Re: libcap

Robert Connolly Sat, 26 May 2007 22:56:57 -0700

Here's the svn patch. It might need adjustment. It'll need changelog entries, 
and regenerated bootscripts package. 'make install-ntp' and 'make 
install-ntp-libcap' will overwrite eachother, like openldap1 and openldap2 
do. I bumped the ntpd version to 4.2.4p0. 'ntpd' can be installed 
to /usr/sbin with the '--with-binsubdir=sbin' option:


$ ls DESTDIR/usr/bin/
ntp-keygen  ntpq  ntptime  ntptrace  ntp-wait  tickadj
$ ls DESTDIR/usr/sbin/
ntpd  ntpdate  ntpdc  sntp

This is perfect, at least for me. I like running 'ntpq' as a regular user.

I made a bug report to ntp's bugzilla about the --sbindir having no effect, 
and they said it's intentional. They want everything installing to /usr/bin, 
and said the --with-binsubdir is provided if you want the admin programs 
installing to /usr/sbin.

robert

Index: BOOK/basicnet/netprogs/ntp.xml
===================================================================
--- BOOK/basicnet/netprogs/ntp.xml	(revision 6789)
+++ BOOK/basicnet/netprogs/ntp.xml	(working copy)
@@ -4,13 +4,11 @@
   <!ENTITY % general-entities SYSTEM "../../general.ent">
   %general-entities;
 
-  <!-- <!ENTITY ntp-download-http "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-stable-&ntp-version;-20060224.tar.gz";> -->
-  <!-- <!ENTITY ntp-download-ftp  "ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-stable-&ntp-version;-20060224.tar.gz";> -->
-  <!ENTITY ntp-download-http "&sources-anduin-http;/n/ntp-stable-&ntp-version;-20060224.tar.gz">
-  <!ENTITY ntp-download-ftp  "&sources-anduin-ftp;/n/ntp-stable-&ntp-version;-20060224.tar.gz">
-  <!ENTITY ntp-md5sum        "49d4a704b49dc1ef2a7ec0b7938c3ae1">
-  <!ENTITY ntp-size          "2.3 MB">
-  <!ENTITY ntp-buildsize     "22.1 MB">
+  <!ENTITY ntp-download-http "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-&ntp-version;.tar.gz";>
+  <!ENTITY ntp-download-ftp  "ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-&ntp-version;.tar.gz";>
+  <!ENTITY ntp-md5sum        "6f381e3764eac481bed9cf7e4d508952">
+  <!ENTITY ntp-size          "3.3 MB">
+  <!ENTITY ntp-buildsize     "26 MB">
   <!ENTITY ntp-time          "0.4 SBU">
 ]>
 
@@ -58,20 +56,11 @@
       </listitem>
     </itemizedlist>
 
-<!--
-    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
-    <itemizedlist spacing='compact'>
-      <listitem>
-        <para>Required patch: <ulink
-        url="&patch-root;/ntp-&ntp-version;-gcc4-1.patch"/></para>
-      </listitem>
-    </itemizedlist>
--->
-
     <bridgehead renderas="sect3">NTP Dependencies</bridgehead>
 
     <bridgehead renderas="sect4">Optional</bridgehead>
-    <para role="optional"><xref linkend="openssl"/></para>
+    <para role="optional"><xref linkend="openssl"/>,
+    <xref linkend="libcap"/></para>
 
     <para condition="html" role="usernotes">User Notes:
     <ulink url="&blfs-wiki;/ntp"/></para>
@@ -81,10 +70,22 @@
   <sect2 role="installation">
     <title>Installation of NTP</title>
 
+    <para>If you link <application>Libcap</application> into the build using
+    the <parameter>--enable-linuxcaps</parameter> parameter, then additional
+    installation steps are necessary to set up the proper environment, which
+    are performed by issuing the following commands as the root user:</para>
+
+<screen role="root"><userinput>install -v -m710 -d /var/lib/ntp/var &amp;&amp;
+install -v -m770 -d /var/lib/ntp/var/cache &amp;&amp;
+groupadd -g 55 ntp &amp;&amp;
+useradd -c 'ntp PrivSep' -d /var/lib/ntp -g ntp \
+    -s /bin/false -u 55 ntp &amp;&amp;
+chgrp -v -R ntp /var/lib/ntp</userinput></screen>
+
     <para>Install <application>NTP</application> by running
     the following commands:</para>
 
-<screen><userinput>./configure --prefix=/usr --bindir=/usr/sbin \
+<screen><userinput>./configure --prefix=/usr --with-binsubdir=sbin \
     --sysconfdir=/etc &amp;&amp;
 make</userinput></screen>
 
@@ -98,6 +99,19 @@
 
   </sect2>
 
+  <sect2 role="commands">
+    <title>Command Explanations</title>
+
+    <para><parameter>--with-binsubdir</parameter>: This switch tells
+    <application>NTP</application> to
+    install the server programs to
+    <filename class="directory">/usr/sbin</filename>. This switch is equivilent
+    to <parameter>--sbindir</parameter>, except that
+    <parameter>--sbindir</parameter> does not currently work with the
+    <application>NTP</application> package.</para>
+
+  </sect2>
+
   <sect2 role="configuration">
     <title>Configuring NTP</title>
 
@@ -157,7 +171,10 @@
       <para>If you choose Option one, then install the
       <filename>/etc/rc.d/init.d/ntp</filename>
       init script included in the
-      <xref linkend="bootscripts"/> package.</para>
+      <xref linkend="bootscripts"/> package. If you linked
+      <application>NTP</application> to <application>Libcap</application>,
+      then substitute the follwing command with
+      <command>make install-ntp-libcap</command>.</para>
 
       <indexterm zone="ntp ntp-init">
         <primary sortas="f-ntp">ntp</primary>
Index: BOOK/postlfs/config/users.xml
===================================================================
--- BOOK/postlfs/config/users.xml	(revision 6789)
+++ BOOK/postlfs/config/users.xml	(working copy)
@@ -93,6 +93,7 @@
         <row><entry>rsyncd  </entry><entry>48</entry><entry>48</entry></row>
         <row><entry>sshd    </entry><entry>50</entry><entry>50</entry></row>
         <row><entry>stunnel </entry><entry>51</entry><entry>51</entry></row>
+        <row><entry>ntp     </entry><entry>55</entry><entry>55</entry></row>
         <row><entry>svn     </entry><entry>56</entry><entry>56</entry></row>
         <row><entry>svntest </entry><entry>  </entry><entry>57</entry></row>
         <row><entry>games   </entry><entry>60</entry><entry>60</entry></row>
Index: BOOK/postlfs/security/libcap.xml
===================================================================
--- BOOK/postlfs/security/libcap.xml	(revision 0)
+++ BOOK/postlfs/security/libcap.xml	(revision 0)
@@ -0,0 +1,170 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+
+  <!ENTITY libcap-download-http "http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/libcap-&libcap-version;.tar.bz2";>
+  <!ENTITY libcap-download-ftp "ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/libcap-&libcap-version;.tar.bz2";>
+  <!ENTITY libcap-md5sum "4426a413128142cab89eb2e6f13d8571">
+  <!ENTITY libcap-size "28 KB">
+  <!ENTITY libcap-buildsize "44 KB">
+  <!ENTITY libcap-time "less than 0.1 SBU">
+]>
+
+<sect1 id="libcap" xreflabel="libcap-&libcap-version;">
+  <?dbhtml filename="libcap.html"?>
+
+  <sect1info>
+    <othername>$LastChangedBy: robert $</othername>
+    <date>$Date: 2007-05-27 00:00:00 -0000 (Sun, 27 May 2007) $</date>
+  </sect1info>
+
+  <title>Libcap-&libcap-version;</title>
+
+  <indexterm zone="libcap">
+    <primary sortas="a-libcap">libcap</primary>
+  </indexterm>
+
+  <sect2 role="package">
+    <title>Introduction to Libcap</title>
+
+    <para>The <application>Libcap</application> package is used to modify
+    capabilities of programs so they can run without
+    <systemitem class="username">root</systemitem> privileges.</para>
+
+    <bridgehead renderas="sect3">Package Information</bridgehead>
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>Download (HTTP): <ulink url="&libcap-download-http;"/></para>
+      </listitem>
+      <listitem>
+        <para>Download (FTP): <ulink url="&libcap-download-ftp;"/></para>
+      </listitem>
+      <listitem>
+        <para>Download MD5 sum: &libcap-md5sum;</para>
+      </listitem>
+      <listitem>
+        <para>Download size: &libcap-size;</para>
+      </listitem>
+      <listitem>
+        <para>Estimated disk space required: &libcap-buildsize;</para>
+      </listitem>
+      <listitem>
+        <para>Estimated build time: &libcap-time;</para>
+      </listitem>
+    </itemizedlist>
+
+    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
+    <itemizedlist spacing='compact'>
+      <listitem>
+        <para>Required patch: <ulink
+        url="&patch-root;/libcap-&libcap-version;-blfs-1.patch"/></para>
+      </listitem>
+    </itemizedlist>
+
+    <para condition="html" role="usernotes">User Notes:
+    <ulink url="&blfs-wiki;/libcap"/></para>
+
+  </sect2>
+
+  <sect2 role="installation">
+    <title>Installation of Libcap</title>
+
+    <para>Install <application>Libcap</application> by running
+    the following command:</para>
+
+<screen><userinput>patch -Np1 -i ../libcap-&libcap-version;-blfs-1.patch &amp;&amp;
+make</userinput></screen>
+
+    <para>This package does not come with a test suite.</para>
+
+    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
+
+<screen role="root"><userinput>make install
+install -vd /usr/share/libcap-&libcap-version;
+cp -v {README,CHANGELOG,doc/capability.notes} \
+    /usr/share/libcap-&libcap-version;</userinput></screen>
+
+  </sect2>
+
+  <sect2 role="content">
+    <title>Contents</title>
+
+    <segmentedlist>
+      <segtitle>Installed Programs</segtitle>
+      <segtitle>Installed Library</segtitle>
+      <segtitle>Installed Directories</segtitle>
+
+      <seglistitem>
+        <seg>execcap getpcaps setpcaps sucap</seg>
+        <seg>libcap.so</seg>
+        <seg>/usr/share/libcap-&libcap-version;</seg>
+      </seglistitem>
+    </segmentedlist>
+
+    <variablelist>
+      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
+      <?dbfo list-presentation="list"?>
+      <?dbhtml list-presentation="table"?>
+
+      <varlistentry id="execcap">
+        <term><command>execcap</command></term>
+        <listitem>
+          <para>is a program that can be used to limit the inheritable
+          capabilities of a program.</para>
+          <indexterm zone="libcap execcap">
+            <primary sortas="b-execcap">execcap</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="getpcaps">
+        <term><command>getpcaps</command></term>
+        <listitem>
+          <para>is used to display the capabilities of a running process.
+          </para>
+          <indexterm zone="libcap getpcaps">
+            <primary sortas="b-getpcaps">getpcaps</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="setpcaps">
+        <term><command>setpcaps</command></term>
+        <listitem>
+          <para>is used to set the capabilities of a running process.</para>
+          <indexterm zone="libcap setpcaps">
+            <primary sortas="b-setpcaps">setpcaps</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry id="sucap">
+        <term><command>sucap</command></term>
+        <listitem>
+          <para>is a program to change the UID, but not the capabilities, of a
+          running process.</para>
+          <indexterm zone="libcap sucap">
+            <primary sortas="b-sucap">sucap</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+
+      <varlistentry id="libcap-lib">
+        <term><filename class='libraryfile'>libcap.so</filename></term>
+        <listitem>
+          <para>is a support library for the
+          <application>Libcap</application> programs.</para>
+          <indexterm zone="libcap libcap-lib">
+            <primary sortas="c-libcap-lib">libcap.so</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+
+  </sect2>
+
+</sect1>
Index: BOOK/postlfs/security/security.xml
===================================================================
--- BOOK/postlfs/security/security.xml	(revision 6789)
+++ BOOK/postlfs/security/security.xml	(working copy)
@@ -53,5 +53,6 @@
   <xi:include xmlns:xi="http://www.w3.org/2003/XInclude"; href="stunnel.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2003/XInclude"; href="sudo.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2003/XInclude"; href="nss.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2003/XInclude"; href="libcap.xml"/>
 
 </chapter>
Index: BOOK/general.ent
===================================================================
--- BOOK/general.ent	(revision 6789)
+++ BOOK/general.ent	(working copy)
@@ -73,6 +73,7 @@
 <!ENTITY stunnel-version              "4.20">
 <!ENTITY sudo-version                 "1.6.8p12">
 <!ENTITY nss-version                  "3.11.5">
+<!ENTITY libcap-version               "1.10">
 
 <!-- Chapter 5 -->
 <!ENTITY reiser-version               "3.6.19">
@@ -315,7 +316,7 @@
 <!-- <!ENTITY ncpfs-version                "2.2.4"> -->
 <!ENTITY net-tools-version            "1.60">
 <!ENTITY wireless-tools-version       "28">
-<!ENTITY ntp-version                  "4.2.0a">
+<!ENTITY ntp-version                  "4.2.4p0">
 <!ENTITY openssh-version              "4.6p1">
 <!ENTITY portmap-version              "5beta">
 <!ENTITY rsync-version                "2.6.8">
Index: bootscripts/blfs/init.d/ntp-libcap
===================================================================
--- bootscripts/blfs/init.d/ntp-libcap	(revision 0)
+++ bootscripts/blfs/init.d/ntp-libcap	(revision 0)
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Begin $rc_base/init.d/ntp-libcap
+
+#$LastChangedBy: robert $
+#$Date: 2007-05-27 00:00:00 -0000 (Sun, 27 Aug 2007) $
+
+. /etc/sysconfig/rc
+. $rc_functions
+
+case "$1" in
+	start)
+		boot_mesg "Starting ntpd in chroot..."
+		ntpd -gqx
+		loadproc /usr/sbin/ntpd --configfile=/etc/ntp.conf \
+			--jaildir=/var/lib/ntp --logfile=/var/log/ntp.log \
+			--pidfile=/var/run/ntp.pid --user=ntpd:ntpd
+		;;
+
+	stop)
+		boot_mesg "Stopping ntpd..."
+		killproc /usr/sbin/ntpd
+		;;
+
+	restart)
+		$0 stop
+		sleep 1
+		$0 start
+		;;
+
+	status)
+		statusproc /usr/sbin/ntpd
+		;;
+
+	*)
+		echo "Usage: $0 {start|stop|restart|status}"
+		exit 1
+		;;
+esac
+
+# End $rc_base/init.d/ntp-libcap
Index: bootscripts/Makefile
===================================================================
--- bootscripts/Makefile	(revision 6789)
+++ bootscripts/Makefile	(working copy)
@@ -261,7 +261,7 @@
 	ln -sf  ../init.d/nfs-server ${EXTDIR}/rc.d/rc6.d/K48nfs-server
 
 install-ntp: create-dirs
-	install -m ${MODE} blfs/init.d/ntp        ${EXTDIR}/rc.d/init.d/
+	install -m ${MODE} blfs/init.d/ntp        ${EXTDIR}/rc.d/init.d/ntp
 	ln -sf  ../init.d/ntp ${EXTDIR}/rc.d/rc0.d/K46ntp
 	ln -sf  ../init.d/ntp ${EXTDIR}/rc.d/rc1.d/K46ntp
 	ln -sf  ../init.d/ntp ${EXTDIR}/rc.d/rc2.d/K46ntp
@@ -270,6 +270,16 @@
 	ln -sf  ../init.d/ntp ${EXTDIR}/rc.d/rc5.d/S26ntp
 	ln -sf  ../init.d/ntp ${EXTDIR}/rc.d/rc6.d/K46ntp
 
+install-ntp-libcap: create-dirs
+	install -m ${MODE} blfs/init.d/ntp-libcap ${EXTDIR}/rc.d/init.d/ntp
+	ln -sf  ../init.d/ntp ${EXTDIR}/rc.d/rc0.d/K46ntp
+	ln -sf  ../init.d/ntp ${EXTDIR}/rc.d/rc1.d/K46ntp
+	ln -sf  ../init.d/ntp ${EXTDIR}/rc.d/rc2.d/K46ntp
+	ln -sf  ../init.d/ntp ${EXTDIR}/rc.d/rc3.d/S26ntp
+	ln -sf  ../init.d/ntp ${EXTDIR}/rc.d/rc4.d/S26ntp
+	ln -sf  ../init.d/ntp ${EXTDIR}/rc.d/rc5.d/S26ntp
+	ln -sf  ../init.d/ntp ${EXTDIR}/rc.d/rc6.d/K46ntp
+
 install-openldap1: create-dirs
 	install -m ${MODE} blfs/init.d/openldap1  ${EXTDIR}/rc.d/init.d/openldap
 	ln -sf  ../init.d/openldap ${EXTDIR}/rc.d/rc0.d/K46openldap
@@ -664,6 +674,16 @@
 	rm -f ${EXTDIR}/rc.d/rc5.d/S26ntp
 	rm -f ${EXTDIR}/rc.d/rc6.d/K46ntp
 
+uninstall-ntp-libcap:
+	rm -f ${EXTDIR}/rc.d/init.d/ntp
+	rm -f ${EXTDIR}/rc.d/rc0.d/K46ntp
+	rm -f ${EXTDIR}/rc.d/rc1.d/K46ntp
+	rm -f ${EXTDIR}/rc.d/rc2.d/K46ntp
+	rm -f ${EXTDIR}/rc.d/rc3.d/S26ntp
+	rm -f ${EXTDIR}/rc.d/rc4.d/S26ntp
+	rm -f ${EXTDIR}/rc.d/rc5.d/S26ntp
+	rm -f ${EXTDIR}/rc.d/rc6.d/K46ntp
+
 uninstall-openldap1:
 	rm -f ${EXTDIR}/rc.d/init.d/openldap
 	rm -f ${EXTDIR}/rc.d/rc0.d/K46openldap

pgpBPeULdyk0b.pgp
Description: PGP signature

-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

Re: libcap

Reply via email to