From f1801aa7be2329c07c4c2bd7522e03522b34c437 Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Sun, 3 Mar 2024 05:42:21 +0000
Subject: gentoo auto-resync : 03:03:2024 - 05:42:20

---
 net-analyzer/ndoutils/Manifest | 3 +-
 .../files/secure-install-permissions.patch | 183 +++++++++++++++++++++
 net-analyzer/ndoutils/ndoutils-2.1.3-r3.ebuild | 90 ----------
 net-analyzer/ndoutils/ndoutils-2.1.3-r4.ebuild | 102 ++++++++++++
 4 files changed, 287 insertions(+), 91 deletions(-)
 create mode 100644 net-analyzer/ndoutils/files/secure-install-permissions.patch
 delete mode 100644 net-analyzer/ndoutils/ndoutils-2.1.3-r3.ebuild
 create mode 100644 net-analyzer/ndoutils/ndoutils-2.1.3-r4.ebuild

(limited to 'net-analyzer/ndoutils')

diff --git a/net-analyzer/ndoutils/Manifest b/net-analyzer/ndoutils/Manifest
index 1270180b58fd..3c206de98ee9 100644
--- a/net-analyzer/ndoutils/Manifest
+++ b/net-analyzer/ndoutils/Manifest
@@ -2,6 +2,7 @@ AUX format-security.patch 3858 BLAKE2B 97170827cc167ec2c1377dd99fff562cbe717dd90
 AUX ndoutils-2.0.0-asprintf.patch 438 BLAKE2B 2d32a25467123281f8593b464362a66345ce1c138b897a2ddf4597770f3ae4897efb19765ca81ef29c6e3bd5079b14ec34f36138ce3853c4749b7adccc1404bb SHA512 78fe5b2004bba81b3956a96ad569b6e05e2eb20e203020d2c07e780dfc78f5f68450fb20a62388ec7ccdc37544cd896f29238dd9590cd474db1f73e101dcb9e6
 AUX openrc-init.patch 3296 BLAKE2B f07c1c0fda7a0d2e1c3f2b9cbae60568f743d82454179bcb3ee367d8a022a406dd1bf0c775fc9b339524cc5c64e4af6aacb8df8a866809104e39f39d11531f26 SHA512 4beb0e72712909554deaa93aa3fe959e80bed3465f4f0a2153f8b4e994538e6d508e303451cc14425ecb5210845308e9a113f491900a977526327a2701b00eb7
 AUX sample-config-piddir.patch 1098 BLAKE2B 467fab110ef030010acf8e130d91ba1f97424c611ef75ed0a7806d5034f1c8a5ecce2c64832a295347fb3e323342f3afc5f5d1fbbc3584f26bd2f3b226cbf3af SHA512 bae06d6571aa55c5b9f0103d9af861f50b31668f06dc9b9a29cdf961741455384d8c762338dbfb3c75e10bacba360ac5a706b6251a6ef5cec8fa0def4c679344
+AUX secure-install-permissions.patch 6866 BLAKE2B fbc323daf1152226ea94bc99059be9ab4893f2d011b8cac187a0bced78152815516a7a3b822a26035015f9440cb27a47db106be88e5df50aeb6856fb36011182 SHA512 a1e00ebb805cb0c4e3606477f1dd494447177863065a50aff43bdfbeddf5a9335c29529691805fe0bdc0b3ee459896324c43dc80a32caa7ac523ac048a8809d0
 DIST ndoutils-2.1.3.tar.gz 2182999 BLAKE2B 390548b9018d4434d5d0f69abee1d1a11f4e240150941f7f2f9e2662eb2cdb2f29b24244e094d5bdf8bfaf6c3be7bc8ebd9e6d510d66edad8bc9cf3245d5c2c3 SHA512 727f2051876ff32cafaf9993a69b721ae4ea81031fade12262dbb4c5399c601f3c1af362d9d550e1d6d56fac8fe044d515dc10fc43e7d4d3e981bc9a89db88de
-EBUILD ndoutils-2.1.3-r3.ebuild 2573 BLAKE2B 7bcd8d99544612439dc7d29b6b92d3d6acb9171031132171a49af359622d9b332cbb6bdb858c8fa888699ebc911af5e072e31735aa795f7c817082b51984b896 SHA512 9fe667c562f1602c50ca10bf98d3d18a7979031dc3e065b51d17f0fd4f24c7c6d06dfd828c16bbecbf80f2b7f410a5286cb621d3be6f640230cbdcd8e3620f5e
+EBUILD ndoutils-2.1.3-r4.ebuild 2892 BLAKE2B 00989cb0d6e01252c85df3d7cdaf6c1e452863b5e3bd2da009ddf084e8f59849a1a5136b5e15ad1f331f85395170e44a72621b4cb749384eb404b34740335793 SHA512 0858596f9532446717f657818bc90d7d1e2cbb26fa8bb9103d9257dea7d2cec48cc64550f1636d0858dc8e27007e68f321eea4018cb510d18b59805b28c8f847
 MISC metadata.xml 447 BLAKE2B be8b56cbd5627725f06feabb9438129f934e90ee93448dd3154edabc9a32cbe65d0b64c1c2f8c1b9d102b20d21d0a1fb0e10ee5ba96965c239f13439f7ca88b6 SHA512 c712854168abe638e5bbcd7c135ccc2906fe665bc8062fd11caa0a3003c5b6d5ec3e959c8295a74cf471025b0c6b88186261e32d37778222fcb3d72d78badb43
diff --git a/net-analyzer/ndoutils/files/secure-install-permissions.patch b/net-analyzer/ndoutils/files/secure-install-permissions.patch
new file mode 100644
index 000000000000..a4c50ab6cedc
--- /dev/null
+++ b/net-analyzer/ndoutils/files/secure-install-permissions.patch
@@ -0,0 +1,183 @@
+From 18ef12037f4a68772d6840cbaa08aa2da07d2891 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky
+Date: Sat, 2 Mar 2024 19:30:54 -0500
+Subject: [PATCH 1/2] configure.ac: don't install binaries as
+ ndo2db_user:ndo2db_group
+
+In configure.ac we were adding two flags to INSTALL_OPTS that change
+the owner:group of all installed files to ndo2db_user:ndo2db_group.
+This is often a security vulnerability, since executables (we have a
+few) are typically installed into everyone's PATH. If root ever
+executes them, the ndo2db_user can take advantage of the situation to
+run malicious code as root.
+
+Fortunately the change in ownership is not really needed. We simply
+drop the INSTALL_OPTS, which are used for nothing else, allowing our
+files to be installed as the user who is doing the installing. When
+installing to one of the system PATHs, that will almost always be
+root.
+---
+ Makefile.in | 9 ++++-----
+ configure.ac | 2 --
+ docs/docbook/en-en/Makefile.in | 1 -
+ src/Makefile.in | 31 +++++++++++++++----------------
+ 4 files changed, 19 insertions(+), 24 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 58c9f0f..68774c2 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -37,7 +37,6 @@ INSTALL=@INSTALL@
+ GREP=@GREP@
+ EGREP=@EGREP@
+ 
+-INSTALL_OPTS=@INSTALL_OPTS@
+ OPSYS=@opsys@
+ DIST=@dist_type@
+ 
+@@ -98,10 +97,10 @@ install:
+ 	@echo ""
+ 
+ install-config:
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(CFGDIR)
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(PIPEDIR)
+-	$(INSTALL) -m 644 $(INSTALL_OPTS) config/ndo2db.cfg-sample $(DESTDIR)$(CFGDIR)
+-	$(INSTALL) -m 644 $(INSTALL_OPTS) config/ndomod.cfg-sample $(DESTDIR)$(CFGDIR)
++	$(INSTALL) -m 775 -d $(DESTDIR)$(CFGDIR)
++	$(INSTALL) -m 775 -d $(DESTDIR)$(PIPEDIR)
++	$(INSTALL) -m 644 config/ndo2db.cfg-sample $(DESTDIR)$(CFGDIR)
++	$(INSTALL) -m 644 config/ndomod.cfg-sample $(DESTDIR)$(CFGDIR)
+ 	@echo ""
+ 	@echo "*** Config files installed ***"
+ 	@echo ""
+diff --git a/configure.ac b/configure.ac
+index 58b47a4..3279397 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -317,8 +317,6 @@ AC_ARG_WITH(ndo2db_user,AC_HELP_STRING([--with-ndo2db-user=],[sets user na
+ AC_ARG_WITH(ndo2db_group,AC_HELP_STRING([--with-ndo2db-group=],[sets group name to run NDO2DB]),ndo2db_group=$withval,ndo2db_group=nagios)
+ AC_SUBST(ndo2db_user)
+ AC_SUBST(ndo2db_group)
+-INSTALL_OPTS="-o $ndo2db_user -g $ndo2db_group"
+-AC_SUBST(INSTALL_OPTS)
+ 
+ 
+ dnl Does the user want to check for systemd?
+diff --git a/docs/docbook/en-en/Makefile.in b/docs/docbook/en-en/Makefile.in
+index d72b68c..29e1e1e 100644
+--- a/docs/docbook/en-en/Makefile.in
++++ b/docs/docbook/en-en/Makefile.in
+@@ -13,7 +13,6 @@ BINDIR=@bindir@
+ LIBEXECDIR=@libexecdir@
+ DATAROOTDIR=@datarootdir@
+ INSTALL=@INSTALL@
+-INSTALL_OPTS=@INSTALL_OPTS@
+ 
+ 
+ all:
+diff --git a/src/Makefile.in b/src/Makefile.in
+index 532cc82..352a768 100644
+--- a/src/Makefile.in
++++ b/src/Makefile.in
+@@ -26,7 +26,6 @@ exec_prefix=@exec_prefix@
+ PIPEDIR=@localstatedir@
+ BINDIR=@bindir@
+ INSTALL=@INSTALL@
+-INSTALL_OPTS=@INSTALL_OPTS@
+ 
+ CC=@CC@
+ 
+@@ -126,9 +125,9 @@ distclean: clean
+ devclean: distclean
+ 
+ install: install-4x
+-	$(INSTALL) -m 774 $(INSTALL_OPTS) file2sock $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 774 $(INSTALL_OPTS) log2ndo $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 774 $(INSTALL_OPTS) sockdebug $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 774 file2sock $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 774 log2ndo $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 774 sockdebug $(DESTDIR)$(BINDIR)
+ 	@echo ""
+ 	@echo " Hint: NDOUtils Installation against Nagios v4.x"
+ 	@echo " completed."
+@@ -147,20 +146,20 @@ install: install-4x
+ 	@echo ""
+ 
+ install-2x:
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(PIPEDIR)
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 755 $(INSTALL_OPTS) ndo2db-2x $(DESTDIR)$(BINDIR)/ndo2db
+-	$(INSTALL) -m 755 $(INSTALL_OPTS) ndomod-2x.o $(DESTDIR)$(BINDIR)/ndomod.o
++	$(INSTALL) -m 775 -d $(DESTDIR)$(PIPEDIR)
++	$(INSTALL) -m 775 -d $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 755 ndo2db-2x $(DESTDIR)$(BINDIR)/ndo2db
++	$(INSTALL) -m 755 ndomod-2x.o $(DESTDIR)$(BINDIR)/ndomod.o
+ 
+ install-3x:
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(PIPEDIR)
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 755 $(INSTALL_OPTS) ndo2db-3x $(DESTDIR)$(BINDIR)/ndo2db
+-	$(INSTALL) -m 755 $(INSTALL_OPTS) ndomod-3x.o $(DESTDIR)$(BINDIR)/ndomod.o
++	$(INSTALL) -m 775 -d $(DESTDIR)$(PIPEDIR)
++	$(INSTALL) -m 775 -d $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 755 ndo2db-3x $(DESTDIR)$(BINDIR)/ndo2db
++	$(INSTALL) -m 755 ndomod-3x.o $(DESTDIR)$(BINDIR)/ndomod.o
+ 
+ install-4x:
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(PIPEDIR)
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 755 $(INSTALL_OPTS) ndo2db-4x $(DESTDIR)$(BINDIR)/ndo2db
+-	$(INSTALL) -m 755 $(INSTALL_OPTS) ndomod-4x.o $(DESTDIR)$(BINDIR)/ndomod.o
++	$(INSTALL) -m 775 -d $(DESTDIR)$(PIPEDIR)
++	$(INSTALL) -m 775 -d $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 755 ndo2db-4x $(DESTDIR)$(BINDIR)/ndo2db
++	$(INSTALL) -m 755 ndomod-4x.o $(DESTDIR)$(BINDIR)/ndomod.o
+ 
+-- 
+2.43.0
+
+From 69a80d6a9bf1196ffcfffa7f756633bb13a62b5f Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky
+Date: Sat, 2 Mar 2024 19:52:47 -0500
+Subject: [PATCH 2/2] src/Makefile.in: install all executables with mode 0755
+
+Three executables -- file2sock, log2ndo, and sockdebug -- are
+currently being installed group-writable but not
+world-executable. This is in contrast with the other two executables,
+ndo2db and ndomod.o, that are installed mode 0755.
+
+Having recently removed the INSTALL_OPTS that were altering the
+owner:group of these files, there is no longer any security risk to
+mode 0774. However, 0755 is more consistent with both the rest of our
+executables, and with the typical permissions on /usr/bin that arise
+from the (extremely common) umask of 0022.
+
+We change these three to 0755 for a little bit of extra peace of mind.
+
+changes. Lines starting # with '#' will be ignored, and an empty
+message aborts the commit. # # Date: Sat Mar 2 19:52:47 2024 -0500 #
+src/Makefile.in #
+---
+ src/Makefile.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/Makefile.in b/src/Makefile.in
+index 352a768..e6a1816 100644
+--- a/src/Makefile.in
++++ b/src/Makefile.in
+@@ -125,9 +125,9 @@ distclean: clean
+ devclean: distclean
+ 
+ install: install-4x
+-	$(INSTALL) -m 774 file2sock $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 774 log2ndo $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 774 sockdebug $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 755 file2sock $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 755 log2ndo $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 755 sockdebug $(DESTDIR)$(BINDIR)
+ 	@echo ""
+ 	@echo " Hint: NDOUtils Installation against Nagios v4.x"
+ 	@echo " completed."
+-- 
+2.43.0
+
diff --git a/net-analyzer/ndoutils/ndoutils-2.1.3-r3.ebuild b/net-analyzer/ndoutils/ndoutils-2.1.3-r3.ebuild
deleted file mode 100644
index 044cb36975f4..000000000000
--- a/net-analyzer/ndoutils/ndoutils-2.1.3-r3.ebuild
+++ /dev/null
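Review bot: Removing `$(INSTALL_OPTS)` from the `install-config` and `install-*x` targets leaves `$(DESTDIR)$(PIPEDIR)` created with `-m 775` but owned by whoever runs the install (root, per the patch description), and nothing in this commit re-establishes write access for the daemon user; the r4 ebuild's `src_configure` comment says the nagios user must be able to write to /var/lib/nagios for the socket and pid file, yet its `src_install` only does `keepdir /var/lib/nagios`. The same gap applies to the r4 ebuild section below. Unless acct-user/nagios already creates /var/lib/nagios as the nagios home, the ebuild should follow the keepdir with `fowners nagios:nagios /var/lib/nagios`, which keeps the ownership change confined to the state directory rather than the executables in $(BINDIR) as the patch intends. With the chown gone, `-m 775 -d` on the directories also only grants group write to root's group, so `-m 755` would state the intent more plainly.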
@@ -1,90 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit systemd
-
-DESCRIPTION="Nagios addon to store Nagios data in a MySQL database"
-HOMEPAGE="https://www.nagios.org/"
-SRC_URI="https://github.com/NagiosEnterprises/${PN}/archive/${P}.tar.gz"
-S="${WORKDIR}/${PN}-${P}"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~amd64 ~ppc ~x86"
-
-# We require the "nagios" user from net-analyzer/nagios-core at build
-# time.
-DEPEND="
-	dev-db/mysql-connector-c
-	dev-perl/DBD-mysql
-	dev-perl/DBI
-	>=net-analyzer/nagios-core-4.4.5"
-RDEPEND="${DEPEND}
-	virtual/mysql"
-
-PATCHES=(
-	"${FILESDIR}"/format-security.patch
-	"${FILESDIR}"/ndoutils-2.0.0-asprintf.patch
-	"${FILESDIR}"/sample-config-piddir.patch
-	"${FILESDIR}"/openrc-init.patch
-)
-
-src_configure() {
-	# The localstatedir is where our socket will be created by the
-	# nagios daemon, so we put it in /var/lib/nagios where the "nagios"
-	# user will be able to write.
-	#
-	# And normally, we would use /run for the pid file, but the daemon
-	# drops permissions before creating it, so the piddir also needs
-	# to be writable by the nagios user.
-	econf --enable-mysql \
-		--localstatedir=/var/lib/nagios \
-		--sysconfdir=/etc/nagios \
-		--with-piddir=/var/lib/nagios
-}
-
-src_compile() {
-	# Avoid "emake all" so that we don't build the stuff for nagios-2.x
-	# and nagios-3.x, some of which throws QA warnings. We don't use it
-	# anyway.
-	emake -C src file2sock log2ndo ndo2db-4x ndomod-4x.o sockdebug
-}
-
-src_install() {
-	# The documentation isn't installed by the build system
-	HTML_DOCS=( docs/html/. )
-	default
-
-	dodoc Changelog UPGRADING \
-		"docs/NDOUTILS DB Model.pdf" "docs/NDOUtils Documentation.pdf"
-
-	systemd_newunit startup/default-service ndoutils.service
-
-	insinto /etc/nagios
-	newins config/ndo2db.cfg-sample ndo2db.cfg
-	newins config/ndomod.cfg-sample ndomod.cfg
-	newinitd startup/openrc-init ndo2db
-	newconfd startup/openrc-conf ndo2db
-
-	insinto /usr/share/ndoutils
-	doins -r db
-
-	# These need to be executable...
-	exeinto /usr/share/ndoutils/db
-	doexe db/{installdb,prepsql,upgradedb}
-
-	# Use symlinks because the installdb/upgradedb scripts use relative
-	# paths to the SQL queries.
-	dosym ../share/ndoutils/db/installdb /usr/bin/ndoutils-installdb
-	dosym ../share/ndoutils/db/upgradedb /usr/bin/ndoutils-upgradedb
-
-	keepdir /var/lib/nagios
-}
-
-pkg_postinst() {
-	elog "To include NDO in your Nagios setup, you'll need to activate"
-	elog "the NDO broker module in /etc/nagios/nagios.cfg:"
-	elog " broker_module=/usr/bin/ndomod.o config_file=/etc/nagios/ndomod.cfg"
-}
diff --git a/net-analyzer/ndoutils/ndoutils-2.1.3-r4.ebuild b/net-analyzer/ndoutils/ndoutils-2.1.3-r4.ebuild
new file mode 100644
index 000000000000..32d8d3bd8c57
--- /dev/null
+++ b/net-analyzer/ndoutils/ndoutils-2.1.3-r4.ebuild
@@ -0,0 +1,102 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools systemd
+
+DESCRIPTION="Nagios addon to store Nagios data in a database"
+HOMEPAGE="https://github.com/NagiosEnterprises/ndoutils"
+SRC_URI="https://github.com/NagiosEnterprises/${PN}/archive/${P}.tar.gz"
+S="${WORKDIR}/${PN}-${P}"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~x86"
+
+DEPEND="
+	dev-db/mysql-connector-c
+	dev-perl/DBD-mysql
+	dev-perl/DBI"
+
+# The default value of the --with-ndo2db-{user,group} flag is "nagios".
+# For unrelated reasons, we actually patch out the build-time dependency
+# on the user/group, but it should still be there at runtime.
+RDEPEND="${DEPEND}
+	acct-user/nagios
+	acct-group/nagios
+	virtual/mysql"
+
+PATCHES=(
+	"${FILESDIR}"/format-security.patch
+	"${FILESDIR}"/ndoutils-2.0.0-asprintf.patch
+	"${FILESDIR}"/sample-config-piddir.patch
+	"${FILESDIR}"/openrc-init.patch
+	"${FILESDIR}"/secure-install-permissions.patch
+)
+
+src_prepare() {
+	default
+	eautoreconf
+}
+
+src_configure() {
+	# The localstatedir is where our socket will be created by the
+	# nagios daemon, so we put it in /var/lib/nagios where the "nagios"
+	# user will be able to write.
+	#
+	# And normally, we would use /run for the pid file, but the daemon
+	# drops permissions before creating it, so the piddir also needs
+	# to be writable by the nagios user.
+	#
+	# Oh, and the build fails without --enable-mysql, so don't try.
+	#
+	econf --enable-mysql \
+		--localstatedir=/var/lib/nagios \
+		--sysconfdir=/etc/nagios \
+		--with-piddir=/var/lib/nagios
+}
+
+src_compile() {
+	# Avoid "emake all" so that we don't build the stuff for nagios-2.x
+	# and nagios-3.x, some of which throws QA warnings. We don't use it
+	# anyway.
+	emake -C src file2sock log2ndo ndo2db-4x ndomod-4x.o sockdebug
+}
+
+src_install() {
+	# The documentation isn't installed by the build system
+	HTML_DOCS=( docs/html/. )
+	default
+
+	dodoc Changelog UPGRADING \
+		"docs/NDOUTILS DB Model.pdf" "docs/NDOUtils Documentation.pdf"
+
+	systemd_newunit startup/default-service ndoutils.service
+
+	insinto /etc/nagios
+	newins config/ndo2db.cfg-sample ndo2db.cfg
+	newins config/ndomod.cfg-sample ndomod.cfg
+	newinitd startup/openrc-init ndo2db
+	newconfd startup/openrc-conf ndo2db
+
+	insinto /usr/share/ndoutils
+	doins -r db
+
+	# These need to be executable...
+	exeinto /usr/share/ndoutils/db
+	doexe db/{installdb,prepsql,upgradedb}
+
+	# Use symlinks because the installdb/upgradedb scripts use relative
+	# paths to the SQL queries.
+	dosym ../share/ndoutils/db/installdb /usr/bin/ndoutils-installdb
+	dosym ../share/ndoutils/db/upgradedb /usr/bin/ndoutils-upgradedb
+
+	keepdir /var/lib/nagios
+}
+
+pkg_postinst() {
+	elog "To include NDO in your Nagios setup, you'll need to activate"
+	elog "the NDO broker module in /etc/nagios/nagios.cfg:"
+	elog " broker_module=/usr/bin/ndomod.o config_file=/etc/nagios/ndomod.cfg"
+}
-- cgit v1.2.3
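Review bot: Dropping `>=net-analyzer/nagios-core-4.4.5` from DEPEND is justified by the new patch (the user is no longer needed at build time), but because RDEPEND is built from `${DEPEND}` the r3 ebuild's runtime dependency on nagios-core silently disappears too, while `pkg_postinst` still points the user at `/etc/nagios/nagios.cfg` and the installed `ndomod.o` is a broker module that is only loaded by the nagios daemon. Unless that drop was intended, add `>=net-analyzer/nagios-core-4.4.5` to the RDEPEND list next to `acct-user/nagios`. The comment above RDEPEND would then also be worth extending with a sentence saying that the nagios daemon itself is required only at runtime, so the next reader does not re-add it to DEPEND.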