Package: ptunnel
Version: 0.72-3
Severity: normal
Tags: bullseye sid

Dear Maintainer,

Please consider adding a native systemd service masking the already
shipped init script (fixes lintian tag[1] in subject).

I've attached my own attempt at writing a service file, based off
looking at what the init script does. Note that it is completely
untested (as I don't use ptunnel myself).
The ptunnel.service could simply be dropped into the debian/ directory
and debhelper should do the right thing with the service file (although
note that the current compat 11 is now discouraged!).

Please also note that the magic expansions as done to $password
is a shell feature and is not supported inside a service file.
Also passing a password on the command line to a process is
a local security hole as anyone could see it by simply running
'ps aux' or similar. I would recommend that ptunnel implements
reading the password from the environment variable directly itself.

The service could also be simplified by dropping the -daemon argument,
running ptunnel in the foreground and setting Type=simple. It is recommended
that user changes to settings are done via 'systemctl edit
ptunnel.service' rather than using /etc/default files, which will
allow 'systemd-delta' to show customizations. I however did not
go this route as users' current setup might contain important settings
already in their $OPTIONS variable that I'm not aware of.

Additional improvements, e.g. using security hardening[2], could also be
added.

Finally please get rid of the homebrew enable/disable[3] service
implementation $run_daemon. Ship the service disabled and let
the user simply run 'service ptunnel enable' when they have
configured it.

Regards,
Andreas Henriksson


[1]: https://lintian.debian.org/tags/missing-systemd-service-for-init.d-script.html
[2]: https://lintian.debian.org/tags/systemd-service-file-missing-hardening-features.html
[3]: https://lintian.debian.org/tags/init.d-script-should-always-start-service.html

[Unit]
Description=TCP over ICMP tunnelling daemon
After=network.target

[Service]
Type=forking
PIDFile=/run/ptunnel.pid
Environment="OPTIONS=-daemon /run/ptunnel.pid"
#Environment=run_daemon=false
EnvironmentFile=-/etc/default/ptunnel
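# Note: https://lintian.debian.org/tags/init.d-script-should-always-start-service.html
#ExecStartPre=/bin/bash -c 'if [ "$run_daemon" != true ]; then echo "To run the ptunnel daemon, please set run_daemon to 'true' in /etc/default/ptunnel "; exit 1 ; fi'
# $OPTIONS is word-split by systemd; without it -daemon is never passed and
# Type=forking/PIDFile= above would not match what the process does.
ExecStart=/usr/sbin/ptunnel $OPTIONS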
# TODO: security hardening

[Install]
WantedBy=multi-user.target
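
The exposure the report describes (a password given as a command-line argument is visible to any local user, while the environment is not), as an added example that is not part of the original message or of the ptunnel package. It assumes Linux with /proc mounted; the secret value, the DEMO_PASSWORD variable name and the function names are constructed for illustration.

```python
import os
import stat
import subprocess
import sys

SECRET = "constructed-demo-secret"  # constructed sample value, not a real password
CHILD = "import time; time.sleep(30)"  # stand-in for a long-running daemon


def proc_view(pid):
    """Return (argv, cmdline mode, environ mode) for a process, read from /proc."""
    base = f"/proc/{pid}"
    with open(f"{base}/cmdline", "rb") as f:
        argv = [a.decode() for a in f.read().split(b"\0") if a]
    cmd_mode = stat.S_IMODE(os.stat(f"{base}/cmdline").st_mode)
    env_mode = stat.S_IMODE(os.stat(f"{base}/environ").st_mode)
    return argv, cmd_mode, env_mode


def demo(via):
    """Start the child with the secret in argv or in the environment and inspect it."""
    cmd = [sys.executable, "-c", CHILD]
    env = dict(os.environ)
    if via == "argv":
        cmd.append(SECRET)             # what passing a password as an argument does
    else:
        env["DEMO_PASSWORD"] = SECRET  # hypothetical variable name
    child = subprocess.Popen(cmd, env=env)
    try:
        argv, cmd_mode, env_mode = proc_view(child.pid)
    finally:
        child.kill()
        child.wait()
    return {
        "secret_in_argv": SECRET in argv,
        "cmdline_world_readable": bool(cmd_mode & stat.S_IROTH),
        "environ_world_readable": bool(env_mode & stat.S_IROTH),
    }


if __name__ == "__main__":
    for via in ("argv", "env"):
        print(via, demo(via))
```

/proc/<pid>/cmdline is the file 'ps aux' reads, which is why its world-readable mode matters here.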
