[arch-commits] Commit in nsd/trunk (7 files)

Bruno Pagani archange at archlinux.org
Sat Feb 6 12:39:07 UTC 2021


    Date: Saturday, February 6, 2021 @ 12:39:07
  Author: archange
Revision: 846613

upgpkg: nsd 4.3.5-1

Upstream upgrade + PKGBUILD overhaul
Includes hardening of systemd service

Added:
  nsd/trunk/nsd.service
    (from rev 846612, nsd/trunk/service)
  nsd/trunk/nsd.sysusers
    (from rev 846612, nsd/trunk/sysusers.d)
  nsd/trunk/nsd.tmpfiles
    (from rev 846612, nsd/trunk/tmpfiles.d)
Modified:
  nsd/trunk/PKGBUILD
Deleted:
  nsd/trunk/service
  nsd/trunk/sysusers.d
  nsd/trunk/tmpfiles.d

--------------+
 PKGBUILD     |   83 ++++++++++++++++++++++++++++++---------------------------
 nsd.service  |   39 ++++++++++++++++++++++++++
 nsd.sysusers |    1 
 nsd.tmpfiles |    1 
 service      |   13 --------
 sysusers.d   |    1 
 tmpfiles.d   |    2 -
 7 files changed, 86 insertions(+), 54 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2021-02-06 12:39:05 UTC (rev 846612)
+++ PKGBUILD	2021-02-06 12:39:07 UTC (rev 846613)
@@ -1,53 +1,60 @@
-# Maintaier:
+# Maintainer: Bruno Pagani <archange at archlinux.org>
 # Contributor: Gaetan Bisson <bisson at archlinux.org>
 # Contributor: Kaiting Chen <kaitocracy at gmail.com>
 # Contributor: Roberto Alsina <ralsina at kde.org>
 
 pkgname=nsd
-pkgver=4.3.4
+pkgver=4.3.5
 pkgrel=1
-pkgdesc='Authoritative only, high performance and simple DNS server'
-url='https://www.nlnetlabs.nl/nsd/'
-license=('BSD')
-arch=('x86_64')
-depends=('openssl' 'libevent')
-makedepends=('flex')
-validpgpkeys=('EDFAA3F2CA4E6EB05681AF8E9F6F1C2D7E045F8D'
-              'C3E356788FAD0179D872D092BA811E62E7194568')
+pkgdesc="Authoritative only, high performance and simple DNS server"
+arch=(x86_64)
+url="https://www.nlnetlabs.nl/nsd/"
+license=(BSD)
+depends=(openssl libevent fstrm protobuf-c systemd-libs)
+makedepends=(systemd)
+validpgpkeys=(EDFAA3F2CA4E6EB05681AF8E9F6F1C2D7E045F8D  # W.C.A. Wijngaards <wouter at nlnetlabs.nl>
+              C3E356788FAD0179D872D092BA811E62E7194568)
 source=("https://www.nlnetlabs.nl/downloads/${pkgname}/${pkgname}-${pkgver}.tar.gz"{,.asc}
-        'tmpfiles.d'
-        'sysusers.d'
-        'service')
-sha256sums=('3be834a97151a7ba8185e46bc37ff12c2f25f399755ae8a2d0e3711801528b50'
+        nsd.service
+        nsd.sysusers
+        nsd.tmpfiles)
+sha256sums=('7da2b43e30b3d7f307722c608f719bfb169f0d985c764a34fa0669dc33484472'
             'SKIP'
-            '0be5badb996297150da49b4c655d801bfba76fd8d7785e0899184c130630fe66'
-            '6490660d5d4b3e28e16d73e50e35a786a41149917999939fac461ebc60465c79'
-            '5ec7616df32c29ddec25a6ec772db5053e234410cf1042f2945d0f554b1f9b65')
+            'af6935d55916b186d0aa8baf59ad6cb531bb000189cc9fd240ef95272b80bf8c'
+            '12ce2a05fbb23bb38c31933530a7773f796e250691843b9da76f178f5e7c94f5'
+            '07a31cecdc787c7ef44018dfc696115bd7b5d44b6e93f56c6c08ed0887d51579')
 
+prepare() {
+  cd ${pkgname}-${pkgver}
+  autoreconf -vfi
+}
+
 build() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
-	./configure \
-		--prefix=/ \
-		--sbindir=/usr/bin \
-		--datarootdir=/usr/share \
-		--with-pidfile=/run/nsd/nsd.pid \
-		--enable-ratelimit \
-		--enable-relro-now \
-		--enable-pie \
-
-	make
+  cd ${pkgname}-${pkgver}
+  ./configure \
+    --prefix=/ \
+    --sbindir=/usr/bin \
+    --datarootdir=/usr/share \
+    --with-pidfile=/run/nsd/nsd.pid \
+    --enable-ratelimit \
+    --enable-relro-now \
+    --enable-pie \
+    --enable-dnstap \
+    --enable-systemd \
+    --enable-tcp-fastopen
+  make
 }
 
 package() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
-	make DESTDIR="${pkgdir}" install
-	rmdir "${pkgdir}"/{tmp,run/{nsd,}}
+  cd ${pkgname}-${pkgver}
+  make DESTDIR="${pkgdir}" install
+  rmdir "${pkgdir}"/{tmp,run{/nsd,},var{/db{/nsd,},}}
 
-	rm doc/differences.pdf
-	install -d "${pkgdir}"/usr/share/{doc,licenses}/"${pkgname}"
-	install -m644 doc/* "${pkgdir}"/usr/share/doc/"${pkgname}"
-	ln -s ../../doc/"${pkgname}"/LICENSE "${pkgdir}"/usr/share/licenses/"${pkgname}"/LICENSE
-	install -Dm644 ../service "${pkgdir}"/usr/lib/systemd/system/nsd.service
-	install -Dm644 ../tmpfiles.d "${pkgdir}"/usr/lib/tmpfiles.d/nsd.conf
-	install -Dm644 ../sysusers.d "${pkgdir}"/usr/lib/sysusers.d/nsd.conf
+  rm doc/differences.pdf
+  install -d "${pkgdir}"/usr/share/{doc,licenses}/"${pkgname}"
+  install -m644 doc/* "${pkgdir}"/usr/share/doc/"${pkgname}"
+  ln -s ../../doc/"${pkgname}"/LICENSE "${pkgdir}"/usr/share/licenses/"${pkgname}"/LICENSE
+  install -Dm644 ../nsd.service -t "${pkgdir}"/usr/lib/systemd/system/
+  install -Dm644 ../nsd.sysusers "${pkgdir}"/usr/lib/sysusers.d/nsd.conf
+  install -Dm644 ../nsd.tmpfiles "${pkgdir}"/usr/lib/tmpfiles.d/nsd.conf
 }
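Review bot: The second fingerprint in `validpgpkeys` (`C3E356788FAD0179D872D092BA811E62E7194568`) has no owner comment while the first one now does, so a reader auditing the PKGBUILD cannot tell whose signature is accepted for the release tarball. Add a trailing comment such as `# <key owner name and address>` once the owner has been confirmed against upstream's published signing keys. Separately, build() now passes `--enable-systemd`, but the nsd.service added in this same commit sets no `Type=`. If that flag provides sd_notify readiness signalling, it goes unused under the default service type, and `Type=notify` in the unit would pair with it.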

Copied: nsd/trunk/nsd.service (from rev 846612, nsd/trunk/service)
===================================================================
--- nsd.service	                        (rev 0)
+++ nsd.service	2021-02-06 12:39:07 UTC (rev 846613)
@@ -0,0 +1,39 @@
+[Unit]
+Description=Name Server Daemon
+After=network.target
+
+[Service]
+User=nsd
+Group=nsd
+PermissionsStartOnly=true
+WorkingDirectory=~
+RuntimeDirectory=nsd
+ReadWritePaths=/var/db/nsd
+PIDFile=/run/nsd/nsd.pid
+ExecStart=/usr/bin/nsd -d -c /etc/nsd/nsd.conf
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill -TERM $MAINPID
+Restart=always
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+NoNewPrivileges=True
+#SecureBits=noroot-locked
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
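Review bot: The unit sets `User=nsd` and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` but no `AmbientCapabilities=`, so the daemon starts as an unprivileged user that holds no capabilities; the bounding set only limits what could be acquired, it grants nothing. Unless nsd.conf moves the listener above port 1023, binding port 53 would be expected to fail, and `AmbientCapabilities=CAP_NET_BIND_SERVICE` is the directive that grants it. `PrivateUsers=true` should be checked as well, because it leaves the process with no capabilities in the host user namespace, which is the one that owns the network namespace here, so it probably has to go if the daemon binds the port itself. The sandbox also leaves `RestrictAddressFamilies=` and `RestrictNamespaces=` unset; `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` and `RestrictNamespaces=true` look like a fit for an authoritative DNS server, to be confirmed against the dnstap and control-socket configuration.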

Copied: nsd/trunk/nsd.sysusers (from rev 846612, nsd/trunk/sysusers.d)
===================================================================
--- nsd.sysusers	                        (rev 0)
+++ nsd.sysusers	2021-02-06 12:39:07 UTC (rev 846613)
@@ -0,0 +1 @@
+u nsd - "Name Server Daemon"

Copied: nsd/trunk/nsd.tmpfiles (from rev 846612, nsd/trunk/tmpfiles.d)
===================================================================
--- nsd.tmpfiles	                        (rev 0)
+++ nsd.tmpfiles	2021-02-06 12:39:07 UTC (rev 846613)
@@ -0,0 +1 @@
+d /var/db/nsd 0700 nsd nsd

Deleted: service
===================================================================
--- service	2021-02-06 12:39:05 UTC (rev 846612)
+++ service	2021-02-06 12:39:07 UTC (rev 846613)
@@ -1,13 +0,0 @@
-[Unit]
-Description=NSD Name Server Daemon
-After=network.target
-
-[Service]
-PIDFile=/run/nsd/nsd.pid
-ExecStart=/usr/bin/nsd -d -c /etc/nsd/nsd.conf
-ExecReload=/bin/kill -HUP $MAINPID
-ExecStop=/bin/kill -TERM $MAINPID
-Restart=always
-
-[Install]
-WantedBy=multi-user.target

Deleted: sysusers.d
===================================================================
--- sysusers.d	2021-02-06 12:39:05 UTC (rev 846612)
+++ sysusers.d	2021-02-06 12:39:07 UTC (rev 846613)
@@ -1 +0,0 @@
-u nsd - - /dev/null

Deleted: tmpfiles.d
===================================================================
--- tmpfiles.d	2021-02-06 12:39:05 UTC (rev 846612)
+++ tmpfiles.d	2021-02-06 12:39:07 UTC (rev 846613)
@@ -1,2 +0,0 @@
-d /run/nsd 0755 nsd nsd
-z /var/db/nsd 0700 nsd nsd


