aboutsummaryrefslogtreecommitdiffstats
path: root/main/zoneminder
diff options
context:
space:
mode:
authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2016-02-16 22:42:24 +0200
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2016-02-16 22:43:15 +0200
commitb1766033fc58fdd64b129a10590144126a193aef (patch)
tree780db8649c85fcbcc73c207596aa86567889b16a /main/zoneminder
parent1906d6925ee4e8d5e29149c0166790abec5b6fde (diff)
downloadaports-b1766033fc58fdd64b129a10590144126a193aef.tar.bz2
aports-b1766033fc58fdd64b129a10590144126a193aef.tar.xz
main/zoneminder: harden file permissions
Diffstat (limited to 'main/zoneminder')
-rw-r--r--main/zoneminder/0001-security-hardening-make-static-files-non-writable-by.patch58
-rw-r--r--main/zoneminder/APKBUILD6
2 files changed, 63 insertions, 1 deletions
diff --git a/main/zoneminder/0001-security-hardening-make-static-files-non-writable-by.patch b/main/zoneminder/0001-security-hardening-make-static-files-non-writable-by.patch
new file mode 100644
index 0000000000..10b71f185f
--- /dev/null
+++ b/main/zoneminder/0001-security-hardening-make-static-files-non-writable-by.patch
@@ -0,0 +1,58 @@
+From caead923a7d539622ba7aa508918e6e5f1e07983 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Tue, 16 Feb 2016 22:30:45 +0200
+Subject: [PATCH] security hardening: make static files non-writable by webuser
+
+---
+ Makefile.am | 2 +-
+ src/Makefile.am | 2 +-
+ web/Makefile.am | 4 +---
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 62f767e..b7e69e6 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -27,7 +27,7 @@ EXTRA_DIST = \
+
+ # Yes, you are correct. This is a HACK!
+ install-data-hook:
+- ( cd $(DESTDIR)$(zmconfigdir); chown $(webuser):$(webgroup) $(zmconfig_DATA); chmod 600 $(zmconfig_DATA) )
++ ( cd $(DESTDIR)$(zmconfigdir); chgrp $(webgroup) $(zmconfig_DATA); chmod 640 $(zmconfig_DATA) )
+ ( if ! test -e $(DESTDIR)$(ZM_RUNDIR); then mkdir -p $(DESTDIR)$(ZM_RUNDIR); fi; if test "$(DESTDIR)$(ZM_RUNDIR)" != "/var/run"; then chown $(webuser):$(webgroup) $(DESTDIR)$(ZM_RUNDIR); chmod u+w $(DESTDIR)$(ZM_RUNDIR); fi )
+ ( if ! test -e $(DESTDIR)$(ZM_SOCKDIR); then mkdir -p $(DESTDIR)$(ZM_SOCKDIR); fi; if test "$(DESTDIR)$(ZM_SOCKDIR)" != "/var/run"; then chown $(webuser):$(webgroup) $(DESTDIR)$(ZM_SOCKDIR); chmod u+w $(DESTDIR)$(ZM_SOCKDIR); fi )
+ ( if ! test -e $(DESTDIR)$(ZM_TMPDIR); then mkdir -m 700 -p $(DESTDIR)$(ZM_TMPDIR); fi; if test "$(DESTDIR)$(ZM_TMPDIR)" != "/tmp" && test "$(DESTDIR)$(ZM_TMPDIR)" != "/var/tmp"; then chown $(webuser):$(webgroup) $(DESTDIR)$(ZM_TMPDIR); chmod u+w $(DESTDIR)$(ZM_TMPDIR); fi )
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 9314daa..26c9934 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -128,7 +128,7 @@ dist-hook:
+ # Yes, you are correct. This is a HACK!
+ install-exec-hook:
+ ( cd $(DESTDIR)@bindir@; mkdir -p $(DESTDIR)$(cgidir); mv zms $(DESTDIR)$(cgidir) )
+- ( cd $(DESTDIR)$(cgidir); chown $(webuser):$(webgroup) zms; ln -f zms nph-zms )
++ ( cd $(DESTDIR)$(cgidir); ln -f zms nph-zms )
+
+ uninstall-hook:
+ ( cd $(DESTDIR)$(cgidir); rm -f zms nph-zms )
+diff --git a/web/Makefile.am b/web/Makefile.am
+index 077a4ff..3538c67 100644
+--- a/web/Makefile.am
++++ b/web/Makefile.am
+@@ -22,12 +22,10 @@ dist_web_DATA = \
+
+ # Yes, you are correct. This is a HACK!
+ install-data-hook:
+- ( cd $(DESTDIR)$(webdir); chown $(webuser):$(webgroup) $(dist_web_DATA) )
+- ( cd $(DESTDIR)$(webdir); chown -R $(webuser):$(webgroup) $(SUBDIRS) )
+ @-( cd $(DESTDIR)$(webdir); if ! test -e events; then mkdir events; fi; chown $(webuser):$(webgroup) events; chmod u+w events )
+ @-( cd $(DESTDIR)$(webdir); if ! test -e images; then mkdir images; fi; chown $(webuser):$(webgroup) images; chmod u+w images )
+ @-( cd $(DESTDIR)$(webdir); if ! test -e sounds; then mkdir sounds; fi; chown $(webuser):$(webgroup) sounds; chmod u+w sounds )
+- @-( cd $(DESTDIR)$(webdir); if ! test -e tools; then mkdir tools; fi; chown $(webuser):$(webgroup) tools; chmod u+w tools )
++ @-( cd $(DESTDIR)$(webdir); if ! test -e tools; then mkdir tools; fi )
+ @-( cd $(DESTDIR)$(webdir); if ! test -e temp; then mkdir temp; fi; chown $(webuser):$(webgroup) temp; chmod u+w temp )
+
+ uninstall-hook:
+--
+2.5.0
+
diff --git a/main/zoneminder/APKBUILD b/main/zoneminder/APKBUILD
index 6d2ecfa23f..84a29a765e 100644
--- a/main/zoneminder/APKBUILD
+++ b/main/zoneminder/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
pkgname=zoneminder
pkgver=1.29.0
-pkgrel=4
+pkgrel=5
pkgdesc="Video camera surveillance system"
url="http://www.zoneminder.com/"
arch="x86_64"
@@ -22,6 +22,7 @@ subpackages=$pkgname-doc
source="zoneminder-$pkgver.tar.gz::https://github.com/ZoneMinder/ZoneMinder/archive/v${pkgver}.tar.gz
$pkgname.initd
musl-fix.patch
+ 0001-security-hardening-make-static-files-non-writable-by.patch
0001-zm_monitor-fix-overlap-in-memcpy-buffers.patch
zm-additional.sql"
@@ -88,15 +89,18 @@ package() {
md5sums="b4de8dd3fd86fc72e929e116e926d901 zoneminder-1.29.0.tar.gz
ab1fe4fb2392b82acf18ca8412fb927f zoneminder.initd
b95482fefbf22e8a89fb061805d05f03 musl-fix.patch
+c7b793be7b48685197acfb5b79470f2c 0001-security-hardening-make-static-files-non-writable-by.patch
1429766dc44764dc77c735f4320b5a44 0001-zm_monitor-fix-overlap-in-memcpy-buffers.patch
24359849eef7c5293f63136e704fdca4 zm-additional.sql"
sha256sums="34e1f0d4b616e320e557f8e3fbe278d3ab70f30f6278cc153b44f2193c85ddbd zoneminder-1.29.0.tar.gz
887174a6d1489bdcfbadf760758b14ef4e184dfcae728e15cb0e697e61e1c42f zoneminder.initd
829551a83e62ff84fcba7a0f88105a0b6d15d89a66e1e98dc50098c30c48672f musl-fix.patch
+7090caf93886b01032a8c4e5585f37e6a3e7ac59cdfdfddfd8150c03dacfd93f 0001-security-hardening-make-static-files-non-writable-by.patch
a830478a806e36d41016d3c2663d892fafa65b580d3bccccc131fe114c842834 0001-zm_monitor-fix-overlap-in-memcpy-buffers.patch
dea3a1b493bc7d7dbe9c431f565b9e916fb8a8bd29fcd74947b14592ef7f4494 zm-additional.sql"
sha512sums="71a397df83c92de3b977832bb0a11791a3a756e7219e0cf3dc6c5c30fa0dd488ea00a925433669bf4e79873df980a852f2c805d1b7c9c8a06b6c39b9a16a2fda zoneminder-1.29.0.tar.gz
fa993a86c21697467c8f63ce584531f8e2c3da977b65e6557161b4b91807b1c78b14fb64f6f54c50fddcb51b54bae6dff45776f5a69bfcc635a5c2927a292b57 zoneminder.initd
b2c4e31fd0a31f034be3029eab4f2943e07e95e64bb2d8eb38d93b790059d694a9a007e98b0f9b4c47ecfe91296bc21a3795b8a4aaf5b2a83071251456e533da musl-fix.patch
+a7e58312c804f58ac41ee569fefffa99e65beba29f07eff36fb3cf2aa4fd68e1fc903feb73ab0c1fc6c58442251076042b537ab21156b956d7854a86bde14307 0001-security-hardening-make-static-files-non-writable-by.patch
8a35bfc782792ca559d6cf78e3e17f0caa45e19981cea12090b4f0ececa98bd9a121d2918e06e991ae5c06ab876ffddc94cd4f9db640f510314a3d09a6d90b4c 0001-zm_monitor-fix-overlap-in-memcpy-buffers.patch
0bb99af417441e2c12cb3b8c00ecb8d76bdc343d39092a222841ae0bd684eeba1783a8bccf5630dae56f64992f8a09ec16e0cbc7069665e1ee3b62dd3f96c3a9 zm-additional.sql"