sys-devel/distcc: improve init.d script, secure pidfile handling

removed unneeded start/stop functions

removed gcc spec/path loading, it's useless because
path whitelist is handled by compiler-shadow and we no longer
use gcc specs.

pidfile is now owned by root and created by s-s-d
pidfile path is now controlled by service name (/run/distccd.pid)
initfile no longer runs chmod on pidfile and parent directory.

Bug: https://bugs.gentoo.org/650854
Package-Manager: Portage-2.3.52, Repoman-2.3.12
Signed-off-by: Georgy Yakovlev <[email protected]>

sys-devel/distcc/distcc-3.3.2-r1.ebuild

@@ -0,0 +1,196 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python3_{5,6} )
+
+inherit autotools flag-o-matic python-single-r1 systemd \
+	toolchain-funcs user xdg-utils prefix
+
+DESCRIPTION="Distribute compilation of C code across several machines on a network"
+HOMEPAGE="http://distcc.org/"
+SRC_URI="https://github.com/${PN}/${PN}/releases/download/v${PV}/${P}.tar.gz"
+
+LICENSE="GPL-2+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
+IUSE="gnome gssapi gtk hardened ipv6 selinux xinetd zeroconf"
+
+RESTRICT="test"
+
+CDEPEND="${PYTHON_DEPS}
+	dev-libs/popt
+	gnome? (
+		>=gnome-base/libgnome-2
+		>=gnome-base/libgnomeui-2
+		x11-libs/gtk+:2
+		x11-libs/pango
+	)
+	gssapi? ( net-libs/libgssglue )
+	gtk? ( x11-libs/gtk+:2 )
+	zeroconf? ( >=net-dns/avahi-0.6[dbus] )
+"
+DEPEND="${CDEPEND}
+	sys-libs/binutils-libs
+	virtual/pkgconfig"
+RDEPEND="${CDEPEND}
+	!net-misc/pump
+	dev-util/shadowman
+	>=sys-devel/gcc-config-1.4.1
+	selinux? ( sec-policy/selinux-distcc )
+	xinetd? ( sys-apps/xinetd )"
+
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+S="${WORKDIR}/distcc"
+
+pkg_setup() {
+	enewuser distcc 240 -1 -1 daemon
+	python-single-r1_pkg_setup
+}
+
+src_prepare() {
+	eapply "${FILESDIR}/${PN}-3.0-xinetd.patch"
+	# bug #255188
+	eapply "${FILESDIR}/${PN}-3.3.2-freedesktop.patch"
+	# SOCKSv5 support needed for Portage, bug #537616
+	eapply "${FILESDIR}/${PN}-3.2_rc1-socks5.patch"
+	eapply_user
+
+	# Bugs #120001, #167844 and probably more. See patch for description.
+	use hardened && eapply "${FILESDIR}/distcc-hardened.patch"
+
+	sed -i \
+		-e "/PATH/s:\$distcc_location:${EPREFIX}/usr/lib/distcc/bin:" \
+		-e "s:@PYTHON@:${EPYTHON}:" \
+		pump.in || die "sed failed"
+
+	sed \
+		-e "s:@EPREFIX@:${EPREFIX:-/}:" \
+		-e "s:@libdir@:/usr/lib:" \
+		"${FILESDIR}/3.2/distcc-config" > "${T}/distcc-config" || die
+
+	hprefixify update-distcc-symlinks.py src/{serve,daemon}.c
+	python_fix_shebang update-distcc-symlinks.py "${T}/distcc-config"
+	eautoreconf
+}
+
+src_configure() {
+	local myconf=(
+		--disable-Werror
+		$(use_enable ipv6 rfc2553)
+		$(use_with gtk)
+		$(use_with gnome)
+		$(use_with gssapi auth)
+		$(use_with zeroconf avahi)
+	)
+
+	econf "${myconf[@]}"
+}
+
+src_install() {
+	# override GZIP_BIN to stop it from compressing manpages
+	emake DESTDIR="${D}" GZIP_BIN=false install
+	python_optimize
+
+	newinitd "${FILESDIR}/distccd.initd" distccd
+	systemd_dounit "${FILESDIR}/distccd.service"
+	systemd_install_serviced "${FILESDIR}/distccd.service.conf"
+
+	cp "${FILESDIR}/distccd.confd" "${T}/distccd" || die
+	if use zeroconf; then
+		cat >> "${T}/distccd" <<-EOF || die
+
+		# Enable zeroconf support in distccd
+		DISTCCD_OPTS="\${DISTCCD_OPTS} --zeroconf"
+		EOF
+
+		sed -i '/ExecStart/ s|$| --zeroconf|' "${D}$(systemd_get_systemunitdir)"/distccd.service || die
+	fi
+	doconfd "${T}/distccd"
+
+	newenvd - 02distcc <<-EOF || die
+	# This file is managed by distcc-config; use it to change these settings.
+	# DISTCC_LOG and DISTCC_DIR should not be set.
+	DISTCC_VERBOSE="${DISTCC_VERBOSE:-0}"
+	DISTCC_FALLBACK="${DISTCC_FALLBACK:-1}"
+	DISTCC_SAVE_TEMPS="${DISTCC_SAVE_TEMPS:-0}"
+	DISTCC_TCP_CORK="${DISTCC_TCP_CORK}"
+	DISTCC_SSH="${DISTCC_SSH}"
+	UNCACHED_ERR_FD="${UNCACHED_ERR_FD}"
+	DISTCC_ENABLE_DISCREPANCY_EMAIL="${DISTCC_ENABLE_DISCREPANCY_EMAIL}"
+	DCC_EMAILLOG_WHOM_TO_BLAME="${DCC_EMAILLOG_WHOM_TO_BLAME}"
+	EOF
+
+	keepdir /usr/lib/distcc
+
+	dobin "${T}/distcc-config"
+
+	if use gnome || use gtk; then
+		einfo "Renaming /usr/bin/distccmon-gnome to /usr/bin/distccmon-gui"
+		einfo "This is to have a little sensability in naming schemes between distccmon programs"
+		mv "${ED}/usr/bin/distccmon-gnome" "${ED}/usr/bin/distccmon-gui" || die
+		dosym distccmon-gui /usr/bin/distccmon-gnome
+	fi
+
+	if use xinetd; then
+		insinto /etc/xinetd.d
+		newins "doc/example/xinetd" distcc
+	fi
+
+	insinto /usr/share/shadowman/tools
+	newins - distcc <<<"${EPREFIX}/usr/lib/distcc/bin"
+	newins - distccd <<<"${EPREFIX}/usr/lib/distcc"
+
+	rm -r "${ED}/etc/default" || die
+	rm "${ED}/etc/distcc/clients.allow" || die
+	rm "${ED}/etc/distcc/commands.allow.sh" || die
+}
+
+pkg_postinst() {
+	# remove the old paths when switching from libXX to lib
+	if [[ $(get_libdir) != lib && ${SYMLINK_LIB} != yes && \
+			-d ${EROOT%/}/usr/$(get_libdir)/distcc ]]; then
+		rm -r -f "${EROOT%/}/usr/$(get_libdir)/distcc" || die
+	fi
+
+	if [[ ${ROOT} == / ]]; then
+		eselect compiler-shadow update distcc
+		eselect compiler-shadow update distccd
+	fi
+
+	use gnome && xdg_desktop_database_update
+
+	elog
+	elog "Tips on using distcc with Gentoo can be found at"
+	elog "https://wiki.gentoo.org/wiki/Distcc"
+	elog
+	elog "distcc-pump is known to cause breakage with multiple packages."
+	elog "Do NOT enable it globally."
+	elog
+	elog "To use the distccmon programs with Gentoo you should use this command:"
+	elog "# DISTCC_DIR=\"${DISTCC_DIR:-${BUILD_PREFIX}/.distcc}\" distccmon-text 5"
+
+	if use gnome || use gtk; then
+		elog "Or:"
+		elog "# DISTCC_DIR=\"${DISTCC_DIR:-${BUILD_PREFIX}/.distcc}\" distccmon-gnome"
+	fi
+
+	elog
+	elog "***SECURITY NOTICE***"
+	elog "Since distcc-3.3, whitelist is used for what distccd could execute. The whilelist"
+	elog "has been generated by compiler-shadow distccd.  To revert to the old behavior, "
+	elog "you need to pass --make-me-a-botnet to distccd in /etc/conf.d/distccd."
+	elog "Cf. https://github.com/distcc/distcc/pull/243."
+}
+
+pkg_prerm() {
+	if [[ -z ${REPLACED_BY_VERSION} && ${ROOT} == / ]]; then
+		eselect compiler-shadow remove distcc
+	fi
+}
+
+pkg_postrm() {
+	use gnome && xdg_desktop_database_update
+}

sys-devel/distcc/files/distccd.confd

@@ -0,0 +1,37 @@
+# /etc/conf.d/distccd: config file for /etc/init.d/distccd
+
+DISTCCD_OPTS=""
+
+# this is the distccd executable
+DISTCCD_EXEC="/usr/bin/distccd"
+
+# set this option to run distccd with extra parameters
+# Default port is 3632.  For most people the default is okay.
+DISTCCD_OPTS="${DISTCCD_OPTS} --port 3632"
+
+# Logging
+# You can change some logging options here:
+# --log-file FILE
+# --log-level LEVEL  [critical,error,warning, notice, info, debug]
+#
+# Leaving --log-file blank will log to syslog
+# example: --log-file /dev/null --log-level warning
+# example: --log-level critical
+
+DISTCCD_OPTS="${DISTCCD_OPTS} --log-level critical"
+
+# SECURITY NOTICE:
+# It is HIGHLY recommended that you use the --listen option
+# for increased security. You can specify an IP to permit connections
+# from or a CIDR mask
+# --listen accepts only a single IP
+# --allow is now mandatory as of distcc-2.18.
+# example:  --allow 192.168.0.0/24
+# example:  --allow 192.168.0.5 --allow 192.168.0.150
+# example:  --listen 192.168.0.2
+DISTCCD_OPTS="${DISTCCD_OPTS} --allow 192.168.0.0/24"
+#DISTCCD_OPTS="${DISTCCD_OPTS} --listen 192.168.0.2"
+
+# set this for niceness
+# Default is 15
+DISTCCD_OPTS="${DISTCCD_OPTS} -N 15"

sys-devel/distcc/files/distccd.initd

@@ -0,0 +1,13 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+	need net
+	use avahi-daemon ypbind
+}
+
+command="${DISTCCD_EXEC:-usr/bin/distccd}"
+command_args="--user distcc --daemon --no-detach ${DISTCCD_OPTS}"
+command_background="true"
+pidfile="/run/${RC_SVCNAME}.pid"