Diffstat (limited to 'source/n')
-rwxr-xr-xsource/n/NetworkManager/NetworkManager.SlackBuild2
-rw-r--r--source/n/NetworkManager/conf.d/00-dhcp-client.conf23
-rwxr-xr-xsource/n/bind/bind.SlackBuild8
-rw-r--r--source/n/bind/default.named15
-rw-r--r--source/n/bind/doinst.sh6
-rw-r--r--source/n/bind/rc.bind58
-rwxr-xr-xsource/n/dhcpcd/dhcpcd.SlackBuild30
7 files changed, 88 insertions, 54 deletions
diff --git a/source/n/NetworkManager/NetworkManager.SlackBuild b/source/n/NetworkManager/NetworkManager.SlackBuild
index fb108b5bf..3cfd061d4 100755
--- a/source/n/NetworkManager/NetworkManager.SlackBuild
+++ b/source/n/NetworkManager/NetworkManager.SlackBuild
@@ -27,7 +27,7 @@ cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=NetworkManager
VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-2}
+BUILD=${BUILD:-3}
# Automatically determine the architecture we're building on:
MARCH=$( uname -m )
diff --git a/source/n/NetworkManager/conf.d/00-dhcp-client.conf b/source/n/NetworkManager/conf.d/00-dhcp-client.conf
index 8f4356924..53e30c85d 100644
--- a/source/n/NetworkManager/conf.d/00-dhcp-client.conf
+++ b/source/n/NetworkManager/conf.d/00-dhcp-client.conf
@@ -1,9 +1,22 @@
[main]
# Choose a DHCP client below. Upstream recommends internal, but results may vary.
-# dhcpcd is the DHCP client usually used by Slackware. The --noconfigure
-# option must be used or the network will not return after suspend/resume:
-dhcp=dhcpcd --noconfigure
+#
+# This is a simple DHCP client that is built into NetworkManager:
+dhcp=internal
+#
# dhclient is the ISC reference DHCP client, part of the dhcp package:
#dhcp=dhclient
-# This is a simple DHCP client that is built into NetworkManager:
-#dhcp=internal
+#
+# dhcpcd is the DHCP client usually used by Slackware. However, it is built
+# with --enable-privsep, and a side-effect of this when used with
+# NetworkManager is that the network will not return properly after a
+# suspend/resume cycle. If you don't require this functionality, dhcpcd will
+# work fine otherwise. If you do require it and don't want to use one of the
+# other two options here, there are some workarounds.
+# You may force NetworkManager to reload the network by killing dhcpcd:
+# killall -9 dhcpcd
+# Otherwise, you may rebuild the dhcpcd package without privilege separation
+# using the following command in the dhcpcd source directory:
+# PRIVSEP=no ./dhcpcd.SlackBuild
+# The resulting dhcpcd package will work fine with NetworkManager.
+#dhcp=dhcpcd
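Review bot: The new dhcpcd comment block offers `PRIVSEP=no ./dhcpcd.SlackBuild` as a workaround without saying what is given up. The dhcpcd.SlackBuild comment added in this same commit explains that privilege separation confines a dhcpcd vulnerability to the unprivileged dhcpcd user rather than root. I would add a line before `#dhcp=dhcpcd` such as `# Note that this removes dhcpcd's privilege separation; see the comments in dhcpcd.SlackBuild.` The `killall -9 dhcpcd` suggestion also goes straight to SIGKILL, which presumably gives dhcpcd no chance to clean up, so it may be worth stating whether a plain `killall dhcpcd` is sufficient.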
diff --git a/source/n/bind/bind.SlackBuild b/source/n/bind/bind.SlackBuild
index 783ef548a..45dbf08ed 100755
--- a/source/n/bind/bind.SlackBuild
+++ b/source/n/bind/bind.SlackBuild
@@ -1,6 +1,6 @@
#!/bin/bash
-# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2018, 2019, 2020 Patrick J. Volkerding, Sebeka, MN, USA
+# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2018, 2019, 2020, 2021 Patrick J. Volkerding, Sebeka, MN, USA
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=bind
VERSION=${VERSION:-$(echo ${PKGNAM}-[0-9]*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-2}
+BUILD=${BUILD:-1}
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
@@ -121,6 +121,10 @@ mkdir -p $PKG/etc/rc.d
cp -a $CWD/rc.bind $PKG/etc/rc.d/rc.bind.new
chmod 644 $PKG/etc/rc.d/rc.bind.new
+# Install default options file for named:
+mkdir $PKG/etc/default
+cat $CWD/default.named > $PKG/etc/default/named.new
+
# Fix library perms:
chmod 755 $PKG/usr/lib${LIBDIRSUFFIX}/*
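Review bot: `mkdir $PKG/etc/default` is written without `-p`, unlike the `mkdir -p $PKG/etc/rc.d` shown in the hunk header, so it prints an error if an earlier install step already created the directory. I would use `mkdir -p $PKG/etc/default` for consistency. The new `named.new` also gets whatever mode the build umask yields, whereas `rc.bind.new` just above is given an explicit `chmod 644`. An explicit `chmod 644 $PKG/etc/default/named.new` would make the packaged permissions deterministic.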
diff --git a/source/n/bind/default.named b/source/n/bind/default.named
new file mode 100644
index 000000000..2983934f4
--- /dev/null
+++ b/source/n/bind/default.named
@@ -0,0 +1,15 @@
+# User to run named as:
+BIND_USER=named
+
+# By default, named will also run as the primary group of $BIND_USER.
+# We will determine this now for the purpose of also chowning /run/named
+# and /var/named to this group. You may also comment this section out and
+# set BIND_GROUP manually if desired.
+BIND_GROUP="$(groups $BIND_USER | cut -f 3 -d " ")"
+# Fallback if there's no primary group for $BIND_USER:
+if [ -z "$BIND_GROUP" ]; then
+ BIND_GROUP=wheel
+fi
+
+# Options to run named with:
+NAMED_OPTIONS="-u $BIND_USER"
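Review bot: The primary group is derived by parsing the human-readable output of `groups`, and an empty result falls back to `wheel`, which is normally an administrative group. rc.bind sources this file and then runs `chown -R ${BIND_USER}:${BIND_GROUP}` on /var/named and /var/run/named, so a missing or misspelled BIND_USER hands those trees to `wheel`. The fallback in rc.bind itself is `named`, so the two defaults disagree. I would query the primary group directly with `BIND_GROUP="$(id -gn "$BIND_USER" 2> /dev/null)"` and make the fallback `BIND_GROUP=named` to match rc.bind.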
diff --git a/source/n/bind/doinst.sh b/source/n/bind/doinst.sh
index afeff946f..0e90be641 100644
--- a/source/n/bind/doinst.sh
+++ b/source/n/bind/doinst.sh
@@ -18,6 +18,7 @@ if [ -e etc/rc.d/rc.bind ]; then
mv etc/rc.d/rc.bind.new.incoming etc/rc.d/rc.bind.new
fi
+config etc/default/named.new
config etc/named.conf.new
config etc/rc.d/rc.bind.new
@@ -28,9 +29,10 @@ if [ ! -d var/named ]; then
fi
# Generate /etc/rndc.key if there's none there,
-# and there also no /etc/rndc.conf (the other
+# and there's also no /etc/rndc.conf (the other
# way to set this up).
if [ ! -r etc/rndc.key -a ! -r /etc/rndc.conf ]; then
chroot . /sbin/ldconfig
- chroot . /usr/sbin/rndc-confgen -r /dev/urandom -a 2> /dev/null
+ chroot . /usr/sbin/rndc-confgen -a 2> /dev/null
+ chroot . /bin/chown named:named /etc/rndc.key 2> /dev/null
fi
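Review bot: The added `chown named:named /etc/rndc.key` sits inside the branch that only runs when no key exists, so a key generated by an earlier package keeps its previous ownership on upgrade. With this commit rc.bind starts named as the `named` user by default, so it may then be unable to read an existing key; this is inferred, as the key's mode is not visible here. The owner is also hard-coded, while /etc/default/named lets BIND_USER be changed. The `2> /dev/null` hides a failed chown, for example when the `named` account is absent. Consider moving the ownership fix outside the generation step, or creating the key with `rndc-confgen -a -u named` so generation and ownership cannot diverge.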
diff --git a/source/n/bind/rc.bind b/source/n/bind/rc.bind
index cab751634..7886a2543 100644
--- a/source/n/bind/rc.bind
+++ b/source/n/bind/rc.bind
@@ -1,19 +1,8 @@
#!/bin/sh
# Start/stop/restart the BIND name server daemon (named).
-# Start BIND. In the past it was more secure to run BIND as a non-root
-# user (for example, with '-u daemon'), but the modern version of BIND
-# knows how to use the kernel's capability mechanism to drop all root
-# privileges except the ability to bind() to a privileged port and set
-# process resource limits, so running as a non-root user is not needed.
-# But if you want to run as a non-root user anyway, the command options
-# can be set like this in /etc/default/named:
-# NAMED_OPTIONS="-u daemon"
-# So you will not have to edit this script.
-#
-# Please note that if you run BIND as a non-root user, your files in
-# /var/named may need to be chowned to this user or else named will
-# refuse to start.
+# Start BIND. By default this will run with user "named". If you'd like to
+# change this or other options, see: /etc/default/named
# You might also consider running BIND in a "chroot jail",
# a discussion of which may be found in
@@ -27,6 +16,17 @@
if [ -f /etc/default/named ] ; then . /etc/default/named ; fi
if [ -f /etc/default/rndc ] ; then . /etc/default/rndc ; fi
+# In case /etc/default/named was missing:
+if [ -z "$BIND_USER" ]; then
+ BIND_USER="named"
+fi
+if [ -z "$BIND_GROUP" ]; then
+ BIND_GROUP="named"
+fi
+if [ -z "$BIND_OPTIONS" ]; then
+ BIND_OPTIONS="-u $BIND_USER"
+fi
+
# Sanity check. If /usr/sbin/named is missing then it
# doesn't make much sense to try to run this script:
if [ ! -x /usr/sbin/named ]; then
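Review bot: The fallback block sets `BIND_OPTIONS`, but the rest of the script uses `NAMED_OPTIONS`: the new default.named defines `NAMED_OPTIONS="-u $BIND_USER"`, and the start message in bind_start prints `$NAMED_OPTIONS`. If /etc/default/named is missing, `NAMED_OPTIONS` therefore stays empty and named is presumably started without `-u`, i.e. as root, while the directories are chowned to `named`. The actual named invocation is outside the visible hunks, so please confirm against it. The last test should read `if [ -z "$NAMED_OPTIONS" ]; then` with `NAMED_OPTIONS="-u $BIND_USER"` as its body.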
@@ -34,40 +34,16 @@ if [ ! -x /usr/sbin/named ]; then
exit 1
fi
-# Function to find the user BIND is running as in $NAMED_OPTIONS:
-find_bind_user() {
- if echo $NAMED_OPTIONS | grep -wq "\-u" ; then
- unset BIND_USER USER_FOUND
- echo $NAMED_OPTIONS | tr ' ' '\n' | while read element ; do
- if [ "$USER_FOUND" = "true" ]; then
- BIND_USER="$element"
- echo $BIND_USER
- break
- elif [ "$element" = "-u" ]; then
- USER_FOUND="true"
- fi
- done
- else
- echo "root"
- fi
-}
-
# Start BIND. As many times as you like. ;-)
# Seriously, don't run "rc.bind start" if BIND is already
# running or you'll get more than one copy running.
bind_start() {
# Make sure /var/run/named exists:
mkdir -p /var/run/named
- # If we are running as a non-root user, we'll need to be sure that
- # /var/run/named is chowned properly to that user. Your files in
- # /var/named may need to be chowned as well, but that will be up to
- # the sysadmin to do.
- BIND_USER="$(find_bind_user)"
- if [ ! "$BIND_USER" = "root" ]; then
- chown -R $BIND_USER /var/run/named
- else # prevent error if switching back to running as root:
- chown -R root /var/run/named
- fi
+ # Make sure that /var/run/named has correct ownership:
+ chown -R ${BIND_USER}:${BIND_GROUP} /var/run/named
+ # Make sure that /var/named has correct ownership:
+ chown -R ${BIND_USER}:${BIND_GROUP} /var/named
# Start named:
if [ -x /usr/sbin/named ]; then
echo "Starting BIND: /usr/sbin/named $NAMED_OPTIONS"
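Review bot: The new `chown -R ${BIND_USER}:${BIND_GROUP}` lines take the owner from BIND_USER, which is no longer derived from the `-u` value in `$NAMED_OPTIONS` now that find_bind_user is removed. An existing /etc/default/named that only sets `NAMED_OPTIONS="-u daemon"`, as the old header comment advised, will have both trees chowned to `named` while named runs as `daemon`. Recursively giving all of /var/named to the service account on every start also makes every zone file writable by that account and overrides any tighter ownership the administrator set. I would add a comment noting this, or limit the chown to the directories named must write to. The expansions should be quoted as well, `chown -R "${BIND_USER}:${BIND_GROUP}" /var/named`, since both values come from a sourced config file. bind_start continues past the end of this hunk.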
diff --git a/source/n/dhcpcd/dhcpcd.SlackBuild b/source/n/dhcpcd/dhcpcd.SlackBuild
index 2027e5b6d..53cf1be4a 100755
--- a/source/n/dhcpcd/dhcpcd.SlackBuild
+++ b/source/n/dhcpcd/dhcpcd.SlackBuild
@@ -1,6 +1,6 @@
#!/bin/bash
-# Copyright 2008, 2009, 2010, 2013, 2014, 2017, 2018, 2020 Patrick J. Volkerding, Sebeka, MN, USA
+# Copyright 2008, 2009, 2010, 2013, 2014, 2017, 2018, 2020, 2021 Patrick J. Volkerding, Sebeka, MN, USA
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
@@ -26,6 +26,21 @@ PKGNAM=dhcpcd
VERSION=${VERSION:-$(echo dhcpcd-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
BUILD=${BUILD:-1}
+# By default, Slackware builds dhcpcd with privilege separation, which improves
+# security by ensuring that any security vulnerabilies such as buffer overflows
+# or shell metacharacter insertion would gain access to an unprivileged user
+# (the dhcpcd user) rather than the root user. However, this creates issues
+# when using dhcpcd with NetworkManager. With privilege separation enabled,
+# the network won't return properly after suspend/resume.
+#
+# If you use dhcpcd with NetworkManager and this functionality is important to
+# you, rebuild dhcpcd with this command:
+#
+# PRIVSEP=no ./dhcpcd.SlackBuild
+#
+# Then upgrade to the generated package.
+PRIVSEP=${PRIVSEP:-yes}
+
NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
# Automatically determine the architecture we're building on:
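Review bot: The added explanatory comment has a typo, "vulnerabilies" for "vulnerabilities", and the phrase "would gain access to an unprivileged user" reads awkwardly for what is meant (an exploit would run as the unprivileged dhcpcd user). It would also help to say here that the rebuilt package is tagged `_noprivsep`, as the makepkg line later in this commit does. That lets an administrator tell from the package name that privilege separation is off.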
@@ -85,6 +100,15 @@ patch -p1 --verbose < $CWD/patches/dhcpcd.conf-request_ntp_server_by_default.pat
# /etc/rc.d/rc.S, and /var should not be on a network filesystem. As such,
# we'll use the FHS layout instead of putting things in /etc/dhcpc
+# Set options to build with or without privsep:
+if [ "$PRIVSEP" = "yes" ]; then
+ PRIVSEP_OPTIONS="--enable-privsep --privsepuser=dhcpcd"
+ unset TAG
+else
+ PRIVSEP_OPTIONS="--disable-privsep"
+ TAG="_noprivsep"
+fi
+
# Yes, /lib/dhcpcd is correct, even on x86_64.
CFLAGS="$SLKCFLAGS" \
./configure \
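Review bot: The test `[ "$PRIVSEP" = "yes" ]` makes every value other than the exact string `yes` disable privilege separation. A typo or variant such as `PRIVSEP=Yes` or `PRIVSEP=1` silently builds the less protected package. For a security default the check should fail safe and only disable on an explicit `no`. I would write `if [ ! "$PRIVSEP" = "no" ]; then`, keeping the two branches as they are. The resulting `_noprivsep` tag then still marks exactly the packages built without it.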
@@ -96,6 +120,7 @@ CFLAGS="$SLKCFLAGS" \
--libexecdir=/lib/dhcpcd \
--mandir=/usr/man \
--rundir=/run \
+ $PRIVSEP_OPTIONS \
--build=$ARCH-slackware-linux || exit 1
make $NUMJOBS || make || exit 1
@@ -138,5 +163,4 @@ cat $CWD/slack-desc > $PKG/install/slack-desc
zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
cd $PKG
-/sbin/makepkg -l y -c n $TMP/dhcpcd-$VERSION-$ARCH-$BUILD.txz
-
+/sbin/makepkg -l y -c n $TMP/dhcpcd-$VERSION-$ARCH-$BUILD$TAG.txz