
popularity-contest: add private option --su-nobody to drop privileges

tags/1.70+devuan1
Bill Allombert 1 year ago
parent
commit
49f42f493f
3 changed files with 44 additions and 31 deletions
  1. +9
    -3
      debian/changelog
  2. +1
    -6
      debian/cron.daily
  3. +34
    -22
      popularity-contest

+ 9
- 3
debian/changelog View File

@@ -1,15 +1,21 @@
popularity-contest (1.70) unstable; urgency=medium

* debian-popcon.gpg: use new submission key
* debian/cron.daily: fix reporting logic to avoid double submissions.
Closes: #930446
* debian/cron.daily:
- fix reporting logic to avoid double submissions. Closes: #930446
- run 'popularity-contest --su-nobody' as root. This allows
popcon to read the configuration file and /proc/*/maps files.
Closes: #865730. Thanks Robert Luberda.
* debian/control:
- Updated Standards-Version from 4.4.0 to 4.5.0. No change needed.
* Update example server-side scripts to popcon.d.o version:
- popanal.py: bump stable version to 1.67
- popcon.pl: update URL from Alioth to Salsa
* popularity-contest:
- add private option --su-nobody to drop privileges after reading
the configuration file and /proc.

-- Bill Allombert <ballombe@debian.org> Sat, 21 Mar 2020 20:37:36 +0100
-- Bill Allombert <ballombe@debian.org> Mon, 30 Mar 2020 10:16:39 +0200

popularity-contest (1.69) unstable; urgency=medium



+ 1
- 6
debian/cron.daily View File

@@ -104,11 +104,6 @@ cd /var/log
umask 022
savelog -c 7 popularity-contest >/dev/null

run_popcon()
{
runuser -s /bin/sh -c "/usr/sbin/popularity-contest" nobody
}

do_sendmail()
{
if [ -n "$MAILFROM" ]; then
@@ -120,7 +115,7 @@ do_sendmail()

# generate the popularity contest data

run_popcon > $POPCON
/usr/sbin/popularity-contest --su-nobody > $POPCON

GPG=/usr/bin/gpg
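Review bot: The new line `/usr/sbin/popularity-contest --su-nobody > $POPCON` leaves `$POPCON` unquoted in the redirection; as a matter of style I would write `/usr/sbin/popularity-contest --su-nobody > "$POPCON"`, since the variable is defined outside this hunk and its value is not visible here. With runuser gone from this file, the switch to nobody is now enforced only inside the Perl script, so a failed drop can no longer be caught by this wrapper; the script should exit non-zero in that case and this call site should check its status (for example `|| exit 1`) rather than continue with whatever was written. The rest of the script, including what happens to `$POPCON` afterwards, is outside the hunk, so I cannot tell whether a non-zero exit is acted on today.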



+ 34
- 22
popularity-contest View File

@@ -53,6 +53,40 @@ if ( $HOSTID !~ /^([a-f0-9]{32})$/)
exit 1;
}

# List all mapped files
my %mapped;
if (opendir(PROC, "/proc"))
{
my @procfiles = readdir(PROC);
closedir(PROC);

foreach (@procfiles)
{
-d "/proc/$_" or next;
m{^[0-9]+$} or next;

open MAPS, "/proc/$_/maps" or next;
while (<MAPS>)
{
m{(/.*)} or next;
$mapped{$1} = 1;
}
close MAPS;
}
}

if (defined($ARGV[0]) && $ARGV[0] eq "--su-nobody")
{
my $user="nobody";
my ($uid, $gid, $home, $shell) = (getpwnam($user))[2,3,7,8];
$( = $) = $gid;
$< = $> = $uid;
$ENV{USER} = $user;
$ENV{LOGNAME} = $user;
$ENV{HOME} = $home;
$ENV{SHELL} = $shell;
}

# Architecture.
my $debarch = `dpkg --print-architecture`;
chomp $debarch;
@@ -85,28 +119,6 @@ sub trunc_time {

my %popcon=();

# List all mapped files
my %mapped;
if (opendir(PROC, "/proc"))
{
my @procfiles = readdir(PROC);
closedir(PROC);

foreach (@procfiles)
{
-d "/proc/$_" or next;
m{^[0-9]+$} or next;

open MAPS, "/proc/$_/maps" or next;
while (<MAPS>)
{
m{(/.*)} or next;
$mapped{$1} = 1;
}
close MAPS;
}
}

# List files diverted by dpkg
my %diverted;
if (open DIVERSIONS, "env LC_ALL=C dpkg-divert --list|")
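Review bot: In the `--su-nobody` branch of the first hunk, a failed `getpwnam($user)` is not detected: if the nobody account is missing, the slice at `my ($uid, $gid, $home, $shell) = (getpwnam($user))[2,3,7,8];` yields undef, `$< = $> = undef` is a numeric 0, and the script silently carries on as root with the /proc data already in hand. The assignments to `$(`, `$)`, `$<` and `$>` are likewise unchecked, so a set-id call that fails leaves the process privileged without any message, and assigning a single number to `$)` does not appear to reset root's supplementary group list (Perl only calls setgroups when extra ids are given). I would fail closed on an unknown user, assign `"$gid $gid"` to `$)` so the supplementary list is replaced, and verify the real and effective ids after the drop; the rewritten lines are below, with the `$ENV` assignments unchanged. The second hunk only moves the /proc maps scan ahead of the drop so it still runs with root's read access, which is the stated intent, and needs no change.
```perl
    my ($uid, $gid, $home, $shell) = (getpwnam($user))[2,3,7,8];
    defined $uid && defined $gid
        or die "popularity-contest: unknown user $user\n";
    # Groups first (still root): effective gid plus supplementary list, then real gid.
    $) = "$gid $gid";
    $( = $gid;
    $< = $> = $uid;
    # A failed set-id only sets $!; refuse to continue with any privilege left.
    $< == $uid && $> == $uid && $( == $gid
        or die "popularity-contest: cannot drop privileges to $user: $!\n";
    # … unchanged: $ENV{USER}, $ENV{LOGNAME}, $ENV{HOME}, $ENV{SHELL} assignments …
```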

