rsync: run as regular user rather than as root
authorJohn Audia <[email protected]>
Sun, 20 Jul 2025 15:54:49 +0000 (11:54 -0400)
committerHannu Nyman <[email protected]>
Thu, 24 Jul 2025 15:08:56 +0000 (18:08 +0300)
Rsyncd only needs a subset of all capabilities, so create
a dedicated user that is granted just those capabilities. This is better from both a
security and an isolation perspective than running as root.

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc

Signed-off-by: John Audia <[email protected]>
net/rsync/Makefile
net/rsync/files/rsyncd.init
net/rsync/files/rsyncd.json [new file with mode: 0644]

index 4fd7185f8b733ae7c04a8e2edee1bc6f6d8bf406..ed5a9c832cae6c5151e8c168511bcc6f73f55ba5 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=rsync
 PKG_VERSION:=3.4.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.samba.org/pub/$(PKG_NAME)/src
@@ -67,6 +67,7 @@ define Package/rsyncd
   SUBMENU:=File Transfer
   TITLE:=Rsync daemon
   DEPENDS:=+rsync
+  USERID:=rsyncd=976:rsyncd=976
   URL:=https://rsync.samba.org/
 endef
 
@@ -108,6 +109,8 @@ define Package/rsyncd/install
        $(INSTALL_DATA) ./files/rsyncd.conf $(1)/etc/
        $(INSTALL_DIR) $(1)/etc/init.d
        $(INSTALL_BIN) ./files/rsyncd.init $(1)/etc/init.d/rsyncd
+       $(INSTALL_DIR) $(1)/etc/capabilities
+       $(INSTALL_DATA) ./files/rsyncd.json $(1)/etc/capabilities
 endef
 
 define Package/rrsync/description
index d226d0f3fa99d4064f777e5fe7b531c5495a3223..bbcd99db805d5863d423df61a075097c708291a7 100644 (file)
@@ -10,5 +10,12 @@ PROG=/usr/bin/rsync
 start_service() {
        procd_open_instance
        procd_set_param command "$PROG" --daemon --no-detach
+       [ -x /sbin/ujail -a -e /etc/capabilities/rsyncd.json ] && {
+               procd_add_jail rsyncd
+               procd_set_param capabilities /etc/capabilities/rsyncd.json
+               procd_set_param user rsyncd
+               procd_set_param group rsyncd
+               procd_set_param no_new_privs 1
+       }
        procd_close_instance
 }
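Review bot: The jail is opened with `procd_add_jail rsyncd` but no `procd_add_jail_mount` lines, so unless procd binds them in by default the jailed daemon has no view of /etc/rsyncd.conf or of the module paths that file exports; if that is the case here, add `procd_add_jail_mount /etc/rsyncd.conf` plus a mount for each exported path before `procd_close_instance`. The fallback when /sbin/ujail or the JSON file is missing is silent: the daemon then starts as root with the same command line, so an `else` branch such as `logger -t rsyncd "ujail or capability file missing, running as root"` would make the actual privilege level visible in the log. A point of style: `-a` inside `[ ]` is obsolescent in POSIX test; `[ -x /sbin/ujail ] && [ -e /etc/capabilities/rsyncd.json ] && {` is the portable form.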
diff --git a/net/rsync/files/rsyncd.json b/net/rsync/files/rsyncd.json
new file mode 100644 (file)
index 0000000..0f3f40f
--- /dev/null
@@ -0,0 +1,37 @@
+{
+       "bounding": [
+               "CAP_NET_BIND_SERVICE",
+               "CAP_SYS_CHROOT",
+               "CAP_SETUID",
+               "CAP_SETGID",
+               "CAP_DAC_OVERRIDE"
+       ],
+       "effective": [
+               "CAP_NET_BIND_SERVICE",
+               "CAP_SYS_CHROOT",
+               "CAP_SETUID",
+               "CAP_SETGID",
+               "CAP_DAC_OVERRIDE"
+       ],
+       "ambient": [
+               "CAP_NET_BIND_SERVICE",
+               "CAP_SYS_CHROOT",
+               "CAP_SETUID",
+               "CAP_SETGID",
+               "CAP_DAC_OVERRIDE"
+       ],
+       "permitted": [
+               "CAP_NET_BIND_SERVICE",
+               "CAP_SYS_CHROOT",
+               "CAP_SETUID",
+               "CAP_SETGID",
+               "CAP_DAC_OVERRIDE"
+       ],
+       "inheritable": [
+               "CAP_NET_BIND_SERVICE",
+               "CAP_SYS_CHROOT",
+               "CAP_SETUID",
+               "CAP_SETGID",
+               "CAP_DAC_OVERRIDE"
+       ]
+}
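Review bot: CAP_DAC_OVERRIDE appears in all five sets, and it lets the daemon bypass read/write/execute permission checks on every file it can reach, which hands back most of what the switch from root to the rsyncd user removes; the reason it is needed should be recorded, and if it is only there so that modules owned by other users stay readable, fixing ownership or ACLs on those paths and dropping it is the tighter option. CAP_SETUID and CAP_SETGID are presumably there for per-module `uid`/`gid` switching, but rsync may only attempt that when its own uid is 0 — worth confirming against this rsync version, since if it never switches identity as rsyncd the two capabilities are dead weight. JSON has no comment syntax, so the rationale fits best as a comment next to `procd_set_param capabilities /etc/capabilities/rsyncd.json` in rsyncd.init, mapping each capability to the rsyncd.conf option that needs it (`use chroot` → CAP_SYS_CHROOT, `uid`/`gid` → CAP_SETUID/CAP_SETGID, the default port 873 → CAP_NET_BIND_SERVICE) so a later maintainer can prune the list safely.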