author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2016-02-16 22:42:24 +0200 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2016-02-16 22:43:15 +0200 |
commit | b1766033fc58fdd64b129a10590144126a193aef (patch) | |
tree | 780db8649c85fcbcc73c207596aa86567889b16a /main/zoneminder | |
parent | 1906d6925ee4e8d5e29149c0166790abec5b6fde (diff) | |
download | aports-b1766033fc58fdd64b129a10590144126a193aef.tar.bz2 aports-b1766033fc58fdd64b129a10590144126a193aef.tar.xz |
main/zoneminder: harden file permissions
Diffstat (limited to 'main/zoneminder')
-rw-r--r-- | main/zoneminder/0001-security-hardening-make-static-files-non-writable-by.patch | 58 | ||||
-rw-r--r-- | main/zoneminder/APKBUILD | 6 |
2 files changed, 63 insertions, 1 deletions
diff --git a/main/zoneminder/0001-security-hardening-make-static-files-non-writable-by.patch b/main/zoneminder/0001-security-hardening-make-static-files-non-writable-by.patch
new file mode 100644
index 0000000000..10b71f185f
--- /dev/null
+++ b/main/zoneminder/0001-security-hardening-make-static-files-non-writable-by.patch
@@ -0,0 +1,58 @@
+From caead923a7d539622ba7aa508918e6e5f1e07983 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Tue, 16 Feb 2016 22:30:45 +0200
+Subject: [PATCH] security hardening: make static files non-writable by webuser
+
+---
+ Makefile.am | 2 +-
+ src/Makefile.am | 2 +-
+ web/Makefile.am | 4 +---
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 62f767e..b7e69e6 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -27,7 +27,7 @@ EXTRA_DIST = \
+
+ # Yes, you are correct. This is a HACK!
+ install-data-hook:
+- ( cd $(DESTDIR)$(zmconfigdir); chown $(webuser):$(webgroup) $(zmconfig_DATA); chmod 600 $(zmconfig_DATA) )
++ ( cd $(DESTDIR)$(zmconfigdir); chgrp $(webgroup) $(zmconfig_DATA); chmod 640 $(zmconfig_DATA) )
+ ( if ! test -e $(DESTDIR)$(ZM_RUNDIR); then mkdir -p $(DESTDIR)$(ZM_RUNDIR); fi; if test "$(DESTDIR)$(ZM_RUNDIR)" != "/var/run"; then chown $(webuser):$(webgroup) $(DESTDIR)$(ZM_RUNDIR); chmod u+w $(DESTDIR)$(ZM_RUNDIR); fi )
+ ( if ! test -e $(DESTDIR)$(ZM_SOCKDIR); then mkdir -p $(DESTDIR)$(ZM_SOCKDIR); fi; if test "$(DESTDIR)$(ZM_SOCKDIR)" != "/var/run"; then chown $(webuser):$(webgroup) $(DESTDIR)$(ZM_SOCKDIR); chmod u+w $(DESTDIR)$(ZM_SOCKDIR); fi )
+ ( if ! test -e $(DESTDIR)$(ZM_TMPDIR); then mkdir -m 700 -p $(DESTDIR)$(ZM_TMPDIR); fi; if test "$(DESTDIR)$(ZM_TMPDIR)" != "/tmp" && test "$(DESTDIR)$(ZM_TMPDIR)" != "/var/tmp"; then chown $(webuser):$(webgroup) $(DESTDIR)$(ZM_TMPDIR); chmod u+w $(DESTDIR)$(ZM_TMPDIR); fi )
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 9314daa..26c9934 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -128,7 +128,7 @@ dist-hook:
+ # Yes, you are correct. This is a HACK!
+ install-exec-hook:
+ ( cd $(DESTDIR)@bindir@; mkdir -p $(DESTDIR)$(cgidir); mv zms $(DESTDIR)$(cgidir) )
+- ( cd $(DESTDIR)$(cgidir); chown $(webuser):$(webgroup) zms; ln -f zms nph-zms )
++ ( cd $(DESTDIR)$(cgidir); ln -f zms nph-zms )
+
+ uninstall-hook:
+ ( cd $(DESTDIR)$(cgidir); rm -f zms nph-zms )
+diff --git a/web/Makefile.am b/web/Makefile.am
+index 077a4ff..3538c67 100644
+--- a/web/Makefile.am
++++ b/web/Makefile.am
+@@ -22,12 +22,10 @@ dist_web_DATA = \
+
+ # Yes, you are correct. This is a HACK!
+ install-data-hook:
+- ( cd $(DESTDIR)$(webdir); chown $(webuser):$(webgroup) $(dist_web_DATA) )
+- ( cd $(DESTDIR)$(webdir); chown -R $(webuser):$(webgroup) $(SUBDIRS) )
+ @-( cd $(DESTDIR)$(webdir); if ! test -e events; then mkdir events; fi; chown $(webuser):$(webgroup) events; chmod u+w events )
+ @-( cd $(DESTDIR)$(webdir); if ! test -e images; then mkdir images; fi; chown $(webuser):$(webgroup) images; chmod u+w images )
+ @-( cd $(DESTDIR)$(webdir); if ! test -e sounds; then mkdir sounds; fi; chown $(webuser):$(webgroup) sounds; chmod u+w sounds )
+- @-( cd $(DESTDIR)$(webdir); if ! test -e tools; then mkdir tools; fi; chown $(webuser):$(webgroup) tools; chmod u+w tools )
++ @-( cd $(DESTDIR)$(webdir); if ! test -e tools; then mkdir tools; fi )
+ @-( cd $(DESTDIR)$(webdir); if ! test -e temp; then mkdir temp; fi; chown $(webuser):$(webgroup) temp; chmod u+w temp )
+
+ uninstall-hook:
+--
+2.5.0
+
diff --git a/main/zoneminder/APKBUILD b/main/zoneminder/APKBUILD
index 6d2ecfa23f..84a29a765e 100644
--- a/main/zoneminder/APKBUILD
+++ b/main/zoneminder/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
 pkgname=zoneminder
 pkgver=1.29.0
-pkgrel=4
+pkgrel=5
 pkgdesc="Video camera surveillance system"
 url="http://www.zoneminder.com/"
 arch="x86_64"
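Review bot: The new `install-data-hook` line in the embedded Makefile.am hunk chains `cd`, `chgrp` and `chmod` with `;`, so a failed `cd` applies the group and mode changes to same-named files in the current directory. Under make's default shell flags a failed `chgrp` is also masked, because only the final `chmod` status is reported. This line is what leaves the config data readable by the web group without being owned by the web user, so any failing step should abort the install: `( cd $(DESTDIR)$(zmconfigdir) && chgrp $(webgroup) $(zmconfig_DATA) && chmod 640 $(zmconfig_DATA) )`. The rewritten `( cd $(DESTDIR)$(cgidir); ln -f zms nph-zms )` line in src/Makefile.am has the same `cd ...;` pattern. The hook recipes may continue past the context shown in the patch.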
@@ -22,6 +22,7 @@ subpackages=$pkgname-doc
 source="zoneminder-$pkgver.tar.gz::https://github.com/ZoneMinder/ZoneMinder/archive/v${pkgver}.tar.gz
 $pkgname.initd
 musl-fix.patch
+ 0001-security-hardening-make-static-files-non-writable-by.patch
 0001-zm_monitor-fix-overlap-in-memcpy-buffers.patch
 zm-additional.sql"
@@ -88,15 +89,18 @@ package() {
 md5sums="b4de8dd3fd86fc72e929e116e926d901 zoneminder-1.29.0.tar.gz
 ab1fe4fb2392b82acf18ca8412fb927f zoneminder.initd
 b95482fefbf22e8a89fb061805d05f03 musl-fix.patch
+c7b793be7b48685197acfb5b79470f2c 0001-security-hardening-make-static-files-non-writable-by.patch
 1429766dc44764dc77c735f4320b5a44 0001-zm_monitor-fix-overlap-in-memcpy-buffers.patch
 24359849eef7c5293f63136e704fdca4 zm-additional.sql"
 sha256sums="34e1f0d4b616e320e557f8e3fbe278d3ab70f30f6278cc153b44f2193c85ddbd zoneminder-1.29.0.tar.gz
 887174a6d1489bdcfbadf760758b14ef4e184dfcae728e15cb0e697e61e1c42f zoneminder.initd
 829551a83e62ff84fcba7a0f88105a0b6d15d89a66e1e98dc50098c30c48672f musl-fix.patch
+7090caf93886b01032a8c4e5585f37e6a3e7ac59cdfdfddfd8150c03dacfd93f 0001-security-hardening-make-static-files-non-writable-by.patch
 a830478a806e36d41016d3c2663d892fafa65b580d3bccccc131fe114c842834 0001-zm_monitor-fix-overlap-in-memcpy-buffers.patch
 dea3a1b493bc7d7dbe9c431f565b9e916fb8a8bd29fcd74947b14592ef7f4494 zm-additional.sql"
 sha512sums="71a397df83c92de3b977832bb0a11791a3a756e7219e0cf3dc6c5c30fa0dd488ea00a925433669bf4e79873df980a852f2c805d1b7c9c8a06b6c39b9a16a2fda zoneminder-1.29.0.tar.gz
 fa993a86c21697467c8f63ce584531f8e2c3da977b65e6557161b4b91807b1c78b14fb64f6f54c50fddcb51b54bae6dff45776f5a69bfcc635a5c2927a292b57 zoneminder.initd
 b2c4e31fd0a31f034be3029eab4f2943e07e95e64bb2d8eb38d93b790059d694a9a007e98b0f9b4c47ecfe91296bc21a3795b8a4aaf5b2a83071251456e533da musl-fix.patch
+a7e58312c804f58ac41ee569fefffa99e65beba29f07eff36fb3cf2aa4fd68e1fc903feb73ab0c1fc6c58442251076042b537ab21156b956d7854a86bde14307 0001-security-hardening-make-static-files-non-writable-by.patch
 8a35bfc782792ca559d6cf78e3e17f0caa45e19981cea12090b4f0ececa98bd9a121d2918e06e991ae5c06ab876ffddc94cd4f9db640f510314a3d09a6d90b4c 0001-zm_monitor-fix-overlap-in-memcpy-buffers.patch
 0bb99af417441e2c12cb3b8c00ecb8d76bdc343d39092a222841ae0bd684eeba1783a8bccf5630dae56f64992f8a09ec16e0cbc7069665e1ee3b62dd3f96c3a9
zm-additional.sql" |