[packages/incron] config changes to make incron install more secure

glen glen at pld-linux.org
Sun Oct 21 17:31:32 CEST 2012


commit ab2e9ca9bb2d87c3bd0ff272819704dc7e19c99d
Author: Elan Ruusamäe <glen at delfi.ee>
Date:   Sun Oct 21 18:30:24 2012 +0300

    config changes to make incron install more secure
    
    - add allow any deny files, by default allow only root
    - use private dir for config (/etc/incron)

 configdir.patch | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 incron.allow    |   5 +++
 incron.deny     |   4 ++
 incron.spec     |  17 +++++++--
 4 files changed, 134 insertions(+), 4 deletions(-)
---
diff --git a/incron.spec b/incron.spec
index 0fcbd67..75f7bae 100644
--- a/incron.spec
+++ b/incron.spec
@@ -11,9 +11,12 @@ Source0:	http://inotify.aiken.cz/download/incron/%{name}-%{version}.tar.bz2
 # Source0-md5:	038190dc64568883a206f3d58269b850
 Source1:	%{name}.init
 Source2:	%{name}.service
+Source3:	%{name}.allow
+Source4:	%{name}.deny
 Patch0:		%{name}-DESTDIR.patch
 Patch1:		%{name}-gcc47.patch
 Patch2:		%{name}-man_bugs.patch
+Patch3:		configdir.patch
 URL:		http://incron.aiken.cz/
 BuildRequires:	rpmbuild(macros) >= 1.644
 Requires:	systemd-units >= 38
@@ -41,6 +44,7 @@ rather than time periods.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 %{__make} \
@@ -51,7 +55,7 @@ rather than time periods.
 
 %install
 rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT/etc/{rc.d/init.d,incron.d} \
+install -d $RPM_BUILD_ROOT{/etc/rc.d/init.d,%{_sysconfdir}/{%{name},%{name}.d}} \
 	$RPM_BUILD_ROOT{/var/spool/%{name},%{systemdunitdir}}
 
 %{__make} install \
@@ -59,8 +63,10 @@ install -d $RPM_BUILD_ROOT/etc/{rc.d/init.d,incron.d} \
 	PREFIX=%{_prefix}
 
 install -p %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/%{name}
-cp -p incron.conf.example $RPM_BUILD_ROOT%{_sysconfdir}/incron.conf
+cp -p incron.conf.example $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/%{name}.conf
 cp -p %{SOURCE2} $RPM_BUILD_ROOT%{systemdunitdir}
+cp -p %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}
+cp -p %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}
 
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -91,12 +97,15 @@ fi
 %files
 %defattr(644,root,root,755)
 %doc CHANGELOG COPYING README TODO
-%attr(640,root,crontab) %config(noreplace) %{_sysconfdir}/incron.conf
+%attr(750,root,crontab) %dir %{_sysconfdir}/%{name}
+%attr(640,root,crontab) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%attr(640,root,crontab) %config(noreplace,missingok) %verify(not md5 mtime size) %{_sysconfdir}/%{name}/%{name}.allow
+%attr(640,root,crontab) %config(noreplace,missingok) %verify(not md5 mtime size) %{_sysconfdir}/%{name}/%{name}.deny
 %attr(754,root,root) /etc/rc.d/init.d/%{name}
 %{systemdunitdir}/%{name}.service
 %attr(755,root,root) %{_sbindir}/incrond
 %attr(4755,root,crontab) %{_bindir}/incrontab
-%dir %attr(751,root,crontab) %{_sysconfdir}/incron.d
+%dir %attr(751,root,crontab) %{_sysconfdir}/%{name}.d
 %{_mandir}/man1/incrontab.1*
 %{_mandir}/man5/incron.conf.5*
 %{_mandir}/man5/incrontab.5*
diff --git a/configdir.patch b/configdir.patch
new file mode 100644
index 0000000..45fa93a
--- /dev/null
+++ b/configdir.patch
@@ -0,0 +1,112 @@
+--- incron-0.5.10/incroncfg.cpp~	2012-04-07 01:19:27.000000000 +0300
++++ incron-0.5.10/incroncfg.cpp	2012-10-21 17:28:00.359046585 +0300
+@@ -39,8 +39,8 @@
+ {
+   m_defaults.insert(CFG_MAP::value_type("system_table_dir", "/etc/incron.d"));
+   m_defaults.insert(CFG_MAP::value_type("user_table_dir", "/var/spool/incron"));
+-  m_defaults.insert(CFG_MAP::value_type("allowed_users", "/etc/incron.allow"));
+-  m_defaults.insert(CFG_MAP::value_type("denied_users", "/etc/incron.deny"));
++  m_defaults.insert(CFG_MAP::value_type("allowed_users", "/etc/incron/incron.allow"));
++  m_defaults.insert(CFG_MAP::value_type("denied_users", "/etc/incron/incron.deny"));
+   m_defaults.insert(CFG_MAP::value_type("lockfile_dir", "/var/run"));
+   m_defaults.insert(CFG_MAP::value_type("lockfile_name", "incrond"));
+   m_defaults.insert(CFG_MAP::value_type("editor", ""));
+--- incron-0.5.10/incrond.8~	2012-04-07 01:19:27.000000000 +0300
++++ incron-0.5.10/incrond.8	2012-10-21 17:32:18.844200777 +0300
+@@ -9,13 +9,13 @@
+ 
+ \fIincrond\fR can be started from /etc/rc, /etc/rc.local and so on. It daemonizes itself (returns immediately) and doesn't need to be started with & and through \fInohup\fR(1). It can be run on foreground too.
+ 
+-\fIincrond\fR uses two categories of tables \fIincrontab\fR(5). System tables are usually located in /etc/incron.d and are maintained outside of incron (e.g. by various applications). These tables work on root rights level and thus any file may be watched and commands are executed with root privileges.
++\fIincrond\fR uses two categories of tables \fIincrontab\fR(5). System tables are usually located in /etc/incron/incron.d and are maintained outside of incron (e.g. by various applications). These tables work on root rights level and thus any file may be watched and commands are executed with root privileges.
+ 
+ User tables are located in /var/spool/incron by default and have names based on user accounts. These tables use users' access rights, thus only files which the user may access are watched. Commands are executed with users' privileges.
+ 
+ If a table (incrontab) is changed \fIincrond\fR reacts immediately and reloads the table. Currently running child processes (commands) are not affected.
+ 
+-There are two files determining whether an user is allowed to use incron. These files have very simple syntax \- one user name per line. If /etc/incron.allow exists the user must be noted there to be allowed to use incron. Otherwise if /etc/incron.deny exists the user must not be noted there to use incron. If none of these files exists there is no other restriction whether anybody may use incron. Location of these files can be changed in the configuration.
++There are two files determining whether an user is allowed to use incron. These files have very simple syntax \- one user name per line. If /etc/incron/incron.allow exists the user must be noted there to be allowed to use incron. Otherwise if /etc/incron/incron.deny exists the user must not be noted there to use incron. If none of these files exists there is no other restriction whether anybody may use incron. Location of these files can be changed in the configuration.
+ 
+ The daemon itself is currently not protected against looping. If a command executed due to an event causes the same event it leads to an infinite loop unless a flag mask containing IN_NO_LOOP is specified. Please beware of this and do not allow permission for use incron to unreliable users.
+ 
+@@ -24,7 +24,7 @@
+ 
+ \fB\-k\fR (or \fB\-\-kill\fR) option terminates a running instance of \fBincrond\fR.
+ 
+-\fB\-f <FILE>\fR (or \fB\-\-config=<FILE>\fR) option specifies another location for the configuration file (/etc/incron.conf is used by default).
++\fB\-f <FILE>\fR (or \fB\-\-config=<FILE>\fR) option specifies another location for the configuration file (/etc/incron/incron.conf is used by default).
+ 
+ \fBEnvironment variables:\fR For system tables, the default (the same as for incrond itself) environment variable set is used. The same applies to root's table. For non\-root user tables, the whole environment is cleared and then only these variables are set: LOGNAME, USER, USERNAME, SHELL, HOME and PATH. The variables (except PATH) take values from the user database (e.g. /etc/passwd). The PATH variable is set to /usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin.
+ .SH "SEE ALSO"
+--- incron-0.5.10/incron.conf.example~	2012-04-07 01:19:27.000000000 +0300
++++ incron-0.5.10/incron.conf.example	2012-10-21 17:32:44.912059560 +0300
+@@ -26,19 +26,19 @@
+ # Parameter:   allowed_users
+ # Meaning:     allowed users list file
+ # Description: This file contains users allowed to use incron.
+-# Default:     /etc/incron.allow
++# Default:     /etc/incron/incron.allow
+ #
+ # Example:
+-# allowed_users = /etc/incron/allow
++# allowed_users = /etc/incron/incron.allow
+ 
+ 
+ # Parameter:   denied_users
+ # Meaning:     denied users list file
+ # Description: This file contains users denied to use incron.
+-# Default:     /etc/incron.deny
++# Default:     /etc/incron/incron.deny
+ #
+ # Example:
+-# denied_users = /etc/incron/deny
++# denied_users = /etc/incron/incron.deny
+ 
+ 
+ # Parameter:   lockfile_dir
+--- incron-0.5.10/./incron.conf.5~	2012-04-07 01:19:27.000000000 +0300
++++ incron-0.5.10/./incron.conf.5	2012-10-21 18:26:32.645980593 +0300
+@@ -1,8 +1,8 @@
+ .TH "incron.conf" "5" "0.5.10" "Lukas Jelinek" "incron documentation"
+ .SH "NAME"
+-/etc/incron.conf \- main config file for inotify cron (incron)
++/etc/incron/incron.conf \- main config file for inotify cron (incron)
+ .SH "DESCRIPTION"
+-The file \fI/etc/incron.conf\fR contains default settings for the program
++The file \fI/etc/incron.d/incron.conf\fR contains default settings for the program
+ .BR incrond.
+ Each line holds a single value pair in the form \fIoption\fR = \fIvalue\fR.
+ Comment lines must have a hash sign (#) in the first line.
+--- incron-0.5.10/./incrontab.1~	2012-10-21 18:26:19.000000000 +0300
++++ incron-0.5.10/./incrontab.1	2012-10-21 18:27:00.410583705 +0300
+@@ -30,7 +30,7 @@
+ 
+ \fB\-d\fR (or \fB\-\-reload\fR) option causes reloading the current table by \fIincrond\fR(8). It is done through "touching" the table (writing into it without modifying it). This feature is intended e.g. for creating watches on newly created files (with already existing rules) or for rearming IN_ONESHOT watches.
+ 
+-\fB\-f <FILE>\fR (or \fB\-\-config=<FILE>\fR) option specifies another location for the configuration file (/etc/incron.conf is used by default). This feature requires root privileges.
++\fB\-f <FILE>\fR (or \fB\-\-config=<FILE>\fR) option specifies another location for the configuration file (/etc/incron/incron.conf is used by default). This feature requires root privileges.
+ 
+ There is a few complex algorithm how to determine which editor will be user for editing. If any of the following rule succeeds the appropriate editor is used:
+ 
+--- incron-0.5.10/./incroncfg.cpp~	2012-10-21 18:26:19.000000000 +0300
++++ incron-0.5.10/./incroncfg.cpp	2012-10-21 18:27:35.458853260 +0300
+@@ -24,7 +24,7 @@
+ #include "incroncfg.h"
+ 
+ 
+-#define INCRON_CFG_DEFAULT "/etc/incron.conf"
++#define INCRON_CFG_DEFAULT "/etc/incron/incron.conf"
+ 
+ 
+ typedef std::map<std::string, std::string> CFG_MAP;
+--- incron-0.5.10/./incron.h~	2012-04-07 01:19:27.000000000 +0300
++++ incron-0.5.10/./incron.h	2012-10-21 18:27:51.552922634 +0300
+@@ -33,7 +33,7 @@
+ #define INCRON_BUG_ADDRESS "<bugs at aiken.cz>"
+ 
+ /// Default configuration file
+-#define INCRON_CONFIG "/etc/incron.conf"
++#define INCRON_CONFIG "/etc/incron/incron.conf"
+ 
+ 
+ #endif //_INCRON_H_
diff --git a/incron.allow b/incron.allow
new file mode 100644
index 0000000..a20b541
--- /dev/null
+++ b/incron.allow
@@ -0,0 +1,5 @@
+# This file describes the names of the users which are
+# allowed to use the local incron daemon
+# See incrond(8) for details
+#
+root
diff --git a/incron.deny b/incron.deny
new file mode 100644
index 0000000..cb7667a
--- /dev/null
+++ b/incron.deny
@@ -0,0 +1,4 @@
+# This file describes the names of the users which are
+# NOT allowed to use the local incron daemon
+# See incrond(8) for details
+#
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/incron.git/commitdiff/ab2e9ca9bb2d87c3bd0ff272819704dc7e19c99d



More information about the pld-cvs-commit mailing list