1 |
commit: 6739ee69e69a954bc27a3040ab59d46b82582229 |
2 |
Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
3 |
AuthorDate: Sun Oct 22 17:22:30 2017 +0000 |
4 |
Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Oct 22 17:40:01 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6739ee69 |
7 |
|
8 |
net-analyzer/arpwatch: new revision to fix privilege escalation. |
9 |
|
10 |
In previous revisions, the init script for arpwatch called "chown" as |
11 |
root on a location under /var/lib/arpwatch -- a path that is controlled |
12 |
by the "arpwatch" user per its ebuild. That could be exploited by the |
13 |
"arpwatch" user to take control of root-owned files. |
14 |
|
15 |
This new revision comes with a new init script and conf.d file that |
16 |
completely rework the way instances are created and run. The |
17 |
"arpwatch" user is hard-coded, because as was mentioned, the ebuild |
18 |
sets some important permissions for that user. Since it is not |
19 |
possible to change that user, the need for "chown" is eliminated. |
20 |
|
21 |
Separate instances are now created by symlinking the init script (like |
22 |
our network interface scripts), rather than by enumerating them in a |
23 |
single arpwatch init script. Upgraders will want to review their |
24 |
configurations. |
25 |
|
26 |
Bug: https://bugs.gentoo.org/602552 |
27 |
Package-Manager: Portage-2.3.8, Repoman-2.3.3 |
28 |
|
29 |
net-analyzer/arpwatch/arpwatch-2.1.15-r10.ebuild | 69 ++++++++++++++++++++++++ |
30 |
net-analyzer/arpwatch/files/arpwatch.confd-r1 | 17 ++++++ |
31 |
net-analyzer/arpwatch/files/arpwatch.initd-r1 | 27 ++++++++++ |
32 |
3 files changed, 113 insertions(+) |
33 |
|
34 |
diff --git a/net-analyzer/arpwatch/arpwatch-2.1.15-r10.ebuild b/net-analyzer/arpwatch/arpwatch-2.1.15-r10.ebuild |
35 |
new file mode 100644 |
36 |
index 00000000000..986da0386f7 |
37 |
--- /dev/null |
38 |
+++ b/net-analyzer/arpwatch/arpwatch-2.1.15-r10.ebuild |
39 |
@@ -0,0 +1,69 @@ |
40 |
+# Copyright 1999-2017 Gentoo Foundation |
41 |
+# Distributed under the terms of the GNU General Public License v2 |
42 |
+ |
43 |
+EAPI=6 |
44 |
+inherit user versionator |
45 |
+ |
46 |
+PATCH_VER="0.8" |
47 |
+MY_P="${PN}-$(replace_version_separator 2 'a')" |
48 |
+ |
49 |
+DESCRIPTION="An ethernet monitor program that keeps track of ethernet/IP address pairings" |
50 |
+HOMEPAGE="http://ee.lbl.gov/" |
51 |
+SRC_URI=" |
52 |
+ ftp://ftp.ee.lbl.gov/${MY_P}.tar.gz |
53 |
+ https://dev.gentoo.org/~jer/arpwatch-patchset-${PATCH_VER}.tar.xz |
54 |
+" |
55 |
+ |
56 |
+LICENSE="BSD GPL-2" |
57 |
+SLOT="0" |
58 |
+KEYWORDS="~amd64 ~hppa ~ppc ~sparc ~x86 ~x86-fbsd" |
59 |
+IUSE="selinux" |
60 |
+ |
61 |
+DEPEND=" |
62 |
+ net-libs/libpcap |
63 |
+ sys-libs/ncurses:* |
64 |
+" |
65 |
+RDEPEND=" |
66 |
+ ${DEPEND} |
67 |
+ selinux? ( sec-policy/selinux-arpwatch ) |
68 |
+" |
69 |
+ |
70 |
+S="${WORKDIR}/${MY_P}" |
71 |
+ |
72 |
+pkg_setup() { |
73 |
+ # We need to create /var/lib/arpwatch with this group, so it must |
74 |
+ # exist during src_install. |
75 |
+ enewgroup arpwatch |
76 |
+} |
77 |
+ |
78 |
+pkg_postinst() { |
79 |
+ # The user, however, is not needed until runtime. |
80 |
+ enewuser arpwatch -1 -1 -1 arpwatch |
81 |
+} |
82 |
+ |
83 |
+src_prepare() { |
84 |
+ local patchdir="${WORKDIR}/arpwatch-patchset" |
85 |
+ |
86 |
+ eapply "${patchdir}"/*.patch |
87 |
+ eapply_user |
88 |
+ |
89 |
+ cp "${patchdir}"/*.8 ./ || die "failed to copy man pages from ${patchdir}" |
90 |
+} |
91 |
+ |
92 |
+src_install () { |
93 |
+ dosbin arpwatch arpsnmp arp2ethers massagevendor arpfetch bihourly.sh |
94 |
+ doman arpwatch.8 arpsnmp.8 arp2ethers.8 massagevendor.8 arpfetch.8 bihourly.8 |
95 |
+ |
96 |
+ insinto /usr/share/arpwatch |
97 |
+ doins ethercodes.dat |
98 |
+ |
99 |
+ insinto /usr/share/arpwatch/awk |
100 |
+ doins duplicates.awk euppertolower.awk p.awk e.awk d.awk |
101 |
+ |
102 |
+ diropts --group=arpwatch --mode=770 |
103 |
+ dodir /var/lib/arpwatch |
104 |
+ dodoc README CHANGES |
105 |
+ |
106 |
+ newinitd "${FILESDIR}"/arpwatch.initd-r1 arpwatch |
107 |
+ newconfd "${FILESDIR}"/arpwatch.confd-r1 arpwatch |
108 |
+} |
109 |
|
110 |
diff --git a/net-analyzer/arpwatch/files/arpwatch.confd-r1 b/net-analyzer/arpwatch/files/arpwatch.confd-r1 |
111 |
new file mode 100644 |
112 |
index 00000000000..a4da503406a |
113 |
--- /dev/null |
114 |
+++ b/net-analyzer/arpwatch/files/arpwatch.confd-r1 |
115 |
@@ -0,0 +1,17 @@ |
116 |
+# See arpwatch.8 for more information |
117 |
+ |
118 |
+# Specify the interface for arpwatch to listen on here (default: lo). |
119 |
+# If you need to listen on more than one interface, you should |
120 |
+# run multiple arpwatch services; for example "arpwatch" and |
121 |
+# "arpwatch.eth1". These additional services can be configured by |
122 |
+# symlinking to the "arpwatch" service script, and by creating a new |
123 |
+# conf.d file whose name matches the new service (symlink) name. |
124 |
+# |
125 |
+# Example: |
126 |
+# |
127 |
+# ARPWATCH_IFACE="eth0" |
128 |
+# |
129 |
+ARPWATCH_IFACE="lo" |
130 |
+ |
131 |
+# Additional options to pass to arpwatch. |
132 |
+ARPWATCH_OPTS="-N -p" |
133 |
|
134 |
diff --git a/net-analyzer/arpwatch/files/arpwatch.initd-r1 b/net-analyzer/arpwatch/files/arpwatch.initd-r1 |
135 |
new file mode 100644 |
136 |
index 00000000000..ffe165205c6 |
137 |
--- /dev/null |
138 |
+++ b/net-analyzer/arpwatch/files/arpwatch.initd-r1 |
139 |
@@ -0,0 +1,27 @@ |
140 |
+#!/sbin/openrc-run |
141 |
+# Copyright 1999-2017 Gentoo Foundation |
142 |
+# Distributed under the terms of the GNU General Public License v2 |
143 |
+ |
144 |
+# Default to "lo" for the interface, so that the init script will work |
145 |
+# out-of-the-box. |
146 |
+: ${ARPWATCH_IFACE:=lo} |
147 |
+ |
148 |
+ARPWATCH_DATAFILE="/var/lib/arpwatch/${RC_SVCNAME}.dat" |
149 |
+ |
150 |
+command="/usr/sbin/arpwatch" |
151 |
+pidfile="/run/${RC_SVCNAME}.pid" |
152 |
+command_args="-i ${ARPWATCH_IFACE} |
153 |
+ -u arpwatch |
154 |
+ -f ${ARPWATCH_DATAFILE} |
155 |
+ -P ${pidfile} |
156 |
+ ${ARPWATCH_OPTS}" |
157 |
+ |
158 |
+depend() { |
159 |
+ need "net.${ARPWATCH_IFACE}" |
160 |
+} |
161 |
+ |
162 |
+start_pre() { |
163 |
+ # The "arpwatch" user must be a member of the "arpwatch" group for |
164 |
+ # this to work. |
165 |
+ checkpath --file --owner root:arpwatch --mode 0660 "${ARPWATCH_DATAFILE}" |
166 |
+} |