
From: Michael Orlitzky <mjo@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-analyzer/arpwatch/, net-analyzer/arpwatch/files/
Date: Sun, 22 Oct 2017 17:41:49
Message-Id: 1508694001.6739ee69e69a954bc27a3040ab59d46b82582229.mjo@gentoo
1 commit: 6739ee69e69a954bc27a3040ab59d46b82582229
2 Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
3 AuthorDate: Sun Oct 22 17:22:30 2017 +0000
4 Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
5 CommitDate: Sun Oct 22 17:40:01 2017 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6739ee69
7
8 net-analyzer/arpwatch: new revision to fix privilege escalation.
9
10 In previous revisions, the init script for arpwatch called "chown" as
11 root on a location under /var/lib/arpwatch -- a path that is controlled
12 by the "arpwatch" user per its ebuild. That could be exploited by the
13 "arpwatch" user to take control of root-owned files.
14
15 This new revision comes with a new init script and conf.d file that
16 completely rework the way instances are created and run. The
17 "arpwatch" user is hard-coded, because as was mentioned, the ebuild
18 sets some important permissions for that user. Since it is not
19 possible to change that user, the need for "chown" is eliminated.
20
21 Separate instances are now created by symlinking the init script (like
22 our network interface scripts), rather than by enumerating them in a
23 single arpwatch init script. Upgraders will want to review their
24 configurations.
25
26 Bug: https://bugs.gentoo.org/602552
27 Package-Manager: Portage-2.3.8, Repoman-2.3.3
28
29 net-analyzer/arpwatch/arpwatch-2.1.15-r10.ebuild | 69 ++++++++++++++++++++++++
30 net-analyzer/arpwatch/files/arpwatch.confd-r1 | 17 ++++++
31 net-analyzer/arpwatch/files/arpwatch.initd-r1 | 27 ++++++++++
32 3 files changed, 113 insertions(+)
33
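diff --git a/net-analyzer/arpwatch/arpwatch-2.1.15-r10.ebuild b/net-analyzer/arpwatch/arpwatch-2.1.15-r10.ebuild
new file mode 100644
index 00000000000..986da0386f7
--- /dev/null
+++ b/net-analyzer/arpwatch/arpwatch-2.1.15-r10.ebuild
@@ -0,0 +1,69 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit user versionator
+
+PATCH_VER="0.8"
+MY_P="${PN}-$(replace_version_separator 2 'a')"
+
+DESCRIPTION="An ethernet monitor program that keeps track of ethernet/IP address pairings"
+HOMEPAGE="http://ee.lbl.gov/"
+SRC_URI="
+ ftp://ftp.ee.lbl.gov/${MY_P}.tar.gz
+ https://dev.gentoo.org/~jer/arpwatch-patchset-${PATCH_VER}.tar.xz
+"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~hppa ~ppc ~sparc ~x86 ~x86-fbsd"
+IUSE="selinux"
+
+DEPEND="
+ net-libs/libpcap
+ sys-libs/ncurses:*
+"
+RDEPEND="
+ ${DEPEND}
+ selinux? ( sec-policy/selinux-arpwatch )
+"
+
+S="${WORKDIR}/${MY_P}"
+
+pkg_setup() {
+ # We need to create /var/lib/arpwatch with this group, so it must
+ # exist during src_install.
+ enewgroup arpwatch
+}
+
+pkg_postinst() {
+ # The user, however, is not needed until runtime.
+ enewuser arpwatch -1 -1 -1 arpwatch
+}
+
+src_prepare() {
+ local patchdir="${WORKDIR}/arpwatch-patchset"
+
+ eapply "${patchdir}"/*.patch
+ eapply_user
+
+ cp "${patchdir}"/*.8 ./ || die "failed to copy man pages from ${patchdir}"
+}
+
+src_install () {
+ dosbin arpwatch arpsnmp arp2ethers massagevendor arpfetch bihourly.sh
+ doman arpwatch.8 arpsnmp.8 arp2ethers.8 massagevendor.8 arpfetch.8 bihourly.8
+
+ insinto /usr/share/arpwatch
+ doins ethercodes.dat
+
+ insinto /usr/share/arpwatch/awk
+ doins duplicates.awk euppertolower.awk p.awk e.awk d.awk
+
+ diropts --group=arpwatch --mode=770
+ dodir /var/lib/arpwatch
+ dodoc README CHANGES
+
+ newinitd "${FILESDIR}"/arpwatch.initd-r1 arpwatch
+ newconfd "${FILESDIR}"/arpwatch.confd-r1 arpwatch
+}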
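Review bot: `dodir /var/lib/arpwatch` in src_install installs the runtime state directory without a placeholder file, so an empty directory (a host where the service never started) is dropped again on unmerge; the usual form for a state directory is `keepdir /var/lib/arpwatch`, which creates the directory through dodir and so should still pick up the preceding `diropts --group=arpwatch --mode=770`. That diropts setting also remains in force for the rest of src_install; I would not expect the helpers that follow it here to consult DIROPTIONS, but resetting it after the dodir (`diropts -m0755`) or moving the pair to the end of the function removes the question. As a point of style, `src_install () {` carries a space before the parentheses while pkg_setup, pkg_postinst and src_prepare do not; `src_install() {` would match them.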
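diff --git a/net-analyzer/arpwatch/files/arpwatch.confd-r1 b/net-analyzer/arpwatch/files/arpwatch.confd-r1
new file mode 100644
index 00000000000..a4da503406a
--- /dev/null
+++ b/net-analyzer/arpwatch/files/arpwatch.confd-r1
@@ -0,0 +1,17 @@
+# See arpwatch.8 for more information
+
+# Specify the interface for arpwatch to listen on here (default: lo).
+# If you need to listen on more than one interface, you should
+# run multiple arpwatch services; for example "arpwatch" and
+# "arpwatch.eth1". These additional services can be configured by
+# symlinking to the "arpwatch" service script, and by creating a new
+# conf.d file whose name matches the new service (symlink) name.
+#
+# Example:
+#
+# ARPWATCH_IFACE="eth0"
+#
+ARPWATCH_IFACE="lo"
+
+# Additional options to pass to arpwatch.
+ARPWATCH_OPTS="-N -p"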
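Review bot: The default `ARPWATCH_OPTS="-N -p"` ships two flags that an administrator is likely to reconsider, and the comment above it says only "Additional options"; a short note such as `# -N: do not report bogons; -p: do not put the interface into promiscuous mode.` would let readers decide whether to keep them without opening arpwatch.8. The ARPWATCH_IFACE comment could also mention that the init script declares a dependency on the matching `net.<iface>` service, so a per-instance conf.d file must name an interface for which such a service exists; without it the instance will not start, which is easy to miss when following the symlink instructions given here.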
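diff --git a/net-analyzer/arpwatch/files/arpwatch.initd-r1 b/net-analyzer/arpwatch/files/arpwatch.initd-r1
new file mode 100644
index 00000000000..ffe165205c6
--- /dev/null
+++ b/net-analyzer/arpwatch/files/arpwatch.initd-r1
@@ -0,0 +1,27 @@
+#!/sbin/openrc-run
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Default to "lo" for the interface, so that the init script will work
+# out-of-the-box.
+: ${ARPWATCH_IFACE:=lo}
+
+ARPWATCH_DATAFILE="/var/lib/arpwatch/${RC_SVCNAME}.dat"
+
+command="/usr/sbin/arpwatch"
+pidfile="/run/${RC_SVCNAME}.pid"
+command_args="-i ${ARPWATCH_IFACE}
+ -u arpwatch
+ -f ${ARPWATCH_DATAFILE}
+ -P ${pidfile}
+ ${ARPWATCH_OPTS}"
+
+depend() {
+ need "net.${ARPWATCH_IFACE}"
+}
+
+start_pre() {
+ # The "arpwatch" user must be a member of the "arpwatch" group for
+ # this to work.
+ checkpath --file --owner root:arpwatch --mode 0660 "${ARPWATCH_DATAFILE}"
+}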
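Review bot: start_pre still has root adjust the ownership and mode of a path inside /var/lib/arpwatch, which the ebuild installs as group arpwatch with mode 770 and which the daemon writes to as the arpwatch user, so the pattern the commit message says is eliminated survives in `checkpath --file --owner root:arpwatch --mode 0660 "${ARPWATCH_DATAFILE}"` on every start; whether that is safe in practice depends on the in-tree OpenRC checkpath refusing to act on symbolic links and on the kernel's hard-link restrictions, which is worth confirming rather than assuming. Restricting the call to the first start narrows the exposure to the one case where it is needed: `[ -e "${ARPWATCH_DATAFILE}" ] || checkpath --file --owner root:arpwatch --mode 0660 "${ARPWATCH_DATAFILE}"`, with a comment stating that an existing data file is deliberately left untouched. Separately, the conf.d file installed by this commit already sets ARPWATCH_IFACE, so the `: ${ARPWATCH_IFACE:=lo}` fallback only takes effect for a symlinked instance that has no conf.d file of its own; saying that in the comment above it, and quoting the expansion as `: "${ARPWATCH_IFACE:=lo}"`, would make the intent clearer.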