Date: Thursday, August 6, 2020 @ 08:42:26
  Author: dvzrv
Revision: 670679

upgpkg: icecast 2.4.4-2: Rebuild to fix service.

Switch to correct license (GPL2).
Add sodeps in package() and add the respective packages in makedepends.
Remove patch modifying the default configuration file (it forces running the 
service as root just to drop privileges to nobody, which should never be used 
for a service like this).
Run autoreconf in prepare().
Remove log directory creation and (broken) ownership change from package() 
(FS#67487).
Add sysusers.d and tmpfiles.d integration for the systemd service and less 
permissive access rights for the configuration file.
Harden the systemd service and run it as its own user (icecast).
Update maintainer info.

Added:
  icecast/trunk/icecast.sysusers
  icecast/trunk/icecast.tmpfiles
Modified:
  icecast/trunk/PKGBUILD
  icecast/trunk/icecast.service
Deleted:
  icecast/trunk/start-by-nobody.patch

-----------------------+
 PKGBUILD              |   74 +++++++++++++++++++++++++++++-------------------
 icecast.service       |   35 ++++++++++++++++++++++
 icecast.sysusers      |    1 
 icecast.tmpfiles      |    1 
 start-by-nobody.patch |   15 ---------
 5 files changed, 81 insertions(+), 45 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2020-08-06 08:41:55 UTC (rev 670678)
+++ PKGBUILD    2020-08-06 08:42:26 UTC (rev 670679)
@@ -1,4 +1,5 @@
-# Maintainer: Lukas Fleischer <lfleisc...@archlinux.org>
+# Maintainer: David Runge <dv...@archlinux.org>
+# Contributor: Lukas Fleischer <lfleisc...@archlinux.org>
 # Contributor: Andrea Scarpino <and...@archlinux.org>
 # Contributor: Andreas Radke <andy...@archlinux.org>
 # Contributor: Jason Chu <j...@xentac.net>
@@ -5,43 +6,58 @@
 
 pkgname=icecast
 pkgver=2.4.4
-pkgrel=1
+pkgrel=2
 pkgdesc='Streaming audio over the Internet'
 arch=('x86_64')
-license=('GPL')
-url='https://www.icecast.org/'
-depends=('libxslt' 'libvorbis' 'curl' 'speex' 'libtheora' 'libkate')
+license=('GPL2')
+url="https://www.icecast.org/";
+depends=('glibc' 'libkate' 'libxml2' 'libxslt' 'openssl' 'speex' 'libtheora')
+makedepends=('curl' 'libogg' 'libvorbis')
 backup=('etc/icecast.xml'
         'etc/logrotate.d/icecast')
-source=("https://downloads.us.xiph.org/releases/${pkgname}/${pkgname}-${pkgver}.tar.gz";
-        'icecast.logrotate'
-        'start-by-nobody.patch'
-        'icecast.service')
-md5sums=('835c7b571643f6436726a6118defb366'
-         '59c6552bcb1dd9fb542af8670dfabd3c'
-         'd8e929d2214123a1954da4383bf16583'
-         '0753c15f01dc14852e5d70925fc1f6a0')
+source=(
+  
"https://downloads.us.xiph.org/releases/${pkgname}/${pkgname}-${pkgver}.tar.gz";
+  "${pkgname}.logrotate"
+  "${pkgname}.service"
+  "${pkgname}.sysusers"
+  "${pkgname}.tmpfiles"
+)
+sha512sums=('e9ffb478cac2570891787455591d881a59185e067bb36f51706a7070cd9d82d80425ec8cf151f5ebb17d1b75654449fc760f8b82a1bb05f020b47ec09e46b4d0'
+            
'1727ec4e66ce2939a6b66c23b2f0938e2e6c717d2753f4d8c05eb31ff211d50f7ce3d38b8fca93b8cb98c1b755a5d8e3baf381fe8eb0624e7e4fe9c7486ad14a'
+            
'debfd3e609d97b3e1297645aaaae2f98851304c02ccaf791d339c40ad4ba02dfaf3dbcff6c455a80a8ad610c53ca388e66922221a3b8d9c2171ff5ea031a4bc1'
+            
'ca0c6e81e84910ac5bcd573aa280224426201b4aa8580f974b17daea6f95472e3ba47b3319ea1291d6762e858a3f7e9120f05357fe02aa83f01bb767862a04c8'
+            
'db3cf00e5ff1e2f5636288992212964f068f94ee98a880c27f00afda44f048e608636a34f2ae551f3cf24f7c43ebd2f40ab8a9bcc5d8057901d4a871c6b79f13')
+b2sums=('fd4034749feb4bf38c684ac6d8de572fdebce875843dc1be286264c8fe8d38feb24ea889b07ec79aada34cf16dae46eb21a8c5470f67c08f2dd56dc04c12130f'
+        
'9d4897d84c4be355b04c542fcf5242d5341634eefb0ca8233f8bf944e208f4ba3a2855a922639979541ec55280cdbebbebedb2a3b8a59289d19803bf7d3cdc11'
+        
'65bbb1c6e601b92952f7c3ad318ed320eabd6443f6c6f16625fa28ffe1c4977094067169c89564c911673c4a7b881ee86d6dd792eced4ff3f36066ff26db4218'
+        
'61c3194a0ca86f19bd4d8153eb3589f0b400549605b588418bc60a5f8a70198d1532f53ca48070385012ef8346bed69b5e1b53d2cf2b803da921414365394224'
+        
'b17bf9b34daa89e32a41be3364ca74f8d2403bc8f6a103e4db51c637b42f9cd0841553b2838ce9dcdb91c3561249f13fca39359636c07f163c90de3945bf1784')
 
+prepare() {
+  cd "${pkgname}-${pkgver}"
+  autoreconf -vfi
+}
+
 build() {
-  cd "${srcdir}/${pkgname}-${pkgver}"
-
-  patch -Np1 -i "${srcdir}/start-by-nobody.patch"
-
-  ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
+  cd "${pkgname}-${pkgver}"
+  ./configure --prefix=/usr \
+              --sysconfdir=/etc \
+              --localstatedir=/var
   make
 }
 
 package() {
-  cd "${srcdir}/${pkgname}-${pkgver}"
-
+  depends+=('libcurl.so' 'libogg.so' 'libvorbis.so')
+  cd "${pkgname}-${pkgver}"
   make DESTDIR="${pkgdir}" install
-
-  # install logrotate config (taken from Fedora)
-  install -Dm644 "${srcdir}/icecast.logrotate" 
"${pkgdir}/etc/logrotate.d/icecast"
-
-  # create log directory
-  install -d -g99 -o99 "${pkgdir}/var/log/icecast"
-
-  # install systemd unit
-  install -Dm0644 "${srcdir}/icecast.service" 
"${pkgdir}/usr/lib/systemd/system/icecast.service"
+  # logrotate
+  install -vDm 644 "../${pkgname}.logrotate" \
+    "${pkgdir}/etc/logrotate.d/${pkgname}"
+  # systemd unit
+  install -vDm 644 "../${pkgname}.service" \
+    -t "${pkgdir}/usr/lib/systemd/system"
+  install -vDm 644 "../${pkgname}.sysusers" \
+    "${pkgdir}/usr/lib/sysusers.d/${pkgname}.conf"
+  install -vDm 644 "../${pkgname}.tmpfiles" \
+    "${pkgdir}/usr/lib/tmpfiles.d/${pkgname}.conf"
 }
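Review bot: Nothing in this hunk tells existing installations that the privilege model changed. `/etc/icecast.xml` is listed in `backup=`, so a locally modified copy survives the upgrade and still carries the `<changeowner>` block that the removed start-by-nobody.patch enabled, and the log directory created by the old `install -d -g99 -o99` line stays owned by uid/gid 99 until something re-owns it. With the unit now starting the daemon unprivileged, that block presumably can no longer take effect, and how icecast reacts to the failed ownership change is not visible here. Consider adding `install="${pkgname}.install"` with a short `post_upgrade()` message that asks admins to comment out `<changeowner>` and check the ownership of `/var/log/icecast`.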

Modified: icecast.service
===================================================================
--- icecast.service     2020-08-06 08:41:55 UTC (rev 670678)
+++ icecast.service     2020-08-06 08:42:26 UTC (rev 670679)
@@ -3,9 +3,42 @@
 After=network.target
 
 [Service]
-Type=simple
+CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN 
CAP_SYS_PTRACE CAP_KILL CAP_SYS_BOOT CAP_LINUX_IMMUTABLE CAP_CHOWN CAP_FSETID 
CAP_SETFCAP CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_IPC_LOCK CAP_SYS_CHROOT 
CAP_BLOCK_SUSPEND CAP_LEASE CAP_SYS_PACCT CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM 
CAP_SYS_NICE CAP_SYS_RESOURCE CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH 
CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_MAC_ADMIN CAP_MAC_OVERRIDE 
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
 ExecStart=/usr/bin/icecast -c /etc/icecast.xml
 ExecReload=/usr/bin/kill -HUP $MAINPID
+Group=icecast
+IPAccounting=yes
+LogsDirectory=icecast
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/etc/icecast.xml
+RemoveIPC=true
+RestrictAddressFamilies=~AF_AX25 AF_IPX AF_APPLETALK AF_X25 AF_INET6 AF_DECnet 
AF_KEY AF_NETLINK AF_PACKET AF_RDS AF_PPPOX AF_LLC AF_IB AF_MPLS AF_CAN AF_TIPC 
AF_BLUETOOTH AF_ALG AF_VSOCK AF_KCM AF_XDP AF_UNIX
+RestrictAddressFamilies=AF_INET
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RuntimeDirectory=icecast
+StandardError=syslog
+StateDirectory=icecast
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+Type=exec
+UMask=177
+User=icecast
 
 [Install]
 WantedBy=multi-user.target
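Review bot: The two `RestrictAddressFamilies=` lines build a deny-list, not an allow-list. The first assignment starts with `~`, so as I read systemd's merge rules the following `RestrictAddressFamilies=AF_INET` only removes AF_INET from a deny-list it was never in, and any family not enumerated stays reachable. A single `RestrictAddressFamilies=AF_INET` fails closed and is easier to audit; use `AF_INET AF_INET6` if IPv6 listeners should keep working, since the current list blocks AF_INET6. The same applies to `CapabilityBoundingSet=~…`: the unit runs as `User=icecast` with `NoNewPrivileges=true`, so an empty `CapabilityBoundingSet=` expresses the intent without relying on the list staying complete as kernels add capabilities. The `[Unit]` header of the file is outside this hunk.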

Added: icecast.sysusers
===================================================================
--- icecast.sysusers                            (rev 0)
+++ icecast.sysusers    2020-08-06 08:42:26 UTC (rev 670679)
@@ -0,0 +1 @@
+u icecast - "Media streaming server" -

Added: icecast.tmpfiles
===================================================================
--- icecast.tmpfiles                            (rev 0)
+++ icecast.tmpfiles    2020-08-06 08:42:26 UTC (rev 670679)
@@ -0,0 +1 @@
+z /etc/icecast.xml 0640 root icecast -
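Review bot: The `z` entry tightens `/etc/icecast.xml` only when systemd-tmpfiles runs, so the file inside the package keeps whatever mode `make install` gave it, presumably world-readable. Because that file holds the stream source and admin passwords, package() could also restrict it at build time so the default is closed even if the tmpfiles step is skipped, for example `chmod 600 "${pkgdir}/etc/icecast.xml"`; the `z` line would then still widen it to `0640 root icecast`. A one-line comment in this file, such as `# icecast.xml contains credentials; readable by root and the icecast group only`, would record why the entry exists.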

Deleted: start-by-nobody.patch
===================================================================
--- start-by-nobody.patch       2020-08-06 08:41:55 UTC (rev 670678)
+++ start-by-nobody.patch       2020-08-06 08:42:26 UTC (rev 670679)
@@ -1,15 +0,0 @@
---- icecast-2.3.2/conf/icecast.xml.in~ 2010-11-12 16:47:54.750000918 +0100
-+++ icecast-2.3.2/conf/icecast.xml.in  2010-11-12 16:48:08.086667585 +0100
-@@ -164,11 +164,9 @@
- 
-     <security>
-         <chroot>0</chroot>
--        <!--
-         <changeowner>
-             <user>nobody</user>
--            <group>nogroup</group>
-+            <group>nobody</group>
-         </changeowner>
--        -->
-     </security>
- </icecast>
