Date: Saturday, February 3, 2018 @ 18:06:09 Author: seblu Revision: 288806
upgpkg: sslh 1.19b-1 Modified: sslh/trunk/PKGBUILD sslh/trunk/sslh-fork.service sslh/trunk/sslh-select.service sslh/trunk/sslh.cfg sslh/trunk/sslh.install sslh/trunk/sslh.service Deleted: sslh/trunk/sslh-fork.service.next sslh/trunk/sslh-select.service.next sslh/trunk/sslh.conf --------------------------+ PKGBUILD | 20 +++++--------------- sslh-fork.service | 22 +++++++++++++++++++--- sslh-fork.service.next | 12 ------------ sslh-select.service | 23 ++++++++++++++++++++--- sslh-select.service.next | 11 ----------- sslh.cfg | 10 +--------- sslh.conf | 29 ----------------------------- sslh.install | 5 ++++- sslh.service | 18 ++++++++++++++---- 9 files changed, 63 insertions(+), 87 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2018-02-03 17:45:10 UTC (rev 288805) +++ PKGBUILD 2018-02-03 18:06:09 UTC (rev 288806) @@ -16,7 +16,6 @@ install=$pkgname.install source=("https://www.rutschle.net/tech/sslh/$pkgname-v$pkgver.tar.gz"{,.asc} 'sslh.cfg' - 'sslh.sysusers' 'sslh.service' 'sslh-select.service' 'sslh-fork.service') @@ -23,24 +22,16 @@ validpgpkeys=('CDDDBADBEA4B72748E007D326C056F7AC7934136') # Yves Rutschle <y...@rutschle.net> md5sums=('33e371c978614638b4c0db4e40afa5c4' 'SKIP' - 'd5405c7ca7e1813e4d49a473e5834640' - 'f39544277a30595d4b7476b3f87ebbcf' - 'e66490eacc9cb586e48e4e0562ac25e3' - '0f3f9e3ac2ac4b576d684b21b566aeb9' - '4e64f0850ec9bd44071ae8d5369316e5') + '67a119213538aabf5d70a756ae7a99d0' + 'ecbb46c46874d7b620202926d36b8478' + '2b98633ee61bc5a809a4f75479628b2f' + 'ca5ec0adf9149f1db4e09af659391659') build() { cd $pkgname-v$pkgver - #FIXME: https://github.com/yrutschle/sslh/issues/103 - #export CFLAGS='' make VERSION=\"v$pkgver\" USELIBCAP=1 USESYSTEMD=1 all systemd-sslh-generator } -#check() { -# cd $pkgname-v$pkgver -# make test -#} - package() { # default arch config install -Dm 644 sslh.cfg "$pkgdir/etc/sslh.cfg" @@ -57,11 +48,10 @@ install -Dm 644 basic.cfg "$pkgdir/usr/share/doc/$pkgname/basic.cfg" install -Dm 644 example.cfg "$pkgdir/usr/share/doc/$pkgname/example.cfg" # systemd - install -dm 755 "$pkgdir"/usr/lib/{systemd/system,sysusers.d} + install -dm 755 "$pkgdir"/usr/lib/systemd/{system,system-generators} install -Dm 755 systemd-sslh-generator "$pkgdir/usr/lib/systemd/system-generators/systemd-sslh-generator" cd "$pkgdir" install -Dm 644 "$srcdir"/sslh{,-fork,-select}.service usr/lib/systemd/system - install -Dm 644 "$srcdir"/sslh.sysusers usr/lib/sysusers.d/sslh.conf } # vim:set ts=2 sw=2 et: Modified: sslh-fork.service =================================================================== --- sslh-fork.service 2018-02-03 17:45:10 UTC (rev 288805) +++ sslh-fork.service 2018-02-03 18:06:09 UTC (rev 288806) @@ -1,11 +1,27 @@ [Unit] -Description=SSL/SSH multiplexer +Description=SSL/SSH multiplexer (fork mode) +Conflicts=sslh-select.service sslh.socket After=network.target [Service] -ExecStart=/usr/bin/sslh-fork -F/etc/sslh.conf +ExecStart=/usr/bin/sslh-fork --config --foreground KillMode=process -PIDFile=/run/sslh.pid +ProtectSystem=strict +ProtectHome=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectControlGroups=true +PrivateTmp=true +PrivateDevices=true +SecureBits=noroot-locked +MountFlags=private +NoNewPrivileges=true +CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +MemoryDenyWriteExecute=true +User=sslh +DynamicUser=true [Install] WantedBy=multi-user.target Deleted: sslh-fork.service.next =================================================================== --- sslh-fork.service.next 2018-02-03 17:45:10 UTC (rev 288805) +++ sslh-fork.service.next 2018-02-03 18:06:09 UTC (rev 288806) @@ -1,12 +0,0 @@ -[Unit] -Description=SSL/SSH multiplexer (fork mode) -Conflicts=sslh-select.service sslh.socket -After=network.target - -[Service] -ExecStart=/usr/bin/sslh-fork -F -KillMode=process -PIDFile=/run/sslh.pid - -[Install] -WantedBy=multi-user.target Modified: sslh-select.service =================================================================== --- sslh-select.service 2018-02-03 17:45:10 UTC (rev 288805) +++ sslh-select.service 2018-02-03 18:06:09 UTC (rev 288806) @@ -1,10 +1,27 @@ [Unit] -Description=SSL/SSH multiplexer +Description=SSL/SSH multiplexer (select mode) +Conflicts=sslh-fork.service sslh.socket After=network.target [Service] -ExecStart=/usr/bin/sslh-select -F/etc/sslh.conf -PIDFile=/run/sslh.pid +ExecStart=/usr/bin/sslh-select --config --foreground +KillMode=process +ProtectSystem=strict +ProtectHome=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectControlGroups=true +PrivateTmp=true +PrivateDevices=true +SecureBits=noroot-locked +MountFlags=private +NoNewPrivileges=true +CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +MemoryDenyWriteExecute=true +User=sslh +DynamicUser=true [Install] WantedBy=multi-user.target Deleted: sslh-select.service.next =================================================================== --- sslh-select.service.next 2018-02-03 17:45:10 UTC (rev 288805) +++ sslh-select.service.next 2018-02-03 18:06:09 UTC (rev 288806) @@ -1,11 +0,0 @@ -[Unit] -Description=SSL/SSH multiplexer (select mode) -Conflicts=sslh-fork.service sslh.socket -After=network.target - -[Service] -ExecStart=/usr/bin/sslh-select -F -PIDFile=/run/sslh.pid - -[Install] -WantedBy=multi-user.target Modified: sslh.cfg =================================================================== --- sslh.cfg 2018-02-03 17:45:10 UTC (rev 288805) +++ sslh.cfg 2018-02-03 18:06:09 UTC (rev 288806) @@ -1,19 +1,11 @@ # Default Arch configuration # You can find more examples in /usr/share/doc/sslh -verbose: false; -foreground: true; -inetd: false; -numeric: false; -transparent: false; timeout: 2; -user: "sslh"; -pidfile: "/run/sslh.pid"; - listen: ( - { host: "::0"; port: "443"; } + { host: "0.0.0.0"; port: "443"; } ); protocols: Deleted: sslh.conf =================================================================== --- sslh.conf 2018-02-03 17:45:10 UTC (rev 288805) +++ sslh.conf 2018-02-03 18:06:09 UTC (rev 288806) @@ -1,29 +0,0 @@ -# Default Arch configuration -# You can find more examples in /usr/share/doc/sslh - -verbose: false; -foreground: true; -inetd: false; -numeric: false; -transparent: false; -timeout: 2; -user: "sslh"; -pidfile: "/run/sslh.pid"; - - -listen: -( - { host: "::0"; port: "443"; } -); - -protocols: -( - { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; probe: "builtin"; }, - { name: "openvpn"; host: "localhost"; port: "1194"; probe: "builtin"; }, - { name: "xmpp"; host: "localhost"; port: "5222"; probe: "builtin"; }, - { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; }, - { name: "ssl"; host: "localhost"; port: "8443"; probe: "builtin"; }, - { name: "anyprot"; host: "localhost"; port: "8443"; probe: "builtin"; } -); - -# vim:set ts=4 sw=4 et: Modified: sslh.install =================================================================== --- sslh.install 2018-02-03 17:45:10 UTC (rev 288805) +++ sslh.install 2018-02-03 18:06:09 UTC (rev 288806) @@ -16,7 +16,10 @@ if (( "$(vercmp $2 1.19b)" < 0 )); then cat << EOF ===> Default config path is now /etc/sslh.cfg (as required by systemd generator) -===> Rename your /etc/sslh.conf into /etc/sslh.cfg +=====> Rename your /etc/sslh.conf into /etc/sslh.cfg +===> sslh unit files security has been improved. +=====> You may need to remove the PIDfile option in your /etc/sslh.cfg. +===> sslh user is now created at unit startup (via DynamicUser) EOF fi } Modified: sslh.service =================================================================== --- sslh.service 2018-02-03 17:45:10 UTC (rev 288805) +++ sslh.service 2018-02-03 18:06:09 UTC (rev 288806) @@ -5,11 +5,21 @@ PartOf=sslh.socket [Service] -ExecStart=/usr/bin/sslh -F -f -P/tmp/pid +ExecStart=/usr/bin/sslh --config --foreground KillMode=process -CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SETGID CAP_SETUID +ProtectSystem=strict +ProtectHome=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectControlGroups=true PrivateTmp=true PrivateDevices=true -ProtectSystem=full -ProtectHome=true +SecureBits=noroot-locked +MountFlags=private +NoNewPrivileges=true +CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +MemoryDenyWriteExecute=true User=sslh +DynamicUser=true