Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#75434 - [geoipupdate] add geoipupdate system user/group and use it for the service
Attached to Project:
Community Packages
Opened by Daniel Micay (thestinger) - Wednesday, 27 July 2022, 03:26 GMT
Last edited by Massimiliano Torromeo (mtorromeo) - Thursday, 28 July 2022, 20:23 GMT
Details
The geoipupdate service currently unnecessarily runs the command as root. It would be nice to add a dedicated geoipupdate user to the package and switch the service to using it. I currently make these changes locally but it would be nice to have it in the official package.

The package needs to add a geoipupdate system user/group with /var/lib/GeoIP as the home directory and the usual /usr/bin/nologin shell. Change ownership/permissions of package files (with geoipupdate replaced with the appropriate uid/gid):

chown root:geoipupdate etc/GeoIP.conf
chmod 640 etc/GeoIP.conf
chown geoipupdate:geoipupdate -R var/lib/GeoIP

This allows it to read the configuration file via the geoipupdate group and allows it to write to the GeoIP databases in /var/lib/GeoIP. The service could have the usual systemd hardening applied but it's not particularly important compared to simply using a dedicated system user/group.
Closed by Massimiliano Torromeo (mtorromeo)
Thursday, 28 July 2022, 20:23 GMT
Reason for closing: Implemented
Additional comments about closing: geoipupdate-4.9.0-3
[1] https://gitlab.archlinux.org/archlinux/infrastructure/-/blob/master/roles/geoipupdate/files/hardening.conf
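An audit check for the ownership layout requested in the report above, added here as an example and not taken from the report or the Arch package. The function name audit_geoip and its arguments are assumptions for illustration; it expects GNU stat and find, and ROOT can be / on a live system or a package staging directory.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the package):
# audit_geoip ROOT [USER] [GROUP] [CONF_OWNER]
# Defaults follow the report: geoipupdate user/group, config owned by root.
audit_geoip() {
    root=${1:-/}; root=${root%/}
    user=${2:-geoipupdate}; group=${3:-geoipupdate}; conf_owner=${4:-root}
    conf="$root/etc/GeoIP.conf"; data="$root/var/lib/GeoIP"
    rc=0

    # Config file: the service reads it through its group only; mode 640
    # keeps the MaxMind license key away from every other account.
    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf missing"; rc=1
    else
        got=$(stat -c '%U:%G %a' "$conf")
        want="$conf_owner:$group 640"
        [ "$got" = "$want" ] || { echo "FAIL: $conf is '$got', want '$want'"; rc=1; }
    fi

    # Data directory: every entry must belong to the service user and group,
    # otherwise the unprivileged service cannot replace the databases.
    if [ ! -d "$data" ]; then
        echo "FAIL: $data missing"; rc=1
    elif ! bad=$(find "$data" \( ! -user "$user" -o ! -group "$group" \) -print 2>&1); then
        # find exits non-zero when the user or group does not exist at all.
        echo "FAIL: cannot check $data: $bad"; rc=1
    elif [ -n "$bad" ]; then
        echo "FAIL: not owned by $user:$group:"; echo "$bad"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: layout matches $conf_owner:$group 640 and $user:$group"
    return "$rc"
}
```

Run `audit_geoip /` after installing the package, or `audit_geoip "$pkgdir"` against a staging tree; a non-zero return means at least one FAIL line was printed.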