Request 1194743 revoked

Supplement to the "crowdsec" package. We're currently missing packaged Remediators ("Bouncers").


Johannes Kastl's avatar

Thanks for reworking the SR.

  • There is a leftover line: #install -D -m 0644 config/%%{name}.service %%{buildroot}%%{_unitdir}/%%{name}.service
  • You can remove the "Set executable bit" line from the changelog; as the package was not submitted, there is not yet a need for a strict changelog. And unless this is the only change, packaging changes do not always have to be in the changelog (depends on the packager's opinion).
  • You can also (if you like) remove all version information; as this is the first version of the package, having version updates in the changelog is not really necessary.

I had a copy&paste error in my last comment (on the previous SR). I think we can loosen up the permissions on the %{_sysconfdir}/crowdsec/bouncers/%{name}.yaml file. As it belongs to root:root, I think we can go with 640 permission. You would need to set them in the %files section, I believe:

%config(noreplace) %attr(0640,root,root) %{_sysconfdir}/crowdsec/bouncers/%{name}.yaml

Have a nice day!

Johannes


Aeneas Jaißle's avatar

What’s the benefit of loosening permissions on the config yaml?




Johannes Kastl's avatar

Looks good, thanks for the SR.

install -D -m 0600 scripts/_bouncer.sh %{buildroot}%{_usr}/lib/%{name}/_bouncer.sh

Shouldn't the file be executable? And why only allow root access to that file? There should be no "secrets" in it.

install -D -m 0600 scripts/_bouncer.sh %{buildroot}%{_usr}/lib/%{name}/_bouncer.sh

Why allow everyone read access (755 on the directory) and then restrict everyone but root to read this file?

I take it the service needs to be run as root to have permissions for using iptables etc?


Aeneas Jaißle's avatar

Good catch, that wasn't intended. The script is now 0755, but should normally only be used by root (-scripts). It does configuration manipulation like adding a local API key to the bouncer config. New SR on its way.
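
The mode questions raised in this review (0600 vs. 0640 on the bouncer config, 0600 vs. 0755 on _bouncer.sh) can be checked mechanically in a scratch buildroot before submitting. This is an added example, not part of the SR or the crowdsec packaging; the package name "example-bouncer", the function names and the staged file contents are assumptions, and it relies on GNU stat and install.

```shell
#!/bin/sh
# Added example; "example-bouncer" and all staged contents are constructed.

mode_of() {  # octal permission bits of a file (GNU stat)
    stat -c '%a' "$1"
}

# The config may carry the local API key: no group-write, nothing for others.
# Accepts 0600 and 0640, rejects 0644.
config_mode_ok() {
    m=$(mode_of "$1") || return 2
    [ "$(( 0$m & 027 ))" -eq 0 ]
}

# The helper script holds no secrets but must run: owner-executable,
# not writable by group or others. Accepts 0755, rejects 0600.
script_mode_ok() {
    m=$(mode_of "$1") || return 2
    [ "$(( 0$m & 0100 ))" -ne 0 ] && [ "$(( 0$m & 022 ))" -eq 0 ]
}

# Stage both files the way a %install section would, then report verdicts.
# Ownership (root:root) is set by %attr at package time and is not checked here.
audit_buildroot() {
    root=$1 cfg_mode=$2 script_mode=$3
    cfg="$root/etc/crowdsec/bouncers/example-bouncer.yaml"
    scr="$root/usr/lib/example-bouncer/_bouncer.sh"
    printf 'api_key: CONSTRUCTED-PLACEHOLDER\n' > "$root/cfg.src"
    printf '#!/bin/sh\n:\n' > "$root/scr.src"
    install -D -m "$cfg_mode" "$root/cfg.src" "$cfg"
    install -D -m "$script_mode" "$root/scr.src" "$scr"
    rc=0
    config_mode_ok "$cfg" || { echo "config $cfg_mode: too permissive"; rc=1; }
    script_mode_ok "$scr" || { echo "script $script_mode: not executable, or writable by non-owner"; rc=1; }
    return $rc
}

tmp=$(mktemp -d)
audit_buildroot "$tmp" 0640 0755 && echo "0640/0755: ok"
audit_buildroot "$tmp" 0644 0600 || echo "0644/0600: rejected"
rm -rf "$tmp"
```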

Request History
Aeneas Jaißle's avatar

aeneas_jaissle created request

Supplement to the "crowdsec" package. We're currently missing packaged Remediators ("Bouncers").


Johannes Kastl's avatar

ojkastl_buildservice revoked request

The source project 'home:aeneas_jaissle:branches:security2' has been removed
