Date: Thursday, August 6, 2020 @ 08:42:26 Author: dvzrv Revision: 670679
upgpkg: icecast 2.4.4-2: Rebuild to fix service. Switch to correct license (GPL2). Add sodeps in package() and add the respective packages in makedepends. Remove patch modifying the default configuration file (it forces running the service as root just to drop privileges to nobody, which should never be used for a service like this). Run autoreconf in prepare(). Remove log directory creation and (broken) ownership change from package() (FS#67487). Add sysusers.d and tmpfiles.d integration for the systemd service and less permissive access rights for the configuration file. Harden the systemd service and run it as its own user (icecast). Update maintainer info.
Added:
icecast/trunk/icecast.sysusers
icecast/trunk/icecast.tmpfiles
Modified:
icecast/trunk/PKGBUILD
icecast/trunk/icecast.service
Deleted:
icecast/trunk/start-by-nobody.patch
-----------------------+
PKGBUILD | 74 +++++++++++++++++++++++++++++-------------------
icecast.service | 35 ++++++++++++++++++++++
icecast.sysusers | 1
icecast.tmpfiles | 1
start-by-nobody.patch | 15 ---------
5 files changed, 81 insertions(+), 45 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-08-06 08:41:55 UTC (rev 670678)
+++ PKGBUILD 2020-08-06 08:42:26 UTC (rev 670679)
@@ -1,4 +1,5 @@
-# Maintainer: Lukas Fleischer <lfleisc...@archlinux.org>
+# Maintainer: David Runge <dv...@archlinux.org>
+# Contributor: Lukas Fleischer <lfleisc...@archlinux.org>
# Contributor: Andrea Scarpino <and...@archlinux.org>
# Contributor: Andreas Radke <andy...@archlinux.org>
# Contributor: Jason Chu <j...@xentac.net>
@@ -5,43 +6,58 @@
pkgname=icecast
pkgver=2.4.4
-pkgrel=1
+pkgrel=2
pkgdesc='Streaming audio over the Internet'
arch=('x86_64')
-license=('GPL')
-url='https://www.icecast.org/'
-depends=('libxslt' 'libvorbis' 'curl' 'speex' 'libtheora' 'libkate')
+license=('GPL2')
+url="https://www.icecast.org/"
+depends=('glibc' 'libkate' 'libxml2' 'libxslt' 'openssl' 'speex' 'libtheora')
+makedepends=('curl' 'libogg' 'libvorbis')
backup=('etc/icecast.xml' 'etc/logrotate.d/icecast')
-source=("https://downloads.us.xiph.org/releases/${pkgname}/${pkgname}-${pkgver}.tar.gz"
- 'icecast.logrotate'
- 'start-by-nobody.patch'
- 'icecast.service')
-md5sums=('835c7b571643f6436726a6118defb366'
- '59c6552bcb1dd9fb542af8670dfabd3c'
- 'd8e929d2214123a1954da4383bf16583'
- '0753c15f01dc14852e5d70925fc1f6a0')
+source=(
+ "https://downloads.us.xiph.org/releases/${pkgname}/${pkgname}-${pkgver}.tar.gz"
+ "${pkgname}.logrotate"
+ "${pkgname}.service"
+ "${pkgname}.sysusers"
+ "${pkgname}.tmpfiles"
+)
+sha512sums=('e9ffb478cac2570891787455591d881a59185e067bb36f51706a7070cd9d82d80425ec8cf151f5ebb17d1b75654449fc760f8b82a1bb05f020b47ec09e46b4d0'
+ '1727ec4e66ce2939a6b66c23b2f0938e2e6c717d2753f4d8c05eb31ff211d50f7ce3d38b8fca93b8cb98c1b755a5d8e3baf381fe8eb0624e7e4fe9c7486ad14a'
+ 'debfd3e609d97b3e1297645aaaae2f98851304c02ccaf791d339c40ad4ba02dfaf3dbcff6c455a80a8ad610c53ca388e66922221a3b8d9c2171ff5ea031a4bc1'
+ 'ca0c6e81e84910ac5bcd573aa280224426201b4aa8580f974b17daea6f95472e3ba47b3319ea1291d6762e858a3f7e9120f05357fe02aa83f01bb767862a04c8'
+ 'db3cf00e5ff1e2f5636288992212964f068f94ee98a880c27f00afda44f048e608636a34f2ae551f3cf24f7c43ebd2f40ab8a9bcc5d8057901d4a871c6b79f13')
+b2sums=('fd4034749feb4bf38c684ac6d8de572fdebce875843dc1be286264c8fe8d38feb24ea889b07ec79aada34cf16dae46eb21a8c5470f67c08f2dd56dc04c12130f'
+ '9d4897d84c4be355b04c542fcf5242d5341634eefb0ca8233f8bf944e208f4ba3a2855a922639979541ec55280cdbebbebedb2a3b8a59289d19803bf7d3cdc11'
+ '65bbb1c6e601b92952f7c3ad318ed320eabd6443f6c6f16625fa28ffe1c4977094067169c89564c911673c4a7b881ee86d6dd792eced4ff3f36066ff26db4218'
+ '61c3194a0ca86f19bd4d8153eb3589f0b400549605b588418bc60a5f8a70198d1532f53ca48070385012ef8346bed69b5e1b53d2cf2b803da921414365394224'
+ 'b17bf9b34daa89e32a41be3364ca74f8d2403bc8f6a103e4db51c637b42f9cd0841553b2838ce9dcdb91c3561249f13fca39359636c07f163c90de3945bf1784')
+prepare() {
+ cd "${pkgname}-${pkgver}"
+ autoreconf -vfi
+}
+
build() {
- cd "${srcdir}/${pkgname}-${pkgver}"
-
- patch -Np1 -i "${srcdir}/start-by-nobody.patch"
-
- ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
+ cd "${pkgname}-${pkgver}"
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc \
+ --localstatedir=/var
make
}
package() {
- cd "${srcdir}/${pkgname}-${pkgver}"
-
+ depends+=('libcurl.so' 'libogg.so' 'libvorbis.so')
+ cd "${pkgname}-${pkgver}"
make DESTDIR="${pkgdir}" install
-
- # install logrotate config (taken from Fedora)
- install -Dm644 "${srcdir}/icecast.logrotate" "${pkgdir}/etc/logrotate.d/icecast"
-
- # create log directory
- install -d -g99 -o99 "${pkgdir}/var/log/icecast"
-
- # install systemd unit
- install -Dm0644 "${srcdir}/icecast.service" "${pkgdir}/usr/lib/systemd/system/icecast.service"
+ # logrotate
+ install -vDm 644 "../${pkgname}.logrotate" \
+ "${pkgdir}/etc/logrotate.d/${pkgname}"
+ # systemd unit
+ install -vDm 644 "../${pkgname}.service" \
+ -t "${pkgdir}/usr/lib/systemd/system"
+ install -vDm 644 "../${pkgname}.sysusers" \
+ "${pkgdir}/usr/lib/sysusers.d/${pkgname}.conf"
+ install -vDm 644 "../${pkgname}.tmpfiles" \
+ "${pkgdir}/usr/lib/tmpfiles.d/${pkgname}.conf"
}
Modified: icecast.service
===================================================================
--- icecast.service 2020-08-06 08:41:55 UTC (rev 670678)
+++ icecast.service 2020-08-06 08:42:26 UTC (rev 670679)
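Review bot: package() leaves /etc/icecast.xml at whatever mode `make DESTDIR="${pkgdir}" install` gives it (presumably 0644 — nothing in the hunk changes it), so the 0640 root:icecast tightening announced in the commit message only takes effect once systemd-tmpfiles processes the new tmpfiles.d entry; until that hook or a boot-time run has happened, a file that typically carries the source, relay and admin passwords is world-readable. Ownership has to stay in tmpfiles.d because the icecast group does not exist on the build host, but the mode can be fixed in the package itself with `chmod 640 "${pkgdir}/etc/icecast.xml"` right after the install line. With that in place, a missed tmpfiles run fails closed (the icecast user cannot read its config and the service does not start) instead of leaking credentials.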
@@ -3,9 +3,42 @@
After=network.target
[Service]
-Type=simple
+CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_KILL CAP_SYS_BOOT CAP_LINUX_IMMUTABLE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_IPC_LOCK CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_SYS_PACCT CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM CAP_SYS_NICE CAP_SYS_RESOURCE CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
ExecStart=/usr/bin/icecast -c /etc/icecast.xml
ExecReload=/usr/bin/kill -HUP $MAINPID
+Group=icecast
+IPAccounting=yes
+LogsDirectory=icecast
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/etc/icecast.xml
+RemoveIPC=true
+RestrictAddressFamilies=~AF_AX25 AF_IPX AF_APPLETALK AF_X25 AF_INET6 AF_DECnet AF_KEY AF_NETLINK AF_PACKET AF_RDS AF_PPPOX AF_LLC AF_IB AF_MPLS AF_CAN AF_TIPC AF_BLUETOOTH AF_ALG AF_VSOCK AF_KCM AF_XDP AF_UNIX
+RestrictAddressFamilies=AF_INET
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RuntimeDirectory=icecast
+StandardError=syslog
+StateDirectory=icecast
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+Type=exec
+UMask=177
+User=icecast
[Install]
WantedBy=multi-user.target
Added: icecast.sysusers
===================================================================
--- icecast.sysusers (rev 0)
+++ icecast.sysusers 2020-08-06 08:42:26 UTC (rev 670679)
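Review bot: The CapabilityBoundingSet= deny-list added here enumerates 33 capabilities and has to be kept in sync with the kernel by hand — CAP_BPF, CAP_PERFMON and CAP_CHECKPOINT_RESTORE (Linux 5.8/5.9) are already missing from it — while the unit runs as `User=icecast` with `NoNewPrivileges=true` and no AmbientCapabilities=, so the process never needs a capability at all; the empty allow-list form `CapabilityBoundingSet=` drops everything, cannot drift, and is the form systemd.exec(5) documents for "no capabilities". The two RestrictAddressFamilies= lines also deserve a second look: the deny-list blocks AF_INET6 and AF_UNIX, and as far as I can tell from how systemd merges repeated assignments the following `RestrictAddressFamilies=AF_INET` line does not re-enable them, so an icecast.xml listen-socket bound to an IPv6 address will fail and hostname lookups that reach a local resolver over a UNIX socket (nss-resolve, nscd) may fail too; a single `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` states the intended set explicitly. Smaller points: `ReadOnlyPaths=/etc/icecast.xml` is redundant under `ProtectSystem=strict`, which already mounts /etc read-only, and `StandardError=syslog` is a deprecated alias for the journal in recent systemd.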
@@ -0,0 +1 @@
+u icecast - "Media streaming server" -
Added: icecast.tmpfiles
===================================================================
--- icecast.tmpfiles (rev 0)
+++ icecast.tmpfiles 2020-08-06 08:42:26 UTC (rev 670679)
@@ -0,0 +1 @@
+z /etc/icecast.xml 0640 root icecast -
Deleted: start-by-nobody.patch
===================================================================
--- start-by-nobody.patch 2020-08-06 08:41:55 UTC (rev 670678)
+++ start-by-nobody.patch 2020-08-06 08:42:26 UTC (rev 670679)
@@ -1,15 +0,0 @@
---- icecast-2.3.2/conf/icecast.xml.in~ 2010-11-12 16:47:54.750000918 +0100
-+++ icecast-2.3.2/conf/icecast.xml.in 2010-11-12 16:48:08.086667585 +0100
-@@ -164,11 +164,9 @@
-
- <security>
- <chroot>0</chroot>
-- <!--
- <changeowner>
- <user>nobody</user>
-- <group>nogroup</group>
-+ <group>nobody</group>
- </changeowner>
-- -->
- </security>
- </icecast>