Recently, there was added libcap-ng to OpenWrt packages feed,
which is optional for Knot DNS. It enables POSIX 1003.1e capabilities.
This can restrict root (by default it runs as root) permissions and
might harm and as there isn't systemd on OpenWrt it can interfere.
There is an added patch, which introduced an option to disable libcap-ng.
This will be part of the next release.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* Replace creating an empty PYTHON3_PKG_DIR with setting filespec to an
empty value
* Disable the default Python package build recipe (with
PYTHON3_PKG_BUILD:=0) and set an empty Build/Compile
* Remove VARIANT:=python3 and PROVIDES (providing the same name as the
package)
* Add PKG_BUILD_PARALLEL:=1
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
start if kernel has missing ipv6 support
add libcap-ng support
fix some errors displayed on syslog
Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
When adding suEXEC to the apache package, Alpine's package [1] served as
a template. Not enough attention was paid to the details.
Alpine uses a different layout. So for OpenWrt to use /var/www as
DocumentRoot does not make sense. /var is also volatile on OpenWrt. This
commit removes the configure argument. The default is htdocsdir.
This also does away with uidmin/gidmin 99. The default is 100, which is
fine.
Finally, the suexec binary is moved from /usr/sbin to
/usr/lib/apache2/suexec_dir. Upstream recommends installing suexec with
"4750" (see [2]) and the group set to the user's group. While that would
be possible, it would cause a few headaches on OpenWrt. The group would
need to be changed first in a post-install script and a call to chmod
would need to be made afterward, to make the binary SUID again.
It's easier to hide the SUID binary away from others in a directory.
This way we don't need to use chmod in the post-install script.
[1] https://github.com/alpinelinux/aports/tree/master/main/apache2
[2] https://httpd.apache.org/docs/2.4/suexec.html
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Explain which are the options supported by the protocol, and also
which are the supported values in each (if the field has value
validation).
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
ModemManager allows specifying which are the authentication protocols
to be used during the user/password context authentication with the
peer.
This protocol update allows users to provide a new 'allowedauth'
option in the interface configuration, which is then used in two
different places:
* It is sent to ModemManager in the --simple-connect call so that
modems with a network interface can perform the authentication
using their own vendor-specific protocol.
* If the connection is done using PPP, this list of protocols is used
to configure the pppd call.
If the new 'allowedauth' option is not given, all auth protocols are
implicitly allowed.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Use the upstream value for NGX_MAX_PROCESSES (=1024) again.
So it is safe to use `worker_processes auto;` (which sets it to
the number of CPUs). Also use this directive in the conf instead
of calculating the number in the init and passing it as argument.
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
The upstream package supports it with a configure switch.
Defaulting to 'with SNMP support' as it was before.
Signed-off-by: Christophe Lermytte <gentoo@lermytte.be>
According to a comment in programs/pluto/kernel_xfrm_interface.c:177:
* IFLA_XFRM_IF_ID was added to mainline kernel 4.19 linux/if_link.h
with older kernel headers 'make USE_XFRM_INTERFACE_IFLA_HEADER=true'
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Integrate with uci to support 'enabled/disabled' startup option and
override netify's default auto network selection.
config netifyd
option enabled 0
option autoconfig 1
autoconfig: Use netify's in-built interface selection
else use 'internal/external_if' definitions.
Also persist important agent config across sysupgrade
agent.uuid, serial.uuid, site.uuid
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
hotplug scripts are sourced not exec'd so #!/bin/sh /etc/rc.common
doesn't pull in the functions defined in /etc/rc.common thus since
'enabled' isn't defined the following sequence always fails:
enabled miniupnpd || exit 0
Unfortunately sourcing /etc/rc.common doesn't appear to work so come up
with some alternatives.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Review of my PR to add readsb requested to use codeload. Update vallumd
to use codeload as well, so that things are consistent.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
As reported in https://github.com/openwrt/packages/issues/12072, the
imagebuilder fails due to a dependency resolution error when the userspace
packages are built using a target that has a different kernel version than
that which is being run. To resolve this, move the sqm-scripts dependency
to a new virtual package, which hopefully should be consistent with the
actual kernel module being built.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
fping requires either root or CAP_NET_PING to work, otherwise it is
useless. Use INSTALL_SUID so that fping will be setuid root, and thus
it will be usable by non-root users.
fping knows to drop root priviledges after it parses the command line
and creates the ping socket. You actually get a lot less code running
as root when you make it setuid root and run it from an unprivileged
user.
This is the same way net/iputils already handles "ping", which has the
same requirements.
Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
Linux kernel and iproute2 together now implement strict checking of the
existence of route tables.
Previously kernel does not support filtering by table id, now it does
and will error with nlmsgerr "ipv4: FIB table does not exist".
Previously iproute2 dump all routes and filter by table id in userspace,
now this has changed with iproute2 commit c7e6371bc4af ("ip route: Add
protocol, table id and device to dump request")
Error scene
root@OpenWrt:/# ip route flush table 100
Error: ipv4: FIB table does not exist.
Flush terminated
root@OpenWrt:/# echo $?
2
Fixes: https://github.com/openwrt/packages/issues/12095
Ref: https://lists.openwall.net/netdev/2019/05/02/105
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
When libevhtp is added to a package's PKG_BUILD_DEPENDS (i.e. for
seafile-server), libevhtp's target package dependencies are not
automatically selected, in particular libevent2-openssl and
libevent2-pthreads.
Moreover, if libevent-openssl and libevent2-pthreads are not selected,
OpenSSL and thread support are disabled when compiling libevent2, which
in turn causes a compile error when building libevhtp.
This adds a config option, LIBEVHTP_BUILD_DEPENDS, that will select
libevent2-openssl and libevent2-pthreads (via LIBEVHTP_BUILD_SELECT)
when it is selected.
Other build dependencies are moved to PKG_BUILD_DEPENDS.
This also updates seafile-server to remove the (indirect) dependencies
added in 13d843fec1 and instead select
LIBEVHTP_BUILD_DEPENDS.
This also updates the maintainer's email address and adds myself as
another maintainer.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The init.d script for sshd never generates an ecdsa HostKey as seen
here:
for type in rsa ed25519
do
# check for keys
key=/etc/ssh/ssh_host_${type}_key
[ ! -f $key ] && {
# generate missing keys
[ -x /usr/bin/ssh-keygen ] && {
/usr/bin/ssh-keygen -N '' -t $type -f $key 2>&- >&-
}
}
done
so we'll never succeed at loading one. Get rid of the resultant
error message in logging:
May 5 17:13:59 OpenWrt sshd[20070]: error: Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>