Github messages for voidlinux
* [PR PATCH] spiped: add unprivileged system account
@ 2021-06-06 23:22 ailiop-git
  2021-06-08  2:16 ` [PR REVIEW] " ericonr
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: ailiop-git @ 2021-06-06 23:22 UTC (permalink / raw)
  To: ml

There is a new pull request by ailiop-git against master on the void-packages repository

https://github.com/ailiop-git/void-packages spiped
https://github.com/void-linux/void-packages/pull/31332

spiped: add unprivileged system account
<!-- Mark items with [x] where applicable -->

#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->
<!-- 
#### Does it build and run successfully? 
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [ ] I built this PR locally for my native architecture, (ARCH-LIBC)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
  - [ ] aarch64-musl
  - [ ] armv7l
  - [ ] armv6l-musl
-->


A patch file from https://github.com/void-linux/void-packages/pull/31332.patch is attached

[-- Attachment #2: github-pr-spiped-31332.patch --]
[-- Type: text/x-diff, Size: 1116 bytes --]

From ff44865a7ce963d4e43e9c98a7c3a5411828cf4b Mon Sep 17 00:00:00 2001
From: Anthony Iliopoulos <ailiop@altatus.com>
Date: Mon, 7 Jun 2021 01:18:59 +0200
Subject: [PATCH] spiped: add unprivileged system account

---
 srcpkgs/spiped/template | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/srcpkgs/spiped/template b/srcpkgs/spiped/template
index 765b0b00959a..5d1faf9e9bfa 100644
--- a/srcpkgs/spiped/template
+++ b/srcpkgs/spiped/template
@@ -1,19 +1,21 @@
 # Template file for 'spiped'
 pkgname=spiped
 version=1.6.1
-revision=2
+revision=3
 build_style=gnu-makefile
 makedepends="openssl-devel"
 short_desc="Spiped secure pipe daemon"
-maintainer="Orphaned <orphan@voidlinux.org>"
+maintainer="Anthony Iliopoulos <ailiop@altatus.com>"
 license="BSD-2-Clause"
 homepage="http://www.tarsnap.com/spiped.html"
 distfiles="http://www.tarsnap.com/spiped/spiped-${version}.tgz"
 checksum=8d7089979db79a531a0ecc507b113ac6f2cf5f19305571eff1d3413e0ab33713
+system_accounts="_spiped"
 
 pre_build() {
 	export LDADD_EXTRA="$LDFLAGS"
 }
+
 do_install() {
 	vmkdir usr/bin
 	vmkdir usr/share/man/man1
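
Review bot: `system_accounts="_spiped"` creates the account, but nothing in the visible template makes spiped run as it, so after install the daemon still runs with the caller's privileges unless `-u _spiped` is passed by hand. Consider shipping a runit service, or at least documenting the `-u _spiped` invocation, in the same change so the account is actually used. The maintainer change away from `Orphaned` and the blank line added before `do_install()` are unrelated to the account and would be easier to review as a separate commit. The `homepage` and `distfiles` context lines still use `http://`; the pinned `checksum` covers the tarball, but moving them to `https://` if the upstream host serves it would be a reasonable follow-up.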

* Re: [PR REVIEW] spiped: add unprivileged system account
  2021-06-06 23:22 [PR PATCH] spiped: add unprivileged system account ailiop-git
@ 2021-06-08  2:16 ` ericonr
  2021-06-08  8:38 ` ailiop-git
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: ericonr @ 2021-06-08  2:16 UTC (permalink / raw)
  To: ml

New review comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/31332#discussion_r647060620

Comment:
Shouldn't this be passed in configure somewhere as well? Or is it just so someone doesn't have to create it? Not sure I understand the purpose.

* Re: [PR REVIEW] spiped: add unprivileged system account
  2021-06-06 23:22 [PR PATCH] spiped: add unprivileged system account ailiop-git
  2021-06-08  2:16 ` [PR REVIEW] " ericonr
@ 2021-06-08  8:38 ` ailiop-git
  2021-06-09  0:56 ` sgn
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: ailiop-git @ 2021-06-08  8:38 UTC (permalink / raw)
  To: ml

New review comment by ailiop-git on void-packages repository

https://github.com/void-linux/void-packages/pull/31332#discussion_r647237436

Comment:
There are no configure options as by default spiped runs with the current user privileges, unless the -u option is passed.

It's so that an account doesn't have to be created manually and so that we have "standardized" sandbox accounts as much as possible. 

Ideally this would be accompanied by a sv script, but given that a tunnel can be created for any arbitrary service/port I wasn't sure if I should provide one. Would it make sense to provide a run script that needs a related conf file (for configuring the various options)? Also, that would cover a single tunnel instance only, anyone that needs more would need to create more services (e.g. /etc/sv/spiped-tunnel-N etc.). 


* Re: [PR REVIEW] spiped: add unprivileged system account
  2021-06-06 23:22 [PR PATCH] spiped: add unprivileged system account ailiop-git
  2021-06-08  2:16 ` [PR REVIEW] " ericonr
  2021-06-08  8:38 ` ailiop-git
@ 2021-06-09  0:56 ` sgn
  2021-06-09 10:03 ` ailiop-git
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: sgn @ 2021-06-09  0:56 UTC (permalink / raw)
  To: ml

New review comment by sgn on void-packages repository

https://github.com/void-linux/void-packages/pull/31332#discussion_r647890551

Comment:
Why doesn't it use `nobody`?

* Re: [PR REVIEW] spiped: add unprivileged system account
  2021-06-06 23:22 [PR PATCH] spiped: add unprivileged system account ailiop-git
                   ` (2 preceding siblings ...)
  2021-06-09  0:56 ` sgn
@ 2021-06-09 10:03 ` ailiop-git
  2022-05-21  2:00 ` github-actions
  2022-06-04  2:09 ` [PR PATCH] [Closed]: " github-actions
  5 siblings, 0 replies; 7+ messages in thread
From: ailiop-git @ 2021-06-09 10:03 UTC (permalink / raw)
  To: ml

New review comment by ailiop-git on void-packages repository

https://github.com/void-linux/void-packages/pull/31332#discussion_r648157096

Comment:
I'd like to avoid doing that, given that `nobody` is a catch-all account and may be shared by different services. There are far too many ways that processes running with the same creds can influence each other, and it's better to avoid that as much as possible given that this is done for increased security, especially for long-running daemons. Plus there are further things that can be restricted by uid so it's useful to have separation.

I suppose I'd better provide a parameterized sv file, similar to what the FreeBSD pkg does [1], and let users configure the various options over a conf file as we do for the rest (e.g. like sshd). This would also have the system accounts hardcoded, so it would make more sense.

[1] https://cgit.freebsd.org/ports/tree/sysutils/spiped/files/spiped.in
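
The parameterized service discussed above, as an added example (not from the PR, void-packages or the FreeBSD port): a helper for an sv run script that builds the spiped command line from conf-style settings, always passes `-u` with the dedicated account, and refuses `root` or the shared `nobody` account. The setting names, sample addresses and key path are assumptions; `-F` (stay in foreground) and `-u` are spiped's own options.

```shell
#!/bin/sh
# Added example: build the argv for one spiped tunnel from conf-style
# settings. Setting names (mode, src, dst, keyfile, run_as) are hypothetical.

# Print the spiped command line, one argument per line, or return 1
# with a reason on stderr if the settings are incomplete or unsafe.
spiped_argv() {
	mode=$1 src=$2 dst=$3 keyfile=$4 run_as=${5:-_spiped}

	case $mode in
		encrypt) flag=-e ;;
		decrypt) flag=-d ;;
		*) echo "mode must be encrypt or decrypt" >&2; return 1 ;;
	esac
	for v in "$src" "$dst" "$keyfile"; do
		[ -n "$v" ] || { echo "src, dst and keyfile are required" >&2; return 1; }
	done
	# Refuse accounts that defeat the point of a per-service uid.
	case $run_as in
		root|nobody|0)
			echo "refusing shared or privileged account: $run_as" >&2
			return 1 ;;
	esac
	# -F keeps spiped in the foreground so the supervisor can track it.
	printf '%s\n' spiped -F "$flag" -s "$src" -t "$dst" -k "$keyfile" -u "$run_as"
}

# Constructed sample settings for one tunnel (not from the PR).
spiped_argv decrypt '[0.0.0.0]:8022' '[127.0.0.1]:22' /etc/spiped/tunnel.key
```

A run script would read these settings from its conf file and `exec` the resulting command, one service directory per tunnel.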

* Re: spiped: add unprivileged system account
  2021-06-06 23:22 [PR PATCH] spiped: add unprivileged system account ailiop-git
                   ` (3 preceding siblings ...)
  2021-06-09 10:03 ` ailiop-git
@ 2022-05-21  2:00 ` github-actions
  2022-06-04  2:09 ` [PR PATCH] [Closed]: " github-actions
  5 siblings, 0 replies; 7+ messages in thread
From: github-actions @ 2022-05-21  2:00 UTC (permalink / raw)
  To: ml

New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/pull/31332#issuecomment-1133500175

Comment:
Pull Requests become stale 90 days after last activity and are closed 14 days after that.  If this pull request is still relevant bump it or assign it.

* Re: [PR PATCH] [Closed]: spiped: add unprivileged system account
  2021-06-06 23:22 [PR PATCH] spiped: add unprivileged system account ailiop-git
                   ` (4 preceding siblings ...)
  2022-05-21  2:00 ` github-actions
@ 2022-06-04  2:09 ` github-actions
  5 siblings, 0 replies; 7+ messages in thread
From: github-actions @ 2022-06-04  2:09 UTC (permalink / raw)
  To: ml

There's a closed pull request on the void-packages repository

spiped: add unprivileged system account
https://github.com/void-linux/void-packages/pull/31332
