* [PATCH] gnu: Add xinetd.
@ 2017-01-26 10:43 Thomas Danckaert
  2017-01-26 13:58 ` Tobias Geerinckx-Rice
  2017-02-01 22:25 ` Ludovic Courtès
  0 siblings, 2 replies; 9+ messages in thread
From: Thomas Danckaert @ 2017-01-26 10:43 UTC (permalink / raw)
  To: guix-devel


Hi,

I'd like to use xinetd to forward some local ports via ssh (e.g. as
explained here:
https://debian-administration.org/article/487/SMTP_via_a_SSH_tunnel).

This patch provides the xinetd executables, I'll try my hand at
writing a xinetd service next...  Unless there is already an
alternative to xinetd on GuixSD?

cheers,

Thomas

[-- Attachment #2: 0001-gnu-Add-xinetd.patch --]

From e9709558ee99be799edb187bdb9857fdfc7f97c3 Mon Sep 17 00:00:00 2001
From: Thomas Danckaert <thomas.danckaert@gmail.com>
Date: Thu, 26 Jan 2017 11:35:50 +0100
Subject: [PATCH] gnu: Add xinetd.

* gnu/packages/web.scm (xinetd): New variable.
---
 gnu/packages/web.scm | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 67b9797..cc05a22 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -3995,3 +3995,29 @@ programs' code.  Its architecture is optimized for security, portability, and
 scalability (including load-balancing), making it suitable for large
 deployments.")
   (license l:gpl2+)))
+
+(define-public xinetd
+  (package
+    (name "xinetd")
+    (version "2.3.15")
+    (source
+     (origin
+       (method url-fetch)
+       (uri "https://github.com/xinetd-org/xinetd/archive/xinetd-2-3-15.tar.gz")
+       (file-name (string-append name "-" version))
+       (sha256
+        (base32
+         "0k59x52cbzp5fw0n8zn0y54j1ps0x9b72y8k5grzswjdmgs2a2v2"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags '("--with-loadavg")
+       #:phases
+       (modify-phases %standard-phases (delete 'check)))) ; doesn't provide tests
+    (home-page "https://github.com/xinetd-org/xinetd")
+    (synopsis "Internet services daemon")
+    (description "@code{xinetd}, a more secure replacement for @code{inetd},
+listens for incoming requests over a network and launches the appropriate
+service for that request.  Requests are made using port numbers as identifiers
+and xinetd usually launches another daemon to handle the request.  It can be
+used to start services with both privileged and non-privileged port numbers.")
+    (license (l:non-copyleft "file://COPYRIGHT"))))
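Review bot: the `(file-name (string-append name "-" version))` in the `origin` yields a store file name `xinetd-2.3.15` with no `.tar.gz` suffix, so the archive type can no longer be told from the name; either drop the field (the URI's basename `xinetd-2-3-15.tar.gz` is already meaningful) or append `".tar.gz"`. Also, `(modify-phases %standard-phases (delete 'check))` is the long way to write `#:tests? #f`, which is the idiomatic setting in `arguments`. Finally, the 2.3.15 tarball predates the fix for CVE-2013-4342 (TCPMUX services executed without dropping privilege, as later noted in this thread), so the package should carry that patch through `(patches (search-patches ...))` before it is merged.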
-- 
2.7.4



* Re: [PATCH] gnu: Add xinetd.
  2017-01-26 10:43 [PATCH] gnu: Add xinetd Thomas Danckaert
@ 2017-01-26 13:58 ` Tobias Geerinckx-Rice
  2017-01-26 14:55   ` [PATCH] gnu: Add xinetd.,Re: " Thomas Danckaert
  2017-02-01 22:25 ` Ludovic Courtès
  1 sibling, 1 reply; 9+ messages in thread
From: Tobias Geerinckx-Rice @ 2017-01-26 13:58 UTC (permalink / raw)
  To: post, guix-devel



Thomas,

On 26/01/17 11:43, Thomas Danckaert wrote:
> This patch provides the xinetd executables[.]

Thanks!

> + (origin
> +   (method url-fetch)
> +   (uri "https://github.com/xinetd-org/xinetd/archive/\
>           \xinetd-2-3-15.tar.gz")
> +   (file-name (string-append name "-" version))

file-name is used mainly to avoid polluting the store with meaningless
(tobias.gr/download.php?foo=123) or misleading file names.

It shouldn't be needed here, and would require its own ".tar.gz" suffix
otherwise.

> + #:phases
> + (modify-phases %standard-phases (delete 'check)))) ; doesn't\
> \provide tests

Would the simpler (and more idiomatic)

  #:tests? #f ... ; no tests

work?

> + (license (l:non-copyleft "file://COPYRIGHT"))))

Interesting licence. :-) Against my intuition, it appears to be
FSDG-compatible[0].

Kind regards,

T G-R

[0]:
http://metadata.ftp-master.debian.org/changelogs/main/x/xinetd/xinetd_2.3.15-7_copyright




* Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
  2017-01-26 13:58 ` Tobias Geerinckx-Rice
@ 2017-01-26 14:55   ` Thomas Danckaert
  2017-01-26 15:00     ` Thomas Danckaert
  0 siblings, 1 reply; 9+ messages in thread
From: Thomas Danckaert @ 2017-01-26 14:55 UTC (permalink / raw)
  To: me; +Cc: guix-devel

From: Tobias Geerinckx-Rice <me@tobias.gr>
Subject: Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
Date: Thu, 26 Jan 2017 14:58:53 +0100

> [...]
>> +   (file-name (string-append name "-" version))
>
> file-name is used mainly to avoid polluting the store with 
> meaningless
> (tobias.gr/download.php?foo=123) or misleading file names.
>
> It shouldn't be needed here, and would require its own ".tar.gz" 
> suffix
> otherwise.

Ah yes, for some reason I thought we insisted the file would conform 
to the version number as written here (i.e. "." instead of "-" as a 
separator), and then forgot about the suffix...

> Would the simpler (and more idiomatic)
>
>   #:tests? #f ... ; no tests
>
> work?

totally!

>> + (license (l:non-copyleft "file://COPYRIGHT"))))
>
> Interesting licence. :-) Against my intuition, it appears to be
> FSDG-compatible[0].

Yes, feels like this license can cause more confusion than it manages
to avoid (which is ostensibly the purpose) :-)

Thomas


* Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
  2017-01-26 14:55   ` [PATCH] gnu: Add xinetd.,Re: " Thomas Danckaert
@ 2017-01-26 15:00     ` Thomas Danckaert
  2017-01-30 22:38       ` Leo Famulari
  0 siblings, 1 reply; 9+ messages in thread
From: Thomas Danckaert @ 2017-01-26 15:00 UTC (permalink / raw)
  To: me; +Cc: guix-devel


My apologies, I forgot to attach the improved patch...  

Thomas

[-- Attachment #2: 0001-gnu-Add-xinetd.patch --]

From ae03afa6753e286c2bb4a58762e5419273f7002d Mon Sep 17 00:00:00 2001
From: Thomas Danckaert <thomas.danckaert@gmail.com>
Date: Thu, 26 Jan 2017 11:35:50 +0100
Subject: [PATCH] gnu: Add xinetd.

* gnu/packages/web.scm (xinetd): New variable.
---
 gnu/packages/web.scm | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 67b9797..4be3e2d 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -3995,3 +3995,27 @@ programs' code.  Its architecture is optimized for security, portability, and
 scalability (including load-balancing), making it suitable for large
 deployments.")
   (license l:gpl2+)))
+
+(define-public xinetd
+  (package
+    (name "xinetd")
+    (version "2.3.15")
+    (source
+     (origin
+       (method url-fetch)
+       (uri "https://github.com/xinetd-org/xinetd/archive/xinetd-2-3-15.tar.gz")
+       (sha256
+        (base32
+         "0k59x52cbzp5fw0n8zn0y54j1ps0x9b72y8k5grzswjdmgs2a2v2"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags '("--with-loadavg")
+       #:tests? #f )) ; no tests
+    (home-page "https://github.com/xinetd-org/xinetd")
+    (synopsis "Internet services daemon")
+    (description "@code{xinetd}, a more secure replacement for @code{inetd},
+listens for incoming requests over a network and launches the appropriate
+service for that request.  Requests are made using port numbers as identifiers
+and xinetd usually launches another daemon to handle the request.  It can be
+used to start services with both privileged and non-privileged port numbers.")
+    (license (l:non-copyleft "file://COPYRIGHT"))))
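Review bot: this revision still builds the unpatched 2.3.15 tarball, which lacks the fix for CVE-2013-4342 (TCPMUX services run without dropping to the configured user and group); add `(patches (search-patches "xinetd-CVE-2013-4342.patch"))` to the `origin` before merging. Style: `#:tests? #f ))` has a stray space before the closing parentheses.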
-- 
2.7.4



* Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
  2017-01-26 15:00     ` Thomas Danckaert
@ 2017-01-30 22:38       ` Leo Famulari
  2017-01-31  7:49         ` Thomas Danckaert
  0 siblings, 1 reply; 9+ messages in thread
From: Leo Famulari @ 2017-01-30 22:38 UTC (permalink / raw)
  To: Thomas Danckaert; +Cc: guix-devel


On Thu, Jan 26, 2017 at 04:00:44PM +0100, Thomas Danckaert wrote:
> My apologies, I forgot to attach the improved patch...  
> 
> Thomas

> From ae03afa6753e286c2bb4a58762e5419273f7002d Mon Sep 17 00:00:00 2001
> From: Thomas Danckaert <thomas.danckaert@gmail.com>
> Date: Thu, 26 Jan 2017 11:35:50 +0100
> Subject: [PATCH] gnu: Add xinetd.
> 
> * gnu/packages/web.scm (xinetd): New variable.

Overall LGTM, but we should include at least the patch for the
CVE-2013-4342, introduced here:

https://github.com/xinetd-org/xinetd/pull/10

And applied as 000009-TCPMUX by Debian, along with some other patches
that should be evaluated:

https://anonscm.debian.org/cgit/collab-maint/xinetd.git/tree/debian/patches



* Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
  2017-01-30 22:38       ` Leo Famulari
@ 2017-01-31  7:49         ` Thomas Danckaert
  2017-01-31 20:10           ` Leo Famulari
  0 siblings, 1 reply; 9+ messages in thread
From: Thomas Danckaert @ 2017-01-31  7:49 UTC (permalink / raw)
  To: leo; +Cc: guix-devel


From: Leo Famulari <leo@famulari.name>
Subject: Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
Date: Mon, 30 Jan 2017 17:38:21 -0500

> Overall LGTM, but we should include at least the patch for the
> CVE-2013-4342, introduced here:
>
> https://github.com/xinetd-org/xinetd/pull/10

Yes, you're right.  I was under the impression that the CVE was 
already fixed in version 2.3.15, but it's not.  I took the patch from 
github (it's already in the master branch, there's just no recent 
release).

> And applied as 000009-TCPMUX by Debian, along with some other 
> patches
> that should be evaluated:
>
> https://anonscm.debian.org/cgit/collab-maint/xinetd.git/tree/debian/patches

I've added a patch that fixes a file descriptor leak (and created a 
pull request for it).  There's also a patch to fix compilation on 
hurd, but that's probably something that should be fixed upstream?

The other patches are corrections to the man pages, which have made 
it into upstream master as well, so perhaps we do not need to add 
them all to Guix.

Thomas

[-- Attachment #2: 0001-gnu-Add-xinetd.patch --]

From 7a10feac4ec4035214a8fc212344aacec83bedc6 Mon Sep 17 00:00:00 2001
From: Thomas Danckaert <thomas.danckaert@gmail.com>
Date: Thu, 26 Jan 2017 11:35:50 +0100
Subject: [PATCH] gnu: Add xinetd.

* gnu/packages/web.scm (xinetd): New variable.
* gnu/packages/patches/xinetd-CVE-2013-4342.patch: New file.
* gnu/packages/patches/xinetd-fix-fd-leak.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
 gnu/local.mk                                    |  2 ++
 gnu/packages/patches/xinetd-CVE-2013-4342.patch | 27 +++++++++++++++++++++++++
 gnu/packages/patches/xinetd-fix-fd-leak.patch   | 18 +++++++++++++++++
 gnu/packages/web.scm                            | 25 +++++++++++++++++++++++
 4 files changed, 72 insertions(+)
 create mode 100644 gnu/packages/patches/xinetd-CVE-2013-4342.patch
 create mode 100644 gnu/packages/patches/xinetd-fix-fd-leak.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 59fc1a8..160a4aa 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -953,6 +953,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/xfce4-panel-plugins.patch		\
   %D%/packages/patches/xfce4-session-fix-xflock4.patch		\
   %D%/packages/patches/xfce4-settings-defaults.patch		\
+  %D%/packages/patches/xinetd-fix-fd-leak.patch			\
+  %D%/packages/patches/xinetd-CVE-2013-4342.patch		\
   %D%/packages/patches/xmodmap-asprintf.patch 			\
   %D%/packages/patches/libyaml-CVE-2014-9130.patch 		\
   %D%/packages/patches/zathura-plugindir-environment-variable.patch
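Review bot: the two new `dist_patch_DATA` entries are inserted as `xinetd-fix-fd-leak.patch` followed by `xinetd-CVE-2013-4342.patch`; the list is kept roughly alphabetical and `C` sorts before `f`, so swap the two lines to put `xinetd-CVE-2013-4342.patch` first.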
diff --git a/gnu/packages/patches/xinetd-CVE-2013-4342.patch b/gnu/packages/patches/xinetd-CVE-2013-4342.patch
new file mode 100644
index 0000000..f095a44
--- /dev/null
+++ b/gnu/packages/patches/xinetd-CVE-2013-4342.patch
@@ -0,0 +1,27 @@
+From 91e2401a219121eae15244a6b25d2e79c1af5864 Mon Sep 17 00:00:00 2001
+From: Thomas Swan <thomas.swan@gmail.com>
+Date: Wed, 2 Oct 2013 23:17:17 -0500
+Subject: [PATCH] CVE-2013-4342: xinetd: ignores user and group directives for
+ TCPMUX services
+
+Originally reported to Debian in 2005 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324678> and rediscovered <https://bugzilla.redhat.com/show_bug.cgi?id=1006100>, xinetd would execute TCPMUX services without dropping privilege to match the service configuration allowing the service to run with same privilege as the xinetd process (root).
+---
+ xinetd/builtins.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xinetd/builtins.c b/xinetd/builtins.c
+index 3b85579..34a5bac 100644
+--- a/xinetd/builtins.c
++++ b/xinetd/builtins.c
+@@ -617,7 +617,7 @@ static void tcpmux_handler( const struct server *serp )
+    if( SC_IS_INTERNAL( scp ) ) {
+       SC_INTERNAL(scp, nserp);
+    } else {
+-      exec_server(nserp);
++      child_process(nserp);
+    }
+ }
+ 
+-- 
+2.7.4
+
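Review bot: the patch file is the upstream commit verbatim, which is good, but unlike `xinetd-fix-fd-leak.patch` it carries no line saying where it was taken from; add a header such as `Taken from upstream: https://github.com/xinetd-org/xinetd/pull/10` (the pull request named earlier in this thread) so a later maintainer can check whether a new release already includes it. The one-line change itself is the right shape: routing the TCPMUX child through `child_process(nserp)` instead of `exec_server(nserp)` sends it down the same path as every other service, which, per the commit message, is what makes the child drop privilege to the service's configured user and group instead of inheriting xinetd's root.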
diff --git a/gnu/packages/patches/xinetd-fix-fd-leak.patch b/gnu/packages/patches/xinetd-fix-fd-leak.patch
new file mode 100644
index 0000000..70a4ec2
--- /dev/null
+++ b/gnu/packages/patches/xinetd-fix-fd-leak.patch
@@ -0,0 +1,18 @@
+Reported upstream at https://github.com/xinetd-org/xinetd/pull/26.
+
+diff --git a/xinetd/xgetloadavg.c b/xinetd/xgetloadavg.c
+index 5a26214..fe0f872 100644
+--- a/xinetd/xgetloadavg.c
++++ b/xinetd/xgetloadavg.c
+@@ -34,7 +34,7 @@ double xgetloadavg(void)
+ 
+    if( fscanf(fd, "%lf", &ret) != 1 ) {
+       perror("fscanf");
+-      return -1;
++      ret = -1;
+    }
+ 
+    fclose(fd);
+-- 
+2.7.4
+
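Review bot: the fix is right in shape: replacing the early `return -1` with `ret = -1` lets control fall through to `fclose(fd)`, so the stream opened in `xgetloadavg()` is no longer leaked on every `fscanf` failure; confirm that the lines below the hunk do return `ret` (now `-1`) rather than something else, since the hunk context does not show the function's return. Documentation: the header gives only the upstream pull request; add a one-line description of the bug (early return skipping `fclose`) in the patch file itself so the intent survives if the link goes stale. Side note on the context line `perror("fscanf")`: `perror` reports `errno`, which `fscanf` does not set on a matching failure, so that message can be misleading, but that is outside this patch.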
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 67b9797..80f52ee 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -3995,3 +3995,28 @@ programs' code.  Its architecture is optimized for security, portability, and
 scalability (including load-balancing), making it suitable for large
 deployments.")
   (license l:gpl2+)))
+
+(define-public xinetd
+  (package
+    (name "xinetd")
+    (version "2.3.15")
+    (source
+     (origin
+       (method url-fetch)
+       (uri "https://github.com/xinetd-org/xinetd/archive/xinetd-2-3-15.tar.gz")
+       (patches (search-patches "xinetd-CVE-2013-4342.patch" "xinetd-fix-fd-leak.patch"))
+       (sha256
+        (base32
+         "0k59x52cbzp5fw0n8zn0y54j1ps0x9b72y8k5grzswjdmgs2a2v2"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags '("--with-loadavg")
+       #:tests? #f )) ; no tests
+    (home-page "https://github.com/xinetd-org/xinetd")
+    (synopsis "Internet services daemon")
+    (description "@code{xinetd}, a more secure replacement for @code{inetd},
+listens for incoming requests over a network and launches the appropriate
+service for that request.  Requests are made using port numbers as identifiers
+and xinetd usually launches another daemon to handle the request.  It can be
+used to start services with both privileged and non-privileged port numbers.")
+    (license (l:non-copyleft "file://COPYRIGHT"))))
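Review bot: `(license (l:non-copyleft "file://COPYRIGHT"))` mislabels the license: the FSF's license list describes xinetd's license as a copyleft free software license that is incompatible with the GPL (https://www.gnu.org/licenses/license-list.en.html#xinetd), so `l:fsf-free` with that URL as its comment is the accurate choice. Style: the `(patches (search-patches ...))` line exceeds 80 columns, so put the second patch name on its own line; and `#:tests? #f ))` has a stray space before the closing parentheses.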
-- 
2.7.4



* Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
  2017-01-31  7:49         ` Thomas Danckaert
@ 2017-01-31 20:10           ` Leo Famulari
  2017-01-31 20:27             ` Thomas Danckaert
  0 siblings, 1 reply; 9+ messages in thread
From: Leo Famulari @ 2017-01-31 20:10 UTC (permalink / raw)
  To: Thomas Danckaert; +Cc: guix-devel

On Tue, Jan 31, 2017 at 08:49:16AM +0100, Thomas Danckaert wrote:
> From: Leo Famulari <leo@famulari.name>
> I've added a patch that fixes a file descriptor leak (and created a pull
> request for it).  There's also a patch to fix compilation on hurd, but
> that's probably something that should be fixed upstream?

We will find out :)

> The other patches are corrections to the man pages, which have made it into
> upstream master as well, so perhaps we do not need to add them all to Guix.

Agreed.

> From 7a10feac4ec4035214a8fc212344aacec83bedc6 Mon Sep 17 00:00:00 2001
> From: Thomas Danckaert <thomas.danckaert@gmail.com>
> Date: Thu, 26 Jan 2017 11:35:50 +0100
> Subject: [PATCH] gnu: Add xinetd.
> 
> * gnu/packages/web.scm (xinetd): New variable.
> * gnu/packages/patches/xinetd-CVE-2013-4342.patch: New file.
> * gnu/packages/patches/xinetd-fix-fd-leak.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.

I pushed with the following changes.

I added more comments to the patch files. I think that patches should
include a link to upstream bug reports and upstream source, assuming
they exist.

> +    (license (l:non-copyleft "file://COPYRIGHT"))))

I changed the license to 'fsf-free', since the FSF does describe it as a
copyleft license:

https://www.gnu.org/licenses/license-list.en.html#xinetd

"This is a copyleft free software license, incompatible with the GPL.
It is incompatible because it places extra restrictions on
redistribution of modified versions that contradict the redistribution
requirements in the GPL."


* Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
  2017-01-31 20:10           ` Leo Famulari
@ 2017-01-31 20:27             ` Thomas Danckaert
  0 siblings, 0 replies; 9+ messages in thread
From: Thomas Danckaert @ 2017-01-31 20:27 UTC (permalink / raw)
  To: leo; +Cc: guix-devel

From: Leo Famulari <leo@famulari.name>
Subject: Re: [PATCH] gnu: Add xinetd.,Re: [PATCH] gnu: Add xinetd.
Date: Tue, 31 Jan 2017 15:10:22 -0500

> I pushed with the following changes.
> 
> I added more comments to the patch files. I think that patches should
> include a link to upstream bug reports and upstream source, assuming
> they exist.

Thanks!  I'll be more precise with the patches next time.

Thomas


* Re: [PATCH] gnu: Add xinetd.
  2017-01-26 10:43 [PATCH] gnu: Add xinetd Thomas Danckaert
  2017-01-26 13:58 ` Tobias Geerinckx-Rice
@ 2017-02-01 22:25 ` Ludovic Courtès
  1 sibling, 0 replies; 9+ messages in thread
From: Ludovic Courtès @ 2017-02-01 22:25 UTC (permalink / raw)
  To: Thomas Danckaert; +Cc: guix-devel

Hi!

Thomas Danckaert <post@thomasdanckaert.be> writes:

> This patch provides the xinetd executables, I'll try my hand at
> writing a xinetd service next...  Unless there is already an
> alternative to xinetd on GuixSD?

There's no such thing, but GNU Inetutils includes ‘inetd’ and it would be
nice to have it as the primary option if you’re going to write a
service.

(In the future I’d like the Shepherd to subsume inetd functionality…)

Ludo’.
