Diffstat (limited to 'network/nss-tls')
-rw-r--r--  network/nss-tls/README               23
-rw-r--r--  network/nss-tls/README_SBo.txt       64
-rw-r--r--  network/nss-tls/doinst.sh            12
-rw-r--r--  network/nss-tls/nss-tls.SlackBuild  120
-rw-r--r--  network/nss-tls/nss-tls.conf         27
-rw-r--r--  network/nss-tls/nss-tls.info         10
-rw-r--r--  network/nss-tls/nss-tlsd-user.sh     20
-rw-r--r--  network/nss-tls/nss-tlsd.default      8
-rw-r--r--  network/nss-tls/per_user_dir.diff    23
-rw-r--r--  network/nss-tls/rc.nss-tlsd          55
-rw-r--r--  network/nss-tls/slack-desc           19
11 files changed, 381 insertions, 0 deletions
diff --git a/network/nss-tls/README b/network/nss-tls/README
new file mode 100644
index 0000000000..fe975e3661
--- /dev/null
+++ b/network/nss-tls/README
@@ -0,0 +1,23 @@
+nss-tls (DNS-over-HTTPS resolver)
+
+nss-tls is an alternative, encrypted name resolving library for Linux
+distributions with glibc which uses DNS-over-HTTPS. The glibc name
+resolver can be configured through nsswitch.conf(5) to use nss-tls
+instead of the DNS resolver, or fall back to DNS when nss-tls fails.
+
+This way, all applications that use the standard resolver API
+(getaddrinfo(), gethostbyname(), etc'), are transparently
+migrated from DNS to encrypted means of name resolving, with
+zero application-side changes and minimal resource consumption
+footprint. However, nss-tls does not deal with applications that use
+their own, built-in DNS resolver.
+
+See README_SBo.txt for instructions on setting things up, once the
+package is installed. It won't "just work", you really do have to
+configure it.
+
+The default servers in the config file are provided by Google, Quad9,
+and Cloudflare. If you'd like to change these, there is a list of
+public DoH servers here:
+
+https://zenodo.org/records/4923371
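Review bot: Typo in the second paragraph: `(getaddrinfo(), gethostbyname(), etc')` has a stray apostrophe after `etc`; it should read `etc.)`. The last paragraph refers to "the config file" without naming it; since README_SBo.txt and the daemon expect /etc/nss-tls.conf, naming it here saves the reader a lookup.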
diff --git a/network/nss-tls/README_SBo.txt b/network/nss-tls/README_SBo.txt
new file mode 100644
index 0000000000..6c82bc23ee
--- /dev/null
+++ b/network/nss-tls/README_SBo.txt
@@ -0,0 +1,64 @@
+Slackware-specific nss-tls HOWTO
+--------------------------------
+
+1. Make sure /etc/nss-tls.conf has at least one DNS-over-HTTPS server URL
+ listed. The default config file has 3, so you shouldn't need to
+ change it unless you don't trust the default servers (one of which
+ belongs to Google). Although it's possible to use hostnames in the
+ config file, I highly recommend using IP addresses.
+
+2. Add this code to your /etc/rc.d/rc.local:
+
+ [ -x /etc/rc.d/rc.nss-tlsd ] && /etc/rc.d/rc.nss-tlsd start
+
+3. Make sure /etc/rc.d/rc.nss-tlsd is executable (it is, by default).
+
+4. Manually start the daemon with the command: /etc/rc.d/rc.nss-tlsd start
+ Or, you could reboot instead.
+
+ At this point, you should be able to use the tlslookup(1) tool to
+ do some test lookups. Try "tlslookup www.slackware.com". You should
+ get output similar to:
+
+ $ tlslookup www.slackware.com
+ 23.218.93.137
+ 23.218.93.171
+ 2600:1402:9800:d::b833:2ac7
+ 2600:1402:9800:d::b833:2acd
+
+5. Edit /etc/nsswitch.conf and find the line that reads "hosts: files dns".
+ Replace the "dns" with "tls", so the line looks like:
+
+ hosts: files tls
+
+ Now, try "ping www.slackware.com". If this works, you should be
+ able to use normal clients (web browsers, mail, etc). nss-tls
+ transparently replaces the DNS resolver... but not everything
+ will work. In particular, git, curl, and alpine (the mail client)
+ are known not to work in this configuration. To support these
+ applications, see the next step.
+
+6. To keep regular DNS as a fallback option, change the line in
+ /etc/nss-tls.conf again, so it looks like:
+
+ hosts: files tls dns
+
+ This allows applications that don't work with nss-tls to use regular
+ DNS instead. Notably, git won't work without fallback DNS.
+
+7. Optional: users can run their own instances of the daemon, with
+ caching support. Run the command /usr/bin/nss-tlsd-user from
+ your startup scripts (~/.bash_profile for console logins, or
+ whatever your desktop environment uses if you use GUI login).
+
+ This isn't really required, though it can provide some extra
+ security on multi-user systems. If you're the only person who uses
+ your Slackware box, you probably don't need this.
+
+Running a server
+----------------
+
+nss-tls is just the client side of DNS-over-HTTPS. If you want to run
+a server, look into unbound (on SBo). In future Slackware versions,
+you may be able to use Slackware's bind for this (the version in 15.0
+doesn't support it, but the one in -current should).
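Review bot: Step 6 names the wrong file: the `hosts:` line that is changed to `hosts: files tls dns` lives in /etc/nsswitch.conf (the file edited in step 5), not /etc/nss-tls.conf, and a reader following the text literally will add a `hosts:` line to the daemon config where it does nothing. Steps 5 and 6 also pull in opposite directions (step 5 removes `dns`, step 6 puts it back); it reads more clearly to present `hosts: files tls dns` as the recommended setting and `hosts: files tls` as the stricter option, with the known breakage (git, curl, alpine) listed next to the stricter one. Step 1's advice to prefer IP addresses over hostnames in the resolver URLs would be easier to follow if it said why.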
diff --git a/network/nss-tls/doinst.sh b/network/nss-tls/doinst.sh
new file mode 100644
index 0000000000..6f2d8b6559
--- /dev/null
+++ b/network/nss-tls/doinst.sh
@@ -0,0 +1,12 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+ rm $NEW
+ fi
+}
+
+config etc/nss-tls.conf.new
+config etc/default/nss-tls.new
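Review bot: Filename mismatch on the last line: `config etc/default/nss-tls.new` does not match what the SlackBuild installs (`$PKG/etc/default/nss-tlsd.new`) or what rc.nss-tlsd sources (`/etc/default/nss-tlsd`), so on a fresh install the options file is left behind as /etc/default/nss-tlsd.new and NSS_TLSD_OPTS is never read. Change it to `config etc/default/nss-tlsd.new`.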
diff --git a/network/nss-tls/nss-tls.SlackBuild b/network/nss-tls/nss-tls.SlackBuild
new file mode 100644
index 0000000000..88db43b377
--- /dev/null
+++ b/network/nss-tls/nss-tls.SlackBuild
@@ -0,0 +1,120 @@
+#!/bin/bash
+
+# Slackware build script for nss-tls
+
+# Written by B. Watson (urchlay@slackware.uk)
+
+# Licensed under the WTFPL. See http://www.wtfpl.net/txt/copying/ for details.
+
+# Notes:
+
+# Building with --buildtype=debug makes the daemon write HTTP request
+# and response headers to its stdout. This isn't very useful, so this
+# script doesn't support it.
+
+# It would be nice if the daemon would log to syslog, or had some
+# runtime-configurable verbose/debug options.
+
+# I wish git would work with this. If it would, it'd be possible
+# to use 'hosts: files tls' in nsswitch.conf (curl and alpine still
+# wouldn't work, but there are decent workarounds for those).
+
+# By default, when the daemon runs as root, it switches UID/GID to
+# daemon/daemon. This seems fine to me. It would be possible to
+# reserve a UID/GID and build with -Duser=<blah> -Dgroup=<blah>, if
+# there were any real need for it.
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+PRGNAM=nss-tls
+VERSION=${VERSION:-1.1}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+PKGTYPE=${PKGTYPE:-tgz}
+
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) ARCH=i586 ;;
+ arm*) ARCH=arm ;;
+ *) ARCH=$( uname -m ) ;;
+ esac
+fi
+
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+ echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE"
+ exit 0
+fi
+
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+ SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+chown -R root:root .
+find -L . -perm /111 -a \! -perm 755 -a -exec chmod 755 {} + -o \
+ \! -perm /111 -a \! -perm 644 -a -exec chmod 644 {} +
+
+# This patch makes the client and server agree on the per-user socket path.
+patch -p1 < $CWD/per_user_dir.diff
+
+mkdir build
+cd build
+ CFLAGS="$SLKCFLAGS" \
+ CXXFLAGS="$SLKCFLAGS" \
+ meson .. \
+ --buildtype=release \
+ --infodir=/usr/info \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --localstatedir=/var \
+ --mandir=/usr/man \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ -Dstrip=true
+ "${NINJA:=ninja}"
+ DESTDIR=$PKG $NINJA install
+cd ..
+
+gzip -9 $PKG/usr/man/man*/*
+rm -f $PKG/etc/nss-tls.conf
+cat $CWD/nss-tls.conf > $PKG/etc/nss-tls.conf.new
+
+install -D -m0755 -oroot -groot $CWD/nss-tlsd-user.sh $PKG/usr/bin/nss-tlsd-user
+
+mkdir -p $PKG/etc/rc.d $PKG/etc/default
+cat $CWD/rc.nss-tlsd > $PKG/etc/rc.d/rc.nss-tlsd
+cat $CWD/nss-tlsd.default > $PKG/etc/default/nss-tlsd.new
+chmod 755 $PKG/etc/rc.d/rc.nss-tlsd
+
+PKGDOC=$PKG/usr/doc/$PRGNAM-$VERSION
+mkdir -p $PKGDOC
+cp -a AUTHORS COPYING README* $PKGDOC
+cat $CWD/README_SBo.txt > $PKGDOC/README_SBo.txt
+cat $CWD/$PRGNAM.SlackBuild > $PKGDOC/$PRGNAM.SlackBuild
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE
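Review bot: The note near the top about the daemon dropping to `daemon/daemon` deserves a sentence in README or README_SBo.txt, because `daemon` is a shared account: any other process running as that user can signal the resolver daemon, and an admin hardening a multi-user box may want the reserved UID/GID route (`-Duser=`/`-Dgroup=`) that the comment mentions but the script does not expose. Minor: `rm -f $PKG/etc/nss-tls.conf` discards upstream's config silently; copying it into $PKGDOC next to the SBo version would let admins diff the two.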
diff --git a/network/nss-tls/nss-tls.conf b/network/nss-tls/nss-tls.conf
new file mode 100644
index 0000000000..5227d4d752
--- /dev/null
+++ b/network/nss-tls/nss-tls.conf
@@ -0,0 +1,27 @@
+# nss-tls.conf - config for nss-tlsd daemon, part of nss-tls SBo package.
+
+# The only setting here is 'resolvers=', which must be a comma-separated
+# list of one or more DNS-over-HTTPS server URLs. Although it's possible
+# to use hostnames, it's better to use IP addresses in the URLs.
+
+# There's a list of public DoH servers found by port-scanning, here:
+# https://zenodo.org/records/4923371
+
+# Or, you could run your own (with unbound).
+
+# Do not remove this line:
+[global]
+
+# Google, DNS9, Cloudflare. These are the default servers from Debian's
+# nss-tls package.
+resolvers=https://9.9.9.9/dns-query,https://1.1.1.1/dns-query,https://8.8.8.8/dns-query
+
+# AdGuards's default (ad/tracker blocking, but no content filtering) servers.
+# These can be IPv6, too. See https://adguard-dns.io/en/public-dns.html
+# resolvers=https://94.140.14.14/dns-query,https://94.140.15.15/dns-query
+
+# AdGuards's non-filtering servers
+# resolvers=https://94.140.14.140/dns-query,https://94.140.15.141/dns-query
+
+# AdGuards's "family protection" content-filtering server
+# resolvers=https://94.140.14.15/dns-query,https://94.140.15.16/dns-query
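Review bot: The comment above `resolvers=` says "Google, DNS9, Cloudflare" but 9.9.9.9 is Quad9 (README calls it Quad9 too), and the comment's order does not match the URL order, which is Quad9, Cloudflare, Google; list them in the same order as the URLs so a reader editing the line knows which entry is which. Also "AdGuards's" (three places) should be "AdGuard's".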
diff --git a/network/nss-tls/nss-tls.info b/network/nss-tls/nss-tls.info
new file mode 100644
index 0000000000..ada3217a79
--- /dev/null
+++ b/network/nss-tls/nss-tls.info
@@ -0,0 +1,10 @@
+PRGNAM="nss-tls"
+VERSION="1.1"
+HOMEPAGE="https://github.com/dimkr/nss-tls/"
+DOWNLOAD="https://github.com/dimkr/nss-tls/archive/1.1/nss-tls-1.1.tar.gz"
+MD5SUM="a9e8c63856bf63ad2d1bedf46a01a48d"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+REQUIRES=""
+MAINTAINER="B. Watson"
+EMAIL="urchlay@slackware.uk"
diff --git a/network/nss-tls/nss-tlsd-user.sh b/network/nss-tls/nss-tlsd-user.sh
new file mode 100644
index 0000000000..0b395ea2ba
--- /dev/null
+++ b/network/nss-tls/nss-tlsd-user.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Launch a per-user nss-tlsd process, with caching.
+# Part of the SBo nss-tls build, by B. Watson, WTFPL licensed.
+# Other distributions use systemd to launch this when a user logs
+# in, we have to have users launch it from e.g. .bash_profile. This
+# wrapper script simplifies the setup.
+
+# Note that launching the user daemon isn't required, but since the
+# system daemon doesn't do caching for security reasons, the user
+# daemon might help performance a bit.
+
+# Using setsid --fork here prevents this script from hanging around
+# waiting for nss-tlsd to exit.
+
+if [ -x /usr/sbin/nss-tlsd ]; then
+ [ -e ~/.cache/nss-tlsd.sock ] || setsid --fork /usr/sbin/nss-tlsd -c &>/dev/null &
+fi
+
+exit 0
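Review bot: The `[ -e ~/.cache/nss-tlsd.sock ]` guard treats a stale socket file as a running daemon: if a previous nss-tlsd exited without unlinking its socket (crash, SIGKILL, reboot with ~/.cache on persistent storage), this script silently never starts a new one and the user gets no per-user daemon until the file is removed by hand. Check for a live process as well, for example by keeping a PID file the way rc.nss-tlsd does, and remove the stale socket before launching. The comment "Other distributions use systemd ..., we have to have users launch it" is a comma splice; split it into two sentences.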
diff --git a/network/nss-tls/nss-tlsd.default b/network/nss-tls/nss-tlsd.default
new file mode 100644
index 0000000000..60cbbdf542
--- /dev/null
+++ b/network/nss-tls/nss-tlsd.default
@@ -0,0 +1,8 @@
+# Default options for the nss-tlsd daemon:
+#
+# Supported options:
+# -c: cache results. This is really intended for per-user daemons.
+# -r: use a random server, when multiple servers are configured.
+# By default, all the above are disabled.
+
+NSS_TLSD_OPTS=""
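Review bot: The `-c` description should say that the system-wide daemon is meant to run without caching (nss-tlsd-user.sh says this is for security reasons), so an admin reading only this file does not add `-c` to NSS_TLSD_OPTS for the root daemon. A comment naming the file that reads these options (rc.nss-tlsd) would also help.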
diff --git a/network/nss-tls/per_user_dir.diff b/network/nss-tls/per_user_dir.diff
new file mode 100644
index 0000000000..d833c6ea95
--- /dev/null
+++ b/network/nss-tls/per_user_dir.diff
@@ -0,0 +1,23 @@
+diff -Naur nss-tls-1.1/nss-tls.c nss-tls-1.1.patched/nss-tls.c
+--- nss-tls-1.1/nss-tls.c 2020-07-16 19:09:59.000000000 -0400
++++ nss-tls-1.1.patched/nss-tls.c 2024-01-17 15:57:03.989437314 -0500
+@@ -68,7 +68,7 @@
+ if (geteuid() == 0)
+ strcpy(sun.sun_path, NSS_TLS_SOCKET_PATH);
+ else {
+- dir = getenv("XDG_RUNTIME_DIR");
++ dir = getenv("HOME");
+ if (dir) {
+ len = strlen(dir);
+ if (len > sizeof(sun.sun_path) - sizeof("/"NSS_TLS_SOCKET_NAME))
+@@ -77,6 +77,10 @@
+ memcpy(sun.sun_path, dir, len);
+ sun.sun_path[len] = '/';
+ ++len;
++ memcpy(sun.sun_path + len, ".cache", 6);
++ len += 6;
++ sun.sun_path[len] = '/';
++ ++len;
+ strncpy(sun.sun_path + len,
+ NSS_TLS_SOCKET_NAME,
+ sizeof(sun.sun_path) - len);
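Review bot: The length check in the first hunk (`len > sizeof(sun.sun_path) - sizeof("/"NSS_TLS_SOCKET_NAME)`) is left unchanged while the second hunk inserts 7 more bytes (`.cache/`) before the socket name, so a $HOME close to the sun_path limit now passes the check and the trailing `strncpy(..., sizeof(sun.sun_path) - len)` truncates the socket name (and may leave sun_path without a terminating NUL) instead of the path being rejected. Update the check to account for the extra directory component, e.g. `sizeof("/.cache/"NSS_TLS_SOCKET_NAME)`. Also worth a line in the README: moving the socket from $XDG_RUNTIME_DIR (a per-login tmpfs cleaned up at logout) to ~/.cache means the socket persists across sessions in a directory the user controls, which is why nss-tlsd-user.sh has to cope with stale sockets.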
diff --git a/network/nss-tls/rc.nss-tlsd b/network/nss-tls/rc.nss-tlsd
new file mode 100644
index 0000000000..752027b0f5
--- /dev/null
+++ b/network/nss-tls/rc.nss-tlsd
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# rc.nss-tlsd - by B. Watson (urchlay@slackware.uk). Part of the
+# SlackBuilds.org nss-tlsd package. WTFPL licensed.
+
+DAEMON=/usr/sbin/nss-tlsd
+PIDFILE=/run/nss-tlsd.pid
+
+[ -f /etc/default/nss-tlsd ] && . /etc/default/nss-tlsd
+
+# we try to make sure not only that the PID file exists, but that the
+# PID is actually that of a running nss-tlsd process. the 'cut' stuff
+# is in case the package was upgraded, which results in /proc/<pid>/exe
+# pointing to "/usr/sbin/nss-tlsd (deleted)".
+daemon_is_running() {
+ [ -e "$PIDFILE" ] || return 1
+ [ "$( readlink /proc/$( cat $PIDFILE )/exe 2>/dev/null | cut -d' ' -f1 )" = "$DAEMON" ] || return 1
+ return 0
+}
+
+start_daemon() {
+ if daemon_is_running; then
+ echo "$DAEMON is already running, PID $( cat $PIDFILE )"
+ else
+ echo "Starting $DAEMON"
+ nohup $DAEMON $NSS_TLSD_OPTS >/dev/null 2>&1 &
+ echo "${!}" > $PIDFILE
+ fi
+}
+
+stop_daemon() {
+ if daemon_is_running; then
+ echo "Stopping $DAEMON"
+ kill "$( cat $PIDFILE )"
+ sleep 1
+ kill -9 "$( cat $PIDFILE )" >/dev/null 2>&1
+ rm -f $PIDFILE
+ else
+ echo "$DAEMON not running"
+ fi
+}
+
+# most rc scripts don't need this: daemons will fail to start as non-root.
+# this one is designed to work either way.
+if [ "$(id -u)" != "0" ]; then
+ echo "$0: must run as root."
+ exit 1
+fi
+
+case "$1" in
+ start|"") start_daemon ;;
+ stop) stop_daemon ;;
+ restart) stop_daemon; sleep 1; start_daemon ;;
+ *) echo "Usage: $0 start|stop|restart" ;;
+esac
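Review bot: In stop_daemon, `kill -9 "$( cat $PIDFILE )"` runs unconditionally one second after the TERM: if the daemon has already exited and the kernel has reused that PID, this SIGKILLs an unrelated process. Guard it with `daemon_is_running` (which already verifies /proc/<pid>/exe) before sending -9. The comment "most rc scripts don't need this ... this one is designed to work either way" reads as if the script works as non-root, while the code right below exits 1 in that case; reword it to say the daemon (not the script) runs either way, which is why the root check is needed here. Minor: the header says "nss-tlsd package" but the package is nss-tls, and the usage branch should `exit 1`.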
diff --git a/network/nss-tls/slack-desc b/network/nss-tls/slack-desc
new file mode 100644
index 0000000000..8965e2029d
--- /dev/null
+++ b/network/nss-tls/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.
+# Line up the first '|' above the ':' following the base package name, and
+# the '|' on the right side marks the last column you can put a character in.
+# You must make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+ |-----handy-ruler------------------------------------------------------|
+nss-tls: nss-tls (DNS-over-HTTPS resolver)
+nss-tls:
+nss-tls: nss-tls is an alternative, encrypted name resolving library for Linux
+nss-tls: distributions with glibc which uses DNS-over-HTTPS. The glibc name
+nss-tls: resolver can be configured through nsswitch.conf(5) to use nss-tls
+nss-tls: instead of the DNS resolver, or fall back to DNS when nss-tls fails.
+nss-tls:
+nss-tls:
+nss-tls:
+nss-tls:
+nss-tls: