Bug 437234 - net-p2p/bittorrent - bittorrent-tracker should not run as root
Summary: net-p2p/bittorrent - bittorrent-tracker should not run as root
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Normal normal
Assignee: Ryan Hill (RETIRED)
Reported: 2012-10-04 20:53 UTC by Octavian
Modified: 2015-12-31 12:07 UTC

Attachments
bittorrent-4.4.0-r11.ebuild (2.59 KB, text/plain), 2013-02-28 12:46 UTC, Regna
bittorrent-tracker.initd (640 bytes, text/plain), 2013-02-28 12:47 UTC, Regna
bittorrent-tracker.confd (708 bytes, text/plain), 2013-02-28 12:47 UTC, Regna
bttrack.logrotate (124 bytes, text/plain), 2013-02-28 12:48 UTC, Regna
bittorrent-tracker.initd (661 bytes, text/plain), 2013-03-02 10:56 UTC, Regna

Description Octavian 2012-10-04 20:53:42 UTC
bittorrent-tracker runs unnecessarily/dangerously as root when started with /etc/init.d/bittorrent-tracker start.

I propose the following changes to the ebuild:

1. For the init script
Remove --make-pid and --pidfile /var/run/bttrack.pid and replace them with bittorrent-tracker's own --pid option, as shown below. Furthermore, use --user bttrack, or user nobody if you don't want to add another user:

start-stop-daemon --start --quiet --background \
      --user bttrack \
      --exec /usr/bin/bittorrent-tracker -- --port ${PORT} \
      --dfile ${DFILE} --favicon ${FAVICON} --logfile ${LOGFILE} \
      --pid ${PIDFILE}

2. files/bittorrent-tracker.confd should have an additional variable specifying the PIDFILE=/var/run/bttrack/bttrack.pid

As you can see, the PID file is moved one level lower, under a bttrack directory, to allow for an ownership change of the bttrack directory. Is there a better solution?

3. The DFILE=/usr/share/bittorrent/tracker.dfile location is a bit strange. Is var/lib/bittorent-tracker a better location?
Or, even better, for name consistency, it could be located at /var/lib/bttrack/bttrack.dfile

4. The log file /var/log/bttrack.log should be created before the daemon starts, and have its ownership set to the bttrack user. I do not know how to do that from the init.d script. Is there an easy way?

5. Last, a logrotate should be provided.

Thank you in advance for looking at these enhancements,
Octavian

P.S. Let me know if I can create some parts.
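
One way to cover points 1 to 4 of the report above with OpenRC's checkpath helper, as an added example (it is not part of the report and is not the content of the attached bittorrent-tracker.initd). It assumes a bttrack user and group already exist and that PORT and FAVICON are set in conf.d.

```shell
# OpenRC service script sketch: install as /etc/init.d/bittorrent-tracker
# with "#!/sbin/openrc-run" as its first line.
# PORT and FAVICON are expected from /etc/conf.d/bittorrent-tracker.
# Assumption: the user and group "bttrack" already exist.
BT_USER="bttrack"
BT_GROUP="bttrack"

# Paths proposed in the report; values set in conf.d take precedence.
: "${PIDFILE:=/var/run/bttrack/bttrack.pid}"
: "${DFILE:=/var/lib/bttrack/bttrack.dfile}"
: "${LOGFILE:=/var/log/bttrack.log}"

depend() {
	need net
}

start_pre() {
	# Runs as root before start(): create everything the unprivileged
	# daemon writes to, so it needs no write access to /var/run or /var/log.
	checkpath -d -m 0750 -o "${BT_USER}:${BT_GROUP}" "${PIDFILE%/*}" || return 1
	checkpath -d -m 0750 -o "${BT_USER}:${BT_GROUP}" "${DFILE%/*}" || return 1
	checkpath -f -m 0640 -o "${BT_USER}:${BT_GROUP}" "${LOGFILE}" || return 1
}

start() {
	ebegin "Starting bittorrent-tracker"
	# --user switches to the unprivileged account before exec; the tracker
	# writes its own pidfile through --pid, so no pidfile is made here.
	start-stop-daemon --start --quiet --background \
		--user "${BT_USER}" \
		--exec /usr/bin/bittorrent-tracker -- --port "${PORT}" \
		--dfile "${DFILE}" --favicon "${FAVICON}" --logfile "${LOGFILE}" \
		--pid "${PIDFILE}"
	eend $?
}

stop() {
	ebegin "Stopping bittorrent-tracker"
	start-stop-daemon --stop --quiet --pidfile "${PIDFILE}"
	eend $?
}
```

Because /var/run is usually cleared at boot, the directory check belongs in start_pre rather than in the ebuild's install phase.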
Comment 1 Ryan Hill (RETIRED) gentoo-dev 2012-10-07 04:31:24 UTC
Please do.  Somehow I've managed to completely avoid init scripts and adding users for the last 5 years.  I'll have to look at some examples.
Comment 2 Regna 2013-02-28 12:46:33 UTC
Created attachment 340480
bittorrent-4.4.0-r11.ebuild

Wrote this a while ago, added logrotate just now.
${P}-no-version-check.patch, ${P}-pkidir.patch, ${P}-fastresume.patch, ${P}-pygtk-thread-warnings.patch, ${P}-python26-syntax.patch, ${P}-bencode-float.patch, ${P}-keyerror.patch, ${P}-hashlib.patch, ${PN}.desktop are the same as in the Gentoo Portage tree.
Comment 3 Regna 2013-02-28 12:47:31 UTC
Created attachment 340484
bittorrent-tracker.initd
Comment 4 Regna 2013-02-28 12:47:48 UTC
Created attachment 340488
bittorrent-tracker.confd
Comment 5 Regna 2013-02-28 12:48:20 UTC
Created attachment 340490
bttrack.logrotate
Comment 6 Regna 2013-03-02 10:56:34 UTC
Created attachment 340740
bittorrent-tracker.initd
Comment 7 Pacho Ramos gentoo-dev 2015-12-31 12:07:57 UTC
removed from the tree