Arch Linux User Repository

@codeswhite, could you file a GitHub issue on Radarr? This is actually just a binary package. In the issue, it is worth mentioning that lidarr and readarr probably have the same issue.

Hi, i've noticed that the binary is compiled without the recommended exploit protection:

$ sudo checksec --proc=Radarr
...snip...
         COMMAND    PID RELRO           STACK CANARY            SECCOMP          NX/PaX        PIE                     FORTIFY
          Radarr    123 Partial RELRO   Canary found            No Seccomp       NX enabled    No PIE                  No

Those Partial RELRO and No PIE will result in a much easier arbitrary code execution exploit in the Radarr binary.

@jlanzobr: You can see radarr.service right up there in Sources and see that it is not using the mono binary. So instead, you need to stop using your custom service and use the one from the package. And you should switch to using a systemd override via systemctl edit when you want to modify parts of a .service file.

The systemd init file needs to be updated. The path (/usr/bin/mono --debug /usr/lib/radarr/bin/Radarr -nobrowser -data=/var/lib/radarr) is no longer correct.

@emphire: I'll probably never do a script because I find it annoying to control options in two places. But before tmpfiles, all my packages used the .install file. The systemd tmpfiles seemed like the suggested way, but I'll have another look. I don't care either way about that, would go w/ which ever is the "Arch" way there. You can do so much w/ tmpfiles, like links and folders and ownership and ... seems like its original intent doesn't match its capabilities. :)

Thanks for the response @fryfrog. Sorry it took me a while to get back. In the first line of the docs (https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html), it says it's for volatile and temporary files. Using tmpfiles works but feels a bit hacky for this reason. I find the script file is handy to have for troubleshooting and running it manually instead of as a service. Thanks for maintaining the package.

Hey @emphire, check out the radarr-aphrodite package which has done a little of what you're talking about.

They added a package_info that lets me disable the built in updater and display a message, so I've put /usr/lib/radarr back to root:root which I think you'll appreciate. I'm waiting for that to come to the normal version, then I'll change it there too.

I moved all my packages from doing it in the .install file to using tmpfiles, I believe based on feedback from #archlinux-aur. Do you have some packaging guidelines that talk about doing this as part of the package vs via tmpfiles? I mean, the name obviously implies it... but I prefer it over doing it in the install precisely because it'll fix permissions more often if needed. And can be easily overridden by the user, unlike doing it from the package.

Finally, the script that runs mono that runs Radarr... that is one of the things that bugs me a little about the sonarr package I don't own, for some reason I just don't like it. Also, the next version of Radarr is dotnet core so doesn't even need Mono, you just run it directly. If you want to change some parameters, now you need to hunt down that file if they're mono options or edit the script if they're not... or don't edit the script because the package is going to blow it away, edit the .service.

Thanks for the feedback, if you can convince me of any of these specific changes, I'll be happy to make them and I'll then do it for all the packages I own. But at the very least, I think the most import part of it (the root:root ownership of /usr/lib/radarr) is coming eventually. :)

I made some tweaks to the package I was hoping you could include in the next release.

Here is the git diff: http://ix.io/2lup

The changes are:

1. The /usr/lib/radarr directory and its contents was owned by the radarr user. It's more secure to have it owned by root so radarr has readonly access to it so that variable data can be restricted to /var/lib/radarr.

2. tmpfiles.d is intended for temporary and volatile files. I moved the directory permissions setting into an install file - this also means that the permissions won't get set on every boot (just on install).

3. I added /usr/bin/radarr so it can be run in browser mode from the commandline as a regular user if desired (untested). It also cleans-up the .service file a little.

Here are the changed files if the diff is hard to read: PKGBUILD: http://ix.io/2luu radarr.install: http://ix.io/2luq radarr.service: http://ix.io/2lur radarr.sh: http://ix.io/2lus radarr.tmpfiles: http://ix.io/2lut

Thanks!

It didn't seem worth bumping pkgrel for, but if you refresh you'll get it. I did it to sonarr-develop, radarr-develop, sonarr-phantom and lidarr too. But radarr-aphrodite and lidarr-develop have switched to dotnet core so they don't need it.

Thanks for the great idea.

@joehillen: Great idea, will do! :)