[evolvis-commits] r18412: evolvis-auth pending merges:

mirabilos at evolvis.org
Wed May 16 12:26:44 CEST 2012


Author: mirabilos
Date: 2012-05-16 12:26:44 +0200 (Wed, 16 May 2012)
New Revision: 18412

Modified:
   trunk/gforge_base/evolvisforge-5.1/anonsvnsh/anoncvssh.c
   trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/changelog
   trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/control
   trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/copyright
   trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/evolvis-anonsvnsh-chroot.dirs
   trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/evolvis-anonsvnsh.dirs
   trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/lintian/evolvis-anonsvnsh
   trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/lintian/evolvis-anonsvnsh-chroot
   trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/rules
   trunk/gforge_base/evolvisforge-5.1/src/common/include/account.php
Log:
evolvis-auth pending merges:
  Thorsten Glaser 2012-05-16 bump S-V and beat lintian into submission
    Thorsten Glaser 2012-05-16 move priority to extra
    Thorsten Glaser 2012-05-16 hook up explicit dochroot/nochroot flavours of anonsvnsh
    Thorsten Glaser 2012-05-16 update descriptions, VCS links
    Thorsten Glaser 2012-05-16 lintian rework
    Thorsten Glaser 2012-05-14 part of anonsvnsh rework:
    Thorsten Glaser 2012-05-14 fix some warnings (for unknown reasons, Debian builds with -Werror)

Modified: trunk/gforge_base/evolvisforge-5.1/anonsvnsh/anoncvssh.c
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/anonsvnsh/anoncvssh.c	2012-05-16 10:26:40 UTC (rev 18411)
+++ trunk/gforge_base/evolvisforge-5.1/anonsvnsh/anoncvssh.c	2012-05-16 10:26:44 UTC (rev 18412)
@@ -1,7 +1,7 @@
 /* $MirOS: src/libexec/anoncvssh/anoncvssh.c,v 1.9 2008/06/07 20:25:43 tg Exp $ */
 
 /*-
- * Copyright (c) 2010, 2011
+ * Copyright (c) 2010, 2011, 2012
  *	Thorsten Glaser <t.glaser at tarent.de>
  * Copyright (c) 2007
  *	Thorsten Glaser <t.glaser at aurisp.de>
@@ -214,7 +214,14 @@
 		exit(1);
 	}
 #endif
-	chdir(homedir);
+	if (chdir(homedir)) {
+		perror(homedir);
+		fprintf(stderr, "trying to chdir / instead\n");
+		if (chdir("/")) {
+			perror("chdir");
+			exit(1);
+		}
+	}
 
 #ifdef DEBUG
 	/* log someone is there */
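
Review bot: the fallback at "if (chdir("/"))" lets the session continue in "/" after the home directory could not be entered, and in the NO_CHROOT=Yes build from debian/rules that is the host's real root directory. For a setuid-root restricted shell I would fail closed here: keep the perror(homedir) and exit(1), or compile the "/" fallback only into the chrooting flavour. If the fallback stays, the inner perror("chdir") should name "/" so the log shows which of the two calls failed.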

Modified: trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/changelog
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/changelog	2012-05-16 10:26:40 UTC (rev 18411)
+++ trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/changelog	2012-05-16 10:26:44 UTC (rev 18412)
@@ -1,8 +1,12 @@
-evolvis-anonsvnsh (20120511) unstable; urgency=low
+evolvis-anonsvnsh (20120516) unstable; urgency=low
 
-  * Rebuild to use anonsvnsh from 5.1 tree
+  * Install anonsvnsh.dochroot and anonsvnsh.nochroot into both packages
+    and link the “correct” one for each package as anonsvnsh
+  * Modernise rules; use full hardening flags
+  * Fix warnings
+  * Policy 3.9.3.1
 
- -- Thorsten Glaser <t.glaser at tarent.de>  Fri, 11 May 2012 17:19:56 +0200
+ -- Thorsten Glaser <t.glaser at tarent.de>  Wed, 16 May 2012 11:52:26 +0200
 
 evolvis-anonsvnsh (20110920) unstable; urgency=low
 
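
Review bot: "Fix warnings" undersells the anoncvssh.c change, which alters behaviour (a failed chdir to the home directory now falls back to "/"), and the entry does not list the switch from Priority: optional to extra made in debian/control. Both deserve their own changelog bullets so that an admin reading the changelog sees them.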

Modified: trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/control
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/control	2012-05-16 10:26:40 UTC (rev 18411)
+++ trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/control	2012-05-16 10:26:44 UTC (rev 18412)
@@ -1,21 +1,24 @@
 Source: evolvis-anonsvnsh
 Section: shells
-Priority: optional
+Priority: extra
 Maintainer: Thorsten Glaser <t.glaser at tarent.de>
 Build-Depends: debhelper (>= 5), pmake
-Standards-Version: 3.8.0
-Vcs-SVN: svn://svn.evolvis.org/svnroot/evolvis/trunk/gforge_base/evolvisforge/anonsvnsh/
-Vcs-Browser: https://evolvis.org/plugins/scmsvn/viewcvs.php/trunk/gforge_base/evolvisforge/anonsvnsh/?root=evolvis
+Standards-Version: 3.9.3
+Vcs-SVN: svn://evolvis.org/scmrepos/svn/evolvis/trunk/gforge_base/evolvisforge-5.1/anonsvnsh/
+Vcs-Browser: https://evolvis.org/scm/viewvc.php/trunk/gforge_base/evolvisforge-5.1/anonsvnsh/?root=evolvis
 
 Package: evolvis-anonsvnsh
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Description: restricted user shell for git/SFTP/svn only access
- /lib/anonsvnsh provides a binary that can be used as a user’s
- login shell and restricts them to only access the system via
- SFTP and Subversion.
+ This package as well as its brother evolvis-anonsvnsh-chroot
+ provides /bin/anonsvnsh.dochroot and anonsvnsh.nochroot
+ which can be used as a user’s login shell and restrict
+ them to only access the system via SFTP, Subversion and git.
  .
- This flavour does NOT chroot. Commit mail scripts will work.
+ This package installs /lib/anonsvnsh as a symbolic link
+ to /bin/anonsvnsh.nochroot which does NOT chroot.
+ Hence, commit mail scripts will work.
 
 Package: evolvis-anonsvnsh-chroot
 Architecture: any
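
Review bot: in the new Description the second path is written as "anonsvnsh.nochroot" without the /bin/ prefix that the first one carries; spell out /bin/anonsvnsh.nochroot, since these strings end up as login shells in passwd. The Priority change to extra also has no stated reason anywhere in the patch.
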
@@ -24,12 +27,15 @@
 Conflicts: evolvis-anonsvnsh
 Replaces: evolvis-anonsvnsh
 Description: restricted user shell for git/SFTP/svn only access with chroot
- /lib/anonsvnsh provides a binary that can be used as a user’s
- login shell and restricts them to only access the system via
- SFTP and Subversion.
+ This package as well as its brother evolvis-anonsvnsh
+ provides /bin/anonsvnsh.dochroot and anonsvnsh.nochroot
+ which can be used as a user’s login shell and restrict
+ them to only access the system via SFTP, Subversion and git.
  .
- This flavour chroots into /var/lib/gforge/chroot before passing
- control to the SFTP or Subversion application.
+ This package installs /lib/anonsvnsh as a symbolic link
+ to /bin/anonsvnsh.dochroot which does in fact chroot
+ into /var/lib/gforge/chroot before passing control to the
+ SFTP, git or Subversion application.
  .
  Note that commit hooks, such as post-commit/receive-pack mailings,
  probably will not be able to run within the chroot (without further
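
Review bot: the Description for evolvis-anonsvnsh-chroot now says the package also provides /bin/anonsvnsh.nochroot but does not say what that means for an admin who installs this package to get confinement: a non-chrooting shell is present as well, and per the lintian overrides it is setuid root. Add a sentence stating that only /lib/anonsvnsh and /bin/anonsvnsh.dochroot chroot, and that accounts must not be given the .nochroot path if chrooting is required.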

Modified: trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/copyright
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/copyright	2012-05-16 10:26:40 UTC (rev 18411)
+++ trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/copyright	2012-05-16 10:26:44 UTC (rev 18412)
@@ -4,7 +4,7 @@
 Licence:
 
 
-Copyright (c) 2010, 2011
+Copyright (c) 2010, 2011, 2012
 	Thorsten Glaser <t.glaser at tarent.de>
 Copyright (c) 2007
 	Thorsten Glaser <t.glaser at aurisp.de>

Modified: trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/evolvis-anonsvnsh-chroot.dirs
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/evolvis-anonsvnsh-chroot.dirs	2012-05-16 10:26:40 UTC (rev 18411)
+++ trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/evolvis-anonsvnsh-chroot.dirs	2012-05-16 10:26:44 UTC (rev 18412)
@@ -1 +1,2 @@
+bin
 lib

Modified: trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/evolvis-anonsvnsh.dirs
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/evolvis-anonsvnsh.dirs	2012-05-16 10:26:40 UTC (rev 18411)
+++ trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/evolvis-anonsvnsh.dirs	2012-05-16 10:26:44 UTC (rev 18412)
@@ -1 +1,2 @@
+bin
 lib

Modified: trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/lintian/evolvis-anonsvnsh
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/lintian/evolvis-anonsvnsh	2012-05-16 10:26:40 UTC (rev 18411)
+++ trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/lintian/evolvis-anonsvnsh	2012-05-16 10:26:44 UTC (rev 18412)
@@ -1,2 +1,9 @@
 # by design
-evolvis-anonsvnsh: setuid-binary lib/anonsvnsh 4755 root/root
+evolvis-anonsvnsh: binary-without-manpage bin/anonsvnsh.dochroot
+evolvis-anonsvnsh: binary-without-manpage bin/anonsvnsh.nochroot
+evolvis-anonsvnsh: setuid-binary bin/anonsvnsh.dochroot 4755 root/root
+evolvis-anonsvnsh: setuid-binary bin/anonsvnsh.nochroot 4755 root/root
+
+# false positive (these are PIE executables)
+evolvis-anonsvnsh: shared-lib-without-dependency-information bin/anonsvnsh.dochroot
+evolvis-anonsvnsh: shared-lib-without-dependency-information bin/anonsvnsh.nochroot
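
Review bot: the "# by design" comment now covers four overrides, two of them "setuid-binary ... 4755 root/root", so each package ships two setuid-root executables where it had one, and lintian will no longer flag either. Give the setuid overrides their own comment saying why both flavours must be setuid root in both packages, and move the binary-without-manpage lines under a separate comment, since a missing manpage is not the same kind of design decision. The same applies to the identical override file for evolvis-anonsvnsh-chroot.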

Modified: trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/lintian/evolvis-anonsvnsh-chroot
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/lintian/evolvis-anonsvnsh-chroot	2012-05-16 10:26:40 UTC (rev 18411)
+++ trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/lintian/evolvis-anonsvnsh-chroot	2012-05-16 10:26:44 UTC (rev 18412)
@@ -1,2 +1,9 @@
 # by design
-evolvis-anonsvnsh-chroot: setuid-binary lib/anonsvnsh 4755 root/root
+evolvis-anonsvnsh-chroot: binary-without-manpage bin/anonsvnsh.dochroot
+evolvis-anonsvnsh-chroot: binary-without-manpage bin/anonsvnsh.nochroot
+evolvis-anonsvnsh-chroot: setuid-binary bin/anonsvnsh.dochroot 4755 root/root
+evolvis-anonsvnsh-chroot: setuid-binary bin/anonsvnsh.nochroot 4755 root/root
+
+# false positive (these are PIE executables)
+evolvis-anonsvnsh-chroot: shared-lib-without-dependency-information bin/anonsvnsh.dochroot
+evolvis-anonsvnsh-chroot: shared-lib-without-dependency-information bin/anonsvnsh.nochroot

Modified: trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/rules
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/rules	2012-05-16 10:26:40 UTC (rev 18411)
+++ trunk/gforge_base/evolvisforge-5.1/anonsvnsh/debian/rules	2012-05-16 10:26:44 UTC (rev 18412)
@@ -1,32 +1,38 @@
 #!/usr/bin/make -f
-#-
-# -*- makefile -*-
-# Sample debian/rules that uses debhelper.
-# This file was originally written by Joey Hess and Craig Small.
-# As a special exception, when this file is copied by dh-make into a
-# dh-make output file, you may use that output file without restriction.
-# This special exception was added by Craig Small in version 0.37 of dh-make.
 
+shellescape='$(subst ','\'',$(1))'
+shellexport=$(1)=$(call shellescape,${$(1)})
+
 CC?=			gcc
-CFLAGS=			-Wall -g
+EXTRA_CFLAGS=		-Wall -Wextra -Wformat
 
-ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
-CFLAGS+=		-O0
+ifneq (,$(wildcard /usr/share/dpkg/buildflags.mk))
+# dpkg-dev (>= 1.16.1~)
+DEB_CFLAGS_MAINT_APPEND=${EXTRA_CFLAGS}
+DEB_BUILD_MAINT_OPTIONS=hardening=+all
+include /usr/share/dpkg/buildflags.mk
 else
-CFLAGS+=		-O2
+# old-fashioned way to determine build flags
+CFLAGS=			-O$(if $(findstring noopt,${DEB_BUILD_OPTIONS}),0,2) -g
+CFLAGS+=		${EXTRA_CFLAGS}
 endif
 
+MAKE_ENV:=		$(foreach i,CC CFLAGS CPPFLAGS LDFLAGS,$(call shellexport,$i))
+
 MAKE_FLAGS:=		SRCDIR=..
 MAKE_FLAGS+=		USE_GIT=1
 
+MAKE_INVOCATION:=	env ${MAKE_ENV} pmake -f ../Makefile ${MAKE_FLAGS}
 
-build: debian/.build_stamp
+build build-arch: debian/.build_stamp
+build-indep:
 
 debian/.build_stamp:
 	dh_testdir
+	rm -rf b-chroot b-nochroot
 	mkdir b-chroot b-nochroot
-	cd b-chroot && pmake -f ../Makefile ${MAKE_FLAGS}
-	cd b-nochroot && pmake -f ../Makefile ${MAKE_FLAGS} NO_CHROOT=Yes
+	cd b-chroot && ${MAKE_INVOCATION}
+	cd b-nochroot && ${MAKE_INVOCATION} NO_CHROOT=Yes
 	:>$@
 
 clean:
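
Review bot: in the "else" branch, taken when /usr/share/dpkg/buildflags.mk is absent, CFLAGS is only "-O... -g" plus EXTRA_CFLAGS, so on those systems the setuid binaries are built with no hardening at all although the changelog says "use full hardening flags". Either add a versioned Build-Depends on dpkg-dev (>= 1.16.1~) and drop the fallback, or set explicit hardening flags in the fallback and make the build say which path it took. Also note that CPPFLAGS and LDFLAGS passed through MAKE_ENV only help if ../Makefile honours them, which this patch does not show.
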
@@ -35,52 +41,45 @@
 	-rm -rf b-chroot b-nochroot
 	dh_clean
 
-install: build
-	dh_testdir
-	dh_testroot
-	dh_clean -k
-	dh_installdirs
+binary: binary-arch binary-indep
+binary-indep:
 
-# Build architecture-independent files here.
-binary-indep: build install
-# We have nothing to do by default.
-
-# Build architecture-dependent files here.
-binary-arch: build install
+binary-arch: build-arch
 	dh_testdir
 	dh_testroot
-	_topdir=$$(pwd); cd b-chroot && pmake -f ../Makefile ${MAKE_FLAGS} \
+	if test -x "$$(which dh_prep)"; then dh_prep; else dh_clean -k; fi
+	dh_installdirs
+	# install anonsvnsh.dochroot and symlink to anonsvnsh in -chroot pkg
+	_topdir=$$(pwd); cd b-chroot && ${MAKE_INVOCATION} \
 	    install DESTDIR=$$_topdir/debian/evolvis-anonsvnsh-chroot
-	_topdir=$$(pwd); cd b-nochroot && pmake -f ../Makefile ${MAKE_FLAGS} \
+	mv debian/evolvis-anonsvnsh-chroot/lib/anonsvnsh \
+	    debian/evolvis-anonsvnsh-chroot/bin/anonsvnsh.dochroot
+	ln -s ../bin/anonsvnsh.dochroot \
+	    debian/evolvis-anonsvnsh-chroot/lib/anonsvnsh
+	# install anonsvnsh.nochroot and symlink to anonsvnsh in normal pkg
+	_topdir=$$(pwd); cd b-nochroot && ${MAKE_INVOCATION} \
 	    install DESTDIR=$$_topdir/debian/evolvis-anonsvnsh
+	mv debian/evolvis-anonsvnsh/lib/anonsvnsh \
+	    debian/evolvis-anonsvnsh/bin/anonsvnsh.nochroot
+	ln -s ../bin/anonsvnsh.nochroot debian/evolvis-anonsvnsh/lib/anonsvnsh
+	# copy anonsvnsh.{d,n}ochroot into both packages
+	ln debian/evolvis-anonsvnsh-chroot/bin/anonsvnsh.dochroot \
+	    debian/evolvis-anonsvnsh/bin/
+	ln debian/evolvis-anonsvnsh/bin/anonsvnsh.nochroot \
+	    debian/evolvis-anonsvnsh-chroot/bin/
 	dh_installchangelogs
 	dh_installdocs
-#	dh_installexamples
 	dh_install
-#	dh_installmenu
-#	dh_installdebconf
-#	dh_installlogrotate
-#	dh_installemacsen
-#	dh_installpam
-#	dh_installmime
-#	dh_installinit
-#	dh_installcron
-#	dh_installinfo
-#	dh_installman
-#	dh_link
+	dh_link
 	dh_strip
 	dh_compress
 	dh_fixperms
-	chown 0:0 debian/evolvis-anonsvnsh*/lib/anonsvnsh
-	chmod 4755 debian/evolvis-anonsvnsh*/lib/anonsvnsh
-#	dh_perl
-#	dh_python
-#	dh_makeshlibs
+	chown 0:0 debian/evolvis-anonsvnsh*/bin/anonsvnsh*
+	chmod 4755 debian/evolvis-anonsvnsh*/bin/anonsvnsh*
 	dh_installdeb
 	dh_shlibdeps
 	dh_gencontrol
 	dh_md5sums
 	dh_builddeb
 
-binary: binary-indep binary-arch
-.PHONY: build clean binary-indep binary-arch binary install check
+.PHONY: binary binary-arch binary-indep build build-arch build-indep clean
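
Review bot: "chown 0:0" and "chmod 4755" are applied through the glob "debian/evolvis-anonsvnsh*/bin/anonsvnsh*", so any future file in bin/ whose name starts with anonsvnsh becomes setuid root without anyone deciding that. List the four paths explicitly (bin/anonsvnsh.dochroot and bin/anonsvnsh.nochroot in each package). Separately, the comment "copy anonsvnsh.{d,n}ochroot into both packages" does not match the commands, which use plain "ln" and create hard links across the two package trees; either use cp -p or say hard link in the comment, because the later dh_strip and chmod steps then act on shared inodes.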

Modified: trunk/gforge_base/evolvisforge-5.1/src/common/include/account.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/include/account.php	2012-05-16 10:26:40 UTC (rev 18411)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/include/account.php	2012-05-16 10:26:44 UTC (rev 18412)
@@ -400,6 +400,8 @@
 function account_shellselects($current) {
 	$shells = file("/etc/shells");
 	array_unshift($shells, "/lib/anonsvnsh");
+	array_unshift($shells, "/bin/anonsvnsh.dochroot");
+	array_unshift($shells, "/bin/anonsvnsh.nochroot");
 	$shells[count($shells)] = "/bin/cvssh";
 
 	for ($i = 0; $i < count($shells); $i++) {
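
Review bot: the two array_unshift() calls offer /bin/anonsvnsh.dochroot and /bin/anonsvnsh.nochroot in the shell selection unconditionally, with no check that the files exist and no way for the admin to withhold one. Since both packages install both binaries, an account on a host set up with the -chroot package can now be given the non-chrooting shell through this list. Consider offering only /lib/anonsvnsh (the flavour the admin chose by package) by default and gating the explicit flavours behind a site configuration setting, or at least filtering the list to entries that exist and are permitted.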


