[arch-commits] Commit in icecast/trunk (5 files)

David Runge dvzrv at archlinux.org
Thu Aug 6 08:42:27 UTC 2020


    Date: Thursday, August 6, 2020 @ 08:42:26
  Author: dvzrv
Revision: 670679

upgpkg: icecast 2.4.4-2: Rebuild to fix service.

Switch to correct license (GPL2).
Add sodeps in package() and add the respective packages in makedepends.
Remove patch modifying the default configuration file (it forces running the service as root just to drop privileges to nobody, which should never be used for a service like this).
Run autoreconf in prepare().
Remove log directory creation and (broken) ownership change from package() (FS#67487).
Add sysusers.d and tmpfiles.d integration for the systemd service and less permissive access rights for the configuration file.
Harden the systemd service and run it as its own user (icecast).
Update maintainer info.

Added:
  icecast/trunk/icecast.sysusers
  icecast/trunk/icecast.tmpfiles
Modified:
  icecast/trunk/PKGBUILD
  icecast/trunk/icecast.service
Deleted:
  icecast/trunk/start-by-nobody.patch

-----------------------+
 PKGBUILD              |   74 +++++++++++++++++++++++++++++-------------------
 icecast.service       |   35 ++++++++++++++++++++++
 icecast.sysusers      |    1 
 icecast.tmpfiles      |    1 
 start-by-nobody.patch |   15 ---------
 5 files changed, 81 insertions(+), 45 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2020-08-06 08:41:55 UTC (rev 670678)
+++ PKGBUILD	2020-08-06 08:42:26 UTC (rev 670679)
@@ -1,4 +1,5 @@
-# Maintainer: Lukas Fleischer <lfleischer at archlinux.org>
+# Maintainer: David Runge <dvzrv at archlinux.org>
+# Contributor: Lukas Fleischer <lfleischer at archlinux.org>
 # Contributor: Andrea Scarpino <andrea at archlinux.org>
 # Contributor: Andreas Radke <andyrtr at archlinux.org>
 # Contributor: Jason Chu <jchu at xentac.net>
@@ -5,43 +6,58 @@
 
 pkgname=icecast
 pkgver=2.4.4
-pkgrel=1
+pkgrel=2
 pkgdesc='Streaming audio over the Internet'
 arch=('x86_64')
-license=('GPL')
-url='https://www.icecast.org/'
-depends=('libxslt' 'libvorbis' 'curl' 'speex' 'libtheora' 'libkate')
+license=('GPL2')
+url="https://www.icecast.org/"
+depends=('glibc' 'libkate' 'libxml2' 'libxslt' 'openssl' 'speex' 'libtheora')
+makedepends=('curl' 'libogg' 'libvorbis')
 backup=('etc/icecast.xml'
         'etc/logrotate.d/icecast')
-source=("https://downloads.us.xiph.org/releases/${pkgname}/${pkgname}-${pkgver}.tar.gz"
-        'icecast.logrotate'
-        'start-by-nobody.patch'
-        'icecast.service')
-md5sums=('835c7b571643f6436726a6118defb366'
-         '59c6552bcb1dd9fb542af8670dfabd3c'
-         'd8e929d2214123a1954da4383bf16583'
-         '0753c15f01dc14852e5d70925fc1f6a0')
+source=(
+  "https://downloads.us.xiph.org/releases/${pkgname}/${pkgname}-${pkgver}.tar.gz"
+  "${pkgname}.logrotate"
+  "${pkgname}.service"
+  "${pkgname}.sysusers"
+  "${pkgname}.tmpfiles"
+)
+sha512sums=('e9ffb478cac2570891787455591d881a59185e067bb36f51706a7070cd9d82d80425ec8cf151f5ebb17d1b75654449fc760f8b82a1bb05f020b47ec09e46b4d0'
+            '1727ec4e66ce2939a6b66c23b2f0938e2e6c717d2753f4d8c05eb31ff211d50f7ce3d38b8fca93b8cb98c1b755a5d8e3baf381fe8eb0624e7e4fe9c7486ad14a'
+            'debfd3e609d97b3e1297645aaaae2f98851304c02ccaf791d339c40ad4ba02dfaf3dbcff6c455a80a8ad610c53ca388e66922221a3b8d9c2171ff5ea031a4bc1'
+            'ca0c6e81e84910ac5bcd573aa280224426201b4aa8580f974b17daea6f95472e3ba47b3319ea1291d6762e858a3f7e9120f05357fe02aa83f01bb767862a04c8'
+            'db3cf00e5ff1e2f5636288992212964f068f94ee98a880c27f00afda44f048e608636a34f2ae551f3cf24f7c43ebd2f40ab8a9bcc5d8057901d4a871c6b79f13')
+b2sums=('fd4034749feb4bf38c684ac6d8de572fdebce875843dc1be286264c8fe8d38feb24ea889b07ec79aada34cf16dae46eb21a8c5470f67c08f2dd56dc04c12130f'
+        '9d4897d84c4be355b04c542fcf5242d5341634eefb0ca8233f8bf944e208f4ba3a2855a922639979541ec55280cdbebbebedb2a3b8a59289d19803bf7d3cdc11'
+        '65bbb1c6e601b92952f7c3ad318ed320eabd6443f6c6f16625fa28ffe1c4977094067169c89564c911673c4a7b881ee86d6dd792eced4ff3f36066ff26db4218'
+        '61c3194a0ca86f19bd4d8153eb3589f0b400549605b588418bc60a5f8a70198d1532f53ca48070385012ef8346bed69b5e1b53d2cf2b803da921414365394224'
+        'b17bf9b34daa89e32a41be3364ca74f8d2403bc8f6a103e4db51c637b42f9cd0841553b2838ce9dcdb91c3561249f13fca39359636c07f163c90de3945bf1784')
 
+prepare() {
+  cd "${pkgname}-${pkgver}"
+  autoreconf -vfi
+}
+
 build() {
-  cd "${srcdir}/${pkgname}-${pkgver}"
-
-  patch -Np1 -i "${srcdir}/start-by-nobody.patch"
-
-  ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
+  cd "${pkgname}-${pkgver}"
+  ./configure --prefix=/usr \
+              --sysconfdir=/etc \
+              --localstatedir=/var
   make
 }
 
 package() {
-  cd "${srcdir}/${pkgname}-${pkgver}"
-
+  depends+=('libcurl.so' 'libogg.so' 'libvorbis.so')
+  cd "${pkgname}-${pkgver}"
   make DESTDIR="${pkgdir}" install
-
-  # install logrotate config (taken from Fedora)
-  install -Dm644 "${srcdir}/icecast.logrotate" "${pkgdir}/etc/logrotate.d/icecast"
-
-  # create log directory
-  install -d -g99 -o99 "${pkgdir}/var/log/icecast"
-
-  # install systemd unit
-  install -Dm0644 "${srcdir}/icecast.service" "${pkgdir}/usr/lib/systemd/system/icecast.service"
+  # logrotate
+  install -vDm 644 "../${pkgname}.logrotate" \
+    "${pkgdir}/etc/logrotate.d/${pkgname}"
+  # systemd unit
+  install -vDm 644 "../${pkgname}.service" \
+    -t "${pkgdir}/usr/lib/systemd/system"
+  install -vDm 644 "../${pkgname}.sysusers" \
+    "${pkgdir}/usr/lib/sysusers.d/${pkgname}.conf"
+  install -vDm 644 "../${pkgname}.tmpfiles" \
+    "${pkgdir}/usr/lib/tmpfiles.d/${pkgname}.conf"
 }
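Review bot: The logrotate snippet installed in package() (`../${pkgname}.logrotate`) may no longer match the owner of the log directory. This commit drops the `install -d -g99 -o99` directory in favour of `LogsDirectory=icecast`, which will belong to the new icecast user, but the logrotate file itself is not modified. That file is not shown here, so this is a request to check rather than a finding: any `create` owner/group in it should name the new user, and a `su icecast icecast` directive would stop root's logrotate from working with full privileges inside a directory the service user controls. A comment above the install line, e.g. `# logrotate: rotates /var/log/icecast, owned by the icecast user via LogsDirectory=`, would record the coupling between the two files.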

Modified: icecast.service
===================================================================
--- icecast.service	2020-08-06 08:41:55 UTC (rev 670678)
+++ icecast.service	2020-08-06 08:42:26 UTC (rev 670679)
@@ -3,9 +3,42 @@
 After=network.target
 
 [Service]
-Type=simple
+CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_KILL CAP_SYS_BOOT CAP_LINUX_IMMUTABLE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_IPC_LOCK CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_SYS_PACCT CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM CAP_SYS_NICE CAP_SYS_RESOURCE CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
 ExecStart=/usr/bin/icecast -c /etc/icecast.xml
 ExecReload=/usr/bin/kill -HUP $MAINPID
+Group=icecast
+IPAccounting=yes
+LogsDirectory=icecast
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/etc/icecast.xml
+RemoveIPC=true
+RestrictAddressFamilies=~AF_AX25 AF_IPX AF_APPLETALK AF_X25 AF_INET6 AF_DECnet AF_KEY AF_NETLINK AF_PACKET AF_RDS AF_PPPOX AF_LLC AF_IB AF_MPLS AF_CAN AF_TIPC AF_BLUETOOTH AF_ALG AF_VSOCK AF_KCM AF_XDP AF_UNIX
+RestrictAddressFamilies=AF_INET
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RuntimeDirectory=icecast
+StandardError=syslog
+StateDirectory=icecast
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+Type=exec
+UMask=177
+User=icecast
 
 [Install]
 WantedBy=multi-user.target
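Review bot: Both `~` lists in [Service] are deny lists, so anything they do not enumerate stays allowed. The `CapabilityBoundingSet=~…` line leaves every capability it does not name (and any added by later kernels) in the bounding set. As far as I read systemd.exec(5), the trailing `RestrictAddressFamilies=AF_INET` is merged into the preceding `~` list rather than replacing it, so the result is still a deny list and not an allow list. Since the unit now runs as `User=icecast` with `NoNewPrivileges=true`, the allow-list forms state the same intent more tightly: `CapabilityBoundingSet=` (empty set) and a single `RestrictAddressFamilies=AF_INET`. AF_INET6 is excluded either way, so an IPv6 listener configured in icecast.xml would fail to bind; if that is deliberate, a `# IPv4 only` comment would say so, otherwise add `AF_INET6` to the allow list.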

Added: icecast.sysusers
===================================================================
--- icecast.sysusers	                        (rev 0)
+++ icecast.sysusers	2020-08-06 08:42:26 UTC (rev 670679)
@@ -0,0 +1 @@
+u icecast - "Media streaming server" -

Added: icecast.tmpfiles
===================================================================
--- icecast.tmpfiles	                        (rev 0)
+++ icecast.tmpfiles	2020-08-06 08:42:26 UTC (rev 670679)
@@ -0,0 +1 @@
+z /etc/icecast.xml 0640 root icecast -
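Review bot: The `z` rule tightens /etc/icecast.xml only when systemd-tmpfiles runs; the copy shipped in the package keeps whatever mode `make DESTDIR="${pkgdir}" install` gives it, presumably world-readable, and a later .pacnew would get that mode too. As icecast.xml normally holds the source, relay and admin passwords, it would be safer to restrict the packaged file as well, e.g. `chmod 600 "${pkgdir}/etc/icecast.xml"` in package(), so that this rule only ever widens access to the icecast group. A comment line in this file such as `# config holds stream credentials: root-owned, readable by group icecast only` would explain why the rule exists.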

Deleted: start-by-nobody.patch
===================================================================
--- start-by-nobody.patch	2020-08-06 08:41:55 UTC (rev 670678)
+++ start-by-nobody.patch	2020-08-06 08:42:26 UTC (rev 670679)
@@ -1,15 +0,0 @@
---- icecast-2.3.2/conf/icecast.xml.in~	2010-11-12 16:47:54.750000918 +0100
-+++ icecast-2.3.2/conf/icecast.xml.in	2010-11-12 16:48:08.086667585 +0100
-@@ -164,11 +164,9 @@
- 
-     <security>
-         <chroot>0</chroot>
--        <!--
-         <changeowner>
-             <user>nobody</user>
--            <group>nogroup</group>
-+            <group>nobody</group>
-         </changeowner>
--        -->
-     </security>
- </icecast>


