public inbox for gentoo-commits@lists.gentoo.org
From: "Yixun Lan" <dlan@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-proxy/shadowsocks-libev/, net-proxy/shadowsocks-libev/files/
Date: Sun, 27 Sep 2020 08:23:37 +0000 (UTC)
Message-ID: <1601194450.34fde22d157226fb9bae167225265d6724588186.dlan@gentoo>

commit:     34fde22d157226fb9bae167225265d6724588186
Author:     Yixun Lan <dlan <AT> gentoo <DOT> org>
AuthorDate: Sat Sep 26 15:05:20 2020 +0000
Commit:     Yixun Lan <dlan <AT> gentoo <DOT> org>
CommitDate: Sun Sep 27 08:14:10 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34fde22d

net-proxy/shadowsocks-libev: run as non-privilege user

* fix security issue, run as non-root user
* use systemd unit files from the package source

Bug: https://bugs.gentoo.org/731058
Package-Manager: Portage-3.0.0, Repoman-2.3.23
Signed-off-by: Yixun Lan <dlan <AT> gentoo.org>

 .../files/shadowsocks-libev-local_at.service                  | 11 -----------
 .../files/shadowsocks-libev-redir_at.service                  | 11 -----------
 .../files/shadowsocks-libev-server_at.service                 | 11 -----------
 .../files/shadowsocks-libev-tunnel_at.service                 | 11 -----------
 net-proxy/shadowsocks-libev/files/shadowsocks.initd           |  9 ++++++---
 ...s-libev-3.3.4.ebuild => shadowsocks-libev-3.3.4-r1.ebuild} | 11 ++++++-----
 6 files changed, 12 insertions(+), 52 deletions(-)

diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-local_at.service b/net-proxy/shadowsocks-libev/files/shadowsocks-libev-local_at.service
deleted file mode 100644
index af137178380..00000000000
--- a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-local_at.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Shadowsocks-Libev Client Service for %I
-After=network.target
-
-[Service]
-Type=simple
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-ExecStart=/usr/bin/ss-local -c /etc/shadowsocks-libev/%i.json
-
-[Install]
-WantedBy=multi-user.target
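
Review bot: the `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` line removed here has no visible replacement in this commit. The ebuild change only injects `User=nobody` into the upstream `debian/` units, so please confirm those units still bound capabilities. Note also that a service running as an unprivileged user needs `AmbientCapabilities=CAP_NET_BIND_SERVICE` to listen on a port below 1024. The same applies to the redir, server and tunnel units deleted below.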

diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-redir_at.service b/net-proxy/shadowsocks-libev/files/shadowsocks-libev-redir_at.service
deleted file mode 100644
index 1ced8f45440..00000000000
--- a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-redir_at.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Shadowsocks-Libev Client Service Redir Mode for %I
-After=network.target
-
-[Service]
-Type=simple
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-ExecStart=/usr/bin/ss-redir -c /etc/shadowsocks-libev/%i.json
-
-[Install]
-WantedBy=multi-user.target

diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-server_at.service b/net-proxy/shadowsocks-libev/files/shadowsocks-libev-server_at.service
deleted file mode 100644
index 58d934bdb1d..00000000000
--- a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-server_at.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Shadowsocks-Libev Server Service for %I
-After=network.target
-
-[Service]
-Type=simple
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/%i.json
-
-[Install]
-WantedBy=multi-user.target

diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-tunnel_at.service b/net-proxy/shadowsocks-libev/files/shadowsocks-libev-tunnel_at.service
deleted file mode 100644
index 24b31d5a1cd..00000000000
--- a/net-proxy/shadowsocks-libev/files/shadowsocks-libev-tunnel_at.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Shadowsocks-Libev Client Service Tunnel Mode for %I
-After=network.target
-
-[Service]
-Type=simple
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-ExecStart=/usr/bin/ss-tunnel -c /etc/shadowsocks-libev/%i.json
-
-[Install]
-WantedBy=multi-user.target

diff --git a/net-proxy/shadowsocks-libev/files/shadowsocks.initd b/net-proxy/shadowsocks-libev/files/shadowsocks.initd
index 2ccd114485b..994ba23e3b8 100644
--- a/net-proxy/shadowsocks-libev/files/shadowsocks.initd
+++ b/net-proxy/shadowsocks-libev/files/shadowsocks.initd
@@ -1,5 +1,5 @@
 #!/sbin/openrc-run
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 SS_CONFIG="/etc/shadowsocks-libev/shadowsocks.json"
@@ -49,13 +49,16 @@ start() {
 
     ebegin "Starting Shadowsocks: ${SS_SVCNAME} mode"
     start-stop-daemon --start --exec ${SS_COMMAND} \
-    -- -c ${SS_CONFIG} -f ${SS_PIDFILE} >/dev/null 2>&1 &
+	--user nobody --group nobody \
+	-- -c ${SS_CONFIG} -f ${SS_PIDFILE} >/dev/null 2>&1 &
     eend $?
 }
 
 stop() {
     ebegin "Stopping Shadowsocks"
-    start-stop-daemon --stop --pidfile ${SS_PIDFILE}
+    start-stop-daemon --stop \
+	--user nobody --group nobody \
+	--pidfile ${SS_PIDFILE}
     eend $?
 }
 
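
Review bot: `--user nobody --group nobody` in `start()` puts the daemon on an account shared with every other service that runs as `nobody`, so those processes can signal or trace each other; a dedicated user and group for this package would isolate it. Two things to check with the privilege drop: `${SS_CONFIG}` (which holds the server password) must be readable by the new user without becoming world-readable, and the daemon writes `${SS_PIDFILE}` itself via `-f`, so that path must be writable by the unprivileged user. Because output goes to `/dev/null` and the command is backgrounded with `&`, `eend $?` will not report a permission failure. The added lines are also tab-indented while the surrounding script uses spaces.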

diff --git a/net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4.ebuild b/net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4-r1.ebuild
similarity index 82%
rename from net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4.ebuild
rename to net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4-r1.ebuild
index 353791fc263..e10f0e72b1a 100644
--- a/net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4.ebuild
+++ b/net-proxy/shadowsocks-libev/shadowsocks-libev-3.3.4-r1.ebuild
@@ -40,8 +40,10 @@ PATCHES=(
 	"${FILESDIR}/${P}-gcc10.patch"
 )
 src_prepare() {
-	sed -i 's|AC_CONFIG_FILES(\[libbloom/Makefile libcork/Makefile libipset/Makefile\])||' \
+	sed -i -e 's|AC_CONFIG_FILES(\[libbloom/Makefile libcork/Makefile libipset/Makefile\])||' \
 		configure.ac || die
+	sed -i -e "/\[Service\]/a\\User=nobody" \
+		debian/shadowsocks-libev*.service || die
 	default
 	eautoreconf
 }
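
Review bot: the added `sed -i -e "/\[Service\]/a\\User=nobody"` is a silent no-op for any upstream unit that lacks a literal `[Service]` line, since `|| die` only catches sed errors, and it does not check whether the unit already sets `User=`. Consider verifying the result afterwards (for example grep each unit for `User=` and die if it is missing), adding a matching `Group=`, and using a dedicated account instead of the shared `nobody`.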
@@ -71,10 +73,9 @@ src_install() {
 
 	dodoc -r acl
 
-	systemd_newunit "${FILESDIR}/${PN}-local_at.service" "${PN}-local@.service"
-	systemd_newunit "${FILESDIR}/${PN}-server_at.service" "${PN}-server@.service"
-	systemd_newunit "${FILESDIR}/${PN}-redir_at.service" "${PN}-redir@.service"
-	systemd_newunit "${FILESDIR}/${PN}-tunnel_at.service" "${PN}-tunnel@.service"
+	for i in debian/${PN}*.service; do
+		systemd_newunit $i $(basename $i)
+	done
 }
 
 pkg_setup() {
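
Review bot: in the new loop, `$i` and `$(basename $i)` are unquoted and `i` is not declared `local`. Installing a unit under its own name can be written as `systemd_dounit "${i}"`. The installed unit names now follow whatever upstream ships under `debian/` rather than the explicit `${PN}-local@.service` style names used before, so if they differ, users with enabled instances will need a notice on upgrade.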

