#
# spec file for package apt-cacher-ng
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# Revision of the Debian packaging tarball pulled in via Source1; it provides
# the debian/ helper files (default, logrotate, cron.daily) installed below.
%define debian_release 1
Name: apt-cacher-ng
Version: 3.1
Release: 0
Summary: A caching proxy specialized for Linux distribution packages
License: BSD-4-Clause AND MIT
Group: Productivity/Networking/Web/Proxy
Url: http://www.unix-ag.uni-kl.de/~bloch/acng/
# NOTE(review): both sources are referenced over plain http and no checksum or
# signature file is declared in this spec, so integrity of the build input
# rests on the tarballs checked into the package repository, not on these URLs.
Source0: http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/%{name}_%{version}.orig.tar.xz
Source1: http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/%{name}_%{version}-%{debian_release}.debian.tar.xz
# Local patch named after CVE-2020-5202; its contents are not part of this file.
Patch0: CVE-2020-5202.patch
BuildRequires: cmake
BuildRequires: gcc-c++
BuildRequires: pkgconfig
BuildRequires: systemd-rpm-macros
BuildRequires: pkgconfig(bzip2)
BuildRequires: pkgconfig(fuse)
BuildRequires: pkgconfig(liblzma)
BuildRequires: pkgconfig(openssl)
BuildRequires: pkgconfig(zlib)
# groupadd/useradd are called from the pre-install scriptlet
Requires(pre): pwdutils
Suggests: cron
Suggests: logrotate
# unit-file handling dependencies supplied by systemd-rpm-macros
%{?systemd_requires}
%description
Apt-Cacher NG is a caching proxy for downloading packages from Debian-style
software repositories (or possibly from other types).
The main principle is that a central machine hosts the proxy for a local
network, and clients configure their APT setup to download through it.
Apt-Cacher NG keeps a copy of all useful data that passes through it, and when
a similar request is made, the cached copy of the data is delivered without
being re-downloaded.
Apt-Cacher NG has been designed from scratch as a replacement for apt-cacher,
but with a focus on maximizing throughput with low system resource
requirements. It can also be used as a replacement for apt-proxy and approx
with no need to modify the clients' sources.list files.
%prep
# -q: quiet; -a 1: additionally unpack Source1 (the Debian packaging tarball)
# inside the unpacked Source0 tree, which yields the debian/ directory used
# by the install section.
%setup -qa1
%patch0 -p1
# systemd in openSUSE is at /usr/lib/
# (upstream's CMake file refers to lib/systemd; prefix that with usr/)
sed -i 's@lib/systemd@usr/&@' systemd/CMakeLists.txt
%build
# DOCDIR and SYSCONFDIR are pinned to the distribution paths so the installed
# files match the files list below; SDINSTALL presumably turns on the
# installation of the systemd unit (the CMake option itself is upstream's).
%cmake -DDOCDIR=%{_docdir}/%{name} -DSDINSTALL:BOOL=ON -DSYSCONFDIR=%{_sysconfdir}
%make_jobs
%install
%cmake_install
# SUSE-style rc<service> compatibility link pointing at the service(8) wrapper
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
# Helper files taken from the Debian packaging (Source1): the daemon option
# file, the logrotate snippet and the daily cron job (the latter executable).
install -D -m 0644 debian/%{name}.default    %{buildroot}%{_sysconfdir}/default/%{name}
install -D -m 0644 debian/%{name}.logrotate  %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
install -D -m 0755 debian/%{name}.cron.daily %{buildroot}%{_sysconfdir}/cron.daily/%{name}
# Runtime directories for the daemon; their ownership is assigned by the
# attr() entries in the files list, not here.
for subdir in log cache; do
    mkdir -p "%{buildroot}%{_localstatedir}/${subdir}/%{name}"
done
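%pre
# Unprivileged service account; pwdutils provides groupadd/useradd.  Failures
# are ignored on purpose, the account normally exists already on upgrades.
%{_sbindir}/groupadd -r apt-cacher-ng &>/dev/null || :
%{_sbindir}/useradd -r -M -g apt-cacher-ng -s /sbin/nologin \
    -c "apt-cacher-ng proxy" apt-cacher-ng &>/dev/null || :
%service_add_pre apt-cacher-ng.service
# fix the mess caused by CVE-2019-18899
fix_cve=false
restart_service=false
# We need a place to carry status information over to the post-install
# scriptlet.  The flag lives in /run (root-owned, cleared on reboot) and NOT in
# the cache directory: that directory is handed over to the unprivileged
# service user below, so a file created there by root could have been
# pre-planted as a symlink (touch follows symlinks) or could be forged by the
# service user to trigger a service start.
%define cve_restart_state_file /run/%{name}.restart-after-update
# These dirs have been owned by root before the CVE fix, now we need to change
# ownership to the unprivileged user. Doing this as root in the scriptlet
# context is rather uncritical security wise, since we're only dropping
# privileges.
# However we need to shut down a possibly already running service, to avoid
# inconsistencies (the daemon writes out cache data during shutdown as root,
# for example).
# Do this in the pre-install scriptlet, because otherwise during RPM install
# the ownership of these dirs will be unknowingly changed, opening further
# attack vectors for apt-cacher-ng.
for root_owned_dir in %{_localstatedir}/log/%{name} %{_localstatedir}/cache/%{name}; do
    # directory missing (fresh install): nothing to fix
    owner=$(/usr/bin/stat --format "%u" "${root_owned_dir}" 2>/dev/null) || continue
    # not owned by root, nothing to do
    [ "${owner}" != "0" ] && continue
    if ! ${fix_cve}; then
        # remember that we're in the CVE fix situation
        fix_cve=true
        # If we need to apply changes then stop a possibly running instance,
        # otherwise the daemon will later on write out files as root, breaking
        # things again.  systemctl's exit status is tested directly; its
        # output is never passed back to the shell for execution.
        if /usr/bin/systemctl -q is-active %{name}; then
            restart_service=true
            /usr/bin/systemctl -q stop %{name}
        fi
    fi
    # --no-dereference: symlinks inside the tree are re-owned themselves, never
    # followed, so a planted link cannot redirect the chown outside the tree.
    # Hard links are not covered by this flag.
    /usr/bin/chown -R --no-dereference apt-cacher-ng:apt-cacher-ng "${root_owned_dir}"
done
if ${restart_service}; then
    # the post-install scriptlet starts the service again when it finds this flag
    touch "%{cve_restart_state_file}" \
        || echo "warning: could not record the restart request, start %{name} manually" >&2
fi
# never fail the transaction because of the cleanup above
true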
%post
# Second part of fixing the mess caused by CVE-2019-18899.
#
# /run/apt-cacher-ng was already owned by the unprivileged user before the CVE
# fix, because of the systemd-tmpfiles configuration handled below, but its
# contents are owned by root *if* the service has been running since the last
# reboot.
#
# Fixing that safely while operating as root is hard; the package's
# systemd-tmpfiles configuration already does it for us, so applying that
# directive fixes every file in /run/apt-cacher-ng as a side effect.  In the
# CVE fix case the service is stopped at this point, so no further
# inconsistencies or security issues arise.
%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
%service_add_post %{name}.service
# The pre-install scriptlet leaves this flag behind only when it had to stop a
# running instance; start it again, now under the apt-cacher-ng user.
restart_flag="%{cve_restart_state_file}"
if [ -e "${restart_flag}" ]; then
    rm -f -- "${restart_flag}"
    /usr/bin/systemctl -q start %{name}
fi
%preun
# openSUSE macro: presumably stops and disables the unit on package removal
# (not on upgrade)
%service_del_preun %{name}.service
%postun
# openSUSE macro: presumably reloads systemd and, on upgrade, tries to restart
# the unit; a unit stopped by the pre-install scriptlet is not affected, which
# is why the post-install scriptlet starts it explicitly
%service_del_postun %{name}.service
%files
# configuration: the two daemon config files are never overwritten on update
%dir %{_sysconfdir}/%{name}
%config(noreplace) %{_sysconfdir}/%{name}/acng.conf
%config(noreplace) %{_sysconfdir}/%{name}/security.conf
%dir %{_sysconfdir}/default
%config(noreplace) %{_sysconfdir}/default/%{name}
# Avahi service file shipped by upstream; presumably announces the proxy via
# mDNS whenever avahi-daemon runs (review before deploying on untrusted
# networks).  Unlike the files above it IS replaced on update.
%dir %{_sysconfdir}/avahi/services
%dir %{_sysconfdir}/avahi
%config %{_sysconfdir}/avahi/services/%{name}.service
%config %{_sysconfdir}/logrotate.d/%{name}
# daily maintenance job, installed executable (see the install section)
%config %{_sysconfdir}/cron.daily/%{name}
%{_sbindir}/%{name}
%{_sbindir}/rc%{name}
%{_libexecdir}/%{name}/
%{_docdir}/%{name}/
%{_mandir}/man8/*.8%{ext_man}
%dir %{_unitdir}
%{_unitdir}/%{name}.service
%dir %{_tmpfilesdir}
%{_tmpfilesdir}/%{name}.conf
# runtime directory is created by systemd-tmpfiles, hence only ghosted here
%dir %ghost /run/%{name}
# log and cache directories belong to the unprivileged service user; the
# pre-install scriptlet migrates pre-CVE-2019-18899 root-owned contents
%attr(-,apt-cacher-ng,apt-cacher-ng) %dir %{_localstatedir}/log/%{name}
%attr(-,apt-cacher-ng,apt-cacher-ng) %dir %{_localstatedir}/cache/%{name}
%changelog