |
190 |
- |
191 |
- find "${ED}" -type f -name "*.la" -delete || die |
192 |
+ docinto /usr/share/doc/${PF}/skels |
193 |
+ dodoc "${D}"/etc/nftables/* |
194 |
+ rm -R "${D}"/etc/nftables |
195 |
} |
196 |
|
197 |
pkg_postinst() { |
198 |
local save_file |
199 |
- save_file="${EROOT}/var/lib/nftables/rules-save" |
200 |
+ save_file="${EROOT%/}/var/lib/nftables/rules-save" |
201 |
|
202 |
# In order for the nftables-restore systemd service to start |
203 |
# the save_file must exist. |
204 |
- if [[ ! -f ${save_file} ]]; then |
205 |
- touch ${save_file} |
206 |
+ if [[ ! -f "${save_file}" ]]; then |
207 |
+ touch "${save_file}" |
208 |
+ elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then |
209 |
+ ewarn "Your system has dangerous permissions for ${save_file}" |
210 |
+ ewarn "It is probably affected by bug #691326." |
211 |
+ ewarn "You may need to fix the permissions of the file. To do so," |
212 |
+ ewarn "you can run the command in the line below as root." |
213 |
+ ewarn " 'chmod 600 \"${save_file}\"'" |
214 |
fi |
215 |
|
216 |
elog "If you wish to enable the firewall rules on boot (on systemd) you" |
217 |
|
218 |
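Review bot: In the `! -f` branch, `touch "${save_file}"` creates the file under the package manager's current umask, so the fresh file may come out 0644 — the very state the new `elif` branch warns about on the next run. Creating it with a restrictive mode, `( umask 177; touch "${save_file}" )` or `touch "${save_file}" && chmod 600 "${save_file}"`, makes pkg_postinst consistent with its own check. The same applies to the identical hunks in nftables-0.9.1-r1.ebuild and nftables-0.9.2-r1.ebuild. pkg_postinst continues past the end of the hunk.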
diff --git a/net-firewall/nftables/nftables-0.9.1.ebuild b/net-firewall/nftables/nftables-0.9.1-r1.ebuild |
219 |
similarity index 88% |
220 |
rename from net-firewall/nftables/nftables-0.9.1.ebuild |
221 |
rename to net-firewall/nftables/nftables-0.9.1-r1.ebuild |
222 |
index db6f707d58c..5752d73a1b9 100644 |
223 |
--- a/net-firewall/nftables/nftables-0.9.1.ebuild |
224 |
+++ b/net-firewall/nftables/nftables-0.9.1-r1.ebuild |
225 |
@@ -129,8 +129,14 @@ pkg_postinst() { |
226 |
|
227 |
# In order for the nftables-restore systemd service to start |
228 |
# the save_file must exist. |
229 |
- if [[ ! -f ${save_file} ]]; then |
230 |
- touch ${save_file} |
231 |
+ if [[ ! -f "${save_file}" ]]; then |
232 |
+ touch "${save_file}" |
233 |
+ elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then |
234 |
+ ewarn "Your system has dangerous permissions for ${save_file}" |
235 |
+ ewarn "It is probably affected by bug #691326." |
236 |
+ ewarn "You may need to fix the permissions of the file. To do so," |
237 |
+ ewarn "you can run the command in the line below as root." |
238 |
+ ewarn " 'chmod 600 \"${save_file}\"'" |
239 |
fi |
240 |
|
241 |
elog "If you wish to enable the firewall rules on boot (on systemd) you" |
242 |
|
243 |
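Review bot: The `-f` test follows symlinks but `stat --printf '%05a'` without `-L` reports the link's own mode, so if `${save_file}` is a symlink to a properly protected file the `elif` fires on the link's 0777 bits and prints a misleading warning. Using `stat -L --printf '%05a' "${save_file}"` inspects the same object the `-f` test examined. The same line appears in the nftables-0.9.0-r5.ebuild and nftables-0.9.2-r1.ebuild hunks. pkg_postinst starts before and continues after the hunk.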
diff --git a/net-firewall/nftables/nftables-0.9.2.ebuild b/net-firewall/nftables/nftables-0.9.2-r1.ebuild |
244 |
similarity index 88% |
245 |
rename from net-firewall/nftables/nftables-0.9.2.ebuild |
246 |
rename to net-firewall/nftables/nftables-0.9.2-r1.ebuild |
247 |
index 112b5f0b9af..d3579794781 100644 |
248 |
--- a/net-firewall/nftables/nftables-0.9.2.ebuild |
249 |
+++ b/net-firewall/nftables/nftables-0.9.2-r1.ebuild |
250 |
@@ -124,8 +124,14 @@ pkg_postinst() { |
251 |
|
252 |
# In order for the nftables-restore systemd service to start |
253 |
# the save_file must exist. |
254 |
- if [[ ! -f ${save_file} ]]; then |
255 |
- touch ${save_file} |
256 |
+ if [[ ! -f "${save_file}" ]]; then |
257 |
+ touch "${save_file}" |
258 |
+ elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then |
259 |
+ ewarn "Your system has dangerous permissions for ${save_file}" |
260 |
+ ewarn "It is probably affected by bug #691326." |
261 |
+ ewarn "You may need to fix the permissions of the file. To do so," |
262 |
+ ewarn "you can run the command in the line below as root." |
263 |
+ ewarn " 'chmod 600 \"${save_file}\"'" |
264 |
fi |
265 |
|
266 |
elog "If you wish to enable the firewall rules on boot (on systemd) you" |