[hamradio-commits] [xastir] 01/01: Fix #185915 by adding a debconf option to set capabilities
Iain Learmonth
irl-guest at moszumanska.debian.org
Thu Apr 2 00:28:09 UTC 2015
This is an automated email from the git hooks/post-receive script.
irl-guest pushed a commit to branch master
in repository xastir.
commit aedcf2bda6138b05b42864cfc9ee6d542da398ff
Author: Iain R. Learmonth <irl at fsfe.org>
Date: Thu Apr 2 00:15:47 2015 +0100
Fix #185915 by adding a debconf option to set capabilities
* Add a debconf question to ask if setuid install is desirable.
* Create a xastir-ax25 group if needed.
- https://lists.debian.org/debian-devel/2015/04/msg00009.html
* Set capabilities for raw network access, but fall back to setuid if
not possible.
---
debian/README.Debian | 39 +++++++++++++++++++++++++++++++++++++++
debian/changelog | 12 ++++++++++++
debian/templates | 16 ++++++++++++++++
debian/xastir.config | 16 ++++++++++++++++
debian/xastir.postinst | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
debian/xastir.postrm | 20 ++++++++++++++++++++
6 files changed, 152 insertions(+)
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..4126ce0
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,39 @@
+
+Using native AX.25 on Linux
+===========================
+
+There are two ways of installing Xastir on Debian:
+
+1. Installing Xastir so that it must be run as root in order to allow the use
+ of native AX.25 interfaces in Linux. Only root will be able to use these
+ interfaces but other users may still use serial TNCs or APRS-IS servers.
+
+ This is the default on Debian systems.
+
+2. Members of the xastir-ax25 group will be able to use native AX.25 interfaces
+ in Linux. If you plan to use native AX.25 interfaces, this is the preferred
+ method of installation as the configuration system will attempt to limit
+ the privileges available to Xastir to only those required for using native
+ AX.25 interfaces, not provide full root privileges.
+
+ Note that no user will be added to group xastir-ax25 automatically, the
+ system administrator has to add them manually.
+
+ The additional privileges are provided using the Linux Capabilities
+ system where it is available and resort to setting the set-user-id bit
+ of the xastir binary as a fall-back, where the Linux Capabilities system
+ is not present (Debian GNU/kFreeBSD, Debian GNU/Hurd). As libax25 is not
+ available on these alternative architectures, this *should* never happen.
+
+ Linux kernels provided by Debian support Linux Capabilities, but custom
+ built kernels may lack this support. If the support for Linux
+ Capabilities is not present at the time of installing wireshark-common
+ package, the installer will fall back to set the set-user-id bit to
+ allow non-root users to use native AX.25 interfaces.
+
+ If installation succeeds with using Linux Capabilities, non-root users
+ will not be able to use native AX.25 interfaces while running kernels not
+ supporting Linux Capabilities.
+
+ The installation method can be changed any time by running:
+ dpkg-reconfigure xastir
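Review bot: the custom-kernel paragraph names the wrong package: "at the time of installing wireshark-common package" should say xastir, and looks carried over from the wireshark-common text that the maintainer scripts say they are based on. While editing option 2, name what is actually granted. postinst in this commit sets cap_net_raw and cap_net_admin on /usr/bin/xastir, and the fallback is setuid root, so "only those required" should list those two capabilities so an administrator can judge what membership of xastir-ax25 means.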
diff --git a/debian/changelog b/debian/changelog
index 3e5d217..72cd330 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,9 @@
xastir (2.0.6-2) UNRELEASED; urgency=medium
+ * Added a debconf option to allow non-root users to use native Linux AX.25
+ interfaces (Closes: #185915)
+ * Fixed build dependency issues for festival.
+ * Fixed the use of dh_autoreconf.
* debian/control:
- Fixed formatting with cme.
- Add automake as explicit build dependency.
@@ -11,6 +15,14 @@ xastir (2.0.6-2) UNRELEASED; urgency=medium
- Use dh_autoreconf.
- Stop configure being run twice by just using dh_auto_configure.
- Use dh_auto_clean to simplify clean target.
+ * debian/templates:
+ - Created with a single question for non-root users to use native Linux
+ AX.25 interfaces.
+ * debian/xastir.{config,post{inst,rm}}
+ - Created with debconf calls to handle non-root users to use native Linux
+ AX.25 interfaces. The question is not asked, and the default value of
+ false remains, when on a non-Linux platform where libax25 is not
+ available.
-- Iain R. Learmonth <irl at fsfe.org> Wed, 01 Apr 2015 19:55:56 +0100
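Review bot: the debian/xastir.{config,post{inst,rm}} entry leaves out the two changes an administrator most needs to know about. postinst creates the xastir-ax25 system group and may set the set-user-id bit on the binary when setcap is missing or fails, and postrm deletes the group on purge. Add those to the entry, and put the trailing colon on that line to match "* debian/templates:" and "* debian/control:".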
diff --git a/debian/templates b/debian/templates
new file mode 100644
index 0000000..492785a
--- /dev/null
+++ b/debian/templates
@@ -0,0 +1,16 @@
+Template: xastir/install-setuid
+Type: boolean
+Default: false
+Description: Should non-superusers be able to use native AX.25 from Xastir?
+ Xastir can be installed in a way that allows members of the "xastir-ax25"
+ system group to use a native Linux AX.25 interface from within Xastir. This
+ is recommended over the alternative of running Xastir as root, as this
+ configuration will attempt to use Linux capabilities to limit the privileges
+ available to Xastir to only those required. Note that if Linux capabilities
+ are not available, the binary will be installed setuid.
+ .
+ For more detailed information please see
+ /usr/share/doc/xastir/README.Debian.
+ .
+ Enabling this feature may be a security risk, so it is disabled by
+ default. If in doubt, it is suggested to leave it disabled.
diff --git a/debian/xastir.config b/debian/xastir.config
new file mode 100644
index 0000000..8c420d2
--- /dev/null
+++ b/debian/xastir.config
@@ -0,0 +1,16 @@
+#! /bin/sh
+
+set -e
+
+. /usr/share/debconf/confmodule
+
+# We only care about installing setuid on Linux, as kFreeBSD/Hurd do not have
+# native AX.25 interfaces that libax25 can use.
+
+if [ `uname` = Linux ]; then
+ db_input high xastir/install-setuid || true
+ db_go
+fi
+
+exit 0
+
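Review bot: db_go runs unguarded under set -e, while db_input on the line above has "|| true", so any non-zero return from db_go aborts the config script. Use "db_go || true" for consistency. The test [ `uname` = Linux ] is unquoted and uses backticks; [ "$(uname -s)" = Linux ] avoids a syntax error from test if the substitution ever comes back empty.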
diff --git a/debian/xastir.postinst b/debian/xastir.postinst
new file mode 100644
index 0000000..17a11eb
--- /dev/null
+++ b/debian/xastir.postinst
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# This file is based heavily on the wireshark-common postinst file with some
+# modifications.
+
+set -e
+
+. /usr/share/debconf/confmodule
+PROGRAM=/usr/bin/xastir
+GROUP=xastir-ax25
+
+# We only care about installing setuid on Linux, as kFreeBSD/Hurd do not have
+# native AX.25 interfaces that libax25 can use.
+
+if [ `uname` = Linux ]; then
+ if ! dpkg-statoverride --list $PROGRAM > /dev/null; then
+ db_get xastir/install-setuid
+ if [ -e "$PROGRAM" ]; then
+ if [ "$RET" = "false" ] ; then
+ chown root:root $PROGRAM
+ chmod u=rwx,go=rx $PROGRAM
+ else
+ if ! addgroup --quiet --system $GROUP; then
+ echo "Executing \"addgroup --quiet --system $GROUP\" failed."
+ echo "Most probably the $GROUP group exists, but is not a system group."
+ echo "Please delete the existing group or re-create it as a system group and try configuring xastir again."
+ exit 1
+ fi
+ chown root:$GROUP $PROGRAM
+ if which setcap > /dev/null ; then
+ chmod u=rwx,g=rx,o=r $PROGRAM
+ if ! setcap cap_net_raw,cap_net_admin=eip $PROGRAM; then
+ echo "Setting capabilities for xastir using Linux Capabilities failed."
+ echo "Falling back to setting set-user-id bit."
+ chmod u=rwxs,g=rx,o=r $PROGRAM
+ fi
+ else
+ chmod u=rwxs,g=rx,o=r $PROGRAM
+ fi
+ fi
+ fi
+ else
+ echo "Preserving owner and mode for $PROGRAM set by dpkg-statoverride:"
+ dpkg-statoverride --list $PROGRAM
+ fi
+fi
+
+#DEBHELPER#
+
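Review bot: the else branch of "if which setcap" sets u=rwxs with no message at all, so a system that merely lacks the setcap tool ends up with a setuid-root xastir and the administrator is never told. Print the same warning as the setcap-failure branch, or stop and ask for setcap to be installed; the diffstat shows debian/control untouched, so check that the package providing setcap is actually pulled in. Separately, the commit message speaks of "capabilities for raw network access" but the call is "setcap cap_net_raw,cap_net_admin=eip": cap_net_admin also allows interface and routing configuration, and =eip puts both capabilities in the effective set for the whole process from exec. If cap_net_admin is needed for AX.25, say why in a comment; if not, drop it. $PROGRAM and $GROUP should also be quoted throughout.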
diff --git a/debian/xastir.postrm b/debian/xastir.postrm
new file mode 100644
index 0000000..9dd8dbe
--- /dev/null
+++ b/debian/xastir.postrm
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# This file is based heavily on the wireshark-common postrm script with some
+# modifications.
+
+set -e
+
+GROUP=xastir-ax25
+
+if [ "$1" = "purge" ]; then
+ if getent group $GROUP >/dev/null; then
+ if [ -x /usr/sbin/delgroup ]; then
+ echo "Removing xastir-ax25 group..."
+ delgroup --system $GROUP || echo "Could not remove xastir-ax25 group."
+ fi
+ fi
+fi
+
+#DEBHELPER#
+
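Review bot: deleting the group on purge ("delgroup --system $GROUP") can leave files on disk owned by a GID that no longer has a name, and a later addgroup may hand that number to an unrelated group, which then inherits access to those files. Consider leaving the system group in place on purge, or at least documenting the removal in README.Debian. The two echo lines hard-code "xastir-ax25" instead of using $GROUP, so they will drift if the variable is ever changed.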
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-hamradio/xastir.git