Bug 629270 - app-office/openerp: removal
Summary: app-office/openerp: removal
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-29 11:31 UTC by Michael Orlitzky
Modified: 2018-11-24 23:46 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
openerp-3 (186 bytes, text/plain), 2017-08-29 11:31 UTC, Michael Orlitzky
openerp-confd-3 (38 bytes, text/plain), 2017-08-29 11:32 UTC, Michael Orlitzky
openerp.cfg.3 (1.08 KB, text/plain), 2017-08-29 11:32 UTC, Michael Orlitzky

Description Michael Orlitzky gentoo-dev 2017-08-29 11:31:34 UTC
Created attachment 491060 [details]
openerp-3

The latest openerp init script makes its PID file directory writable by the openerp user:

  start() {
      checkpath -q -d -m 0755 -o openerp:openerp /run/openerp

This is a minor security issue, because the "openerp" user can write whatever he wants into that PID file, and then later, root will send a SIGTERM to its contents when he tries to stop the daemon.

The reason that the "checkpath" call exists is a little confusing. Right now, openerp is running with *two* PID files -- one created by start-stop-daemon, and one created by openerp itself. The permissions above are needed for the PID file that openerp creates, but not for the one that start-stop-daemon creates (which is the one that actually gets used). So the solution is to,

  1. Disable the PID file that openerp creates itself.

  2. Move the start-stop-daemon PID file to /run.

  3. Drop the call to checkpath.

  4. Remove the PIDFILE variable from the conf.d file.

I'm attaching a new init script, conf.d file, and openerp.cfg with those changes.

You'll notice that I've also removed the $USER variable from the conf.d file. At the moment, it doesn't need to be there, because changing it doesn't work: the ebuild sets permissions for "openerp", and if you wanted to make the user switchable at runtime, you would have to move that code from the ebuild to the init script.
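As an added example (not part of the bug report or of the Gentoo init script), the following shell functions audit a PID file location for the unsafe layout described above and let a stop routine confirm that a PID really belongs to the service user before it is signalled. They assume a Linux host with stat(1) and /proc; the "openerp" name appears only in comments.

```shell
# Constructed defensive check, not code from the bug report or the Gentoo tree.
#
# The unsafe pattern in the report: the PID file lives in a directory owned by
# the unprivileged service user (checkpath -o openerp:openerp /run/openerp), so
# that user can write any PID there and root's stop() will SIGTERM it. A safe
# PID file is written by start-stop-daemon as root into a directory the service
# user cannot write. Assumes Linux with GNU/busybox stat and /proc.

# pidfile_dir_is_safe PIDFILE SERVICE_USER
# Returns 0 when the directory holding PIDFILE is not owned by SERVICE_USER
# and is not writable by group or other; returns 1 with a reason on stderr.
pidfile_dir_is_safe() {
    pidfile=$1
    svc_user=$2
    dir=$(dirname "$pidfile")
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    owner=$(stat -c '%U' "$dir")
    perms=$(stat -c '%A' "$dir")            # e.g. drwxr-xr-x
    if [ "$owner" = "$svc_user" ]; then
        echo "$dir: owned by service user $svc_user" >&2; return 1
    fi
    # positions 6 and 9 of the symbolic mode are the group/other write bits
    if [ "$(printf '%s' "$perms" | cut -c6)" = w ] ||
       [ "$(printf '%s' "$perms" | cut -c9)" = w ]; then
        echo "$dir: writable by group or other ($perms)" >&2; return 1
    fi
    # an already existing PID file must not be the service user's either
    if [ -e "$pidfile" ] && [ "$(stat -c '%U' "$pidfile")" = "$svc_user" ]; then
        echo "$pidfile: owned by service user $svc_user" >&2; return 1
    fi
    return 0
}

# pid_belongs_to_user PID UID
# Second line of defence for stop(): only signal a PID whose process actually
# runs as the expected numeric UID (real UID read from /proc/PID/status).
pid_belongs_to_user() {
    pid=$1
    want_uid=$2
    [ -r "/proc/$pid/status" ] || return 1
    have_uid=$(awk '/^Uid:/ { print $2; exit }' "/proc/$pid/status")
    [ "$have_uid" = "$want_uid" ]
}
```

With these in place, a stop() would refuse to kill a PID that fails either check instead of trusting the file's contents.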
Comment 1 Michael Orlitzky gentoo-dev 2017-08-29 11:32:01 UTC
Created attachment 491062 [details]
openerp-confd-3
Comment 2 Michael Orlitzky gentoo-dev 2017-08-29 11:32:53 UTC
Created attachment 491064 [details]
openerp.cfg.3

The new cfg file is identical to the old one, except I deleted the pidfile line.
Comment 3 Virgil Dupras (RETIRED) gentoo-dev 2018-10-07 20:29:36 UTC
This is badly outdated (hasn't been bumped since it's in git!), vulnerable, unmaintained. It has a lot of dependencies, probably many of them where openerp is their only revdep. Should we treeclean it?
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-10-07 20:58:11 UTC
Given how many bugs are filed for this package, and that nobody has even bothered to update the maintainer on them, I'd say: yes, please.
Comment 5 Virgil Dupras (RETIRED) gentoo-dev 2018-10-07 21:18:58 UTC
Alright, last-riting app-office/openerp as well as orphans, listed below (all under the python project umbrella):

dev-python/pychart
dev-python/pywebdav
dev-python/vatnumber
Comment 6 Larry the Git Cow gentoo-dev 2018-10-07 21:25:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9c0bdddcfb6b77ef3d999493a85e286cca0020c

commit e9c0bdddcfb6b77ef3d999493a85e286cca0020c
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-07 21:23:12 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-07 21:24:39 +0000

    profiles: last-rite app-office/openerp
    
    Bug: https://bugs.gentoo.org/629270
    
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
Comment 7 Eddie Chapman 2018-10-19 10:56:54 UTC
As a user of both

dev-python/pychart
dev-python/vatnumber

without having app-office/openerp installed, I'm wondering what is the possibility of keeping them in the tree for now, albeit without a maintainer?

If a maintainer is required I'll probably volunteer in the future but not now, if no one else wants to. I'd be happy to make a new ebuild now for vatnumber to update it to latest upstream 1.2 and test it, if someone as a proxy can review and commit it. dev-python/pychart is already at latest upstream version.
Comment 8 Virgil Dupras (RETIRED) gentoo-dev 2018-10-19 11:47:02 UTC
No problem, I'll unmask them. Libraries with single revdeps like these often have no other purpose, which is why I last-rited them. If they're used, let's keep them.

It's indeed preferable to adopt them if you want to keep them, because orphan libraries like this that are maintained by no one other than the python project are subject to random last-riting.
Comment 9 Larry the Git Cow gentoo-dev 2018-10-19 11:51:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99126be0a6f47fa0d35cbe6f305afe71366c4d61

commit 99126be0a6f47fa0d35cbe6f305afe71366c4d61
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-10-19 11:49:51 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-10-19 11:49:51 +0000

    profiles: unmask last-rited packages
    
    pychart and vatnumber are apparently still needed. Cancelling
    last-riting.
    
    Bug: https://bugs.gentoo.org/629270
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

 profiles/package.mask | 2 --
 1 file changed, 2 deletions(-)
Comment 10 Larry the Git Cow gentoo-dev 2018-11-07 12:25:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=976bc8af740fe5b78ae71df52e3ca9ad73800051

commit 976bc8af740fe5b78ae71df52e3ca9ad73800051
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-11-07 12:22:14 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-11-07 12:25:22 +0000

    app-office/openerp: remove last-rited package
    
    and orphan dependency.
    
    Bug: https://bugs.gentoo.org/629270
    Signed-off-by: Virgil Dupras <vdupras@gentoo.org>

 app-office/openerp/Manifest                    |   2 -
 app-office/openerp/files/openerp               |  22 -----
 app-office/openerp/files/openerp-2             |  23 -----
 app-office/openerp/files/openerp-confd         |   3 -
 app-office/openerp/files/openerp-confd-2       |   3 -
 app-office/openerp/files/openerp.cfg           |  64 -------------
 app-office/openerp/files/openerp.cfg.2         |  65 --------------
 app-office/openerp/files/openerp.logrotate     |   9 --
 app-office/openerp/metadata.xml                |   8 --
 app-office/openerp/openerp-7.0.20140125.ebuild | 119 -------------------------
 app-office/openerp/openerp-8.0.20140125.ebuild | 119 -------------------------
 dev-python/pywebdav/Manifest                   |   1 -
 dev-python/pywebdav/metadata.xml               |  14 ---
 dev-python/pywebdav/pywebdav-0.9.8-r1.ebuild   |  29 ------
 profiles/package.mask                          |   6 --
 15 files changed, 487 deletions(-)