+Wed Oct 23 00:00:00 UTC 2019
+ Remove setuid helpers. They never worked as intended. The
+ fixed version is not portable and the defacto good way to
+ handle this which is most portable is to let package managers
+ handle this (as they do right now, the good ones), and let
+ people handle this who read the documentation.
+ This commit removes what would be patched out by the majority
+ of package managers, which is setuid handling in Makefiles.
+ It is very likely that no one will notice this code is gone.
+ -ng0
+
Thu Oct 17 00:00:00 UTC 2019
Added support for doas, use it in some places conditionally
if sudo is not present. Fixed sudo detection. -ng0
more details.
However, this leak is just a minor concern.
+Notes on setuid
+===============
+
+For a correct functionality depending on the host OS, you need
+to run the equivalent of these steps after installation:
+
+chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-vpn
+chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-vpn
+chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-transport-wlan
+chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-transport-wlan
+chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-transport-bluetooth
+chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-transport-bluetooth
+chown root $(DESTDIR)$(libexecdir)/gnunet-helper-dns
+chgrp $(GNUNETDNS_GROUP) $(DESTDIR)$(libexecdir)/gnunet-helper-dns
+chmod 4750 $(DESTDIR)$(libexecdir)/gnunet-helper-dns
+chgrp $(GNUNETDNS_GROUP) $(DESTDIR)$(libexecdir)/gnunet-helper-dns
+chown gnunet:$(GNUNETDNS_GROUP) $(DESTDIR)$(libexecdir)/gnunet-helper-dns
+chmod 2750 $(DESTDIR)$(libexecdir)/gnunet-helper-dns
+chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-exit
+chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-exit
+chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-nat-server
+chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-nat-client
+chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-nat-server
+chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-nat-client
+
+
Requirements
============
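Review bot: The six added gnunet-helper-dns lines set two conflicting owner/mode combinations on the same file: `chown root` with `chmod 4750`, then `chown gnunet:$(GNUNETDNS_GROUP)` with `chmod 2750`. Anyone who runs the list in order ends up with a gnunet-owned, setgid-only helper instead of a setuid-root one. The install script deleted in this same commit applied that second group to `$1/gnunet-service-dns`, so the last three lines most likely should name `gnunet-service-dns` (install directory to be confirmed), not the helper. The commands also keep the Makefile form `$(DESTDIR)$(libexecdir)`, which a shell treats as command substitution, and the text does not say which helpers exist on which platform, although the removed hooks were conditional on LINUX, XFREEBSD and HAVE_LIBBLUETOOTH. I would add a sentence such as `Replace $(DESTDIR)$(libexecdir) with the libexec directory of your installation and run these as root; only the helpers built for your platform will be present.`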
pkgcfg_DATA = \
dns.conf
-if HAVE_SUDO
-SUDO_OR_DOAS_BINARY= $(SUDO_BINARY)
-else
-if HAVE_DOAS_BINARY
-SUDO_OR_DOAS_BINARY= $(DOAS_BINARY)
-endif
-endif
-
if LINUX
HIJACKBIN = gnunet-helper-dns
-install-exec-hook:
- chown root $(DESTDIR)$(libexecdir)/gnunet-helper-dns
- chgrp $(GNUNETDNS_GROUP) $(DESTDIR)$(libexecdir)/gnunet-helper-dns
- chmod 4750 $(DESTDIR)$(libexecdir)/gnunet-helper-dns
- chgrp $(GNUNETDNS_GROUP) $(DESTDIR)$(libexecdir)/gnunet-helper-dns
- chown gnunet:$(GNUNETDNS_GROUP) $(DESTDIR)$(libexecdir)/gnunet-helper-dns
- chmod 2750 $(DESTDIR)$(libexecdir)/gnunet-helper-dns
-else
-install-exec-hook:
endif
lib_LTLIBRARIES = \
+++ /dev/null
-#!/bin/sh
-# $1 - bindir
-# $2 - gnunetdns group
-# $3 - sudo binary (optional)
-$3 chown root $1/gnunet-helper-dns
-$3 chgrp $2 $1/gnunet-helper-dns
-$3 chmod 4750 $1/gnunet-helper-dns
-# In case user 'gnunet' does not exist, at least set the group
-$3 chgrp $2 $1/gnunet-service-dns
-# Usually we want both...
-$3 chown gnunet:$2 $1/gnunet-service-dns
-$3 chmod 2750 $1/gnunet-service-dns
dist_pkgcfg_DATA = \
exit.conf
-if HAVE_SUDO
-SUDO_OR_DOAS_BINARY= $(SUDO_BINARY)
-else
-if HAVE_DOAS_BINARY
-SUDO_OR_DOAS_BINARY= $(DOAS_BINARY)
-endif
-endif
-
if LINUX
EXITBIN = gnunet-helper-exit
-install-exec-hook:
- chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-exit
- chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-exit
-else
-install-exec-hook:
endif
+++ /dev/null
-#!/bin/sh
-# $1 - bindir
-# $2 - sudo binary (optional)
-$2 chown root:root $1/gnunet-helper-exit || true
-$2 chmod u+s $1/gnunet-helper-exit || true
pkgcfg_DATA = \
nat.conf
-if HAVE_SUDO
-SUDO_OR_DOAS_BINARY= $(SUDO_BINARY)
-else
-if HAVE_DOAS_BINARY
-SUDO_OR_DOAS_BINARY= $(DOAS_BINARY)
-endif
-endif
-
if LINUX
NATBIN = gnunet-helper-nat-server gnunet-helper-nat-client
NATSERVER = gnunet-helper-nat-server.c
NATCLIENT = gnunet-helper-nat-client.c
-install-exec-hook:
- chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-nat-server
- chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-nat-client
- chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-nat-server
- chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-nat-client
else
if XFREEBSD
NATBIN = gnunet-helper-nat-server gnunet-helper-nat-client
NATSERVER = gnunet-helper-nat-server.c
NATCLIENT = gnunet-helper-nat-client.c
-install-exec-hook:
- chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-nat-server
- chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-nat-client
- chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-nat-server
- chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-nat-client
endif
else
install-exec-hook:
+++ /dev/null
-#!/bin/sh
-# $1 - bindir
-# $2 - sudo binary (optional)
-$2 chown root:root $1/gnunet-helper-nat-server $1/gnunet-helper-nat-client || true
-$2 chmod u+s $1/gnunet-helper-nat-server $1/gnunet-helper-nat-client || true
test_quota_compliance_wlan_asymmetric
endif
-if HAVE_SUDO
-SUDO_OR_DOAS_BINARY= $(SUDO_BINARY)
-else
-if HAVE_DOAS_BINARY
-SUDO_OR_DOAS_BINARY= $(DOAS_BINARY)
-endif
-endif
-
-if LINUX
-install-exec-hook:
- chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-transport-wlan
- chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-transport-wlan
-if HAVE_LIBBLUETOOTH
- chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-transport-bluetooth
- chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-transport-bluetooth
-endif
-else
-install-exec-hook:
-endif
-
if LINUX
if HAVE_LIBBLUETOOTH
BT_BIN = gnunet-helper-transport-bluetooth
+++ /dev/null
-#!/bin/sh
-# $1 - bindir
-# $2 - sudo binary (optional)
-$2 chown root:root $1/gnunet-helper-transport-bluetooth || true
-$2 chmod u+s $1/gnunet-helper-transport-bluetooth || true
+++ /dev/null
-#!/bin/sh
-# $1 - bindir
-# $2 - sudo binary (optional)
-$2 chown root:root $1/gnunet-helper-transport-wlan || true
-$2 chmod u+s $1/gnunet-helper-transport-wlan || true
pkgcfg_DATA = \
vpn.conf
-if HAVE_SUDO
-SUDO_OR_DOAS_BINARY= $(SUDO_BINARY)
-else
-if HAVE_DOAS_BINARY
-SUDO_OR_DOAS_BINARY= $(DOAS_BINARY)
-endif
-endif
-
if LINUX
VPNBIN = gnunet-helper-vpn
-install-exec-hook:
- chown root:root $(DESTDIR)$(libexecdir)/gnunet-helper-vpn
- chmod u+s $(DESTDIR)$(libexecdir)/gnunet-helper-vpn
-else
-install-exec-hook:
endif
+++ /dev/null
-#!/bin/sh
-# $1 - bindir
-# $2 - sudo binary (optional)
-$2 chown root:root $1/gnunet-helper-vpn || true
-$2 chmod u+s $1/gnunet-helper-vpn || true