* [PATCH] gnu: Add xinetd.
From: Thomas Danckaert @ 2017-01-26 10:43 UTC
To: guix-devel

Hi,

I'd like to use xinetd to forward some local ports via ssh (e.g. as explained here: https://debian-administration.org/article/487/SMTP_via_a_SSH_tunnel). This patch provides the xinetd executables, I'll try my hand at writing a xinetd service next... Unless there is already an alternative to xinetd on GuixSD?

cheers,

Thomas

[-- Attachment #2: 0001-gnu-Add-xinetd.patch --]

From e9709558ee99be799edb187bdb9857fdfc7f97c3 Mon Sep 17 00:00:00 2001
From: Thomas Danckaert <thomas.danckaert@gmail.com>
Date: Thu, 26 Jan 2017 11:35:50 +0100
Subject: [PATCH] gnu: Add xinetd.

* gnu/packages/web.scm (xinetd): New variable.
---
 gnu/packages/web.scm | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 67b9797..cc05a22 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -3995,3 +3995,29 @@ programs' code. Its architecture is optimized for security, portability, and scalability (including load-balancing), making it suitable for large deployments.") (license l:gpl2+))) + +(define-public xinetd + (package + (name "xinetd") + (version "2.3.15") + (source + (origin + (method url-fetch) + (uri "https://github.com/xinetd-org/xinetd/archive/xinetd-2-3-15.tar.gz") + (file-name (string-append name "-" version)) + (sha256 + (base32 + "0k59x52cbzp5fw0n8zn0y54j1ps0x9b72y8k5grzswjdmgs2a2v2")))) + (build-system gnu-build-system) + (arguments + `(#:configure-flags '("--with-loadavg") + #:phases + (modify-phases %standard-phases (delete 'check)))) ; doesn't provide tests + (home-page "https://github.com/xinetd-org/xinetd") + (synopsis "Internet services daemon") + (description "@code{xinetd}, a more secure replacement for @code{inetd}, +listens for incoming requests over a network and launches the appropriate +service for that request. Requests are made using port numbers as identifiers +and xinetd usually launches another daemon to handle the request. It can be +used to start services with both privileged and non-privileged port numbers.") + (license (l:non-copyleft "file://COPYRIGHT")))) -- 2.7.4 ^ permalink raw reply related [flat|nested] 9+ messages in thread
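Review bot: in the `(source (origin ...))` part of the hunk, `(file-name (string-append name "-" version))` stores the archive as `xinetd-2.3.15` with no `.tar.gz` suffix, so the store item no longer says it is a tarball; either append `".tar.gz"` or drop `file-name` entirely, since the URI's own basename `xinetd-2-3-15.tar.gz` is already descriptive. Two smaller points in the `arguments` part: `(modify-phases %standard-phases (delete 'check))` with a "doesn't provide tests" comment is the long form of `#:tests? #f`, and nothing here patches the 2.3.15 release, so the TCPMUX privilege bug CVE-2013-4342 raised later in this thread (fixed upstream in https://github.com/xinetd-org/xinetd/pull/10) would ship unpatched.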
* Re: [PATCH] gnu: Add xinetd.
From: Tobias Geerinckx-Rice @ 2017-01-26 13:58 UTC
To: post, guix-devel

Thomas,

On 26/01/17 11:43, Thomas Danckaert wrote:
> This patch provides the xinetd executables[.]

Thanks!

> + (origin
> + (method url-fetch)
> + (uri "https://github.com/xinetd-org/xinetd/archive/\
> \xinetd-2-3-15.tar.gz")
> + (file-name (string-append name "-" version))

file-name is used mainly to avoid polluting the store with meaningless (tobias.gr/download.php?foo=123) or misleading file names.

It shouldn't be needed here, and would require its own ".tar.gz" suffix otherwise.

> + #:phases
> + (modify-phases %standard-phases (delete 'check)))) ; doesn't\
> \provide tests

Would the simpler (and more idiomatic)

  #:tests? #f ... ; no tests

work?

> + (license (l:non-copyleft "file://COPYRIGHT"))))

Interesting licence. :-) Against my intuition, it appears to be FSDG-compatible[0].

Kind regards,

T G-R

[0]: http://metadata.ftp-master.debian.org/changelogs/main/x/xinetd/xinetd_2.3.15-7_copyright
* Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
From: Thomas Danckaert @ 2017-01-26 14:55 UTC
To: me; +Cc: guix-devel

From: Tobias Geerinckx-Rice <me@tobias.gr>
Subject: Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
Date: Thu, 26 Jan 2017 14:58:53 +0100

> [...]
>> + (file-name (string-append name "-" version))
>
> file-name is used mainly to avoid polluting the store with meaningless
> (tobias.gr/download.php?foo=123) or misleading file names.
>
> It shouldn't be needed here, and would require its own ".tar.gz" suffix
> otherwise.

Ah yes, for some reason I thought we insisted the file would conform to the version number as written here (i.e. "." instead of "-" as a separator), and then forgot about the suffix...

> Would the simpler (and more idiomatic)
>
> #:tests? #f ... ; no tests
>
> work?

totally!

>> + (license (l:non-copyleft "file://COPYRIGHT"))))
>
> Interesting licence. :-) Against my intuition, it appears to be
> FSDG-compatible[0].

Yes, feels like this license can cause more confusion than it manages to avoid (which is ostensibly the purpose) :-)

Thomas
* Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
From: Thomas Danckaert @ 2017-01-26 15:00 UTC
To: me; +Cc: guix-devel

My apologies, I forgot to attach the improved patch...

Thomas

[-- Attachment #2: 0001-gnu-Add-xinetd.patch --]

From ae03afa6753e286c2bb4a58762e5419273f7002d Mon Sep 17 00:00:00 2001
From: Thomas Danckaert <thomas.danckaert@gmail.com>
Date: Thu, 26 Jan 2017 11:35:50 +0100
Subject: [PATCH] gnu: Add xinetd.

* gnu/packages/web.scm (xinetd): New variable.
---
 gnu/packages/web.scm | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 67b9797..4be3e2d 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -3995,3 +3995,27 @@ programs' code. Its architecture is optimized for security, portability, and scalability (including load-balancing), making it suitable for large deployments.") (license l:gpl2+))) + +(define-public xinetd + (package + (name "xinetd") + (version "2.3.15") + (source + (origin + (method url-fetch) + (uri "https://github.com/xinetd-org/xinetd/archive/xinetd-2-3-15.tar.gz") + (sha256 + (base32 + "0k59x52cbzp5fw0n8zn0y54j1ps0x9b72y8k5grzswjdmgs2a2v2")))) + (build-system gnu-build-system) + (arguments + `(#:configure-flags '("--with-loadavg") + #:tests? #f )) ; no tests + (home-page "https://github.com/xinetd-org/xinetd") + (synopsis "Internet services daemon") + (description "@code{xinetd}, a more secure replacement for @code{inetd}, +listens for incoming requests over a network and launches the appropriate +service for that request. Requests are made using port numbers as identifiers +and xinetd usually launches another daemon to handle the request. It can be +used to start services with both privileged and non-privileged port numbers.") + (license (l:non-copyleft "file://COPYRIGHT")))) -- 2.7.4 ^ permalink raw reply related [flat|nested] 9+ messages in thread
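Review bot: this revision of the hunk still builds the 2.3.15 release exactly as fetched, with no `patches` field in `origin`, so the package would ship with CVE-2013-4342 (TCPMUX services run without dropping to the configured user/group) unfixed even though the fix is merged upstream (https://github.com/xinetd-org/xinetd/pull/10); add it through `(patches (search-patches ...))` before this goes in. Cosmetic: `#:tests? #f ))` has a stray space before the closing parentheses.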
* Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
From: Leo Famulari @ 2017-01-30 22:38 UTC
To: Thomas Danckaert; +Cc: guix-devel

On Thu, Jan 26, 2017 at 04:00:44PM +0100, Thomas Danckaert wrote:
> My apologies, I forgot to attach the improved patch...
>
> Thomas

> From ae03afa6753e286c2bb4a58762e5419273f7002d Mon Sep 17 00:00:00 2001
> From: Thomas Danckaert <thomas.danckaert@gmail.com>
> Date: Thu, 26 Jan 2017 11:35:50 +0100
> Subject: [PATCH] gnu: Add xinetd.
>
> * gnu/packages/web.scm (xinetd): New variable.

Overall LGTM, but we should include at least the patch for the CVE-2013-4342, introduced here:

https://github.com/xinetd-org/xinetd/pull/10

And applied as 000009-TCPMUX by Debian, along with some other patches that should be evaluated:

https://anonscm.debian.org/cgit/collab-maint/xinetd.git/tree/debian/patches
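The defence that the CVE-2013-4342 fix restores, shown as an added C example that is not xinetd's code and not from this thread: a service's configured user/group is applied in the child before exec, in an order that cannot be undone, and the drop is verified before the service runs. The `service_identity` struct, the function names, and the policy of refusing to run an unconfigured service with a root daemon's identity are assumptions of this example, not xinetd behaviour described on the page.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Identity a service is configured to run as (what user/group directives in
 * a service configuration resolve to).  Hypothetical type for this example. */
struct service_identity {
    uid_t uid;
    gid_t gid;
    int   configured;   /* 0 when the config names no user/group */
};

/* Decide which identity a child gets.  A service with no explicit identity
 * must never silently inherit a root daemon's identity (the TCPMUX bug was
 * exactly that: the child kept the daemon's root privileges); refuse (-1)
 * instead.  Assumed policy, not xinetd's. */
int choose_child_identity(const struct service_identity *cfg,
                          uid_t daemon_uid, gid_t daemon_gid,
                          struct service_identity *out)
{
    if (cfg->configured) {
        *out = *cfg;
        return 0;
    }
    if (daemon_uid == 0)
        return -1;
    out->uid = daemon_uid;
    out->gid = daemon_gid;
    out->configured = 0;
    return 0;
}

/* Drop to the chosen identity: supplementary groups first, then gid, then
 * uid, because once the uid is unprivileged the earlier calls are refused.
 * Returns 0 on success, -1 on any failure; a caller must treat -1 as fatal
 * and never fall through to running the service anyway. */
int drop_to_service_identity(const struct service_identity *id)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(id->gid) != 0 || setuid(id->uid) != 0)
        return -1;
    /* Verify that real and effective ids are what was requested ... */
    if (getuid() != id->uid || geteuid() != id->uid ||
        getgid() != id->gid || getegid() != id->gid)
        return -1;
    /* ... and that an unprivileged child cannot climb back to root. */
    if (id->uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Fork, drop privileges in the child, then exec the service.  Returns the
 * child's pid, or -1 if no identity could be decided or fork failed.  A
 * child that fails to drop exits 126 instead of running the service. */
pid_t spawn_service(const struct service_identity *cfg,
                    const char *path, char *const argv[])
{
    struct service_identity id;
    if (choose_child_identity(cfg, geteuid(), getegid(), &id) != 0)
        return -1;
    pid_t pid = fork();
    if (pid != 0)
        return pid;                 /* parent, or -1 when fork failed */
    if (drop_to_service_identity(&id) != 0)
        _exit(126);
    execv(path, argv);
    _exit(127);
}

int main(void)
{
    /* Constructed configuration: run the service as the current user. */
    struct service_identity cfg = { getuid(), getgid(), 1 };
    char *const argv[] = { "id", NULL };
    pid_t pid = spawn_service(&cfg, "/usr/bin/id", argv);
    int status = 0;
    if (pid > 0)
        waitpid(pid, &status, 0);
    printf("child exit status: %d\n", WEXITSTATUS(status));
    return 0;
}
```

The verification step matters as much as the drop itself: a `setuid` that fails with `EPERM` and is ignored leaves the child running as the daemon, which is the same outcome as the bug.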
* Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
From: Thomas Danckaert @ 2017-01-31 7:49 UTC
To: leo; +Cc: guix-devel

From: Leo Famulari <leo@famulari.name>
Subject: Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
Date: Mon, 30 Jan 2017 17:38:21 -0500

> Overall LGTM, but we should include at least the patch for the
> CVE-2013-4342, introduced here:
>
> https://github.com/xinetd-org/xinetd/pull/10

Yes, you're right. I was under the impression that the CVE was already fixed in version 2.3.15, but it's not. I took the patch from GitHub (it's already in the master branch, there's just no recent release).

> And applied as 000009-TCPMUX by Debian, along with some other patches
> that should be evaluated:
>
> https://anonscm.debian.org/cgit/collab-maint/xinetd.git/tree/debian/patches

I've added a patch that fixes a file descriptor leak (and created a pull request for it). There's also a patch to fix compilation on Hurd, but that's probably something that should be fixed upstream? The other patches are corrections to the man pages, which have made it into upstream master as well, so perhaps we do not need to add them all to Guix.

Thomas

[-- Attachment #2: 0001-gnu-Add-xinetd.patch --]

From 7a10feac4ec4035214a8fc212344aacec83bedc6 Mon Sep 17 00:00:00 2001
From: Thomas Danckaert <thomas.danckaert@gmail.com> Date: Thu, 26 Jan 2017 11:35:50 +0100 Subject: [PATCH] gnu: Add xinetd. * gnu/packages/web.scm (xinetd): New variable. * gnu/packages/patches/xinetd-CVE-2013-4342.patch: New file. * gnu/packages/patches/xinetd-fix-fd-leak.patch: New file. * gnu/local.mk (dist_patch_DATA): Add patches. --- gnu/local.mk | 2 ++ gnu/packages/patches/xinetd-CVE-2013-4342.patch | 27 +++++++++++++++++++++++++ gnu/packages/patches/xinetd-fix-fd-leak.patch | 18 +++++++++++++++++ gnu/packages/web.scm | 25 +++++++++++++++++++++++ 4 files changed, 72 insertions(+) create mode 100644 gnu/packages/patches/xinetd-CVE-2013-4342.patch create mode 100644 gnu/packages/patches/xinetd-fix-fd-leak.patch diff --git a/gnu/local.mk b/gnu/local.mk index 59fc1a8..160a4aa 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -953,6 +953,8 @@ dist_patch_DATA = \ %D%/packages/patches/xfce4-panel-plugins.patch \ %D%/packages/patches/xfce4-session-fix-xflock4.patch \ %D%/packages/patches/xfce4-settings-defaults.patch \ + %D%/packages/patches/xinetd-fix-fd-leak.patch \ + %D%/packages/patches/xinetd-CVE-2013-4342.patch \ %D%/packages/patches/xmodmap-asprintf.patch \ %D%/packages/patches/libyaml-CVE-2014-9130.patch \ %D%/packages/patches/zathura-plugindir-environment-variable.patch diff --git a/gnu/packages/patches/xinetd-CVE-2013-4342.patch b/gnu/packages/patches/xinetd-CVE-2013-4342.patch new file mode 100644 index 0000000..f095a44 --- /dev/null +++ b/gnu/packages/patches/xinetd-CVE-2013-4342.patch 
@@ -0,0 +1,27 @@ +From 91e2401a219121eae15244a6b25d2e79c1af5864 Mon Sep 17 00:00:00 2001 +From: Thomas Swan <thomas.swan@gmail.com> +Date: Wed, 2 Oct 2013 23:17:17 -0500 +Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for + TCPMUX services + +Originally reported to Debian in 2005 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678> and rediscovered <https://bugzilla.redhat.com/show_bug.cgi?id=1006100>, xinetd would execute TCPMUX services without dropping privilege to match the service configuration allowing the service to run with same privilege as the xinetd process (root). +--- + xinetd/builtins.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xinetd/builtins.c b/xinetd/builtins.c +index 3b85579..34a5bac 100644 +--- a/xinetd/builtins.c ++++ b/xinetd/builtins.c +@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct server *serp ) + if( SC_IS_INTERNAL( scp ) ) { + SC_INTERNAL(scp, nserp); + } else { +- exec_server(nserp); ++ child_process(nserp); + } + } + +-- +2.7.4 + diff --git a/gnu/packages/patches/xinetd-fix-fd-leak.patch b/gnu/packages/patches/xinetd-fix-fd-leak.patch new file mode 100644 index 0000000..70a4ec2 --- /dev/null +++ b/gnu/packages/patches/xinetd-fix-fd-leak.patch @@ -0,0 +1,18 @@ +Reported upstream at https://github.com/xinetd-org/xinetd/pull/26. + +diff --git a/xinetd/xgetloadavg.c b/xinetd/xgetloadavg.c +index 5a26214..fe0f872 100644 +--- a/xinetd/xgetloadavg.c ++++ b/xinetd/xgetloadavg.c +@@ -34,7 +34,7 @@ double xgetloadavg(void) + + if( fscanf(fd, "%lf", &ret) != 1 ) { + perror("fscanf"); +- return -1; ++ ret = -1; + } + + fclose(fd); +-- +2.7.4 + diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index 67b9797..80f52ee 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm 
@@ -3995,3 +3995,28 @@ programs' code. Its architecture is optimized for security, portability, and scalability (including load-balancing), making it suitable for large deployments.") (license l:gpl2+))) + +(define-public xinetd + (package + (name "xinetd") + (version "2.3.15") + (source + (origin + (method url-fetch) + (uri "https://github.com/xinetd-org/xinetd/archive/xinetd-2-3-15.tar.gz") + (patches (search-patches "xinetd-CVE-2013-4342.patch" "xinetd-fix-fd-leak.patch")) + (sha256 + (base32 + "0k59x52cbzp5fw0n8zn0y54j1ps0x9b72y8k5grzswjdmgs2a2v2")))) + (build-system gnu-build-system) + (arguments + `(#:configure-flags '("--with-loadavg") + #:tests? #f )) ; no tests + (home-page "https://github.com/xinetd-org/xinetd") + (synopsis "Internet services daemon") + (description "@code{xinetd}, a more secure replacement for @code{inetd}, +listens for incoming requests over a network and launches the appropriate +service for that request. Requests are made using port numbers as identifiers +and xinetd usually launches another daemon to handle the request. It can be +used to start services with both privileged and non-privileged port numbers.") + (license (l:non-copyleft "file://COPYRIGHT")))) -- 2.7.4 ^ permalink raw reply related [flat|nested] 9+ messages in thread
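Review bot: the `xinetd-CVE-2013-4342.patch` hunk reproduces upstream commit 91e2401a (the fix from https://github.com/xinetd-org/xinetd/pull/10) but its header does not record where it was taken from, unlike `xinetd-fix-fd-leak.patch`, which opens with its pull-request URL; add a one-line comment above the `From` line naming the upstream commit or pull request so a future updater can tell when the patch can be dropped. The fd-leak hunk itself is right: turning `return -1` into `ret = -1` lets control reach the `fclose(fd)` below it, so a failed `fscanf` no longer leaks a descriptor on every `xgetloadavg` call. In the `web.scm` hunk, `#:tests? #f ))` still carries the stray space noted on the previous revision.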
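The resource-handling pattern that the file-descriptor-leak fix restores, as an added C example that is not xinetd's code: the leaky early-return form beside the fixed single-exit form, with a stream counter that makes the leak observable. The function names, the `tracked_fopen`/`tracked_fclose` instrumentation and the `/proc/loadavg`-style sample content are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Instrumentation (constructed for this example): streams opened minus
 * streams closed, so a leak on the error path shows up as a count > 0. */
static int streams_open = 0;

static FILE *tracked_fopen(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (fp != NULL)
        streams_open++;
    return fp;
}

static void tracked_fclose(FILE *fp)
{
    streams_open--;
    fclose(fp);
}

int streams_still_open(void) { return streams_open; }

/* Before: the early return on a parse failure skips fclose, so every call
 * on malformed input leaks one descriptor.  Same shape as the bug. */
double loadavg_leaky(const char *path)
{
    FILE *fp = tracked_fopen(path);
    double ret;
    if (fp == NULL)
        return -1;
    if (fscanf(fp, "%lf", &ret) != 1)
        return -1;                 /* BUG: fp is never closed */
    tracked_fclose(fp);
    return ret;
}

/* After: the error is recorded in ret and control falls through to the one
 * fclose, which is the shape of the fix. */
double loadavg_fixed(const char *path)
{
    FILE *fp = tracked_fopen(path);
    double ret = -1;
    if (fp == NULL)
        return -1;
    if (fscanf(fp, "%lf", &ret) != 1)
        ret = -1;
    tracked_fclose(fp);
    return ret;
}

/* Write constructed loadavg-style content to a temp file; returns its
 * malloc'd path, or NULL on failure. */
char *write_loadavg_sample(const char *content)
{
    char tmpl[] = "/tmp/loadavg-sample-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    if (n != (ssize_t)strlen(content)) {
        unlink(tmpl);
        return NULL;
    }
    return strdup(tmpl);
}

void remove_sample(char *path)
{
    if (path != NULL) {
        unlink(path);
        free(path);
    }
}

int main(void)
{
    char *good = write_loadavg_sample("0.52 0.58 0.59 1/451 12345\n");
    char *bad  = write_loadavg_sample("garbage\n");
    printf("fixed, good input: %.2f\n", loadavg_fixed(good));
    double v = loadavg_fixed(bad);
    printf("fixed, bad input:  %.2f (streams open: %d)\n", v, streams_still_open());
    v = loadavg_leaky(bad);
    printf("leaky, bad input:  %.2f (streams open: %d)\n", v, streams_still_open());
    remove_sample(good);
    remove_sample(bad);
    return 0;
}
```

Run on a daemon that samples the load every few seconds, the leaky form exhausts the process's descriptor table after enough malformed reads, which then breaks unrelated accepts and opens; a counter like the one above, or `ls /proc/<pid>/fd` over time, is the quickest way to confirm the fix closed the path.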
* Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
From: Leo Famulari @ 2017-01-31 20:10 UTC
To: Thomas Danckaert; +Cc: guix-devel

On Tue, Jan 31, 2017 at 08:49:16AM +0100, Thomas Danckaert wrote:
> From: Leo Famulari <leo@famulari.name>

> I've added a patch that fixes a file descriptor leak (and created a pull
> request for it). There's also a patch to fix compilation on hurd, but
> that's probably something that should be fixed upstream?

We will find out :)

> The other patches are corrections to the man pages, which have made it into
> upstream master as well, so perhaps we do not need to add them all to Guix.

Agreed.

> From 7a10feac4ec4035214a8fc212344aacec83bedc6 Mon Sep 17 00:00:00 2001
> From: Thomas Danckaert <thomas.danckaert@gmail.com>
> Date: Thu, 26 Jan 2017 11:35:50 +0100
> Subject: [PATCH] gnu: Add xinetd.
>
> * gnu/packages/web.scm (xinetd): New variable.
> * gnu/packages/patches/xinetd-CVE-2013-4342.patch: New file.
> * gnu/packages/patches/xinetd-fix-fd-leak.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.

I pushed with the following changes.

I added more comments to the patch files. I think that patches should include a link to upstream bug reports and upstream source, assuming they exist.

> + (license (l:non-copyleft "file://COPYRIGHT"))))

I changed the license to 'fsf-free', since the FSF does describe it as a copyleft license:

https://www.gnu.org/licenses/license-list.en.html#xinetd

"This is a copyleft free software license, incompatible with the GPL. It is incompatible because it places extra restrictions on redistribution of modified versions that contradict the redistribution requirements in the GPL."
* Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
From: Thomas Danckaert @ 2017-01-31 20:27 UTC
To: leo; +Cc: guix-devel

From: Leo Famulari <leo@famulari.name>
Subject: Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
Date: Tue, 31 Jan 2017 15:10:22 -0500

> I pushed with the following changes.
>
> I added more comments to the patch files. I think that patches should
> include a link to upstream bug reports and upstream source, assuming
> they exist.

Thanks! I'll be more precise with the patches next time.

Thomas
* Re: [PATCH] gnu: Add xinetd.
From: Ludovic Courtès @ 2017-02-01 22:25 UTC
To: Thomas Danckaert; +Cc: guix-devel

Hi!

Thomas Danckaert <post@thomasdanckaert.be> skribis:

> This patch provides the xinetd executables, I'll try my hand at
> writing a xinetd service next... Unless there is already an
> alternative to xinetd on GuixSD?

There is no such thing, but GNU Inetutils includes ‘inetd’ and it would be nice to have it as the primary option if you’re going to write a service.

(In the future I’d like the Shepherd to subsume inetd functionality…)

Ludo’.