author: Patrick J Volkerding <volkerdi@slackware.com> 2021-09-16 02:52:54 +0000
committer: Eric Hameleers <alien@slackware.com> 2021-09-16 09:04:01 +0200
commit: 9a67067c0e13f99bafe0557cc6ff14eff5fdeccd (patch)
tree: 7d2487ea4479f700e2761af53aca28b1e92cb66c /source/n
parent: 8f7b6e56d5075e27771a02fbbcfe954c91ecb893 (diff)
download: current-9a67067c0e13f99bafe0557cc6ff14eff5fdeccd.tar.gz

Thu Sep 16 02:52:54 UTC 2021
a/etc-15.0-x86_64-17.txz: Rebuilt.
Added named:named (53:53) user and group.
a/kernel-firmware-20210915_198ac65-noarch-1.txz: Upgraded.
a/kernel-generic-5.14.4-x86_64-1.txz: Upgraded.
a/kernel-huge-5.14.4-x86_64-1.txz: Upgraded.
a/kernel-modules-5.14.4-x86_64-1.txz: Upgraded.
ap/sudo-1.9.8-x86_64-1.txz: Upgraded.
d/kernel-headers-5.14.4-x86-1.txz: Upgraded.
k/kernel-source-5.14.4-noarch-1.txz: Upgraded.
kde/breeze-icons-5.85.0-noarch-2.txz: Rebuilt.
Patched with upstream commit to allow using this icon theme with Xfce.
l/fluidsynth-2.2.3-x86_64-1.txz: Upgraded.
l/python-charset-normalizer-2.0.5-x86_64-1.txz: Upgraded.
l/qca-2.3.4-x86_64-1.txz: Upgraded.
n/NetworkManager-1.32.10-x86_64-3.txz: Rebuilt.
Switch to dhcp=internal to avoid problems swimming upstream.
For those looking for a fix to continue using dhcpcd, a PRIVSEP build
variable was added to the SlackBuild, and you may produce a fully
NetworkManager compatible dhcpcd package with this command:
PRIVSEP=no ./dhcpcd.SlackBuild
Privilege separation remains the dhcpcd package default as we don't want
to weaken security for those using rc.inet1 along with dhcpcd.
Some additional comments about this were added to 00-dhcp-client.conf
mentioning this and the workaround of killing dhcpcd manually when
resuming with the stock dhcpcd package.
n/bind-9.16.21-x86_64-1.txz: Upgraded.
Fixed call to rndc-confgen in the install script.
Make /etc/rndc.key owned by named:named.
Run named as named:named by default (configurable in /etc/default/named).
rc.bind: chown /run/named and /var/named to configured user:group.
Thanks to Ressy for prompting this cleanup. :)
n/curl-7.79.0-x86_64-1.txz: Upgraded.
This update fixes security issues:
clear the leftovers pointer when sending succeeds.
do not ignore --ssl-reqd.
reject STARTTLS server response pipelining.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22947
(* Security fix *)
n/links-2.24-x86_64-1.txz: Upgraded.
n/wireguard-tools-1.0.20210914-x86_64-1.txz: Upgraded.
x/libinput-1.19.0-x86_64-1.txz: Upgraded.
xap/gimp-2.10.28-x86_64-1.txz: Upgraded.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
Diffstat (limited to 'source/n')
-rwxr-xr-x  source/n/NetworkManager/NetworkManager.SlackBuild      2
-rw-r--r--  source/n/NetworkManager/conf.d/00-dhcp-client.conf    23
-rwxr-xr-x  source/n/bind/bind.SlackBuild                          8
-rw-r--r--  source/n/bind/default.named                           15
-rw-r--r--  source/n/bind/doinst.sh                                6
-rw-r--r--  source/n/bind/rc.bind                                 58
-rwxr-xr-x  source/n/dhcpcd/dhcpcd.SlackBuild                     30
7 files changed, 88 insertions, 54 deletions
diff --git a/source/n/NetworkManager/NetworkManager.SlackBuild b/source/n/NetworkManager/NetworkManager.SlackBuild index fb108b5b..3cfd061d 100755 --- a/source/n/NetworkManager/NetworkManager.SlackBuild +++ b/source/n/NetworkManager/NetworkManager.SlackBuild @@ -27,7 +27,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=NetworkManager VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-2} +BUILD=${BUILD:-3} # Automatically determine the architecture we're building on: MARCH=$( uname -m ) diff --git a/source/n/NetworkManager/conf.d/00-dhcp-client.conf b/source/n/NetworkManager/conf.d/00-dhcp-client.conf index 8f435692..53e30c85 100644 --- a/source/n/NetworkManager/conf.d/00-dhcp-client.conf +++ b/source/n/NetworkManager/conf.d/00-dhcp-client.conf 
@@ -1,9 +1,22 @@ [main] # Choose a DHCP client below. Upstream recommends internal, but results may vary. -# dhcpcd is the DHCP client usually used by Slackware. The --noconfigure -# option must be used or the network will not return after suspend/resume: -dhcp=dhcpcd --noconfigure +# +# This is a simple DHCP client that is built into NetworkManager: +dhcp=internal +# # dhclient is the ISC reference DHCP client, part of the dhcp package: #dhcp=dhclient -# This is a simple DHCP client that is built into NetworkManager: -#dhcp=internal +# +# dhcpcd is the DHCP client usually used by Slackware. However, it is built +# with --enable-privsep, and a side-effect of this when used with +# NetworkManager is that the network will not return properly after a +# suspend/resume cycle. If you don't require this functionality, dhcpcd will +# work fine otherwise. If you do require it and don't want to use one of the +# other two options here, there are some workarounds. +# You may force NetworkManager to reload the network by killing dhcpcd: +# killall -9 dhcpcd +# Otherwise, you may rebuild the dhcpcd package without privilege separation +# using the following command in the dhcpcd source directory: +# PRIVSEP=no ./dhcpcd.SlackBuild +# The resulting dhcpcd package will work fine with NetworkManager. +#dhcp=dhcpcd diff --git a/source/n/bind/bind.SlackBuild b/source/n/bind/bind.SlackBuild index 783ef548..45dbf08e 100755 --- a/source/n/bind/bind.SlackBuild +++ b/source/n/bind/bind.SlackBuild @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2018, 2019, 2020 Patrick J. Volkerding, Sebeka, MN, USA +# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2018, 2019, 2020, 2021 Patrick J. Volkerding, Sebeka, MN, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is 
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=bind VERSION=${VERSION:-$(echo ${PKGNAM}-[0-9]*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-2} +BUILD=${BUILD:-1} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then @@ -121,6 +121,10 @@ mkdir -p $PKG/etc/rc.d cp -a $CWD/rc.bind $PKG/etc/rc.d/rc.bind.new chmod 644 $PKG/etc/rc.d/rc.bind.new +# Install default options file for named: +mkdir $PKG/etc/default +cat $CWD/default.named > $PKG/etc/default/named.new + # Fix library perms: chmod 755 $PKG/usr/lib${LIBDIRSUFFIX}/* diff --git a/source/n/bind/default.named b/source/n/bind/default.named new file mode 100644 index 00000000..2983934f --- /dev/null +++ b/source/n/bind/default.named @@ -0,0 +1,15 @@ +# User to run named as: +BIND_USER=named + +# By default, named will also run as the primary group of $BIND_USER. +# We will determine this now for the purpose of also chowning /run/named +# and /var/named to this group. You may also comment this section out and +# set BIND_GROUP manually if desired. +BIND_GROUP="$(groups $BIND_USER | cut -f 3 -d " ")" +# Fallback if there's no primary group for $BIND_USER: +if [ -z "$BIND_GROUP" ]; then + BIND_GROUP=wheel +fi + +# Options to run named with: +NAMED_OPTIONS="-u $BIND_USER" diff --git a/source/n/bind/doinst.sh b/source/n/bind/doinst.sh index afeff946..0e90be64 100644 --- a/source/n/bind/doinst.sh +++ b/source/n/bind/doinst.sh @@ -18,6 +18,7 @@ if [ -e etc/rc.d/rc.bind ]; then mv etc/rc.d/rc.bind.new.incoming etc/rc.d/rc.bind.new fi +config etc/default/named.new config etc/named.conf.new config etc/rc.d/rc.bind.new 
@@ -28,9 +29,10 @@ if [ ! -d var/named ]; then fi # Generate /etc/rndc.key if there's none there, -# and there also no /etc/rndc.conf (the other +# and there's also no /etc/rndc.conf (the other # way to set this up). if [ ! -r etc/rndc.key -a ! -r /etc/rndc.conf ]; then chroot . /sbin/ldconfig - chroot . /usr/sbin/rndc-confgen -r /dev/urandom -a 2> /dev/null + chroot . /usr/sbin/rndc-confgen -a 2> /dev/null + chroot . /bin/chown named:named /etc/rndc.key 2> /dev/null fi diff --git a/source/n/bind/rc.bind b/source/n/bind/rc.bind index cab75163..7886a254 100644 --- a/source/n/bind/rc.bind +++ b/source/n/bind/rc.bind @@ -1,19 +1,8 @@ #!/bin/sh # Start/stop/restart the BIND name server daemon (named). -# Start BIND. In the past it was more secure to run BIND as a non-root -# user (for example, with '-u daemon'), but the modern version of BIND -# knows how to use the kernel's capability mechanism to drop all root -# privileges except the ability to bind() to a privileged port and set -# process resource limits, so running as a non-root user is not needed. -# But if you want to run as a non-root user anyway, the command options -# can be set like this in /etc/default/named: -# NAMED_OPTIONS="-u daemon" -# So you will not have to edit this script. -# -# Please note that if you run BIND as a non-root user, your files in -# /var/named may need to be chowned to this user or else named will -# refuse to start. +# Start BIND. By default this will run with user "named". If you'd like to +# change this or other options, see: /etc/default/named # You might also consider running BIND in a "chroot jail", # a discussion of which may be found in 
@@ -27,6 +16,17 @@ if [ -f /etc/default/named ] ; then . /etc/default/named ; fi if [ -f /etc/default/rndc ] ; then . /etc/default/rndc ; fi +# In case /etc/default/named was missing: +if [ -z "$BIND_USER" ]; then + BIND_USER="named" +fi +if [ -z "$BIND_GROUP" ]; then + BIND_GROUP="named" +fi +if [ -z "$BIND_OPTIONS" ]; then + BIND_OPTIONS="-u $BIND_USER" +fi + # Sanity check. If /usr/sbin/named is missing then it # doesn't make much sense to try to run this script: if [ ! -x /usr/sbin/named ]; then @@ -34,40 +34,16 @@ if [ ! -x /usr/sbin/named ]; then exit 1 fi -# Function to find the user BIND is running as in $NAMED_OPTIONS: -find_bind_user() { - if echo $NAMED_OPTIONS | grep -wq "\-u" ; then - unset BIND_USER USER_FOUND - echo $NAMED_OPTIONS | tr ' ' '\n' | while read element ; do - if [ "$USER_FOUND" = "true" ]; then - BIND_USER="$element" - echo $BIND_USER - break - elif [ "$element" = "-u" ]; then - USER_FOUND="true" - fi - done - else - echo "root" - fi -} - # Start BIND. As many times as you like. ;-) # Seriously, don't run "rc.bind start" if BIND is already # running or you'll get more than one copy running. bind_start() { # Make sure /var/run/named exists: mkdir -p /var/run/named - # If we are running as a non-root user, we'll need to be sure that - # /var/run/named is chowned properly to that user. Your files in - # /var/named may need to be chowned as well, but that will be up to - # the sysadmin to do. - BIND_USER="$(find_bind_user)" - if [ ! "$BIND_USER" = "root" ]; then - chown -R $BIND_USER /var/run/named - else # prevent error if switching back to running as root: - chown -R root /var/run/named - fi + # Make sure that /var/run/named has correct ownership: + chown -R ${BIND_USER}:${BIND_GROUP} /var/run/named + # Make sure that /var/named has correct ownership: + chown -R ${BIND_USER}:${BIND_GROUP} /var/named # Start named: if [ -x /usr/sbin/named ]; then echo "Starting BIND: /usr/sbin/named $NAMED_OPTIONS" 
diff --git a/source/n/dhcpcd/dhcpcd.SlackBuild b/source/n/dhcpcd/dhcpcd.SlackBuild index 2027e5b6..53cf1be4 100755 --- a/source/n/dhcpcd/dhcpcd.SlackBuild +++ b/source/n/dhcpcd/dhcpcd.SlackBuild @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2008, 2009, 2010, 2013, 2014, 2017, 2018, 2020 Patrick J. Volkerding, Sebeka, MN, USA +# Copyright 2008, 2009, 2010, 2013, 2014, 2017, 2018, 2020, 2021 Patrick J. Volkerding, Sebeka, MN, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -26,6 +26,21 @@ PKGNAM=dhcpcd VERSION=${VERSION:-$(echo dhcpcd-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} BUILD=${BUILD:-1} +# By default, Slackware builds dhcpcd with privilege separation, which improves +# security by ensuring that any security vulnerabilies such as buffer overflows +# or shell metacharacter insertion would gain access to an unprivileged user +# (the dhcpcd user) rather than the root user. However, this creates issues +# when using dhcpcd with NetworkManager. With privilege separation enabled, +# the network won't return properly after suspend/resume. +# +# If you use dhcpcd with NetworkManager and this functionality is important to +# you, rebuild dhcpcd with this command: +# +# PRIVSEP=no ./dhcpcd.SlackBuild +# +# Then upgrade to the generated package. +PRIVSEP=${PRIVSEP:-yes} + NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "} # Automatically determine the architecture we're building on: 
@@ -85,6 +100,15 @@ patch -p1 --verbose < $CWD/patches/dhcpcd.conf-request_ntp_server_by_default.pat # /etc/rc.d/rc.S, and /var should not be on a network filesystem. As such, # we'll use the FHS layout instead of putting things in /etc/dhcpc +# Set options to build with or without privsep: +if [ "$PRIVSEP" = "yes" ]; then + PRIVSEP_OPTIONS="--enable-privsep --privsepuser=dhcpcd" + unset TAG +else + PRIVSEP_OPTIONS="--disable-privsep" + TAG="_noprivsep" +fi + # Yes, /lib/dhcpcd is correct, even on x86_64. CFLAGS="$SLKCFLAGS" \ ./configure \ @@ -96,6 +120,7 @@ CFLAGS="$SLKCFLAGS" \ --libexecdir=/lib/dhcpcd \ --mandir=/usr/man \ --rundir=/run \ + $PRIVSEP_OPTIONS \ --build=$ARCH-slackware-linux || exit 1 make $NUMJOBS || make || exit 1 @@ -138,5 +163,4 @@ cat $CWD/slack-desc > $PKG/install/slack-desc zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh cd $PKG -/sbin/makepkg -l y -c n $TMP/dhcpcd-$VERSION-$ARCH-$BUILD.txz - +/sbin/makepkg -l y -c n $TMP/dhcpcd-$VERSION-$ARCH-$BUILD$TAG.txz |
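Review bot: in the 00-dhcp-client.conf hunk, the recommended workaround "killall -9 dhcpcd" sends SIGKILL, so dhcpcd gets no chance to run its hook scripts or remove its pid file before NetworkManager restarts it; a plain "killall dhcpcd" (SIGTERM) forces the same reload while letting the daemon shut down cleanly, and -9 should only be the fallback if that hangs. The same comment block promises that a "PRIVSEP=no ./dhcpcd.SlackBuild" rebuild "will work fine with NetworkManager" but never says that it removes the privilege separation the dhcpcd.SlackBuild comment calls a security feature; one sentence stating that trade-off here, where users will actually read it, would let them choose between the two workarounds knowingly.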
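Review bot: in the bind.SlackBuild hunk at @@ -121,6 +121,10 @@, "mkdir $PKG/etc/default" is a bare mkdir while the line two above uses "mkdir -p $PKG/etc/rc.d"; use "mkdir -p" here too so the script does not abort if the directory already exists, and consider an explicit "chmod 644" on etc/default/named.new so its mode does not depend on the build user's umask.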
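Review bot: in the new default.named, the fallback "BIND_GROUP=wheel" hands group ownership of /run/named and /var/named to the administrative wheel group whenever the primary-group lookup comes back empty, which is not a sensible owner for zone data; fall back to "named" (the group this commit adds in etc) or "nogroup" instead. The lookup itself, "$(groups $BIND_USER | cut -f 3 -d " ")", depends on the "user : group ..." output layout of groups(1); "$(id -gn $BIND_USER)" returns the primary group name directly and does not need the cut.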
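Review bot: in the doinst.sh hunk at @@ -28,9 +29,10 @@, the new "chroot . /bin/chown named:named /etc/rndc.key" sits inside the branch that only runs when no rndc.key exists yet, so a system upgrading with an existing root-owned key keeps it root-owned, which contradicts the changelog line "Make /etc/rndc.key owned by named:named" and leaves the key unreadable to a named now started with "-u named". Move the chown after the if block, guarded by "[ -e etc/rndc.key ]", so both fresh installs and upgrades get the ownership change.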
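Review bot: in the rc.bind hunk at @@ -27,6 +16,17 @@, the fallback block sets "BIND_OPTIONS="-u $BIND_USER"" but the script starts the daemon with "$NAMED_OPTIONS" (see "echo "Starting BIND: /usr/sbin/named $NAMED_OPTIONS"" in the next hunk) and default.named also sets NAMED_OPTIONS; so when /etc/default/named is missing, NAMED_OPTIONS stays empty and named runs as root while the directories below are chowned to named:named. Rename the fallback variable to NAMED_OPTIONS.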
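Review bot: in the rc.bind hunk at @@ -34,40 +34,16 @@, "chown -R ${BIND_USER}:${BIND_GROUP} /var/named" on every start makes every zone file writable by the named user, so a compromised named could rewrite its own primary zone data; named only needs write access where it actually writes (dynamic-update journals, secondary zone files, the managed-keys directory). Either restrict the recursive chown to those directories and leave primary zone files root-owned and group-readable, or at least document in /etc/default/named that this chown happens on each start, since the removed comment that /var/named "may need to be chowned ... up to the sysadmin" was the only place this was explained.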
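Review bot: in the dhcpcd.SlackBuild hunk at @@ -26,6 +26,21 @@, the comment has a typo, "vulnerabilies" for "vulnerabilities", and "shell metacharacter insertion" would read more conventionally as "shell metacharacter injection".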