author | Yixun Lan <dlan@gentoo.org> | 2020-09-26 23:05:20 +0800 |
---|---|---|
committer | Yixun Lan <dlan@gentoo.org> | 2020-09-27 16:14:10 +0800 |
commit | 34fde22d157226fb9bae167225265d6724588186 (patch) | |
tree | 54a3defc411810115ae0e7fa30dc361dc5ad098d | |
parent | dev-perl/List-MoreUtils: keyword riscv (diff) | |
net-proxy/shadowsocks-libev: run as non-privileged user
* fix security issue, run as non-root user
* use systemd unit files from the package source
Bug: https://bugs.gentoo.org/731058
Package-Manager: Portage-3.0.0, Repoman-2.3.23
Signed-off-by: Yixun Lan <dlan@gentoo.org>
-rw-r--r-- | net-proxy/shadowsocks-libev/files/shadowsocks-libev-local_at.service | 11 | ||||
-rw-r--r-- | net-proxy/shadowsocks-libev/files/shadowsocks-libev-redir_at.service | 11 | ||||
-rw-r--r-- | net-proxy/shadowsocks-libev/files/shadowsocks-libev-server_at.service | 11 | ||||
-rw-r--r-- | net-proxy/shadowsocks-libev/files/shadowsocks-libev-tunnel_at.service | 11 | ||||
-rw-r--r-- | net-proxy/shadowsocks-libev/files/shadowsocks.initd | 9 | ||||
-rw-r--r-- | net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4-r1.ebuild (renamed from net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4.ebuild) | 11 |
6 files changed, 12 insertions, 52 deletions
diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-local_at.service b/net-proxy/shadowsocks-libev/files/shadowsocks-libev-local_at.service
deleted file mode 100644
index af137178380f..000000000000
--- a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-local_at.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Shadowsocks-Libev Client Service for %I
-After=network.target
-
-[Service]
-Type=simple
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-ExecStart=/usr/bin/ss-local -c /etc/shadowsocks-libev/%i.json
-
-[Install]
-WantedBy=multi-user.target
diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-redir_at.service b/net-proxy/shadowsocks-libev/files/shadowsocks-libev-redir_at.service
deleted file mode 100644
index 1ced8f454408..000000000000
--- a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-redir_at.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Shadowsocks-Libev Client Service Redir Mode for %I
-After=network.target
-
-[Service]
-Type=simple
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-ExecStart=/usr/bin/ss-redir -c /etc/shadowsocks-libev/%i.json
-
-[Install]
-WantedBy=multi-user.target
diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-server_at.service b/net-proxy/shadowsocks-libev/files/shadowsocks-libev-server_at.service
deleted file mode 100644
index 58d934bdb1d1..000000000000
--- a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-server_at.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Shadowsocks-Libev Server Service for %I
-After=network.target
-
-[Service]
-Type=simple
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/%i.json
-
-[Install]
-WantedBy=multi-user.target
diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-tunnel_at.service b/net-proxy/shadowsocks-libev/files/shadowsocks-libev-tunnel_at.service
deleted file mode 100644
index 24b31d5a1cd9..000000000000
--- a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-tunnel_at.service +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Shadowsocks-Libev Client Service Tunnel Mode for %I -After=network.target - -[Service] -Type=simple -CapabilityBoundingSet=CAP_NET_BIND_SERVICE -ExecStart=/usr/bin/ss-tunnel -c /etc/shadowsocks-libev/%i.json - -[Install] -WantedBy=multi-user.target diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks.initd b/net-proxy/shadowsocks-libev/files/shadowsocks.initd index 2ccd114485bb..994ba23e3b8b 100644 --- a/net-proxy/shadowsocks-libev/files/shadowsocks.initd +++ b/net-proxy/shadowsocks-libev/files/shadowsocks.initd @@ -1,5 +1,5 @@ #!/sbin/openrc-run -# Copyright 1999-2019 Gentoo Authors +# Copyright 1999-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 SS_CONFIG="/etc/shadowsocks-libev/shadowsocks.json" @@ -49,13 +49,16 @@ start() { ebegin "Starting Shadowsocks: ${SS_SVCNAME} mode" start-stop-daemon --start --exec ${SS_COMMAND} \ - -- -c ${SS_CONFIG} -f ${SS_PIDFILE} >/dev/null 2>&1 & + --user nobody --group nobody \ + -- -c ${SS_CONFIG} -f ${SS_PIDFILE} >/dev/null 2>&1 & eend $? } stop() { ebegin "Stopping Shadowsocks" - start-stop-daemon --stop --pidfile ${SS_PIDFILE} + start-stop-daemon --stop \ + --user nobody --group nobody \ + --pidfile ${SS_PIDFILE} eend $? } diff --git a/net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4.ebuild b/net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4-r1.ebuild index 353791fc2639..e10f0e72b1ac 100644 --- a/net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4.ebuild +++ b/net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4-r1.ebuild 
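Review bot: `--user nobody --group nobody` in start() puts the proxy on the shared `nobody` uid and requires the key-bearing config named by SS_CONFIG to be readable by that account, so a dedicated service account, e.g. `--user <svc-user> --group <svc-group>` (placeholders for whatever account the package creates), isolates it better than an account other services also use. Once it drops privileges the daemon has to create `-f ${SS_PIDFILE}` itself, so if SS_PIDFILE (defined outside this hunk) points under /run, start() needs a `checkpath -d -o <svc-user>:<svc-group> "${SS_PIDFILE%/*}"` before start-stop-daemon, and a listener on a port below 1024 will no longer be able to bind. Because the carried-over trailing `&` backgrounds the whole start-stop-daemon command, `eend $?` only reports the status of the backgrounding, so a config the new user cannot read fails without any message; dropping the `&` or checking for the pidfile afterwards would surface that. start() begins before this hunk; stop() is fully visible.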
@@ -40,8 +40,10 @@ PATCHES=( "${FILESDIR}/${P}-gcc10.patch" ) src_prepare() { - sed -i 's|AC_CONFIG_FILES(\[libbloom/Makefile libcork/Makefile libipset/Makefile\])||' \ + sed -i -e 's|AC_CONFIG_FILES(\[libbloom/Makefile libcork/Makefile libipset/Makefile\])||' \ configure.ac || die + sed -i -e "/\[Service\]/a\\User=nobody" \ + debian/shadowsocks-libev*.service || die default eautoreconf } @@ -71,10 +73,9 @@ src_install() { dodoc -r acl - systemd_newunit "${FILESDIR}/${PN}-local_at.service" "${PN}-local@.service" - systemd_newunit "${FILESDIR}/${PN}-server_at.service" "${PN}-server@.service" - systemd_newunit "${FILESDIR}/${PN}-redir_at.service" "${PN}-redir@.service" - systemd_newunit "${FILESDIR}/${PN}-tunnel_at.service" "${PN}-tunnel@.service" + for i in debian/${PN}*.service; do + systemd_newunit $i $(basename $i) + done } pkg_setup() { |
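Review bot: The `User=nobody` that src_prepare() appends under `[Service]` puts the daemon on the shared `nobody` account, so its process and memory are reachable by anything else running under that uid, and the `%i.json` config holding the pre-shared key has to be readable by nobody, which in practice means world-readable. A dedicated account from the acct-user/acct-group categories, listed in RDEPEND and injected as `User=<svc-user>` (placeholder), keeps the key readable only by that user; if any of the debian units must bind a port below 1024, the same sed should also append `AmbientCapabilities=CAP_NET_BIND_SERVICE`, because an unprivileged User= cannot bind those without it (the deleted FILESDIR units only carried CapabilityBoundingSet=, which limits rather than grants, so this may already have been the case). In the src_install() loop, the unquoted `$i $(basename $i)` should be `systemd_newunit "${i}" "${i##*/}"`. src_install() begins before its hunk; src_prepare() is fully visible.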