Your message dated Sat, 23 Nov 2019 06:04:13 +0000
with message-id <[email protected]>
and subject line Bug#934186: fixed in shadowsocks-libev 3.3.3+ds-1
has caused the Debian Bug report #934186,
regarding shadowsocks-libev: Do not run daemons as nobody
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
934186: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934186
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: shadowsocks-libev
Version: 3.3.0+ds-1
Severity: important

Please do not run daemons as nobody - nobody is a special user
for NFS to map unknown user ids to. It's also not exclusive to
your service, so other services might be using it.

I'd suggest you use

[Service]
DynamicUser=true

in the systemd services to fix this, so that systemd takes care of
the user management dynamically (this will create users dynamically
while the service is running using the service name (before @) as
the user name).

I might be opening two more bugs soon I guess, they are not ready
yet:

1) please add apparmor profiles

   I currently have

        # cat /etc/apparmor.d/usr.bin.ss-server
        #include <tunables/global>

        /usr/bin/ss-server {
          #include <abstractions/base>
          #include <abstractions/nameservice>
        
          /etc/shadowsocks-libev/*.json r,
          /lib/x86_64-linux-gnu/ld-*.so mr,
          /usr/bin/ss-server mr,
        }

   but this needs a bit more work to be shipped by default IMO.

2) please use systemd service restrictions (capability limiting,
   namespacing, r/o system directories, etc.; systemd-resolved's
   service is a good example). Have not tried that yet.


-- System Information:
Debian Release: buster/sid
  APT prefers eoan
  APT policy: (991, 'eoan'), (500, 'eoan'), (500, 'cosmic-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.2.0-9-generic (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shadowsocks-libev depends on:
ii  libbloom1       1.5-5
ii  libc-ares2      1.15.0-1
ii  libc6           2.29-0ubuntu3
ii  libcap2-bin     1:2.25-2
ii  libcork16       0.15.0+ds-12
ii  libcorkipset1   1.1.1+20150311-8
ii  libev4          1:4.27-1
ii  libmbedcrypto3  2.16.2-1
ii  libpcre3        2:8.39-12
ii  libsodium23     1.0.17-1
ii  lsb-base        10.2019051400ubuntu1

shadowsocks-libev recommends no packages.

Versions of packages shadowsocks-libev suggests:
pn  haveged      <none>
pn  kcptun       <none>
pn  simple-obfs  <none>

-- no debconf information

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

--- End Message ---
--- Begin Message ---
Source: shadowsocks-libev
Source-Version: 3.3.3+ds-1

We believe that the bug you reported is fixed in the latest version of
shadowsocks-libev, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roger Shimizu <[email protected]> (supplier of updated shadowsocks-libev package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 23 Nov 2019 14:29:07 +0900
Source: shadowsocks-libev
Architecture: source
Version: 3.3.3+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Bridges Team <[email protected]>
Changed-By: Roger Shimizu <[email protected]>
Closes: 934186
Changes:
 shadowsocks-libev (3.3.3+ds-1) unstable; urgency=medium
 .
   * debian/*.service:
     - Run service in DynamicUser (Closes: #934186).
   * debian/control:
     - Use tracker mail as maintainer address.
   * debian/copyright:
     - Update copyright year and debian email for my entry.
   * debian/patches:
     - Add a patch to amend shadowsocks-libev.pc.in,
       to remove crypto library dependency. Thanks to lintian.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
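
An added example, not part of the original report or of the Debian package: a small Python check for the problem the report describes, flagging [Service] sections that run as nobody/nogroup, including the case where DynamicUser=true is added but a static User=nobody is left in place. The unit texts are constructed samples and the function names are hypothetical.

```python
import re

# Accounts shared with NFS ID mapping and other services (65534 is the usual numeric ID).
SHARED = {"nobody", "nogroup", "65534"}

def service_settings(unit_text):
    """Effective [Service] settings; a later assignment overrides an earlier one."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_unit(unit_text):
    """Return findings about the identity the service runs as."""
    s = service_settings(unit_text)
    dynamic = s.get("DynamicUser", "").lower() in {"1", "yes", "y", "true", "t", "on"}
    findings = []
    for key in ("User", "Group"):
        if s.get(key) in SHARED:
            note = f"{key}={s[key]}: shared account"
            if dynamic:
                # systemd uses an existing static account of that name
                # instead of allocating a dynamic one.
                note += ", DynamicUser= does not replace it"
            findings.append(note)
    if not dynamic and not s.get("User"):
        findings.append("no User= or DynamicUser=: a system service runs as root")
    return findings

# Constructed unit texts, not the files shipped in the Debian package.
BEFORE = "[Service]\nUser=nobody\nGroup=nogroup\nExecStart=/usr/bin/ss-server\n"
AFTER = "[Service]\nDynamicUser=true\nExecStart=/usr/bin/ss-server\n"
MIXED = "[Service]\nDynamicUser=true\nUser=nobody\nExecStart=/usr/bin/ss-server\n"

if __name__ == "__main__":
    for name, text in (("BEFORE", BEFORE), ("AFTER", AFTER), ("MIXED", MIXED)):
        print(name, audit_unit(text) or "ok")
```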
