[arch-commits] Commit in sslh/trunk (9 files)

Sébastien Luttringer seblu at archlinux.org
Sat Feb 3 18:06:10 UTC 2018


    Date: Saturday, February 3, 2018 @ 18:06:09
  Author: seblu
Revision: 288806

upgpkg: sslh 1.19b-1

Modified:
  sslh/trunk/PKGBUILD
  sslh/trunk/sslh-fork.service
  sslh/trunk/sslh-select.service
  sslh/trunk/sslh.cfg
  sslh/trunk/sslh.install
  sslh/trunk/sslh.service
Deleted:
  sslh/trunk/sslh-fork.service.next
  sslh/trunk/sslh-select.service.next
  sslh/trunk/sslh.conf

--------------------------+
 PKGBUILD                 |   20 +++++---------------
 sslh-fork.service        |   22 +++++++++++++++++++---
 sslh-fork.service.next   |   12 ------------
 sslh-select.service      |   23 ++++++++++++++++++++---
 sslh-select.service.next |   11 -----------
 sslh.cfg                 |   10 +---------
 sslh.conf                |   29 -----------------------------
 sslh.install             |    5 ++++-
 sslh.service             |   18 ++++++++++++++----
 9 files changed, 63 insertions(+), 87 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2018-02-03 17:45:10 UTC (rev 288805)
+++ PKGBUILD	2018-02-03 18:06:09 UTC (rev 288806)
@@ -16,7 +16,6 @@
 install=$pkgname.install
 source=("https://www.rutschle.net/tech/sslh/$pkgname-v$pkgver.tar.gz"{,.asc}
         'sslh.cfg'
-        'sslh.sysusers'
         'sslh.service'
         'sslh-select.service'
         'sslh-fork.service')
@@ -23,24 +22,16 @@
 validpgpkeys=('CDDDBADBEA4B72748E007D326C056F7AC7934136') # Yves Rutschle <yves at rutschle.net>
 md5sums=('33e371c978614638b4c0db4e40afa5c4'
          'SKIP'
-         'd5405c7ca7e1813e4d49a473e5834640'
-         'f39544277a30595d4b7476b3f87ebbcf'
-         'e66490eacc9cb586e48e4e0562ac25e3'
-         '0f3f9e3ac2ac4b576d684b21b566aeb9'
-         '4e64f0850ec9bd44071ae8d5369316e5')
+         '67a119213538aabf5d70a756ae7a99d0'
+         'ecbb46c46874d7b620202926d36b8478'
+         '2b98633ee61bc5a809a4f75479628b2f'
+         'ca5ec0adf9149f1db4e09af659391659')
 
 build() {
   cd $pkgname-v$pkgver
-  #FIXME: https://github.com/yrutschle/sslh/issues/103
-  #export CFLAGS=''
   make VERSION=\"v$pkgver\" USELIBCAP=1 USESYSTEMD=1 all systemd-sslh-generator
 }
 
-#check() {
-#  cd $pkgname-v$pkgver
-#  make test
-#}
-
 package() {
   # default arch config
   install -Dm 644 sslh.cfg "$pkgdir/etc/sslh.cfg"
@@ -57,11 +48,10 @@
   install -Dm 644 basic.cfg "$pkgdir/usr/share/doc/$pkgname/basic.cfg"
   install -Dm 644 example.cfg "$pkgdir/usr/share/doc/$pkgname/example.cfg"
   # systemd
-  install -dm 755 "$pkgdir"/usr/lib/{systemd/system,sysusers.d}
+  install -dm 755 "$pkgdir"/usr/lib/systemd/{system,system-generators}
   install -Dm 755 systemd-sslh-generator "$pkgdir/usr/lib/systemd/system-generators/systemd-sslh-generator"
   cd "$pkgdir"
   install -Dm 644 "$srcdir"/sslh{,-fork,-select}.service usr/lib/systemd/system
-  install -Dm 644 "$srcdir"/sslh.sysusers usr/lib/sysusers.d/sslh.conf
 }
 
 # vim:set ts=2 sw=2 et:

Modified: sslh-fork.service
===================================================================
--- sslh-fork.service	2018-02-03 17:45:10 UTC (rev 288805)
+++ sslh-fork.service	2018-02-03 18:06:09 UTC (rev 288806)
@@ -1,11 +1,27 @@
 [Unit]
-Description=SSL/SSH multiplexer
+Description=SSL/SSH multiplexer (fork mode)
+Conflicts=sslh-select.service sslh.socket
 After=network.target
 
 [Service]
-ExecStart=/usr/bin/sslh-fork -F/etc/sslh.conf
+ExecStart=/usr/bin/sslh-fork --config --foreground
 KillMode=process
-PIDFile=/run/sslh.pid
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+PrivateTmp=true
+PrivateDevices=true
+SecureBits=noroot-locked
+MountFlags=private
+NoNewPrivileges=true
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+MemoryDenyWriteExecute=true
+User=sslh
+DynamicUser=true
 
 [Install]
 WantedBy=multi-user.target
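Review bot: `CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE` keeps two capabilities the process can no longer use: systemd now switches identity itself via `User=sslh`, the `user:` directive is dropped from sslh.cfg in this same commit, and `NoNewPrivileges=true` blocks re-acquiring anything through file capabilities, so CAP_SETUID/CAP_SETGID are dormant. Tightening to `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` makes it match `AmbientCapabilities=` and removes the implication that the daemon still drops privileges on its own. The same set is repeated in the sslh-select.service and sslh.service hunks below. Directives available in systemd at this time that the unit leaves out include `RestrictNamespaces=true`, `RestrictRealtime=true` and `SystemCallArchitectures=native`; they fit naturally next to `MemoryDenyWriteExecute=true`.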

Deleted: sslh-fork.service.next
===================================================================
--- sslh-fork.service.next	2018-02-03 17:45:10 UTC (rev 288805)
+++ sslh-fork.service.next	2018-02-03 18:06:09 UTC (rev 288806)
@@ -1,12 +0,0 @@
-[Unit]
-Description=SSL/SSH multiplexer (fork mode)
-Conflicts=sslh-select.service sslh.socket
-After=network.target
-
-[Service]
-ExecStart=/usr/bin/sslh-fork -F
-KillMode=process
-PIDFile=/run/sslh.pid
-
-[Install]
-WantedBy=multi-user.target

Modified: sslh-select.service
===================================================================
--- sslh-select.service	2018-02-03 17:45:10 UTC (rev 288805)
+++ sslh-select.service	2018-02-03 18:06:09 UTC (rev 288806)
@@ -1,10 +1,27 @@
 [Unit]
-Description=SSL/SSH multiplexer
+Description=SSL/SSH multiplexer (select mode)
+Conflicts=sslh-fork.service sslh.socket
 After=network.target
 
 [Service]
-ExecStart=/usr/bin/sslh-select -F/etc/sslh.conf
-PIDFile=/run/sslh.pid
+ExecStart=/usr/bin/sslh-select --config --foreground
+KillMode=process
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+PrivateTmp=true
+PrivateDevices=true
+SecureBits=noroot-locked
+MountFlags=private
+NoNewPrivileges=true
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+MemoryDenyWriteExecute=true
+User=sslh
+DynamicUser=true
 
 [Install]
 WantedBy=multi-user.target

Deleted: sslh-select.service.next
===================================================================
--- sslh-select.service.next	2018-02-03 17:45:10 UTC (rev 288805)
+++ sslh-select.service.next	2018-02-03 18:06:09 UTC (rev 288806)
@@ -1,11 +0,0 @@
-[Unit]
-Description=SSL/SSH multiplexer (select mode)
-Conflicts=sslh-fork.service sslh.socket
-After=network.target
-
-[Service]
-ExecStart=/usr/bin/sslh-select -F
-PIDFile=/run/sslh.pid
-
-[Install]
-WantedBy=multi-user.target

Modified: sslh.cfg
===================================================================
--- sslh.cfg	2018-02-03 17:45:10 UTC (rev 288805)
+++ sslh.cfg	2018-02-03 18:06:09 UTC (rev 288806)
@@ -1,19 +1,11 @@
 # Default Arch configuration
 # You can find more examples in /usr/share/doc/sslh
 
-verbose: false;
-foreground: true;
-inetd: false;
-numeric: false;
-transparent: false;
 timeout: 2;
-user: "sslh";
-pidfile: "/run/sslh.pid";
 
-
 listen:
 (
-    { host: "::0"; port: "443"; }
+    { host: "0.0.0.0"; port: "443"; }
 );
 
 protocols:
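Review bot: Changing the default listen host from `"::0"` to `"0.0.0.0"` drops IPv6 on dual-stack hosts, since a wildcard IPv6 socket also accepts IPv4 connections on Linux by default while the reverse does not hold; the commit message does not mention it, so it reads as an unintended regression in the shipped config. The new unit files still allow `AF_INET6` via `RestrictAddressFamilies=`, which suggests IPv6 was meant to keep working. If IPv4-only is deliberate, a comment above the `listen:` block such as `# IPv4 only by default; use "::0" for dual-stack` should say so; otherwise keep `::0`.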

Deleted: sslh.conf
===================================================================
--- sslh.conf	2018-02-03 17:45:10 UTC (rev 288805)
+++ sslh.conf	2018-02-03 18:06:09 UTC (rev 288806)
@@ -1,29 +0,0 @@
-# Default Arch configuration
-# You can find more examples in /usr/share/doc/sslh
-
-verbose: false;
-foreground: true;
-inetd: false;
-numeric: false;
-transparent: false;
-timeout: 2;
-user: "sslh";
-pidfile: "/run/sslh.pid";
-
-
-listen:
-(
-    { host: "::0"; port: "443"; }
-);
-
-protocols:
-(
-     { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; probe: "builtin"; },
-     { name: "openvpn"; host: "localhost"; port: "1194"; probe: "builtin"; },
-     { name: "xmpp"; host: "localhost"; port: "5222"; probe: "builtin"; },
-     { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; },
-     { name: "ssl"; host: "localhost"; port: "8443"; probe: "builtin"; },
-     { name: "anyprot"; host: "localhost"; port: "8443"; probe: "builtin"; }
-);
-
-# vim:set ts=4 sw=4 et:

Modified: sslh.install
===================================================================
--- sslh.install	2018-02-03 17:45:10 UTC (rev 288805)
+++ sslh.install	2018-02-03 18:06:09 UTC (rev 288806)
@@ -16,7 +16,10 @@
   if (( "$(vercmp $2 1.19b)" < 0 )); then
     cat << EOF
 ===> Default config path is now /etc/sslh.cfg (as required by systemd generator)
-===> Rename your /etc/sslh.conf into /etc/sslh.cfg
+=====> Rename your /etc/sslh.conf into /etc/sslh.cfg
+===> sslh unit files security has been improved.
+=====> You may need to remove the PIDfile option in your /etc/sslh.cfg.
+===> sslh user is now created at unit startup (via DynamicUser)
 EOF
   fi
 }
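Review bot: The upgrade notice mentions the `pidfile` option but not `user`, which this commit also removes from the shipped sslh.cfg now that the unit sets `User=sslh` with `DynamicUser=true`; a migrated /etc/sslh.cfg that still carries `user: "sslh"` is at best redundant, so the notice should tell users it can go. A line such as `=====> The user option in /etc/sslh.cfg is no longer needed (the unit sets User=sslh).` after the pidfile line would cover it. The wording `sslh unit files security has been improved.` reads better as `Security hardening of the sslh unit files has been improved.`. The enclosing function starts outside the hunk.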

Modified: sslh.service
===================================================================
--- sslh.service	2018-02-03 17:45:10 UTC (rev 288805)
+++ sslh.service	2018-02-03 18:06:09 UTC (rev 288806)
@@ -5,11 +5,21 @@
 PartOf=sslh.socket
 
 [Service]
-ExecStart=/usr/bin/sslh -F -f -P/tmp/pid
+ExecStart=/usr/bin/sslh --config --foreground
 KillMode=process
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SETGID CAP_SETUID
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
 PrivateTmp=true
 PrivateDevices=true
-ProtectSystem=full
-ProtectHome=true
+SecureBits=noroot-locked
+MountFlags=private
+NoNewPrivileges=true
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+MemoryDenyWriteExecute=true
 User=sslh
+DynamicUser=true
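Review bot: The new `CapabilityBoundingSet=` line drops `CAP_NET_ADMIN`, which the previous unit carried and which sslh's transparent proxy mode relies on for `IP_TRANSPARENT` sockets; a user who enables `transparent: true` in /etc/sslh.cfg will now get a permission error at startup with no hint in the upgrade notice. The tightening is right for the default config, but it should be documented: a comment in the unit such as `# transparent mode needs CAP_NET_ADMIN in CapabilityBoundingSet= and AmbientCapabilities= (add via a drop-in)`, or an equivalent line in the sslh.install notice. As noted on the sslh-fork.service hunk, `CAP_SETGID CAP_SETUID` in the same line are no longer used once `User=` does the identity switch.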


