From 472dde05def41d92a5c203ca98242e45ecaee9e9 Mon Sep 17 00:00:00 2001
From: Steve Muskiewicz
Date: Thu, 19 Aug 2021 08:14:50 -0400
Subject: [PATCH 1/3] apply permission fix suggested by @hornos (for #1457)
---
 src/Cedar/CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Cedar/CMakeLists.txt b/src/Cedar/CMakeLists.txt
index ac9343c6..7818d790 100644
--- a/src/Cedar/CMakeLists.txt
+++ b/src/Cedar/CMakeLists.txt
@@ -101,6 +101,6 @@ if(UNIX)
 install(TARGETS cedar
 COMPONENT "common"
 DESTINATION "${CMAKE_INSTALL_LIBDIR}"
- PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
+ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
 )
 endif()
From 0eb01524373687c78333aa0dfeb0ee93dd3c4e5b Mon Sep 17 00:00:00 2001
From: Steve Muskiewicz
Date: Thu, 19 Aug 2021 09:10:26 -0400
Subject: [PATCH 2/3] reapply other RPM fixes from prior PR (service file updates and systemd path exclusions)
---
 CMakeLists.txt | 3 +++
 systemd/softether-vpnserver.service | 7 +++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a6edcc0f..9ced8d4a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -95,6 +95,9 @@ if(UNIX)
 COMMAND tr \n \;
 OUTPUT_VARIABLE CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
 ERROR_QUIET)
+ list(APPEND CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/lib")
+ list(APPEND CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/lib/systemd")
+ list(APPEND CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/lib/systemd/system")
 endif()
 include(CPack)
diff --git a/systemd/softether-vpnserver.service b/systemd/softether-vpnserver.service
index 15427ad6..37adff98 100644
--- a/systemd/softether-vpnserver.service
+++ b/systemd/softether-vpnserver.service
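Review bot: In patch 1/3 (src/Cedar/CMakeLists.txt, the `install(TARGETS cedar ...)` call), nothing records why the execute bits were added to the `PERMISSIONS` list, so a later cleanup could drop them again. A one-line comment above the keyword would do, e.g. `# 0755: execute bits are needed for the packaged library, see #1457`. The resulting mode grants no write bit to group or others, so the change does not loosen who can modify the installed file. If other library targets in the tree install with the same explicit list (not visible in this patch), they would need the same bits.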
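Review bot: In patch 2/3 (top-level CMakeLists.txt), the three `list(APPEND ...)` calls can be a single call, `list(APPEND CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/lib" "/lib/systemd" "/lib/systemd/system")`, which keeps the excluded directories in one place. The paths are hard-coded; if the unit files' install directory is configurable elsewhere in the project (not visible in this hunk), deriving the list from that variable would keep the RPM file list and the install rules in step. A short comment saying these are system-owned directories the package must not claim would also help. The enclosing `execute_process(...)` call starts outside the hunk.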
@@ -16,8 +16,11 @@ Restart=on-failure
 PrivateTmp=yes
 ProtectHome=yes
 ProtectSystem=full
-ReadOnlyDirectories=/
-ReadWriteDirectories=-@DIR@/softether/vpnserver
+ReadOnlyPaths=/
+ReadWritePaths=-@DIR@/softether/vpnserver
+ReadWritePaths=@CPACK_PACKAGING_INSTALL_PREFIX@/run/softether
+ReadWritePaths=@CPACK_PACKAGING_INSTALL_PREFIX@/var/log/softether
+ReadWritePaths=@CPACK_PACKAGING_INSTALL_PREFIX@/var/lib/softether
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYSLOG CAP_SETUID
 [Install]
From fcd00547aa6ce00fb6b57f64c83970f7b1b4f9df Mon Sep 17 00:00:00 2001
From: Steve Muskiewicz
Date: Thu, 19 Aug 2021 09:50:30 -0400
Subject: [PATCH 3/3] Revert "reapply other RPM fixes from prior PR (service file updates and systemd path exclusions)"
This reverts commit 0eb01524373687c78333aa0dfeb0ee93dd3c4e5b.
---
 CMakeLists.txt | 3 ---
 systemd/softether-vpnserver.service | 7 ++-----
 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9ced8d4a..a6edcc0f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -95,9 +95,6 @@ if(UNIX)
 COMMAND tr \n \;
 OUTPUT_VARIABLE CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
 ERROR_QUIET)
- list(APPEND CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/lib")
- list(APPEND CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/lib/systemd")
- list(APPEND CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/lib/systemd/system")
 endif()
 include(CPack)
diff --git a/systemd/softether-vpnserver.service b/systemd/softether-vpnserver.service
index 37adff98..15427ad6 100644
--- a/systemd/softether-vpnserver.service
+++ b/systemd/softether-vpnserver.service
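Review bot: In patch 2/3 (systemd/softether-vpnserver.service), the three added `ReadWritePaths=` lines lack the `-` prefix that the `@DIR@/softether/vpnserver` line keeps, so a missing directory makes the unit fail during namespace setup rather than being skipped; write them as `ReadWritePaths=-@CPACK_PACKAGING_INSTALL_PREFIX@/run/softether` and likewise for the other two. `ReadOnlyPaths=` and `ReadWritePaths=` were introduced in systemd 231; older versions log them as unknown keys and ignore them, which would leave the service running without the read-only root, whereas the removed `ReadOnlyDirectories=`/`ReadWriteDirectories=` names are still accepted as aliases. The new paths also rely on `@CPACK_PACKAGING_INSTALL_PREFIX@` being substituted when the unit is generated; how the template is configured is not visible here, and a non-empty prefix would place them under that prefix instead of `/run`, `/var/log` and `/var/lib`. Each extra writable path widens what a compromised server process can modify, so a comment naming what the daemon writes to each one would help keep the list minimal.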
@@ -16,11 +16,8 @@ Restart=on-failure
 PrivateTmp=yes
 ProtectHome=yes
 ProtectSystem=full
-ReadOnlyPaths=/
-ReadWritePaths=-@DIR@/softether/vpnserver
-ReadWritePaths=@CPACK_PACKAGING_INSTALL_PREFIX@/run/softether
-ReadWritePaths=@CPACK_PACKAGING_INSTALL_PREFIX@/var/log/softether
-ReadWritePaths=@CPACK_PACKAGING_INSTALL_PREFIX@/var/lib/softether
+ReadOnlyDirectories=/
+ReadWriteDirectories=-@DIR@/softether/vpnserver
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYSLOG CAP_SETUID
 [Install]