commit:     73598a5e25d6583dde4f08a34df5073817c5a391
Author:     Francisco Blas (klondike) Izquierdo Riera <klondike <AT> gentoo 
<DOT> org>
AuthorDate: Sat Sep  7 20:38:38 2019 +0000
Commit:     Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Sat Sep  7 21:24:11 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73598a5e

net-firewall/nftables: Fix permissions for rules.save

Due to a bug (the save script called `umask 600` where `umask 177` was
intended), the rules.save file was created with the wrong permissions,
allowing every local user to read the saved system firewall rules even
though root privileges are normally required to view them.

To fix this issue, the following measures have been taken:
* The umask on nftables-mk.sh is now correctly set to 177
* nftables.sh now also sets the umask before saving the rules
* The ebuilds will warn on post installation if the rules.save
  has insecure permissions
* The ebuilds have been bumped to ensure these changes are
  applied

Bug: https://bugs.gentoo.org/691326
Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike <AT> 
gentoo.org>
Package-Manager: Portage-2.3.69, Repoman-2.3.11
Signed-off-by: Matthew Thode <prometheanfire <AT> gentoo.org>

 net-firewall/nftables/files/libexec/nftables-mk.sh |  2 +-
 net-firewall/nftables/files/libexec/nftables.sh    |  1 +
 ...ables-0.9.2.ebuild => nftables-0.9.0-r5.ebuild} | 87 +++++++---------------
 ...ables-0.9.1.ebuild => nftables-0.9.1-r1.ebuild} | 10 ++-
 ...ables-0.9.2.ebuild => nftables-0.9.2-r1.ebuild} | 10 ++-
 5 files changed, 44 insertions(+), 66 deletions(-)

diff --git a/net-firewall/nftables/files/libexec/nftables-mk.sh 
b/net-firewall/nftables/files/libexec/nftables-mk.sh
index b3d7db60d7f..27defe3c1c3 100644
--- a/net-firewall/nftables/files/libexec/nftables-mk.sh
+++ b/net-firewall/nftables/files/libexec/nftables-mk.sh
@@ -24,7 +24,7 @@ main() {
                ;;
                "store")
                        local tmp_save="${NFTABLES_SAVE}.tmp"
-                       umask 600;
+                       umask 177
                        (
                                printf '#!/sbin/nft -f\nflush ruleset\n'
                                nft ${SAVE_OPTIONS} list ruleset
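Review bot: `umask 177` only governs the mode of files created after this point, so a stale `${NFTABLES_SAVE}.tmp` left behind by an interrupted earlier store keeps whatever mode it already had when the subshell's output is redirected into it, and the ruleset can still land in a readable file. Removing any leftover temp file first, `rm -f "${tmp_save}"`, or following the write with `chmod 600 "${tmp_save}"`, closes that gap. The redirection itself and what later happens to the temp file (rename over the save file or otherwise) are outside the hunk, so whether the final save file inherits the 0600 mode cannot be confirmed here; main() continues past the hunk.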

diff --git a/net-firewall/nftables/files/libexec/nftables.sh 
b/net-firewall/nftables/files/libexec/nftables.sh
index cc55f856600..557b454a911 100755
--- a/net-firewall/nftables/files/libexec/nftables.sh
+++ b/net-firewall/nftables/files/libexec/nftables.sh
@@ -25,6 +25,7 @@ main() {
             retval=$?
         ;;
         "store")
+            umask 177
             local tmp_save="${NFTABLES_SAVE}.tmp"
             if ! use_legacy; then
                 nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}
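Review bot: The new `umask 177` affects only files created from here on, while `nft ${SAVE_OPTIONS} list ruleset > ${tmp_save}` on the last hunk line truncates an existing `${NFTABLES_SAVE}.tmp` in place and leaves its old mode untouched, so a temp file left by a previous failed run is not tightened by this change. Insert `rm -f "${tmp_save}"` right after the umask, or add `chmod 600 "${tmp_save}"` after the write, so the mode is enforced regardless of how the file came to exist; quoting the redirect target, `> "${tmp_save}"`, would also be safer. The legacy branch and the subsequent handling of the temp file are outside the hunk, and main() continues past it.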

diff --git a/net-firewall/nftables/nftables-0.9.2.ebuild 
b/net-firewall/nftables/nftables-0.9.0-r5.ebuild
similarity index 54%
copy from net-firewall/nftables/nftables-0.9.2.ebuild
copy to net-firewall/nftables/nftables-0.9.0-r5.ebuild
index 112b5f0b9af..d98c11e37e4 100644
--- a/net-firewall/nftables/nftables-0.9.2.ebuild
+++ b/net-firewall/nftables/nftables-0.9.0-r5.ebuild
@@ -1,54 +1,33 @@
 # Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=6
 
-PYTHON_COMPAT=( python3_{5,6,7} )
-
-inherit autotools linux-info python-r1 systemd
+inherit autotools linux-info systemd
 
 DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/";
-#SRC_URI="https://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> 
${P}.tar.gz"
-SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2";
+SRC_URI="https://git.netfilter.org/nftables/snapshot/v${PV}.tar.gz -> 
${P}.tar.gz"
 
 LICENSE="GPL-2"
 SLOT="0"
-KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~sparc ~x86"
-IUSE="debug +doc +gmp json +modern_kernel python +readline static-libs xtables"
+KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~x86"
+IUSE="debug doc +gmp json +modern_kernel +readline"
 
-RDEPEND="
-       >=net-libs/libmnl-1.0.3:0=
+RDEPEND=">=net-libs/libmnl-1.0.3:0=
        gmp? ( dev-libs/gmp:0= )
        json? ( dev-libs/jansson )
-       python? ( ${PYTHON_DEPS} )
        readline? ( sys-libs/readline:0= )
-       >=net-libs/libnftnl-1.1.4:0=
-       xtables? ( >=net-firewall/iptables-1.6.1 )
-"
-
-DEPEND="${RDEPEND}"
+       >=net-libs/libnftnl-1.1.1:0="
 
-BDEPEND="
-       doc? ( app-text/asciidoc )
+DEPEND="${RDEPEND}
        >=app-text/docbook2X-0.8.8-r4
+       doc? ( >=app-text/dblatex-0.3.7 )
        sys-devel/bison
        sys-devel/flex
-       virtual/pkgconfig
-"
+       virtual/pkgconfig"
 
-REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
-
-#S="${WORKDIR}/v${PV}"
-
-python_make() {
-       emake \
-               -C py \
-               abs_builddir="${S}" \
-               DESTDIR="${D}" \
-               PYTHON_BIN="${PYTHON}" \
-               ${@}
-}
+S="${WORKDIR}/v${PV}"
 
 pkg_setup() {
        if kernel_is ge 3 13; then
@@ -64,44 +43,26 @@ pkg_setup() {
 
 src_prepare() {
        default
-
-       # fix installation path for doc stuff
-       sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}@' \
-               -i files/nftables/Makefile.am || die
-       sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/osf@' \
-               -i files/osf/Makefile.am || die
-
        eautoreconf
 }
 
 src_configure() {
        local myeconfargs=(
-               # We handle python separately
-               --disable-python
                --sbindir="${EPREFIX}"/sbin
                $(use_enable debug)
-               $(use_enable doc man-doc)
+               $(use_enable doc pdf-doc)
                $(use_with !gmp mini_gmp)
                $(use_with json)
                $(use_with readline cli)
-               $(use_enable static-libs static)
-               $(use_with xtables)
        )
        econf "${myeconfargs[@]}"
 }
 
-src_compile() {
-       default
-
-       if use python ; then
-               python_foreach_impl python_make
-       fi
-}
-
 src_install() {
        default
 
-       local mksuffix="$(usex modern_kernel '-mk' '')"
+       local mksuffix=""
+       use modern_kernel && mksuffix="-mk"
 
        exeinto /usr/libexec/${PN}
        newexe "${FILESDIR}"/libexec/${PN}${mksuffix}.sh ${PN}.sh
@@ -111,21 +72,25 @@ src_install() {
 
        systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
 
-       if use python ; then
-               python_foreach_impl python_make install
-       fi
-
-       find "${ED}" -type f -name "*.la" -delete || die
+       docinto /usr/share/doc/${PF}/skels
+       dodoc "${D}"/etc/nftables/*
+       rm -R "${D}"/etc/nftables
 }
 
 pkg_postinst() {
        local save_file
-       save_file="${EROOT}/var/lib/nftables/rules-save"
+       save_file="${EROOT%/}/var/lib/nftables/rules-save"
 
        # In order for the nftables-restore systemd service to start
        # the save_file must exist.
-       if [[ ! -f ${save_file} ]]; then
-               touch ${save_file}
+       if [[ ! -f "${save_file}" ]]; then
+               touch "${save_file}"
+       elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 
]]; then
+               ewarn "Your system has dangerous permissions for ${save_file}"
+               ewarn "It is probably affected by bug #691326."
+               ewarn "You may need to fix the permissions of the file. To do 
so,"
+               ewarn "you can run the command in the line below as root."
+               ewarn "    'chmod 600 \"${save_file}\"'"
        fi
 
        elog "If you wish to enable the firewall rules on boot (on systemd) you"
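Review bot: In pkg_postinst the creation branch `touch "${save_file}"` still makes the file under Portage's ambient umask, so a fresh install can bring the save file into existence world-readable, while only the pre-existing-file branch inspects the mode; given this commit's purpose, pin it at creation with `( umask 177; touch "${save_file}" ) || die` or follow the touch with `chmod 600 "${save_file}" || die`. Whether the later store step replaces the file by renaming the 0600 temp file over it or writes into it in place is not visible here, so the looser mode from `touch` may or may not persist. Separately, `rm -R "${D}"/etc/nftables` in src_install has no `|| die`, so a failure there would go unnoticed. pkg_postinst continues beyond the hunk.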

diff --git a/net-firewall/nftables/nftables-0.9.1.ebuild 
b/net-firewall/nftables/nftables-0.9.1-r1.ebuild
similarity index 88%
rename from net-firewall/nftables/nftables-0.9.1.ebuild
rename to net-firewall/nftables/nftables-0.9.1-r1.ebuild
index db6f707d58c..5752d73a1b9 100644
--- a/net-firewall/nftables/nftables-0.9.1.ebuild
+++ b/net-firewall/nftables/nftables-0.9.1-r1.ebuild
@@ -129,8 +129,14 @@ pkg_postinst() {
 
        # In order for the nftables-restore systemd service to start
        # the save_file must exist.
-       if [[ ! -f ${save_file} ]]; then
-               touch ${save_file}
+       if [[ ! -f "${save_file}" ]]; then
+               touch "${save_file}"
+       elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 
]]; then
+               ewarn "Your system has dangerous permissions for ${save_file}"
+               ewarn "It is probably affected by bug #691326."
+               ewarn "You may need to fix the permissions of the file. To do 
so,"
+               ewarn "you can run the command in the line below as root."
+               ewarn "    'chmod 600 \"${save_file}\"'"
        fi
 
        elog "If you wish to enable the firewall rules on boot (on systemd) you"
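Review bot: The `touch "${save_file}"` branch creates the file with whatever umask Portage happens to run under, so on a system without an existing save file the newly created one can be world-readable even though the `elif` branch right below it warns about exactly that condition. Creating it with an explicit mode, `( umask 177; touch "${save_file}" ) || die`, or adding `chmod 600 "${save_file}" || die` after the touch, makes the new file match the 0600 that the warning demands. Whether the store script later replaces this file by rename (inheriting the temp file's mode) is not visible in this hunk; pkg_postinst begins and ends outside it.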

diff --git a/net-firewall/nftables/nftables-0.9.2.ebuild 
b/net-firewall/nftables/nftables-0.9.2-r1.ebuild
similarity index 88%
rename from net-firewall/nftables/nftables-0.9.2.ebuild
rename to net-firewall/nftables/nftables-0.9.2-r1.ebuild
index 112b5f0b9af..d3579794781 100644
--- a/net-firewall/nftables/nftables-0.9.2.ebuild
+++ b/net-firewall/nftables/nftables-0.9.2-r1.ebuild
@@ -124,8 +124,14 @@ pkg_postinst() {
 
        # In order for the nftables-restore systemd service to start
        # the save_file must exist.
-       if [[ ! -f ${save_file} ]]; then
-               touch ${save_file}
+       if [[ ! -f "${save_file}" ]]; then
+               touch "${save_file}"
+       elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 
]]; then
+               ewarn "Your system has dangerous permissions for ${save_file}"
+               ewarn "It is probably affected by bug #691326."
+               ewarn "You may need to fix the permissions of the file. To do 
so,"
+               ewarn "you can run the command in the line below as root."
+               ewarn "    'chmod 600 \"${save_file}\"'"
        fi
 
        elog "If you wish to enable the firewall rules on boot (on systemd) you"
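Review bot: `touch "${save_file}"` in the not-yet-existing branch does not set a mode, so the file is created under the ambient umask and can start out world-readable, while the permission check on the `elif` line only runs for files that already existed before the install. Use `( umask 177; touch "${save_file}" ) || die`, or `chmod 600 "${save_file}" || die` after the touch, so a fresh install does not create the same condition the warning describes. Whether a subsequent rules store overwrites the file in place or renames a 0600 temp file over it cannot be determined from this hunk; pkg_postinst begins and ends outside it.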
