Clean up compiler flag handling w/fix from upstream, and add dedicated user/group for tlsdate to use when dropping root #447018 by Maxim Kammerer.

(Portage version: 2.2.0_alpha144/cvs/Linux x86_64, signed Manifest commit with key FB7C4156)

2 files changed, 138 insertions, 0 deletions

diff --git a/net-misc/tlsdate/files/tlsdate-0.0.4-compiler-flags.patch b/net-misc/tlsdate/files/tlsdate-0.0.4-compiler-flags.patch
new file mode 100644
index 000000000000..dbccaabe597f
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdate-0.0.4-compiler-flags.patch
@@ -0,0 +1,72 @@
+fix in upstream now
+
+From 8b94e111e58fc5d8a2cf47effaaf410a6e4eca46 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Tue, 18 Dec 2012 15:38:51 -0500
+Subject: [PATCH] make hardened compiler flags optional
+
+First note: the default behavior is unchanged.
+
+For people building tlsdate themselves with a known toolchain env, the
+checked flags can be redundant, or even harmful.  A compile/link check
+for PIE behavior for example might not catch the full supported status
+for some architectures/C libraries.
+
+Further, the current code starts by throwing away the user's compiler
+settings which can also be harmful.  Those often times include settings
+related to ABI or target cpu selection and ignoring them can produce an
+unusable binary.
+
+So add a flag that people (including distros) can leverage to bypass
+all of the checks.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ configure.ac | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 555ae28..f6efb0b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -67,19 +67,28 @@ AC_SUBST(RT_LIB)
+ 
+ # Debug and hardening flags all in one shot
+ # Alwas do this at the end, otherwise you end up filtering system/other libraries
++AC_ARG_ENABLE([hardened-checks],
++              [AS_HELP_STRING([--disable-hardened-checks],
++                              [Disable automatically enabling hardened toolchain options])])
+ AC_DEFUN([LOCAL_CHECK_FLAGS],[
+           AC_REQUIRE([AX_CHECK_LINK_FLAG])
+           AC_REQUIRE([AX_APPEND_COMPILE_FLAGS])
+           AC_LANG_PUSH([C])
+-          CFLAGS=
+-          LIBS=
+-          AX_APPEND_COMPILE_FLAGS([-g -O1 -Wall])
+-          AX_APPEND_COMPILE_FLAGS([-fno-strict-aliasing])
+-          AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2 -fstack-protector-all])
+-          AX_APPEND_COMPILE_FLAGS([-fwrapv -fPIE -Wstack-protector])
+-          AX_APPEND_COMPILE_FLAGS([--param=ssp-buffer-size=1])
+-          AX_CHECK_LINK_FLAG([-z relro -z now])
+-          AX_CHECK_LINK_FLAG([-pie])
++          AS_IF([test "x$enable_hardened_checks" != xno], [
++              CFLAGS=
++              LIBS=
++              AX_APPEND_COMPILE_FLAGS([-g -O1])
++          ], [
++              AC_MSG_WARN([using hardened flags is HIGHLY RECOMMENDED and disabling them is a BAD IDEA])
++          ])
++          AX_APPEND_COMPILE_FLAGS([-Wall -fno-strict-aliasing])
++          AS_IF([test "x$enable_hardened_checks" != xno], [
++              AX_APPEND_COMPILE_FLAGS([-D_FORTIFY_SOURCE=2 -fstack-protector-all])
++              AX_APPEND_COMPILE_FLAGS([-fwrapv -fPIE -Wstack-protector])
++              AX_APPEND_COMPILE_FLAGS([--param=ssp-buffer-size=1])
++              AX_CHECK_LINK_FLAG([-z relro -z now])
++              AX_CHECK_LINK_FLAG([-pie])
++          ])
+           AC_LANG_POP
+           ])
+ LOCAL_CHECK_FLAGS
+-- 
+1.8.0
+
diff --git a/net-misc/tlsdate/files/tlsdate-0.0.4-configure-user-group.patch b/net-misc/tlsdate/files/tlsdate-0.0.4-configure-user-group.patch
new file mode 100644
index 000000000000..8cd2472cf44e
--- /dev/null
+++ b/net-misc/tlsdate/files/tlsdate-0.0.4-configure-user-group.patch
@@ -0,0 +1,66 @@
+From e6edd1f581b59dffbc1e21d2221af049a5f0b38a Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Wed, 19 Dec 2012 15:48:22 -0500
+Subject: [PATCH] add configure flags for setting droppriv user/group
+
+In order to override the default user/group, you have to append your
+CPPFLAGS before compiling.  Since you also have to pass along double
+quotes, it can get ugly/messy fast in shell (due to the escaping).
+Plus, the existing code always defines UNPRIV_USER to "nobody" which
+leads to compile time warnings.
+
+Add dedicated configure flags to make the interface simple for people
+to control.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+---
+ configure.ac  | 20 ++++++++++++++++++++
+ src/tlsdate.h |  1 -
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index f6efb0b..c95090e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -57,6 +57,26 @@ AC_CHECK_HEADERS([unistd.h], ,[AC_MSG_ERROR([Required headers missing; compilati
+ AC_CHECK_FUNCS([setresuid])
+ AC_CHECK_FUNCS([gettimeofday])
+ 
++AC_MSG_CHECKING([user/group to drop privs to])
++
++AC_ARG_WITH([unpriv-user],
++            [AS_HELP_STRING([--with-unpriv-user=<user>],
++                            [User to drop privs to @<:@default: nobody@:>@])])
++AS_CASE([$with_unpriv_user],
++        [""|yes|no], [UNPRIV_USER="nobody"],
++        [*], [UNPRIV_USER=$with_unpriv_user])
++AC_DEFINE_UNQUOTED([UNPRIV_USER], ["${UNPRIV_USER}"], [Unprivileged user])
++
++AC_ARG_WITH([unpriv-group],
++            [AS_HELP_STRING([--with-unpriv-group=<group>],
++                            [Group to drop privs to @<:@default: nogroup@:>@])])
++AS_CASE([$with_unpriv_group],
++        [""|yes|no], [UNPRIV_GROUP="nogroup"],
++        [*], [UNPRIV_GROUP=$with_unpriv_group])
++AC_DEFINE_UNQUOTED([UNPRIV_GROUP], ["${UNPRIV_GROUP}"], [Unprivileged group])
++
++AC_MSG_RESULT(${UNPRIV_USER}:${UNPRIV_GROUP})
++
+ # Check for -lrt
+ AC_CHECK_LIB([rt], [clock_gettime], [
+               RT_LIB="-lrt"
+diff --git a/src/tlsdate.h b/src/tlsdate.h
+index 4db56c1..4c918cd 100644
+--- a/src/tlsdate.h
++++ b/src/tlsdate.h
+@@ -18,7 +18,6 @@
+ #include <time.h>
+ #include <unistd.h>
+ 
+-#define UNPRIV_USER "nobody"
+ #define DEFAULT_HOST "www.ptb.de"
+ #define DEFAULT_PORT "443"
+ #define DEFAULT_PROTOCOL "tlsv1"
+-- 
+1.8.0
+