From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH v2] sslh: update to 1.20 Date: Mon, 13 May 2019 14:33:59 +0100 Message-ID: In-Reply-To: <20190512042407.30144-1-ummeegge@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8115272182085439055==" List-Id: --===============8115272182085439055== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, I think this patch is mostly fine. Just a couple of small questions. > On 12 May 2019, at 05:24, Erik Kapfer wrote: >=20 > - New user and group sslh has been added. > - Added USELIBCAP to make transparent mode possible. > - red.up script has been added. If red IP changes, sslh will be restarted t= o run with the new IP. > - red.up script searches for sslh symlink in rc3.d, if nothing can be found= , it will not start so it can be disabled via WUI (services.cgi). > - Symlinks for runlevels has been nevertheless added to sslh package to con= trol it also via services.cgi. > - Configuration block has been added to sslh initscript. > - External IP address check will also be used for configure options. > - Configure provides currently only OpenVPN > - OpenVPN port will be automatically investigated. >=20 > Signed-off-by: Erik Kapfer > --- > config/rootfiles/packages/sslh | 1 + > config/sslh/25-sslh | 17 +++++++++++++++++ > lfs/initscripts | 3 --- > lfs/sslh | 16 +++++++++------- > src/initscripts/packages/sslh | 41 +++++++++++++++++++++++++++++++++------= -- > src/paks/sslh/install.sh | 16 +++++++++++++++- > src/paks/sslh/uninstall.sh | 4 +++- > 7 files changed, 78 insertions(+), 20 deletions(-) > create mode 100644 config/sslh/25-sslh >=20 > diff --git a/config/rootfiles/packages/sslh b/config/rootfiles/packages/sslh > index 2c67aad3a..15d5ff8f9 100644 > --- a/config/rootfiles/packages/sslh > +++ b/config/rootfiles/packages/sslh 
> @@ -1,2 +1,3 @@ > +etc/rc.d/init.d/networking/red.up/25-sslh > etc/rc.d/init.d/sslh > usr/sbin/sslh > diff --git a/config/sslh/25-sslh b/config/sslh/25-sslh > new file mode 100644 > index 000000000..0b65d4309 > --- /dev/null > +++ b/config/sslh/25-sslh > @@ -0,0 +1,17 @@ > +#!/bin/bash > + > +# Check if SSLH has been enabled in WUI > +if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then I do not think that this is very elegant. Calling ls is shell scripts has man= y disadvantages. Can we not just test for /etc/rc.d/rc3.d/S98sslh being present? We know the r= eal path. > + # If SSLH is enabled and running but red0 gets a new IP, restart SSLH > + if pgrep 'sslh' > /dev/null; then > + /etc/init.d/sslh restart > + else > + # If sslh is not running yet, start it > + /etc/init.d/sslh start > + fi This is fine. > +else > + # If SSLH has been disabled on boot via services WUI, stop service > + /etc/init.d/sslh stop It should not be running in the first place here. > +fi > + > +# EOF > diff --git a/lfs/initscripts b/lfs/initscripts > index 055e106d0..3173a04e4 100644 > --- a/lfs/initscripts > +++ b/lfs/initscripts > @@ -136,9 +136,6 @@ $(TARGET) : > ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 > ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 > ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175 > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin > ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin > ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin > diff --git a/lfs/sslh b/lfs/sslh > index 100cec065..ab453c75d 100644 > --- a/lfs/sslh > +++ b/lfs/sslh 
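Review bot: The running-check `if pgrep 'sslh' > /dev/null; then` in the new 25-sslh uses an unanchored pattern, so it matches any process whose name contains sslh — and, if pgrep matches on the process name, plausibly this hook itself, which runs as 25-sslh, in which case the else branch that starts a stopped daemon would never be reached. Anchoring the match, `if pgrep -x sslh > /dev/null; then`, or testing the pid file the initscript writes (`/var/run/sslh.pid`), ties the decision to the daemon alone. The script also has no failure handling at all: if `/etc/init.d/sslh restart` fails the hook still exits 0, so a short comment stating that failures are intentionally reported only via the initscript's own messages would make that explicit.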
> @@ -1,7 +1,7 @@ > ###########################################################################= #### > # = # > # IPFire.org - A linux based firewall = # > -# Copyright (C) 2007-2018 IPFire Team = # > +# Copyright (C) 2007-2019 IPFire Team = # > # = # > # This program is free software: you can redistribute it and/or modify = # > # it under the terms of the GNU General Public License as published by = # > @@ -24,7 +24,7 @@ >=20 > include Config >=20 > -VER =3D 1.7a > +VER =3D 1.20 >=20 > THISAPP =3D sslh-$(VER) > DL_FILE =3D $(THISAPP).tar.gz > @@ -32,7 +32,7 @@ DL_FROM =3D $(URL_IPFIRE) > DIR_APP =3D $(DIR_SRC)/$(THISAPP) > TARGET =3D $(DIR_INFO)/$(THISAPP) > PROG =3D sslh > -PAK_VER =3D 5 > +PAK_VER =3D 6 >=20 > DEPS =3D "" >=20 > @@ -44,7 +44,7 @@ objects =3D $(DL_FILE) >=20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >=20 > -$(DL_FILE)_MD5 =3D ee124654412198a5e11fe28acf10634d > +$(DL_FILE)_MD5 =3D 0db26ed2825b1ef6c83959a988279912 >=20 > install : $(TARGET) >=20 > @@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) : > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > - cd $(DIR_APP) && make CFLAGS=3D"$(CFLAGS)" $(MAKETUNING) USELIBWRAP=3D > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin > + cd $(DIR_APP) && make CFLAGS=3D"$(CFLAGS)" $(MAKETUNING) USELIBCAP=3D1 US= ELIBWRAP=3D > + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh >=20 > - #install initscripts > + # Install initscripts > $(call INSTALL_INITSCRIPT,sslh) > + # Install red.up > + install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh /etc/rc.d/init.d/networking= /red.up/25-sslh >=20 > @rm -rf $(DIR_APP) > @$(POSTBUILD) > diff --git a/src/initscripts/packages/sslh b/src/initscripts/packages/sslh > index 43e58f392..f227ae9fb 100644 > --- a/src/initscripts/packages/sslh > +++ b/src/initscripts/packages/sslh 
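Review bot: The build line `cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBCAP=1 USELIBWRAP=` and the install of `sslh-fork` as /usr/sbin/sslh carry no comment explaining either choice; the commit message is the only place that says libcap is for transparent mode. A comment above the make line such as `# USELIBCAP=1: link libcap so the daemon can keep the capabilities transparent mode needs after dropping root; sslh-fork is installed as the sslh binary` keeps the rationale next to the flags. Note that the initscript in this series does not pass `--transparent`, so the libcap build has no effect on the daemon's behaviour until that option is used; stating that in the comment prevents the next maintainer from assuming transparent mode is already active.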
> @@ -3,31 +3,56 @@ >=20 > # Based on sysklogd script from LFS-3.1 and earlier. > # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org > +# > +############################################################# > +# >=20 > . /etc/sysconfig/rc > . $rc_functions >=20 > +DAEMON=3D"/usr/sbin/sslh" > +PID=3D"/var/run/sslh.pid" > + > +# Check external IP address and ports > +EXTERNAL_IP_ADDRESS=3D"$( + > +# Investigate OpenVPN port > +IPFIREOPENVPN=3D$(awk '/port/ { print $2 }' /var/ipfire/ovpn/server.conf) > + > +# Loopback interface > +LO=3D"127.0.0.1" > + > +# Used TCP ports > +LISTENPORT=3D"443" > +OPENVPNPORT=3D${IPFIREOPENVPN} > + > +# Configuration options > +DAEMON_OPTS=3D" > +--user sslh > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} > +--openvpn ${LO}:${OPENVPNPORT} > +--pidfile ${PID} > +-C /var/empty > +" > + > case "$1" in > start) > boot_mesg "Starting SSLH Deamon..." > - > - LOCAL_IP_ADDRESS=3D"$( - if [ -z "${LOCAL_IP_ADDRESS}" ]; then > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then > echo_failure > boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE} > boot_mesg -n " your external IP address." > boot_mesg "" ${NORMAL} > exit 1 > fi > - > - loadproc /usr/sbin/sslh -u nobody \ > - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 -l localhost:444 > + loadproc ${DAEMON} ${DAEMON_OPTS} > evaluate_retval > ;; >=20 > stop) > boot_mesg "Stopping SSLH Deamon..." > - killproc /usr/sbin/sslh > + killproc ${DAEMON} > + rm -f ${PID} > evaluate_retval > ;; >=20 > @@ -38,7 +63,7 @@ case "$1" in > ;; >=20 > status) > - statusproc /usr/sbin/sslh > + statusproc ${DAEMON} > ;; >=20 > *) > diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh > index 626884bdd..410dc9d83 100644 > --- a/src/paks/sslh/install.sh > +++ b/src/paks/sslh/install.sh 
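Review bot: The OpenVPN port discovery `IPFIREOPENVPN=$(awk '/port/ { print $2 }' /var/ipfire/ovpn/server.conf)` matches any line containing the substring port, including commented-out or unrelated lines, and prints every match, so the value can become multi-line or empty, yet the start branch validates only EXTERNAL_IP_ADDRESS before handing `--openvpn ${LO}:${OPENVPNPORT}` to loadproc. Matching the directive exactly and taking the first hit, `IPFIREOPENVPN=$(awk '$1 == "port" { print $2; exit }' /var/ipfire/ovpn/server.conf 2>/dev/null)`, avoids the multi-line case, and the start branch should fail through the same boot_mesg/exit 1 path used for the IP address when `${OPENVPNPORT}` is empty (for example when OpenVPN is not configured). The expansion `loadproc ${DAEMON} ${DAEMON_OPTS}` deliberately relies on word-splitting of the multi-line string, which works for these fixed values but deserves a comment since quoting it would break it. The command substitution assigned to EXTERNAL_IP_ADDRESS is not legible in the quoted text, and the enclosing case statement ends outside the hunk.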
> @@ -23,5 +23,19 @@ > # > . /opt/pakfire/lib/functions.sh > extract_files > -ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh > + > +# Add user and group for sslh if not already done > +if ! getent group sslh &>/dev/null; then > + groupadd -g 131 sslh > +fi > + > +if ! getent passwd sslh; then > + useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty -s /bin/= false sslh > +fi Why are the user and group ID different? Is there a reason why they cannot be= the same? > + > +# Set symlink for runlevels > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > + > start_service --background ${NAME} > diff --git a/src/paks/sslh/uninstall.sh b/src/paks/sslh/uninstall.sh > index dca34ccbd..4dfa0b274 100644 > --- a/src/paks/sslh/uninstall.sh > +++ b/src/paks/sslh/uninstall.sh > @@ -24,4 +24,6 @@ > . /opt/pakfire/lib/functions.sh > stop_service ${NAME} > remove_files > -rm -f /etc/rc.d/init.d/networking/red.up/50-sslh > + > +# Delete symlinks in runlevels > +rm -f /etc/rc.d/rc?.d/???sslh; > --=20 > 2.12.2 -Michael --===============8115272182085439055==--
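Review bot: The user check `if ! getent passwd sslh; then` lacks the `&>/dev/null` that the group check above it has, so a successful lookup prints the passwd entry into the pakfire output; `if ! getent passwd sslh >/dev/null; then` makes the two consistent. Both `groupadd -g 131` and `useradd -u 123` use fixed ids with no check that they are free, so on a system where either id is already taken the command fails, nothing stops the script, and `start_service --background ${NAME}` goes on to start a daemon whose `--user sslh` does not exist; if fixed ids are intended, testing the ids with `getent passwd 123` / `getent group 131` beforehand, or aborting the install when useradd or groupadd returns non-zero, would surface that. The `ln -svf ../init.d/sslh ...` lines re-create the rc links that lfs/initscripts stops providing, which is consistent, but install.sh is now the only place they are defined and a comment saying so would help.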
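Review bot: The removal line `rm -f /etc/rc.d/rc?.d/???sslh;` ends in a stray semicolon, and its glob is broader than the three links install.sh creates; listing them explicitly, `rm -f /etc/rc.d/rc0.d/K02sslh /etc/rc.d/rc3.d/S98sslh /etc/rc.d/rc6.d/K02sslh`, keeps install and uninstall symmetric and avoids matching anything else whose name ends in sslh. The sslh user and group added by install.sh are not removed here; if that is deliberate (for example to keep ownership of leftover files stable), a one-line comment saying so would stop a later cleanup from guessing.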