From d3df6110c86376c1511660a3f4ba74774dc6d351 Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Sun, 3 May 2020 12:15:01 +0200 Subject: [PATCH] freeswitch-stable: improve init script This is in response to a posting on oss-security ([1]). This commit removes the ability to choose a user/group via /etc/config/freeswitch. This makes the init script simpler. If anybody wants to play around with the user/group, then it's up to them to fix the permissions. The complex awk script is deleted and replaced by two for-loops, basically. The first loop creates "/var/lib/freeswitch" and "/var/run/freeswitch" and chowns them to freeswitch, in case they don't exist already. The second loop checks if the other directories (either the default ones or the ones specified by the user) exist. If any is missing it uses "su" to create that directory as user "freeswitch". The reasoning behind this is that a) this works for the defaults (example: "/tmp/freeswitch/db") and b) the user can specify anything he/she wants in "/etc/config/freeswitch", which could be all kinds of strange directories. "mkdir" may now fail, as we're not calling it as root anymore, but we err on the side of caution, as the saying goes. Calls to "chmod" are eliminated. Instead the desired mode is provided to "mkdir". The latter applies the mode only to the final directory. Possible parent directories are created with the regular umask alone. A dependency on the "su" utility is added to the Makefile. "local" also gets removed because it is undefined in POSIX. [1] https://www.openwall.com/lists/oss-security/2020/04/30/1 Signed-off-by: Sebastian Kemper --- net/freeswitch-stable/Makefile | 5 +- net/freeswitch-stable/files/freeswitch.conf | 2 - net/freeswitch-stable/files/freeswitch.init | 103 ++++++-------------- 3 files changed, 34 insertions(+), 76 deletions(-) diff --git a/net/freeswitch-stable/Makefile b/net/freeswitch-stable/Makefile index 4f32c21..334121a 100644 --- a/net/freeswitch-stable/Makefile 
+++ b/net/freeswitch-stable/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PRG_NAME:=freeswitch PKG_NAME:=$(PRG_NAME)-stable PKG_VERSION:=1.10.2 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_MAINTAINER:=Sebastian Kemper PKG_SOURCE:=$(PRG_NAME)-$(PKG_VERSION).-release.tar.xz @@ -366,9 +366,10 @@ $(call Package/$(PKG_NAME)/Default) MENU:=1 USERID:=$(PRG_NAME)=372:$(PRG_NAME)=372 DEPENDS:= \ - +@OPENSSL_WITH_DEPRECATED \ $(CXX_DEPENDS) \ $(ICONV_DEPENDS) \ + +!BUSYBOX_DEFAULT_SU:shadow-su \ + +@OPENSSL_WITH_DEPRECATED \ +FS_STABLE_WITH_FREETYPE:libfreetype \ +FS_STABLE_WITH_ODBC:unixodbc \ +FS_STABLE_WITH_PNG:libpng \ diff --git a/net/freeswitch-stable/files/freeswitch.conf b/net/freeswitch-stable/files/freeswitch.conf index d7c591a..c2e48ca 100644 --- a/net/freeswitch-stable/files/freeswitch.conf +++ b/net/freeswitch-stable/files/freeswitch.conf @@ -1,8 +1,6 @@ config freeswitch 'general' option enabled '0' - option user 'freeswitch' - option group 'freeswitch' option log_stderr '1' option log_stdout '1' option options '-nonat -np' diff --git a/net/freeswitch-stable/files/freeswitch.init b/net/freeswitch-stable/files/freeswitch.init index aeab073..12d7ec6 100644 --- a/net/freeswitch-stable/files/freeswitch.init +++ b/net/freeswitch-stable/files/freeswitch.init @@ -13,26 +13,9 @@ COMMAND=/usr/bin/$NAME LOGGER="/usr/bin/logger -p user.err -s -t $NAME --" start_service() { - local dir - local enabled - - local user - local group - - local log_stderr - local log_stdout - - local dir_cache - local dir_db - local dir_etc=/etc/$NAME - local dir_localstate=/var/lib/$NAME - local dir_log - local dir_recordings - local dir_run=/var/run/$NAME - local dir_storage - local dir_temp - - local options + dir_etc=/etc/$NAME + dir_localstate=/var/lib/$NAME + dir_run=/var/run/$NAME config_load $NAME 
@@ -42,9 +25,6 @@ start_service() { exit 1 fi - config_get user general user $NAME - config_get group general group $NAME - config_get_bool log_stderr general log_stderr 1 config_get_bool log_stdout general log_stdout 1 @@ -55,54 +35,34 @@ start_service() { config_get dir_storage directories storage /tmp/$NAME/storage config_get dir_temp directories temp /tmp/$NAME/temp - user_exists "$user" || { - $LOGGER user \""$user"\" does not exist - exit 1 - } - - group_exists "$group" || { - $LOGGER group \""$group"\" does not exist - exit 1 - } - - # do not touch directories that already exist - # posix shell does not support arrays, hence using awk - awk \ - -v user="$user" \ - -v group="$group" \ - -v a="$dir_cache" \ - -v b="$dir_db" \ - -v c="$dir_localstate" \ - -v d="$dir_log" \ - -v e="$dir_recordings" \ - -v f="$dir_run" \ - -v g="$dir_storage" \ - -v h="$dir_temp" \ - ' - BEGIN { - dir[0]=a - dir[1]=b - dir[2]=c - dir[3]=d - dir[4]=e - dir[5]=f - dir[6]=g - dir[7]=h - for (x in dir) { - if (system("test ! -e \"" dir[x] "\"" )) { - delete dir[x] - } - } - for (x in dir) { - system("mkdir -p \"" dir[x] "\"" ) - system("chmod 750 \"" dir[x] "\"" ) - system("chown \"" user "\":\"" group "\" \"" dir[x] "\"" ) - } - } - ' - config_get options general options + for i in "$dir_localstate" "$dir_run"; do + if ! [ -e "$i" ]; then + mkdir -m 0750 -p "$i" + [ -d "$i" ] && chown $NAME:$NAME "$i" + fi + done + + command -v su >/dev/null + ret=$? + if [ 0 != "$ret" ]; then + $LOGGER utility \"su\" not available + $LOGGER will not attempt to create directories + else + for i in "$dir_cache" \ + "$dir_db" \ + "$dir_log" \ + "$dir_recordings" \ + "$dir_storage" \ + "$dir_temp"; + do + if ! [ -e "$i" ]; then + su -s /bin/sh -c "mkdir -m 0750 -p \"$i\"" $NAME + fi + done + fi + procd_open_instance # starting with full path seems cleaner judging by 'ps' output procd_set_param command $COMMAND 
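Review bot: Both loops added in the `@@ -55,54 +35,34 @@` hunk skip every path for which `[ -e "$i" ]` is true, so an existing entry is handed to freeswitch without checking that it is a directory or who owns it. For the second loop's defaults under `/tmp/$NAME`, that means a path created earlier by a different account would be used as-is, assuming `/tmp` is writable by other accounts. A branch such as `elif ! [ -d "$i" ]; then $LOGGER "$i" exists but is not a directory` would surface the first case, and an owner comparison against `$NAME` would cover the second; how to do that comparison depends on the tools the image ships. In the second loop `$i` is also spliced into the `su -c` string, so a configured value containing `"`, `$` or a backquote is re-parsed by the inner shell instead of being treated as a path; the command runs as `$NAME` and the values come from `/etc/config/freeswitch`, which limits the impact, but rejecting such values before the call keeps the behaviour defined. The exit status of the `su … mkdir` call is discarded, so appending `|| $LOGGER failed to create "$i"` would record a failed creation before the daemon starts; `start_service` begins and ends outside this hunk.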
@@ -111,13 +71,13 @@ start_service() { -cache "$dir_cache" \ -conf "$dir_etc" \ -db "$dir_db" \ - -g "$group" \ + -g "$NAME" \ -log "$dir_log" \ -recordings "$dir_recordings" \ -run "$dir_run" \ -storage "$dir_storage" \ -temp "$dir_temp" \ - -u "$user" \ + -u "$NAME" \ $options \ -c # forward stderr to logd @@ -126,4 +86,3 @@ start_service() { procd_set_param stdout $log_stdout procd_close_instance } - -- 2.30.2