From 2e5098140868ad5d1749653652df1d1fcd34a38d Mon Sep 17 00:00:00 2001
From: Jason Rhinelander
Date: Tue, 14 Jan 2020 17:16:12 -0400
Subject: [PATCH] Use systemd service capabilities instead of setcap

Setcap causes problems (like issue #1007), so stop using it (and undo the permission override on upgrade) and instead set capabilities via the systemd services. (This also fixes some AssertFileNotEmpty declarations that were in the wrong places).
---
 debian/lokinet-bin.postinst | 18 ++++++++++--------
 debian/lokinet-router.lokinet-router.service | 4 +++-
 ...kinet-router.lokinet-testnet-router.service | 4 +++-
 debian/lokinet.lokinet-testnet.service | 4 +++-
 debian/lokinet.lokinet.service | 4 +++-
 5 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/debian/lokinet-bin.postinst b/debian/lokinet-bin.postinst
index b697b30fb..1b2ed4f2c 100644
--- a/debian/lokinet-bin.postinst
+++ b/debian/lokinet-bin.postinst
@@ -18,15 +18,17 @@ if [ "$1" = configure ]; then
 adduser --force-badname --quiet _lokinet _loki
 fi
 
- if ! dpkg-statoverride --list /usr/bin/lokinet >/dev/null 2>&1; then
- dpkg-statoverride --update --add root _loki 750 /usr/bin/lokinet
+ # Before 0.6.2-3 the deb's setcap'ed the binary and used restrictive permissions and ownership
+ # to protect invocation; from 0.6.2-3 onwards we do the capabilities via the systemd service
+ # file, so if we are upgrading from an older version remove the stat override. (Otherwise do
+ # nothing in case the local admin does a statoverride).
+ if dpkg --compare-versions "$2" lt '0.6.2-3~'; then
+ if dpkg-statoverride --list /usr/bin/lokinet >/dev/null 2>&1; then
+ dpkg-statoverride --remove /usr/bin/lokinet
+ chown root:root /usr/bin/lokinet
+ chmod 755 /usr/bin/lokinet
+ fi
 fi
-
- if ! setcap cap_net_admin,cap_net_bind_service=+eip /usr/bin/lokinet; then
- echo "failed to setcap lokinet" >&2
- exit 1
- fi
-
 fi
 
 #DEBHELPER#
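Review bot: The guard `if dpkg --compare-versions "$2" lt '0.6.2-3~'; then` also fires on a fresh install, where `$2` is empty and dpkg (as far as I recall) sorts an empty version before any other, so a statoverride a local admin has deliberately placed on /usr/bin/lokinet is removed in exactly the case the new comment says should be left alone. Restricting the cleanup to real upgrades fixes that: `if [ -n "$2" ] && dpkg --compare-versions "$2" lt '0.6.2-3~'; then`. The `chown root:root` and `chmod 755` after `dpkg-statoverride --remove` are reasonable since the file capability on the binary is gone with this commit, but it is worth a comment stating that 0755 is now safe precisely because the binary no longer carries capabilities. The enclosing `if [ "$1" = configure ]` block begins before this hunk.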
diff --git a/debian/lokinet-router.lokinet-router.service b/debian/lokinet-router.lokinet-router.service
index 3a1f846da..eaaf8231e 100644
--- a/debian/lokinet-router.lokinet-router.service
+++ b/debian/lokinet-router.lokinet-router.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=LokiNET: Anonymous Network layer thingydoo, router
+AssertFileNotEmpty=/var/lib/lokinet/bootstrap.signed
 Wants=network-online.target
 After=network-online.target
 
@@ -7,7 +8,8 @@ After=network-online.target
 User=_lokinet
 SyslogIdentifier=lokinet-router
 WorkingDirectory=/var/lib/lokinet/router
-AssertFileNotEmpty=/var/lib/lokinet/bootstrap.signed
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/lokinet /var/lib/lokinet/router/lokinet.ini
 Environment=LOKINET_NETID=lokinet
 Restart=always
diff --git a/debian/lokinet-router.lokinet-testnet-router.service b/debian/lokinet-router.lokinet-testnet-router.service
index 7cdf4f55f..fd5fa5694 100644
--- a/debian/lokinet-router.lokinet-testnet-router.service
+++ b/debian/lokinet-router.lokinet-testnet-router.service
@@ -1,13 +1,15 @@
 [Unit]
 Description=LokiNET: Anonymous Network layer thingydoo, router (testnet)
+AssertFileNotEmpty=/var/lib/lokinet/testnet/bootstrap.signed
 Wants=network-online.target
 After=network-online.target
-AssertFileNotEmpty=/var/lib/lokinet/testnet/bootstrap.signed
 
 [Service]
 User=_lokinet
 SyslogIdentifier=lokinet-router
 WorkingDirectory=/var/lib/lokinet/testnet-router
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/lokinet /var/lib/lokinet/testnet-router/lokinet.ini
 Environment=LOKINET_NETID=gamma
 Restart=always
diff --git a/debian/lokinet.lokinet-testnet.service b/debian/lokinet.lokinet-testnet.service
index 3e457f80b..1f504e9c5 100644
--- a/debian/lokinet.lokinet-testnet.service
+++ b/debian/lokinet.lokinet-testnet.service
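Review bot: The new `CapabilityBoundingSet=` and `AmbientCapabilities=` lines in the second hunk now carry the entire privilege grant, but there is no accompanying `NoNewPrivileges=yes`; ambient capabilities survive no_new_privs, so adding `NoNewPrivileges=yes` next to the two capability lines keeps CAP_NET_ADMIN/CAP_NET_BIND_SERVICE while preventing lokinet or anything it execs from gaining further privilege via setuid or file-capability binaries (assuming lokinet needs no setuid helpers, which the diff does not show). The same applies to the matching hunks in lokinet-router.lokinet-testnet-router.service, lokinet.lokinet-testnet.service and lokinet.lokinet.service. Because the file capability on /usr/bin/lokinet is dropped by this commit, a systemd older than 229 would ignore `AmbientCapabilities=` with a warning and start the daemon without CAP_NET_ADMIN, so the package's systemd dependency is worth checking; that is outside this diff.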
@@ -1,5 +1,6 @@
 [Unit]
 Description=LokiNET: Anonymous Network layer thingydoo, client
+AssertFileNotEmpty=/var/lib/lokinet/testnet/bootstrap.signed
 Wants=network-online.target
 After=network-online.target
 
@@ -7,7 +8,8 @@ After=network-online.target
 User=_lokinet
 SyslogIdentifier=lokinet
 WorkingDirectory=/var/lib/lokinet
-AssertFileNotEmpty=/var/lib/lokinet/bootstrap.signed
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/lokinet /var/lib/lokinet/lokinet.ini
 ExecStartPost=+/usr/sbin/lokinet-resolvconf add /var/lib/lokinet/lokinet.ini
 ExecStopPost=+/usr/sbin/lokinet-resolvconf remove /var/lib/lokinet/lokinet.ini
diff --git a/debian/lokinet.lokinet.service b/debian/lokinet.lokinet.service
index b3d3c5593..5fee62799 100644
--- a/debian/lokinet.lokinet.service
+++ b/debian/lokinet.lokinet.service
@@ -1,13 +1,15 @@
 [Unit]
 Description=LokiNET: Anonymous Network layer thingydoo, client
+AssertFileNotEmpty=/var/lib/lokinet/bootstrap.signed
 Wants=network-online.target
 After=network-online.target
-AssertFileNotEmpty=/var/lib/lokinet/bootstrap.signed
 
 [Service]
 User=_lokinet
 SyslogIdentifier=lokinet
 WorkingDirectory=/var/lib/lokinet
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/lokinet /var/lib/lokinet/lokinet.ini
 ExecStartPost=+/usr/sbin/lokinet-resolvconf add /var/lib/lokinet/lokinet.ini
 ExecStopPost=+/usr/sbin/lokinet-resolvconf remove /var/lib/lokinet/lokinet.ini
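Review bot: In lokinet.lokinet-testnet.service the added `AssertFileNotEmpty=/var/lib/lokinet/testnet/bootstrap.signed` guards the testnet bootstrap, yet the unchanged `WorkingDirectory=/var/lib/lokinet` and `ExecStart=/usr/bin/lokinet /var/lib/lokinet/lokinet.ini` in the second hunk still point at the mainnet directory and config, so the assertion and the started process appear to disagree about which network this unit runs. The ini path the testnet client should use is not visible here and the lines after `ExecStopPost=` (for example an `Environment=LOKINET_NETID=` line) fall outside the hunk, so this may be deliberate, but it is worth confirming against the rest of the unit before release. The lokinet.lokinet.service hunk on the same line is internally consistent with its mainnet paths.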