commit: 3dbd8e0a71b7aabceedf523c71fe2461cb9edc33
Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Tue Aug 22 00:23:04 2017 +0000
Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Tue Aug 22 00:23:27 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3dbd8e0a
app-admin/logsurfer+: new revision to prevent PID file manipulation.
Previous versions of the logsurfer init script used start-stop-daemon
to run logsurfer as the "logsurfer" user, but let the daemon create
its own PID file. As a result, the "logsurfer" user needed to be able
to write to its PID file, and therein lies a minor security
vulnerability: if the daemon is compromised, the "logsurfer" user can
write an arbitrary PID into the file, later to be SIGKILLed by root
when he attempts to stop the service.
Since logsurfer cannot drop privileges on its own, the new init script
fixes this by running it in the foreground, and letting OpenRC manage
the PID file.
Gentoo-Bug: 628560
Package-Manager: Portage-2.3.6, Repoman-2.3.1
app-admin/logsurfer+/files/logsurfer-1.8.initd-r1 | 32 ++++++++++++++++++
app-admin/logsurfer+/logsurfer+-1.8-r3.ebuild | 40 +++++++++++++++++++++++
2 files changed, 72 insertions(+)
diff --git a/app-admin/logsurfer+/files/logsurfer-1.8.initd-r1
b/app-admin/logsurfer+/files/logsurfer-1.8.initd-r1
new file mode 100644
index 00000000000..03b87a4868f
--- /dev/null
+++ b/app-admin/logsurfer+/files/logsurfer-1.8.initd-r1
@@ -0,0 +1,32 @@
+#!/sbin/openrc-run
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+pidfile="/run/logsurfer.pid"
+command="/usr/bin/logsurfer"
+command_args="${LOGSURFER_OPTS}"
+command_user="logsurfer"
+command_background=true
+extra_started_commands="reload dump"
+
+depend() {
+ use logger
+}
+
+start_pre() {
+ # logsurfer won't start without a config file, but
+ # it doesn't mind an empty one.
+ checkpath --file /etc/logsurfer.conf
+}
+
+reload() {
+ ebegin "Reloading ${RC_SVCNAME}"
+ start-stop-daemon --signal HUP --pidfile "${pidfile}"
+ eend $? "Failed to reload ${RC_SVCNAME}"
+}
+
+dump() {
+ ebegin "Dumping ${RC_SVCNAME} internal state"
+ start-stop-daemon --signal USR1 --pidfile "${pidfile}"
+ eend $? "Failed to dump ${RC_SVCNAME} internal state"
+}
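Review bot: `command_args="${LOGSURFER_OPTS}"` still passes whatever conf.d supplies, but `command_background=true` with the root-owned `pidfile` only works if logsurfer stays in the foreground and writes no PID file of its own. The ebuild in this commit installs the existing `logsurfer.confd` unchanged, and its contents are not visible here, so it should be confirmed that the default options no longer daemonize or name a PID file. Otherwise OpenRC would record the PID of a process that exits immediately, and stop, reload and dump would signal the wrong target. A comment above the variables would keep the reason from being lost, for example `# OpenRC owns the PID file so the unprivileged daemon cannot redirect root's signals (bug 628560); do not add daemonize or pidfile options to LOGSURFER_OPTS.`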
diff --git a/app-admin/logsurfer+/logsurfer+-1.8-r3.ebuild
b/app-admin/logsurfer+/logsurfer+-1.8-r3.ebuild
new file mode 100644
index 00000000000..0ec693d2ea5
--- /dev/null
+++ b/app-admin/logsurfer+/logsurfer+-1.8-r3.ebuild
@@ -0,0 +1,40 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit toolchain-funcs user
+
+MY_P="logsurfer-${PV}"
+DESCRIPTION="Real Time Log Monitoring and Alerting"
+HOMEPAGE="http://www.crypt.gen.nz/logsurfer/"
+SRC_URI="http://kerryt.orcon.net.nz/${MY_P}.tar.gz
+ http://www.crypt.gen.nz/logsurfer/${MY_P}.tar.gz"
+
+LICENSE="freedist GPL-2+"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE=""
+RESTRICT="bindist" #444330
+
+S="${WORKDIR}/${MY_P}"
+
+src_configure() {
+ econf --with-etcdir=/etc
+}
+
+src_compile() {
+ emake CC="$(tc-getCC)"
+}
+
+src_install() {
+ dobin src/logsurfer
+ doman man/logsurfer.1 man/logsurfer.conf.4
+
+ newinitd "${FILESDIR}"/logsurfer-1.8.initd-r1 logsurfer
+ newconfd "${FILESDIR}"/logsurfer.confd logsurfer
+ dodoc ChangeLog README TODO
+}
+
+pkg_postinst() {
+ enewuser logsurfer -1 -1 -1 daemon
+}
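Review bot: `pkg_postinst` only calls `enewuser`, so nothing tells the administrator that an already running logsurfer keeps relying on its old daemon-written PID file until the service is restarted under the new init script. Since this revision is a security fix, a line such as `elog "Restart the logsurfer service so that OpenRC manages its PID file."` after `enewuser` would make that explicit. The previous PID file path is not visible in this commit, so it is worth checking whether the new script can still stop a daemon started by the old one. It is also worth checking whether a leftover file or directory writable by the logsurfer user needs cleaning up.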