| 1 |
commit: 34fde22d157226fb9bae167225265d6724588186 |
| 2 |
Author: Yixun Lan <dlan <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Sat Sep 26 15:05:20 2020 +0000 |
| 4 |
Commit: Yixun Lan <dlan <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Sep 27 08:14:10 2020 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34fde22d |
| 7 |
|
| 8 |
net-proxy/shadowsocks-libev: run as non-privilege user |
| 9 |
|
| 10 |
* fix security issue, run as non-root user |
| 11 |
* use systemd unit files from the package source |
| 12 |
|
| 13 |
Bug: https://bugs.gentoo.org/731058 |
| 14 |
Package-Manager: Portage-3.0.0, Repoman-2.3.23 |
| 15 |
Signed-off-by: Yixun Lan <dlan <AT> gentoo.org> |
| 16 |
|
| 17 |
.../files/shadowsocks-libev-local_at.service | 11 ----------- |
| 18 |
.../files/shadowsocks-libev-redir_at.service | 11 ----------- |
| 19 |
.../files/shadowsocks-libev-server_at.service | 11 ----------- |
| 20 |
.../files/shadowsocks-libev-tunnel_at.service | 11 ----------- |
| 21 |
net-proxy/shadowsocks-libev/files/shadowsocks.initd | 9 ++++++--- |
| 22 |
...s-libev-3.3.4.ebuild => shadowsocks-libev-3.3.4-r1.ebuild} | 11 ++++++----- |
| 23 |
6 files changed, 12 insertions(+), 52 deletions(-) |
| 24 |
|
| 25 |
diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-local_at.service b/net-proxy/shadowsocks-libev/files/shadowsocks-libev-local_at.service |
| 26 |
deleted file mode 100644 |
| 27 |
index af137178380..00000000000 |
| 28 |
--- a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-local_at.service |
| 29 |
+++ /dev/null |
| 30 |
@@ -1,11 +0,0 @@ |
| 31 |
-[Unit] |
| 32 |
-Description=Shadowsocks-Libev Client Service for %I |
| 33 |
-After=network.target |
| 34 |
- |
| 35 |
-[Service] |
| 36 |
-Type=simple |
| 37 |
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE |
| 38 |
-ExecStart=/usr/bin/ss-local -c /etc/shadowsocks-libev/%i.json |
| 39 |
- |
| 40 |
-[Install] |
| 41 |
-WantedBy=multi-user.target |
| 42 |
|
| 43 |
diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-redir_at.service b/net-proxy/shadowsocks-libev/files/shadowsocks-libev-redir_at.service |
| 44 |
deleted file mode 100644 |
| 45 |
index 1ced8f45440..00000000000 |
| 46 |
--- a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-redir_at.service |
| 47 |
+++ /dev/null |
| 48 |
@@ -1,11 +0,0 @@ |
| 49 |
-[Unit] |
| 50 |
-Description=Shadowsocks-Libev Client Service Redir Mode for %I |
| 51 |
-After=network.target |
| 52 |
- |
| 53 |
-[Service] |
| 54 |
-Type=simple |
| 55 |
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE |
| 56 |
-ExecStart=/usr/bin/ss-redir -c /etc/shadowsocks-libev/%i.json |
| 57 |
- |
| 58 |
-[Install] |
| 59 |
-WantedBy=multi-user.target |
| 60 |
|
| 61 |
diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-server_at.service b/net-proxy/shadowsocks-libev/files/shadowsocks-libev-server_at.service |
| 62 |
deleted file mode 100644 |
| 63 |
index 58d934bdb1d..00000000000 |
| 64 |
--- a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-server_at.service |
| 65 |
+++ /dev/null |
| 66 |
@@ -1,11 +0,0 @@ |
| 67 |
-[Unit] |
| 68 |
-Description=Shadowsocks-Libev Server Service for %I |
| 69 |
-After=network.target |
| 70 |
- |
| 71 |
-[Service] |
| 72 |
-Type=simple |
| 73 |
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE |
| 74 |
-ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/%i.json |
| 75 |
- |
| 76 |
-[Install] |
| 77 |
-WantedBy=multi-user.target |
| 78 |
|
| 79 |
diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-tunnel_at.service b/net-proxy/shadowsocks-libev/files/shadowsocks-libev-tunnel_at.service |
| 80 |
deleted file mode 100644 |
| 81 |
index 24b31d5a1cd..00000000000 |
| 82 |
--- a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-tunnel_at.service |
| 83 |
+++ /dev/null |
| 84 |
@@ -1,11 +0,0 @@ |
| 85 |
-[Unit] |
| 86 |
-Description=Shadowsocks-Libev Client Service Tunnel Mode for %I |
| 87 |
-After=network.target |
| 88 |
- |
| 89 |
-[Service] |
| 90 |
-Type=simple |
| 91 |
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE |
| 92 |
-ExecStart=/usr/bin/ss-tunnel -c /etc/shadowsocks-libev/%i.json |
| 93 |
- |
| 94 |
-[Install] |
| 95 |
-WantedBy=multi-user.target |
| 96 |
|
| 97 |
diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks.initd b/net-proxy/shadowsocks-libev/files/shadowsocks.initd |
| 98 |
index 2ccd114485b..994ba23e3b8 100644 |
| 99 |
--- a/net-proxy/shadowsocks-libev/files/shadowsocks.initd |
| 100 |
+++ b/net-proxy/shadowsocks-libev/files/shadowsocks.initd |
| 101 |
@@ -1,5 +1,5 @@ |
| 102 |
#!/sbin/openrc-run |
| 103 |
-# Copyright 1999-2019 Gentoo Authors |
| 104 |
+# Copyright 1999-2020 Gentoo Authors |
| 105 |
# Distributed under the terms of the GNU General Public License v2 |
| 106 |
|
| 107 |
SS_CONFIG="/etc/shadowsocks-libev/shadowsocks.json" |
| 108 |
@@ -49,13 +49,16 @@ start() { |
| 109 |
|
| 110 |
ebegin "Starting Shadowsocks: ${SS_SVCNAME} mode" |
| 111 |
start-stop-daemon --start --exec ${SS_COMMAND} \ |
| 112 |
- -- -c ${SS_CONFIG} -f ${SS_PIDFILE} >/dev/null 2>&1 & |
| 113 |
+ --user nobody --group nobody \ |
| 114 |
+ -- -c ${SS_CONFIG} -f ${SS_PIDFILE} >/dev/null 2>&1 & |
| 115 |
eend $? |
| 116 |
} |
| 117 |
|
| 118 |
stop() { |
| 119 |
ebegin "Stopping Shadowsocks" |
| 120 |
- start-stop-daemon --stop --pidfile ${SS_PIDFILE} |
| 121 |
+ start-stop-daemon --stop \ |
| 122 |
+ --user nobody --group nobody \ |
| 123 |
+ --pidfile ${SS_PIDFILE} |
| 124 |
eend $? |
| 125 |
} |
| 126 |
|
| 127 |
|
| 128 |
diff --git a/net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4.ebuild b/net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4-r1.ebuild |
| 129 |
similarity index 82% |
| 130 |
rename from net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4.ebuild |
| 131 |
rename to net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4-r1.ebuild |
| 132 |
index 353791fc263..e10f0e72b1a 100644 |
| 133 |
--- a/net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4.ebuild |
| 134 |
+++ b/net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4-r1.ebuild |
| 135 |
@@ -40,8 +40,10 @@ PATCHES=( |
| 136 |
"${FILESDIR}/${P}-gcc10.patch" |
| 137 |
) |
| 138 |
src_prepare() { |
| 139 |
- sed -i 's|AC_CONFIG_FILES(\[libbloom/Makefile libcork/Makefile libipset/Makefile\])||' \ |
| 140 |
+ sed -i -e 's|AC_CONFIG_FILES(\[libbloom/Makefile libcork/Makefile libipset/Makefile\])||' \ |
| 141 |
configure.ac || die |
| 142 |
+ sed -i -e "/\[Service\]/a\\User=nobody" \ |
| 143 |
+ debian/shadowsocks-libev*.service || die |
| 144 |
default |
| 145 |
eautoreconf |
| 146 |
} |
| 147 |
@@ -71,10 +73,9 @@ src_install() { |
| 148 |
|
| 149 |
dodoc -r acl |
| 150 |
|
| 151 |
- systemd_newunit "${FILESDIR}/${PN}-local_at.service" "${PN}-local@.service" |
| 152 |
- systemd_newunit "${FILESDIR}/${PN}-server_at.service" "${PN}-server@.service" |
| 153 |
- systemd_newunit "${FILESDIR}/${PN}-redir_at.service" "${PN}-redir@.service" |
| 154 |
- systemd_newunit "${FILESDIR}/${PN}-tunnel_at.service" "${PN}-tunnel@.service" |
| 155 |
+ for i in debian/${PN}*.service; do |
| 156 |
+ systemd_newunit $i $(basename $i) |
| 157 |
+ done |
| 158 |
} |
| 159 |
|
| 160 |
pkg_setup() { |
Archives