[ports] finding an orphan to maintain

Roland Smith rsmith at xs4all.nl
Sat Jan 14 01:33:43 UTC 2017 

On Thu, Jan 12, 2017 at 09:21:16PM +0100, Damien Fleuriot wrote:
> On 12 January 2017 at 17:47, Roland Smith <rsmith at xs4all.nl> wrote:
> > On Wed, Jan 11, 2017 at 12:53:02PM +0100, Damien Fleuriot wrote:
> >> Thanks for the additional input Roland.
> >>
> >> I currently have my eye on shells/lshell, which we use here on
> >> 10-STABLE for PCI-DSS compliance (restricting and logging commands).
> >
> > In this case you might want to look at auditing;
> > https://www.freebsd.org/doc/handbook/audit.html
> >
> > While the handbook explains how it works, I haven't really found good examples
> > of its use.
> >
> 
> I thank you for the input and have indeed already looked at auditd.
> 
> While it does provide very good logging, it only answers one of the
> prerequisites, logging, not actual command restriction.

There is another (somewhat heavyhanded) approach to restricting commands.
You could copy binaries for allowed programs to a special directory (to be put
in $PATH) and remove read/execute access for others from the normal `bin` directories.

> We do have another constraint which is that the software be portable
> to linux as well, so as to not maintain 2 different sets of
> logging/restriction stacks.

I thought OpenBSM was ported to Linux, but it seems to miss auditd because of
kernel support. Pity.

> >> It so happens the current (0.9.16_2) version on FreeBSD suffers from a
> >> nasty case of shell escape :
> >> https://github.com/ghantoos/lshell/issues/151
> >> root:~$ echo () sh && echo
> >> #
> >> ^-- uh oh...
> >
> > Oops.
> >
> > Looking at the discussion of the issue, I get the impression that there are
> > some fundamental problems with the way lshell parses and executes commands.
> >
> 
> Aye, bug reporter seems quite adamant that, quote, the software is
> entirely broken.

Not a good sign. And I think he has a point, seeing how lshell uses Python's
subprocess module.

> >> I cannot seem to reproduce when using the latest master branch, and am
> >> seeking confirmation in the bug thread that I'm actually trying to
> >> reproduce correctly.
> >>
> >> If it should transpire that the problem is indeed fixed in the master,
> >> I shall try and update the port to the latest version.
> >
> > The port now uses SourceForge, which is getting a bad reputation these days
> > for adding crap to binary installers. This is probably not an issue with
> > tarballs, but it makes me wonder if they are still trustworthy.  You might
> > want to consider switching to github. If you do, read
> > /usr/ports/Mk/bsd.sites.mk on how to properly do that in the port Makefile.
> >
> 
> When (if) I manage to get Poudriere up and running (it's currently
> bitching about missing /usr/local/share/poudriere/jail.sh), I shall be
> able to submit run tests for a patched version of shells/lshell.

For just one port, bringing up Poudiere is surely overkill?

My workflow for modifying a port is generally as follows (using sysutils/conky
as an example):

    > mkdir scratch
    > cd scratch/
    > cp -Rp /usr/ports/sysutils/conky .
    > cp -Rp /usr/ports/sysutils/conky conky.orig
    > cd conky/
    [Make whatever changes necessary, then run the following tests (from the
    Porters Handbook) *as a normal user*, unless otherwise (#) indicated]
    > make stage
    > make check-orphans
    > make package
    > portlint .
    # make install
    # make deinstall
    # pkg add package-filename
    # pkg delete package-filename

When all this works,

    # make clean
    > cd ..
    > diff -ruN conky.orig/ conky/ > patch-for-conky.diff

Attach the diff to a PR.

> The aim is to bring it up to upstream from github at version 0.9.18.
>
> Sadly lot of vulns were patched since 0.9.18 and there is no further
> release tag.
>
> I've asked for one today, wait and see.

The documentation for github in bsd.sites.mk states that you can use a hash
from a commit as a GH_TAGNAME.

Roland
-- 
R.F.Smith                                   http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
THUBpgp: 5753 3324 1661 B0FE 8D93  FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20170114/9549865a/attachment.sig>

More information about the freebsd-questions mailing list