authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2016-02-16 22:42:24 +0200
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2016-02-16 22:43:15 +0200
commitb1766033fc58fdd64b129a10590144126a193aef (patch)
tree780db8649c85fcbcc73c207596aa86567889b16a
parent1906d6925ee4e8d5e29149c0166790abec5b6fde (diff)
main/zoneminder: harden file permissions
-rw-r--r--main/zoneminder/0001-security-hardening-make-static-files-non-writable-by.patch58
-rw-r--r--main/zoneminder/APKBUILD6
2 files changed, 63 insertions, 1 deletions
diff --git a/main/zoneminder/0001-security-hardening-make-static-files-non-writable-by.patch b/main/zoneminder/0001-security-hardening-make-static-files-non-writable-by.patch
new file mode 100644
index 000000000..10b71f185
--- /dev/null
+++ b/main/zoneminder/0001-security-hardening-make-static-files-non-writable-by.patch
@@ -0,0 +1,58 @@
+From caead923a7d539622ba7aa508918e6e5f1e07983 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Tue, 16 Feb 2016 22:30:45 +0200
+Subject: [PATCH] security hardening: make static files non-writable by webuser
+
+---
+ Makefile.am | 2 +-
+ src/Makefile.am | 2 +-
+ web/Makefile.am | 4 +---
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 62f767e..b7e69e6 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -27,7 +27,7 @@ EXTRA_DIST = \
+
+ # Yes, you are correct. This is a HACK!
+ install-data-hook:
+- ( cd $(DESTDIR)$(zmconfigdir); chown $(webuser):$(webgroup) $(zmconfig_DATA); chmod 600 $(zmconfig_DATA) )
++ ( cd $(DESTDIR)$(zmconfigdir); chgrp $(webgroup) $(zmconfig_DATA); chmod 640 $(zmconfig_DATA) )
+ ( if ! test -e $(DESTDIR)$(ZM_RUNDIR); then mkdir -p $(DESTDIR)$(ZM_RUNDIR); fi; if test "$(DESTDIR)$(ZM_RUNDIR)" != "/var/run"; then chown $(webuser):$(webgroup) $(DESTDIR)$(ZM_RUNDIR); chmod u+w $(DESTDIR)$(ZM_RUNDIR); fi )
+ ( if ! test -e $(DESTDIR)$(ZM_SOCKDIR); then mkdir -p $(DESTDIR)$(ZM_SOCKDIR); fi; if test "$(DESTDIR)$(ZM_SOCKDIR)" != "/var/run"; then chown $(webuser):$(webgroup) $(DESTDIR)$(ZM_SOCKDIR); chmod u+w $(DESTDIR)$(ZM_SOCKDIR); fi )
+ ( if ! test -e $(DESTDIR)$(ZM_TMPDIR); then mkdir -m 700 -p $(DESTDIR)$(ZM_TMPDIR); fi; if test "$(DESTDIR)$(ZM_TMPDIR)" != "/tmp" && test "$(DESTDIR)$(ZM_TMPDIR)" != "/var/tmp"; then chown $(webuser):$(webgroup) $(DESTDIR)$(ZM_TMPDIR); chmod u+w $(DESTDIR)$(ZM_TMPDIR); fi )
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 9314daa..26c9934 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -128,7 +128,7 @@ dist-hook:
+ # Yes, you are correct. This is a HACK!
+ install-exec-hook:
+ ( cd $(DESTDIR)@bindir@; mkdir -p $(DESTDIR)$(cgidir); mv zms $(DESTDIR)$(cgidir) )
+- ( cd $(DESTDIR)$(cgidir); chown $(webuser):$(webgroup) zms; ln -f zms nph-zms )
++ ( cd $(DESTDIR)$(cgidir); ln -f zms nph-zms )
+
+ uninstall-hook:
+ ( cd $(DESTDIR)$(cgidir); rm -f zms nph-zms )
+diff --git a/web/Makefile.am b/web/Makefile.am
+index 077a4ff..3538c67 100644
+--- a/web/Makefile.am
++++ b/web/Makefile.am
+@@ -22,12 +22,10 @@ dist_web_DATA = \
+
+ # Yes, you are correct. This is a HACK!
+ install-data-hook:
+- ( cd $(DESTDIR)$(webdir); chown $(webuser):$(webgroup) $(dist_web_DATA) )
+- ( cd $(DESTDIR)$(webdir); chown -R $(webuser):$(webgroup) $(SUBDIRS) )
+ @-( cd $(DESTDIR)$(webdir); if ! test -e events; then mkdir events; fi; chown $(webuser):$(webgroup) events; chmod u+w events )
+ @-( cd $(DESTDIR)$(webdir); if ! test -e images; then mkdir images; fi; chown $(webuser):$(webgroup) images; chmod u+w images )
+ @-( cd $(DESTDIR)$(webdir); if ! test -e sounds; then mkdir sounds; fi; chown $(webuser):$(webgroup) sounds; chmod u+w sounds )
+- @-( cd $(DESTDIR)$(webdir); if ! test -e tools; then mkdir tools; fi; chown $(webuser):$(webgroup) tools; chmod u+w tools )
++ @-( cd $(DESTDIR)$(webdir); if ! test -e tools; then mkdir tools; fi )
+ @-( cd $(DESTDIR)$(webdir); if ! test -e temp; then mkdir temp; fi; chown $(webuser):$(webgroup) temp; chmod u+w temp )
+
+ uninstall-hook:
+--
+2.5.0
+
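Review bot: In the root Makefile.am `install-data-hook`, the new `chgrp`/`chmod 640` line still chains with `;` after `cd $(DESTDIR)$(zmconfigdir)`, so if the `cd` fails the group and mode changes land on same-named files in the directory the recipe started in; `( cd $(DESTDIR)$(zmconfigdir) && chgrp $(webgroup) $(zmconfig_DATA) && chmod 640 $(zmconfig_DATA) )` would stop at the first failure. The rewritten `tools` line in web/Makefile.am has the same `cd …;` shape, and its `@-` prefix also hides and ignores any error. Mode 640 with group `$(webgroup)` makes the config readable by every member of that group, which matters if the file carries database credentials (likely, but not visible here) and the group is shared with other web applications. A one-line comment above each hook, such as `# static files stay installer-owned; only events, images, sounds and temp are writable by $(webuser)`, would keep later edits from reintroducing the chown. The root hook may continue past the context shown.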
diff --git a/main/zoneminder/APKBUILD b/main/zoneminder/APKBUILD
index 6d2ecfa23..84a29a765 100644
--- a/main/zoneminder/APKBUILD
+++ b/main/zoneminder/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
pkgname=zoneminder
pkgver=1.29.0
-pkgrel=4
+pkgrel=5
pkgdesc="Video camera surveillance system"
url="http://www.zoneminder.com/"
arch="x86_64"
@@ -22,6 +22,7 @@ subpackages=$pkgname-doc
source="zoneminder-$pkgver.tar.gz::https://github.com/ZoneMinder/ZoneMinder/archive/v${pkgver}.tar.gz
$pkgname.initd
musl-fix.patch
+ 0001-security-hardening-make-static-files-non-writable-by.patch
0001-zm_monitor-fix-overlap-in-memcpy-buffers.patch
zm-additional.sql"
@@ -88,15 +89,18 @@ package() {
md5sums="b4de8dd3fd86fc72e929e116e926d901 zoneminder-1.29.0.tar.gz
ab1fe4fb2392b82acf18ca8412fb927f zoneminder.initd
b95482fefbf22e8a89fb061805d05f03 musl-fix.patch
+c7b793be7b48685197acfb5b79470f2c 0001-security-hardening-make-static-files-non-writable-by.patch
1429766dc44764dc77c735f4320b5a44 0001-zm_monitor-fix-overlap-in-memcpy-buffers.patch
24359849eef7c5293f63136e704fdca4 zm-additional.sql"
sha256sums="34e1f0d4b616e320e557f8e3fbe278d3ab70f30f6278cc153b44f2193c85ddbd zoneminder-1.29.0.tar.gz
887174a6d1489bdcfbadf760758b14ef4e184dfcae728e15cb0e697e61e1c42f zoneminder.initd
829551a83e62ff84fcba7a0f88105a0b6d15d89a66e1e98dc50098c30c48672f musl-fix.patch
+7090caf93886b01032a8c4e5585f37e6a3e7ac59cdfdfddfd8150c03dacfd93f 0001-security-hardening-make-static-files-non-writable-by.patch
a830478a806e36d41016d3c2663d892fafa65b580d3bccccc131fe114c842834 0001-zm_monitor-fix-overlap-in-memcpy-buffers.patch
dea3a1b493bc7d7dbe9c431f565b9e916fb8a8bd29fcd74947b14592ef7f4494 zm-additional.sql"
sha512sums="71a397df83c92de3b977832bb0a11791a3a756e7219e0cf3dc6c5c30fa0dd488ea00a925433669bf4e79873df980a852f2c805d1b7c9c8a06b6c39b9a16a2fda zoneminder-1.29.0.tar.gz
fa993a86c21697467c8f63ce584531f8e2c3da977b65e6557161b4b91807b1c78b14fb64f6f54c50fddcb51b54bae6dff45776f5a69bfcc635a5c2927a292b57 zoneminder.initd
b2c4e31fd0a31f034be3029eab4f2943e07e95e64bb2d8eb38d93b790059d694a9a007e98b0f9b4c47ecfe91296bc21a3795b8a4aaf5b2a83071251456e533da musl-fix.patch
+a7e58312c804f58ac41ee569fefffa99e65beba29f07eff36fb3cf2aa4fd68e1fc903feb73ab0c1fc6c58442251076042b537ab21156b956d7854a86bde14307 0001-security-hardening-make-static-files-non-writable-by.patch
8a35bfc782792ca559d6cf78e3e17f0caa45e19981cea12090b4f0ececa98bd9a121d2918e06e991ae5c06ab876ffddc94cd4f9db640f510314a3d09a6d90b4c 0001-zm_monitor-fix-overlap-in-memcpy-buffers.patch
0bb99af417441e2c12cb3b8c00ecb8d76bdc343d39092a222841ae0bd684eeba1783a8bccf5630dae56f64992f8a09ec16e0cbc7069665e1ee3b62dd3f96c3a9 zm-additional.sql"