commit: 5eefb61d11a77c123475fec73db819fa6121b7f2 |
Author: Sam James (sam_c) <sam <AT> cmpct <DOT> info> |
AuthorDate: Wed Mar 4 04:49:58 2020 +0000 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
CommitDate: Mon Mar 30 18:36:43 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5eefb61d |
|
net-misc/chrony: Run as non-root when USE=caps, revbump |
|
When caps is enabled, drop to the user ntp (acct-user/ntp), |
as opposed to remaining root. |
|
Adds a tmpfiles.d entry for /run/chrony to ensure correct permissions. |
|
Closes: https://bugs.gentoo.org/711058 |
Signed-off-by: Sam James (sam_c) <sam <AT> cmpct.info> |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
|
.../{chrony-9999.ebuild => chrony-3.5-r3.ebuild} | 45 +++++++++++++++++----- |
net-misc/chrony/chrony-9999.ebuild | 29 ++++++++++++-- |
net-misc/chrony/files/chronyd.conf | 2 +- |
3 files changed, 63 insertions(+), 13 deletions(-) |
|
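diff --git a/net-misc/chrony/chrony-9999.ebuild b/net-misc/chrony/chrony-3.5-r3.ebuild
similarity index 70%
copy from net-misc/chrony/chrony-9999.ebuild
copy to net-misc/chrony/chrony-3.5-r3.ebuild
index e939129a01a..3f11f8dd951 100644
--- a/net-misc/chrony/chrony-9999.ebuild
+++ b/net-misc/chrony/chrony-3.5-r3.ebuild
@@ -1,16 +1,16 @@
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-inherit git-r3 systemd toolchain-funcs
+inherit systemd tmpfiles toolchain-funcs
 
 DESCRIPTION="NTP client and server programs"
 HOMEPAGE="https://chrony.tuxfamily.org/"
-EGIT_REPO_URI="https://git.tuxfamily.org/chrony/chrony.git/"
+SRC_URI="https://download.tuxfamily.org/${PN}/${P/_/-}.tar.gz"
 LICENSE="GPL-2"
 SLOT="0"
 
-KEYWORDS=""
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~ppc64 ~sparc ~x86"
 IUSE="
 +adns caps +cmdmon html ipv6 libedit +ntp +phc pps readline +refclock +rtc
 seccomp selinux
@@ -27,14 +27,17 @@ CDEPEND="
 "
 DEPEND="
 ${CDEPEND}
- dev-ruby/asciidoctor
+ caps? ( acct-group/ntp acct-user/ntp )
+ html? ( dev-ruby/asciidoctor )
 pps? ( net-misc/pps-tools )
 "
 RDEPEND="
 ${CDEPEND}
 selinux? ( sec-policy/selinux-chronyd )
 "
+
 RESTRICT=test
+
 S="${WORKDIR}/${P/_/-}"
 
 PATCHES=(
@@ -47,6 +50,16 @@ src_prepare() {
 sed -i \
 -e 's:/etc/chrony\.conf:/etc/chrony/chrony.conf:g' \
 doc/* examples/* || die
+
+ # Copy for potential user fixup
+ cp "${FILESDIR}"/chronyd.conf "$T"/chronyd.conf
+
+ # Set config for privdrop
+ if ! use caps; then
+ sed -i \
+ -e 's/-u ntp//' \
+ "${T}"/chronyd.conf || die
+ fi
 }
 
 src_configure() {
@@ -95,14 +108,14 @@ src_configure() {
 }
 
 src_compile() {
- emake all docs
+ emake all docs $(usex html '' 'ADOC=true')
 }
 
 src_install() {
 default
 
 newinitd "${FILESDIR}"/chronyd.init-r2 chronyd
- newconfd "${FILESDIR}"/chronyd.conf chronyd
+ newconfd "${T}"/chronyd.conf chronyd
 
 insinto /etc/${PN}
 newins examples/chrony.conf.example1 chrony.conf
@@ -110,8 +123,12 @@ src_install() {
 docinto examples
 dodoc examples/*.example*
 
- docinto html
- dodoc doc/*.html
+ newtmpfiles - chronyd.conf <<<"d /run/chrony 0750 $(usex caps 'ntp ntp' 'root root')"
+
+ if use html; then
+ docinto html
+ dodoc doc/*.html
+ fi
 
 keepdir /var/{lib,log}/chrony
 
@@ -121,3 +138,13 @@ src_install() {
 systemd_dounit examples/{chronyd,chrony-wait}.service
 systemd_enable_ntpunit 50-chrony chronyd.service
 }
+
+pkg_preinst() {
+ if use caps && has_version net-misc/chrony[-caps]; then
+ elog "/run/chronyd needs ntp:ntp permissions; please check."
+ elog "The safest option is reboot, but you may chown manually."
+ elif ! use caps && has_version net-misc/chrony[caps]; then
+ elog "/run/chronyd needs root:root permissions; please check."
+ elog "The safest option is reboot, but you may chown manually."
+ fi
+}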
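Review bot: The two `elog "/run/chronyd needs ..."` lines in the new pkg_preinst name `/run/chronyd`, but the tmpfiles entry added in src_install creates `/run/chrony`, so users are pointed at a directory the package never creates; both messages should read `/run/chrony` (the chrony-9999 section carries the same text). Nothing calls `tmpfiles_process`, so on an already-running system the new entry only takes effect at the next boot, which is presumably why the elog advises a reboot; adding `pkg_postinst() { tmpfiles_process chronyd.conf; }` would create or re-own the directory at merge time instead. With USE=caps the daemon now runs as ntp, yet `keepdir /var/{lib,log}/chrony` is unchanged and no `fowners` is done, so unless the installed chrony.conf points the drift file and log directory elsewhere (not visible here) those paths stay root-owned and unwritable by the service user.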
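diff --git a/net-misc/chrony/chrony-9999.ebuild b/net-misc/chrony/chrony-9999.ebuild
index e939129a01a..5b03ec4fe42 100644
--- a/net-misc/chrony/chrony-9999.ebuild
+++ b/net-misc/chrony/chrony-9999.ebuild
@@ -1,8 +1,8 @@
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-inherit git-r3 systemd toolchain-funcs
+inherit git-r3 tmpfiles systemd toolchain-funcs
 
 DESCRIPTION="NTP client and server programs"
 HOMEPAGE="https://chrony.tuxfamily.org/"
@@ -27,6 +27,7 @@ CDEPEND="
 "
 DEPEND="
 ${CDEPEND}
+ caps? ( acct-group/ntp acct-user/ntp )
 dev-ruby/asciidoctor
 pps? ( net-misc/pps-tools )
 "
@@ -47,6 +48,16 @@ src_prepare() {
 sed -i \
 -e 's:/etc/chrony\.conf:/etc/chrony/chrony.conf:g' \
 doc/* examples/* || die
+
+ # Copy for potential user fixup
+ cp "${FILESDIR}"/chronyd.conf "$T"/chronyd.conf
+
+ # Set config for privdrop
+ if ! use caps; then
+ sed -i \
+ -e 's/-u ntp//' \
+ "${T}"/chronyd.conf || die
+ fi
 }
 
 src_configure() {
@@ -102,7 +113,7 @@ src_install() {
 default
 
 newinitd "${FILESDIR}"/chronyd.init-r2 chronyd
- newconfd "${FILESDIR}"/chronyd.conf chronyd
+ newconfd "${T}"/chronyd.conf chronyd
 
 insinto /etc/${PN}
 newins examples/chrony.conf.example1 chrony.conf
@@ -110,6 +121,8 @@ src_install() {
 docinto examples
 dodoc examples/*.example*
 
+ newtmpfiles - chronyd.conf <<<"d /run/chrony 0750 $(usex caps 'ntp ntp' 'root root')"
+
 docinto html
 dodoc doc/*.html
 
@@ -121,3 +134,13 @@ src_install() {
 systemd_dounit examples/{chronyd,chrony-wait}.service
 systemd_enable_ntpunit 50-chrony chronyd.service
 }
+
+pkg_preinst() {
+ if use caps && has_version net-misc/chrony[-caps]; then
+ elog "/run/chronyd needs ntp:ntp permissions; please check."
+ elog "The safest option is reboot, but you may chown manually."
+ elif ! use caps && has_version net-misc/chrony[caps]; then
+ elog "/run/chronyd needs root:root permissions; please check."
+ elog "The safest option is reboot, but you may chown manually."
+ fi
+}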
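Review bot: The `cp "${FILESDIR}"/chronyd.conf "$T"/chronyd.conf` added to src_prepare has no `|| die`, so a failed copy is only noticed later when `sed -i` or `newconfd "${T}"/chronyd.conf` trips over the missing file, with a less useful error; write it as `cp "${FILESDIR}"/chronyd.conf "${T}"/chronyd.conf || die` (the chrony-3.5-r3 section has the same line). In this live ebuild `dev-ruby/asciidoctor` and the html docs stay unconditional while the 3.5-r3 copy guards both with the html USE flag; if the two ebuilds are meant to stay in step that change looks to have been left out here, though it may be deliberate for the git build.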
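diff --git a/net-misc/chrony/files/chronyd.conf b/net-misc/chrony/files/chronyd.conf
index fc43a95c40f..c641d985e56 100644
--- a/net-misc/chrony/files/chronyd.conf
+++ b/net-misc/chrony/files/chronyd.conf
@@ -9,4 +9,4 @@ CFGFILE="/etc/chrony/chrony.conf"
 # The combination of "-s -r" allows chronyd to perform long term averaging of
 # the gain or loss rate across system reboots and shutdowns.
 
-ARGS=""
+ARGS="-u ntp"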
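Review bot: `ARGS="-u ntp"` only reaches chronyd through the OpenRC conf.d/init.d path; the systemd units the ebuild installs with `systemd_dounit examples/{chronyd,chrony-wait}.service` are untouched by this commit, so whether the daemon also drops to ntp under systemd depends on the upstream unit file, which is not visible here. If the unit does not pass `-u ntp` itself, the privilege drop described in the commit title applies to OpenRC only and that limitation should be documented or closed in the unit. A comment above the line, such as `# Drop privileges to the ntp user; needs USE=caps, the ebuild strips this flag otherwise`, would record why src_prepare edits this file.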