From 95f461e7a8d254bcb592521041cf32bf12af974b Mon Sep 17 00:00:00 2001 From: Lennart Weller Date: Mon, 5 Sep 2016 10:54:46 +0200 Subject: copyright change for avl implementation. additional dependency on python re-add home directory in case user wants to use a registry updated systemd unit file Patches: - whitespace changes in patches - remove extra root uid/gid check in favour of config - maintain shebangs for scripts --- debian/changelog | 5 +- debian/control | 1 + debian/copyright | 32 +-- debian/netdata.conf | 2 +- debian/netdata.install | 1 + debian/netdata.postinst.in | 11 +- debian/netdata.postrm | 9 +- debian/netdata.service | 5 +- ...001-linked-js-css-fonts-removed-from-make.patch | 4 +- ...ile-serve-ownership-restrictions-for-root.patch | 72 ------- ...move-file-serve-restrictions-for-symlinks.patch | 72 +++++++ debian/patches/0003-hide-update-button.patch | 24 +-- .../0004-readd-shebang-to-chart-scripts.patch | 216 +++++++++++++++++++++ debian/patches/series | 3 +- 14 files changed, 343 insertions(+), 114 deletions(-) delete mode 100644 debian/patches/0002-remove-file-serve-ownership-restrictions-for-root.patch create mode 100644 debian/patches/0002-remove-file-serve-restrictions-for-symlinks.patch create mode 100644 debian/patches/0004-readd-shebang-to-chart-scripts.patch diff --git a/debian/changelog b/debian/changelog index 5be08135c..841046564 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,10 @@ -netdata (1.2.0+dfsg-3) UNRELEASED; urgency=medium +netdata (1.3.0+dfsg-1) UNRELEASED; urgency=medium + * New upstream version. Fixes license issues * Add missing config files * Further restrict process permissions - -- Lennart Weller Mon, 01 Aug 2016 12:52:00 +0200 + -- Lennart Weller Mon, 05 Sep 2016 10:59:21 +0200 netdata (1.2.0+dfsg-2) unstable; urgency=low diff --git a/debian/control b/debian/control index bf27f42e9..6dad4aee7 100644 --- a/debian/control +++ b/debian/control 
@@ -27,6 +27,7 @@ Depends: adduser, libjs-raphael (>= 2.1.0), lsb-base (>= 3.1-23.2), netdata-data, + python, ${misc:Depends}, ${misc:Pre-Depends}, ${shlibs:Depends} diff --git a/debian/copyright b/debian/copyright index 07a5a0e2d..6304a07b6 100644 --- a/debian/copyright +++ b/debian/copyright @@ -26,9 +26,10 @@ Copyright: 2016 Matthew Newton 2016 Federico Ceratto License: GPL-3+ -Files: src/avl.h -Copyright: 2000 Daniel Nagy -License: GPL-2 +Files: src/avl.* +Copyright: 2004 Free Software Foundation Inc. + 2016 Costa Tsaousis +License: LGPL-3+ Files: node.d/node_modules/ber/* 
@@ -121,21 +122,22 @@ Files: Copyright: 2016 Marc J. Schmidt License: Expat -License: GPL-2 - This package is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation version 2 of the License. +License: LGPL-3+ + This library is free software; you can redistribute it and/or modify it under + the terms of the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your option) any + later version. . - This package is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. + This library is distributed in the hope that it will be useful, but WITHOUT + ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more + details. . - You should have received a copy of the GNU General Public License - along with this program. If not, see + You should have received a copy of the GNU Lesser General Public + License along with this library; If not, see . . - On Debian systems, the complete text of the GNU General Public - License version 2 can be found in "/usr/share/common-licenses/GPL-2". + On Debian systems, the complete text of the GNU Lesser General Public + License version 3 can be found in /usr/share/common-licenses/LGPL-3. License: GPL-3+ This program is free software: you can redistribute it and/or modify it under diff --git a/debian/netdata.conf b/debian/netdata.conf index 1f6bcf361..effb794c2 100644 --- a/debian/netdata.conf +++ b/debian/netdata.conf 
@@ -13,7 +13,7 @@ [global] run as user = netdata web files owner = root - web files group = netdata + web files group = root # Netdata is not designed to be exposed to potentially hostile # networks.See https://github.com/firehol/netdata/issues/164 bind socket to IP = 127.0.0.1 diff --git a/debian/netdata.install b/debian/netdata.install index 002dfee1d..e4f5ad774 100644 --- a/debian/netdata.install +++ b/debian/netdata.install @@ -8,3 +8,4 @@ usr/lib/*/netdata/plugins.d/charts.d.plugin usr/lib/*/netdata/plugins.d/loopsleepms.sh.inc usr/lib/*/netdata/plugins.d/tc-qos-helper.sh usr/lib/*/netdata/plugins.d/cgroup-name.sh +usr/lib/*/netdata/plugins.d/alarm-email.sh diff --git a/debian/netdata.postinst.in b/debian/netdata.postinst.in index ab37de186..643b99d55 100644 --- a/debian/netdata.postinst.in +++ b/debian/netdata.postinst.in @@ -10,13 +10,16 @@ case "$1" in fi if ! getent passwd netdata >/dev/null; then - adduser --quiet --system --ingroup netdata --home /run/netdata --no-create-home netdata + adduser --quiet --system --ingroup netdata --home /var/lib/netdata --no-create-home netdata + mkdir -p /var/lib/netdata fi - if ! dpkg-statoverride --list /var/cache/netdata >/dev/null 2>&1; then - dpkg-statoverride --update --add netdata netdata 0755 /var/cache/netdata - fi + for dir_name in /var/cache/netdata /var/lib/netdata; do + if ! dpkg-statoverride --list "$dir_name" >/dev/null 2>&1; then + dpkg-statoverride --update --add netdata netdata 0755 "$dir_name" + fi + done fi chown -R root:netdata /usr/lib/@DEB_HOST_MULTIARCH@/netdata/plugins.d diff --git a/debian/netdata.postrm b/debian/netdata.postrm index 5df19783d..81a657881 100644 --- a/debian/netdata.postrm +++ b/debian/netdata.postrm 
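Review bot: `mkdir -p /var/lib/netdata` is only reached inside the `if ! getent passwd netdata` branch, so on an upgrade where the netdata user already exists (created by the 1.2.0 postinst with home `/run/netdata`) the directory is never created and the home is not moved; the new `dpkg-statoverride --update --add netdata netdata 0755 /var/lib/netdata` then has nothing to apply to, and the unit's `ReadWriteDirectories=/var/lib/netdata` refers to a missing path. Hoist the creation out of the guard, e.g. `mkdir -p /var/lib/netdata` directly before the `for dir_name in …` loop, and consider `usermod -d /var/lib/netdata netdata` for pre-existing users. Since the commit message says this directory exists to hold registry data, a 0750 mode rather than 0755 is also worth considering. The enclosing `case` statement continues outside the hunk.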
@@ -7,9 +7,12 @@ case "$1" in ;; purge) - if dpkg-statoverride --list | grep -qw "/var/cache/netdata"; then - dpkg-statoverride --remove "$dir_name" - fi + for dir_name in /var/cache/netdata /var/lib/netdata; do + if dpkg-statoverride --list | grep -qw "$dir_name"; then + dpkg-statoverride --remove "$dir_name" + fi + done + rm -rf /var/cache/netdata /var/log/netdata if getent passwd netdata >/dev/null; then diff --git a/debian/netdata.service b/debian/netdata.service index 424651b24..b936eddd6 100644 --- a/debian/netdata.service +++ b/debian/netdata.service @@ -12,7 +12,7 @@ ConditionPathExists=/etc/netdata/netdata.conf [Service] Type=simple Environment="netdata_LOG_LOCATION=/var/log/netdata/log" -ExecStart=/usr/sbin/netdata -nd +ExecStart=/usr/sbin/netdata -D ExecReload=/usr/sbin/netdata reload TimeoutStopSec=10 KillMode=mixed @@ -36,7 +36,8 @@ ProtectHome=read-only ProtectSystem=full ReadOnlyDirectories=/ -ReadWriteDirectories=/run +ReadWriteDirectories=/proc/self +ReadWriteDirectories=/var/lib/netdata ReadWriteDirectories=/var/log/netdata ReadWriteDirectories=/var/cache/netdata diff --git a/debian/patches/0001-linked-js-css-fonts-removed-from-make.patch b/debian/patches/0001-linked-js-css-fonts-removed-from-make.patch index d3e860180..0bdfad7ec 100644 --- a/debian/patches/0001-linked-js-css-fonts-removed-from-make.patch +++ b/debian/patches/0001-linked-js-css-fonts-removed-from-make.patch @@ -7,10 +7,10 @@ Subject: linked js/css/fonts removed from make 1 file changed, 27 deletions(-) diff --git a/web/Makefile.am b/web/Makefile.am -index 174ef22..6a33a1e 100644 +index 0432f8a..8078e67 100644 --- a/web/Makefile.am +++ b/web/Makefile.am -@@ -20,59 +20,32 @@ dist_web_DATA = \ +@@ -21,59 +21,32 @@ dist_web_DATA = \ version.txt \ $(NULL) diff --git a/debian/patches/0002-remove-file-serve-ownership-restrictions-for-root.patch b/debian/patches/0002-remove-file-serve-ownership-restrictions-for-root.patch deleted file mode 100644 index 1bcb6978e..000000000 
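Review bot: The purge branch still removes only `/var/cache/netdata /var/log/netdata`, while this commit's postinst now also creates `/var/lib/netdata` as the user's home and registry store, so a purge leaves that directory and its contents behind; extend the line to `rm -rf /var/cache/netdata /var/log/netdata /var/lib/netdata`. The `dpkg-statoverride --list | grep -qw "$dir_name"` test is also looser than the `dpkg-statoverride --list "$dir_name"` form postinst uses: with `-w`, `/var/lib/netdata` would also match a longer override such as `/var/lib/netdata-foo`, because `-` is not a word character. Using the same `dpkg-statoverride --list "$dir_name"` test in both scripts keeps them consistent and exact. The `case` statement continues outside the hunk.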
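Review bot: `ReadWriteDirectories=/proc/self` carries no comment explaining why write access is needed there under `ReadOnlyDirectories=/`, and `/proc/self` is a symlink that systemd resolves when it sets up the mount namespace, so whether it ends up naming netdata's own PID (plausible with `-D` plus `Type=simple`, since no fork happens) or some other process should be confirmed rather than assumed. A comment such as `# /proc/self: netdata presumably writes its own process settings here (e.g. oom_score_adj) -- confirm path` above the line would stop the next maintainer from dropping it, and naming the concrete file netdata writes would be better still. Dropping `/run` from the writable set also means a pid file or socket under /run, if the shipped netdata.conf configures one, can no longer be written; worth checking against that file.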
--- a/debian/patches/0002-remove-file-serve-ownership-restrictions-for-root.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From: Lennart Weller -Date: Wed, 25 May 2016 13:43:32 +0200 -Subject: remove file serve ownership restrictions for root - ---- - src/web_client.c | 22 +++++++++++----------- - 1 file changed, 11 insertions(+), 11 deletions(-) - -diff --git a/src/web_client.c b/src/web_client.c -index 601dda0..3582c33 100644 ---- a/src/web_client.c -+++ b/src/web_client.c -@@ -331,33 +331,33 @@ int mysendfile(struct web_client *w, char *filename) - snprintfz(webfilename, FILENAME_MAX, "%s/%s", web_dir, filename); - - // check if the file exists -- struct stat stat; -- if(lstat(webfilename, &stat) != 0) { -+ struct stat wstat; -+ if(stat(webfilename, &wstat) != 0) { - debug(D_WEB_CLIENT_ACCESS, "%llu: File '%s' is not found.", w->id, webfilename); - buffer_sprintf(w->response.data, "File '%s' does not exist, or is not accessible.", webfilename); - return 404; - } - - // check if the file is owned by expected user -- if(stat.st_uid != web_files_uid()) { -- error("%llu: File '%s' is owned by user %d (expected user %d). Access Denied.", w->id, webfilename, stat.st_uid, web_files_uid()); -+ if(wstat.st_uid != web_files_uid() && wstat.st_uid != 0) { -+ error("%llu: File '%s' is owned by user %d (expected user %d). Access Denied.", w->id, webfilename, wstat.st_uid, web_files_uid()); - buffer_sprintf(w->response.data, "Access to file '%s' is not permitted.", webfilename); - return 403; - } - - // check if the file is owned by expected group -- if(stat.st_gid != web_files_gid()) { -- error("%llu: File '%s' is owned by group %d (expected group %d). Access Denied.", w->id, webfilename, stat.st_gid, web_files_gid()); -+ if(wstat.st_gid != web_files_gid() && wstat.st_gid != 0) { -+ error("%llu: File '%s' is owned by group %d (expected group %d). 
Access Denied.", w->id, webfilename, wstat.st_gid, web_files_gid()); - buffer_sprintf(w->response.data, "Access to file '%s' is not permitted.", webfilename); - return 403; - } - -- if((stat.st_mode & S_IFMT) == S_IFDIR) { -+ if((wstat.st_mode & S_IFMT) == S_IFDIR) { - snprintfz(webfilename, FILENAME_MAX, "%s/index.html", filename); - return mysendfile(w, webfilename); - } - -- if((stat.st_mode & S_IFMT) != S_IFREG) { -+ if(!((wstat.st_mode & S_IFMT) & (S_IFREG | S_IFLNK))) { - error("%llu: File '%s' is not a regular file. Access Denied.", w->id, webfilename); - buffer_sprintf(w->response.data, "Access to file '%s' is not permitted.", webfilename); - return 403; -@@ -403,14 +403,14 @@ int mysendfile(struct web_client *w, char *filename) - else if(strstr(filename, ".icns") != NULL) w->response.data->contenttype = CT_IMAGE_ICNS; - else w->response.data->contenttype = CT_APPLICATION_OCTET_STREAM; - -- debug(D_WEB_CLIENT_ACCESS, "%llu: Sending file '%s' (%ld bytes, ifd %d, ofd %d).", w->id, webfilename, stat.st_size, w->ifd, w->ofd); -+ debug(D_WEB_CLIENT_ACCESS, "%llu: Sending file '%s' (%ld bytes, ifd %d, ofd %d).", w->id, webfilename, wstat.st_size, w->ifd, w->ofd); - - w->mode = WEB_CLIENT_MODE_FILECOPY; - w->wait_receive = 1; - w->wait_send = 0; - buffer_flush(w->response.data); -- w->response.rlen = stat.st_size; -- w->response.data->date = stat.st_mtim.tv_sec; -+ w->response.rlen = wstat.st_size; -+ w->response.data->date = wstat.st_mtim.tv_sec; - - return 200; - } diff --git a/debian/patches/0002-remove-file-serve-restrictions-for-symlinks.patch b/debian/patches/0002-remove-file-serve-restrictions-for-symlinks.patch new file mode 100644 index 000000000..ecf97b65a --- /dev/null +++ b/debian/patches/0002-remove-file-serve-restrictions-for-symlinks.patch 
@@ -0,0 +1,72 @@ +From: Lennart Weller +Date: Mon, 5 Sep 2016 14:53:06 +0200 +Subject: remove file serve restrictions for symlinks + +--- + src/web_client.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/src/web_client.c b/src/web_client.c +index 4036d4c..a7cc424 100644 +--- a/src/web_client.c ++++ b/src/web_client.c +@@ -325,33 +325,33 @@ int mysendfile(struct web_client *w, char *filename) + snprintfz(webfilename, FILENAME_MAX, "%s/%s", web_dir, filename); + + // check if the file exists +- struct stat stat; +- if(lstat(webfilename, &stat) != 0) { ++ struct stat wstat; ++ if(stat(webfilename, &wstat) != 0) { + debug(D_WEB_CLIENT_ACCESS, "%llu: File '%s' is not found.", w->id, webfilename); + buffer_sprintf(w->response.data, "File '%s' does not exist, or is not accessible.", webfilename); + return 404; + } + + // check if the file is owned by expected user +- if(stat.st_uid != web_files_uid()) { +- error("%llu: File '%s' is owned by user %u (expected user %u). Access Denied.", w->id, webfilename, stat.st_uid, web_files_uid()); ++ if(wstat.st_uid != web_files_uid()) { ++ error("%llu: File '%s' is owned by user %u (expected user %u). Access Denied.", w->id, webfilename, wstat.st_uid, web_files_uid()); + buffer_sprintf(w->response.data, "Access to file '%s' is not permitted.", webfilename); + return 403; + } + + // check if the file is owned by expected group +- if(stat.st_gid != web_files_gid()) { +- error("%llu: File '%s' is owned by group %u (expected group %u). Access Denied.", w->id, webfilename, stat.st_gid, web_files_gid()); ++ if(wstat.st_gid != web_files_gid()) { ++ error("%llu: File '%s' is owned by group %d (expected group %d). 
Access Denied.", w->id, webfilename, wstat.st_gid, web_files_gid()); + buffer_sprintf(w->response.data, "Access to file '%s' is not permitted.", webfilename); + return 403; + } + +- if((stat.st_mode & S_IFMT) == S_IFDIR) { ++ if((wstat.st_mode & S_IFMT) == S_IFDIR) { + snprintfz(webfilename, FILENAME_MAX, "%s/index.html", filename); + return mysendfile(w, webfilename); + } + +- if((stat.st_mode & S_IFMT) != S_IFREG) { ++ if((wstat.st_mode & S_IFMT) != S_IFREG) { + error("%llu: File '%s' is not a regular file. Access Denied.", w->id, webfilename); + buffer_sprintf(w->response.data, "Access to file '%s' is not permitted.", webfilename); + return 403; +@@ -399,14 +399,14 @@ int mysendfile(struct web_client *w, char *filename) + else if(strstr(filename, ".icns") != NULL) w->response.data->contenttype = CT_IMAGE_ICNS; + else w->response.data->contenttype = CT_APPLICATION_OCTET_STREAM; + +- debug(D_WEB_CLIENT_ACCESS, "%llu: Sending file '%s' (%ld bytes, ifd %d, ofd %d).", w->id, webfilename, stat.st_size, w->ifd, w->ofd); ++ debug(D_WEB_CLIENT_ACCESS, "%llu: Sending file '%s' (%ld bytes, ifd %d, ofd %d).", w->id, webfilename, wstat.st_size, w->ifd, w->ofd); + + w->mode = WEB_CLIENT_MODE_FILECOPY; + w->wait_receive = 1; + w->wait_send = 0; + buffer_flush(w->response.data); +- w->response.rlen = stat.st_size; +- w->response.data->date = stat.st_mtim.tv_sec; ++ w->response.rlen = wstat.st_size; ++ w->response.data->date = wstat.st_mtim.tv_sec; + + return 200; + } diff --git a/debian/patches/0003-hide-update-button.patch b/debian/patches/0003-hide-update-button.patch index ad554f0e8..5395dc47f 100644 --- a/debian/patches/0003-hide-update-button.patch +++ b/debian/patches/0003-hide-update-button.patch @@ -1,5 +1,5 @@ -From: Federico Ceratto -Date: Fri, 22 Jul 2016 14:21:13 +0200 +From: Lennart Weller +Date: Mon, 5 Sep 2016 10:52:35 +0200 Subject: hide update button --- @@ -7,15 +7,15 @@ Subject: hide update button 1 file changed, 1 insertion(+), 1 deletion(-) 
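Review bot: The rewritten group-ownership error line reintroduces `%d` for `wstat.st_gid` and `web_files_gid()` where the removed upstream line used `%u`; gid_t is unsigned, so this is a `-Wformat` regression and should read `error("%llu: File '%s' is owned by group %u (expected group %u). Access Denied.", w->id, webfilename, wstat.st_gid, web_files_gid());`. The substantive change, `lstat()` to `stat()` so that the owner/group and `S_IFREG` checks are applied to a symlink's target instead of to the link itself, is the security-relevant part of this patch and it is undocumented: there is no DEP-3 `Description:`/`Forwarded:` header. That header should state the motivation (presumably serving Debian's `/usr/share/javascript` symlinks from the web directory) and the consequence that any root:root-owned symlink under the web directory is now followed wherever it points, so only root must be able to place links there. `mysendfile` is visible only in these two fragments; whatever `..` filtering of `filename` happens before line 325 is outside the hunk.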
diff --git a/web/index.html b/web/index.html -index 9cc2b4b..949d3e8 100644 +index 3e6c221..0026f94 100644 --- a/web/index.html +++ b/web/index.html -@@ -465,7 +465,7 @@ -