[Pkg-kde-extras] Bug#784261: Unconditionally disables remote jobs if not run as root; fixable by compiling with libcap-ng and a small patch

2015-05-04 Thread KORN Andras
Source: icecc
Version: icecc-1.0.1
Severity: normal
Tags: upstream patch

Hi,

currently iceccd will refuse to accept remote jobs if it's not run as root.

However, as far as I can tell it only requires the CAP_SYS_CHROOT
capability, which can be granted by running

setcap cap_sys_chroot+ep /usr/sbin/iceccd

(I also made the capability inheritable by using +eip; I'm not sure if
that's needed.)

iceccd already has the beginnings of capability support, so this is almost
sufficient; main.cpp needs a small patch so it doesn't unconditionally
disable remote jobs if it isn't running as root.

I'm attaching the patch (which also modifies debian/control to Build-Depends
on libcap-ng-dev).

Andras

-- 
 What happens if you .ARC de Triomphe?

___
pkg-kde-extras mailing list
pkg-kde-extras@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras
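
Added example, not part of the original thread and not icecc code: a way to confirm what `setcap` actually gave a running process by reading the `CapPrm`/`CapEff` masks from `/proc/<pid>/status`. The function names and the sample status texts are constructed for illustration; the bit number 18 for CAP_SYS_CHROOT comes from `<linux/capability.h>`.

```cpp
#include <cstdint>
#include <fstream>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>

// CAP_SYS_CHROOT is capability number 18 in <linux/capability.h>.
constexpr unsigned kCapSysChroot = 18;

// Hex mask of a "CapXxx:" line in /proc/<pid>/status text; 0 if absent or unparsable.
std::uint64_t cap_mask(const std::string& status, const std::string& field) {
    std::istringstream in(status);
    std::string line;
    const std::string key = field + ":";
    while (std::getline(in, line)) {
        if (line.compare(0, key.size(), key) != 0) continue;
        try {
            return std::stoull(line.substr(key.size()), nullptr, 16);
        } catch (const std::exception&) {
            return 0;
        }
    }
    return 0;
}

enum class ChrootCap { None, PermittedOnly, Effective };

// chroot() is authorised against the effective set; permitted alone is not enough.
ChrootCap chroot_capability(const std::string& status) {
    const std::uint64_t bit = std::uint64_t{1} << kCapSysChroot;
    if (cap_mask(status, "CapEff") & bit) return ChrootCap::Effective;
    if (cap_mask(status, "CapPrm") & bit) return ChrootCap::PermittedOnly;
    return ChrootCap::None;
}

// Constructed samples: non-root with +ep, non-root with +p only, plain user.
const std::string kFileCapEP = "Uid:\t1000\t1000\t1000\t1000\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000040000\nCapEff:\t0000000000040000\n";
const std::string kFileCapP = "Uid:\t1000\t1000\t1000\t1000\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000040000\nCapEff:\t0000000000000000\n";
const std::string kPlainUser = "Uid:\t1000\t1000\t1000\t1000\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";

int main() {
    std::ifstream f("/proc/self/status");   // inspect the current process
    std::stringstream buf;
    buf << f.rdbuf();
    std::cout << "chroot capability state: "
              << static_cast<int>(chroot_capability(buf.str())) << "\n";
}
```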


[Pkg-kde-extras] Bug#784261: Unconditionally disables remote jobs if not run as root; fixable by compiling with libcap-ng and a small patch

2015-05-04 Thread Andras Korn
Hmmm, it seems upstream has a better fix for this bug and has had it for
more than a year:
https://github.com/icecc/icecream/blame/master/daemon/main.cpp#L2197 --
maybe you could ship the newer version, built with libcap-ng?

Thanks!

Andras



[Pkg-kde-extras] Bug#784261: Unconditionally disables remote jobs if not run as root; fixable by compiling with libcap-ng and a small patch

2015-05-04 Thread Andras Korn
Actually attaching the patch now :)
diff -ru icecc-1.0.1/daemon/main.cpp icecc-1.0.1+ak/daemon/main.cpp
--- icecc-1.0.1/daemon/main.cpp	2013-07-11 15:41:17.0 +0200
+++ icecc-1.0.1+ak/daemon/main.cpp	2015-05-04 19:13:52.259493247 +0200
@@ -546,13 +546,17 @@
 #ifdef HAVE_LIBCAP_NG
 // We run as system daemon.
 if (capng_have_capability( CAPNG_PERMITTED, CAP_SYS_CHROOT )) {
+log_info()  We are chroot capable due to CAP_SYS_CHROOT\n;
 #else
 if (getuid()==0) {
+log_info()  We are chroot capable due to uid==0\n;
 #endif
 strncpy(myaddr.sun_path, /var/run/icecc/iceccd.socket, sizeof(myaddr.sun_path)-1);
 unlink(myaddr.sun_path);
 old_umask = umask(0);
 } else { // Started by user.
+log_error()  We are not chroot capable. Disabling remote jobs.\n;
+noremote = true;
 strncpy(myaddr.sun_path, getenv(HOME), sizeof(myaddr.sun_path)-1);
 strncat(myaddr.sun_path, /.iceccd.socket, sizeof(myaddr.sun_path)-1-strlen(myaddr.sun_path));
 unlink(myaddr.sun_path);
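Review bot: the `capng_have_capability( CAPNG_PERMITTED, CAP_SYS_CHROOT )` test at the top of this hunk now decides whether `noremote` is set, but chroot() is authorised against the effective set, not the permitted one. A binary that holds the capability only as permitted would pass this check, log that it is chroot capable, and then fail when it tries to chroot; checking CAPNG_EFFECTIVE (or both sets) would keep the new log line and the flag accurate. While this block is being touched, the "Started by user" branch also passes the result of getenv for HOME straight to strncpy, so a NULL check there would be worth adding.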
@@ -1806,8 +1810,6 @@
 capng_change_id(d.user_uid, d.user_gid, CAPNG_NO_FLAG);
 capng_apply(CAPNG_SELECT_BOTH);
 #endif
-} else {
-d.noremote = true;
 }
 
 setup_debug( debug_level, logfile );
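Review bot: with the `else` removed here, the only remaining place that disables remote jobs is the first hunk, and that one assigns bare `noremote` while the line deleted here assigned `d.noremote`. Please confirm both names refer to the same flag and that the socket setup code in the first hunk runs on every start path; otherwise a daemon with neither root nor CAP_SYS_CHROOT would be left with remote jobs enabled.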
diff -ru icecc-1.0.1/debian/control icecc-1.0.1+ak/debian/control
--- icecc-1.0.1/debian/control	2013-07-18 10:37:58.0 +0200
+++ icecc-1.0.1+ak/debian/control	2015-05-04 19:16:16.125481400 +0200
@@ -7,6 +7,7 @@
 Build-Depends: debhelper (= 9),
  autotools-dev,
  docbook2x, docbook-to-man, docbook-xml,
+ libcap-ng-dev,
  libdevstat-dev [kfreebsd-any]
 Homepage: http://en.opensuse.org/Icecream
 Standards-Version: 3.9.4
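Review bot: `libcap-ng-dev` is added without an architecture qualifier, although the next line restricts `libdevstat-dev` to `[kfreebsd-any]`, which shows this package is also built on non-Linux ports. libcap-ng is Linux-only in Debian, so `libcap-ng-dev [linux-any],` would keep the build dependencies satisfiable on kFreeBSD.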
diff -ru icecc-1.0.1/debian/rules icecc-1.0.1+ak/debian/rules
--- icecc-1.0.1/debian/rules	2013-06-06 16:57:58.0 +0200
+++ icecc-1.0.1+ak/debian/rules	2015-05-04 18:46:10.183096508 +0200
@@ -13,7 +13,7 @@
 	rm -rf debian/out
 
 override_dh_auto_configure:
-	dh_auto_configure -- --libexecdir='$${prefix}/lib'
+	dh_auto_configure -- --libexecdir='$${prefix}/lib' --with-libcap-ng=yes
 
 override_dh_auto_build:
 	dh_auto_build
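Review bot: `--with-libcap-ng=yes` in `override_dh_auto_configure` is passed on every architecture. If the kFreeBSD build implied by debian/control is to keep working, make the flag conditional on a Linux host (for example by testing DEB_HOST_ARCH_OS) so configure is not asked for a library that is not available there.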
