ports/152226: [PATCH] security/sancp: Fix a bug in RC script + other changes
Sevan Janiyan
venture37 at geeklan.co.uk
Sun Nov 14 04:00:17 UTC 2010
>Number: 152226
>Category: ports
>Synopsis: [PATCH] security/sancp: Fix a bug in RC script + other changes
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sun Nov 14 04:00:16 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Sevan Janiyan
>Release: FreeBSD 8.1-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD tinderbox.home.thingamajig-systems.co.uk 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #5: Mon Nov 1 18:06:15 GMT
>Description:
Don't declare ${sancp_flags} in command_args
This fixes http://taosecurity.blogspot.com/2010/11/calling-freebsd-startup-script-experts.html, fix by Colin Percival
Drop .sh extension from RC script
Drop MD5 checksum from distinfo
Switch from adding & removing users by hand to using $USERS & $GROUPS, patch for UIDs & GIDs in ports/152225
Don't remove data gathered by app on uninstall, notify user to do it manually should they wish to
Added file(s):
- files/sancp.in
Removed file(s):
- files/sancp.sh.in
Port maintainer (pauls at utdallas.edu) is cc'd.
Generated with FreeBSD Port Tools 0.99
>How-To-Repeat:
>Fix:
--- sancp-1.6.1_4.patch begins here ---
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/sancp/Makefile,v
retrieving revision 1.6
diff -u -u -r1.6 Makefile
--- Makefile 22 Aug 2009 00:35:04 -0000 1.6
+++ Makefile 14 Nov 2010 03:26:29 -0000
@@ -8,7 +8,7 @@
PORTNAME= sancp
PORTVERSION= 1.6.1
DISTVERSIONSUFFIX= -stable
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= security
MASTER_SITES= SF/${PORTNAME}/${PORTNAME}/${PORTNAME}-${PORTVERSION}-stable
@@ -16,9 +16,12 @@
COMMENT= A network connection profiler
ALL_TARGET= bsd
-USE_RC_SUBR= sancp.sh
+USE_RC_SUBR= sancp
SUB_FILES= pkg-message
+USERS= sancp
+GROUPS= sancp
+
PORTDOCS= CHANGES INSTALL ISSUES README \
SETUP fields.LIST LICENSE
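Review bot: the added USERS= sancp and GROUPS= sancp lines only resolve once sancp entries exist in the ports UIDs and GIDs files, which the description says are submitted separately in ports/152225. This change should be committed together with or after that PR, and the dependency is worth stating in the commit message so the two are not applied out of order.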
@@ -26,7 +29,6 @@
@cd ${WRKSRC} && ${MV} LICENSE docs/
do-install:
- @${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
@${INSTALL_PROGRAM} ${WRKSRC}/sancp ${PREFIX}/bin
@${INSTALL_DATA} ${WRKSRC}/etc/sancp/sancp.conf ${PREFIX}/etc/sancp.conf-dist
@${CP} -n ${PREFIX}/etc/sancp.conf-dist ${PREFIX}/etc/sancp.conf
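Review bot: with the "@${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL" line dropped from do-install, no call to pkg-install is left in the visible part of this target, yet pkg-install still carries the "chmod 750 ${LOG_DIR}" step. Please confirm that the script still runs when the port is installed from source and not only from a package; if it does not, the permission setting on /var/log/sancp should move into the Makefile.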
Index: distinfo
===================================================================
RCS file: /home/ncvs/ports/security/sancp/distinfo,v
retrieving revision 1.4
diff -u -u -r1.4 distinfo
--- distinfo 14 Jul 2007 22:21:13 -0000 1.4
+++ distinfo 14 Nov 2010 03:26:29 -0000
@@ -1,3 +1,2 @@
-MD5 (sancp-1.6.1-stable.tar.gz) = ffa64f2fdb49afd7ef16fbefda21e251
SHA256 (sancp-1.6.1-stable.tar.gz) = 9836262aaf02bde116a9e79d342ea3af8b4991c7ba27b816fb54ed6c0863ff48
SIZE (sancp-1.6.1-stable.tar.gz) = 71748
Index: pkg-deinstall
===================================================================
RCS file: /home/ncvs/ports/security/sancp/pkg-deinstall,v
retrieving revision 1.3
diff -u -u -r1.3 pkg-deinstall
--- pkg-deinstall 14 Jul 2007 22:21:13 -0000 1.3
+++ pkg-deinstall 14 Nov 2010 03:26:29 -0000
@@ -4,28 +4,6 @@
exit 0
fi
-PATH=/bin:/usr/sbin
-USER=sancp
-GROUP=${USER}
-LOG_DIR=/var/log/sancp
+PATH=/bin:/usr/bin
-# Remove the log directory
-if [ -d ${LOG_DIR} ];
-then
- rmdir ${LOG_DIR} >/dev/null 2>&1;
-fi
-
-if pw user show "${USER}" >/dev/null 2>&1; then
- if ! pw userdel ${USER} ;
- then
- echo "Unable to remove user: ${USER}, remove it manually"
- fi
-fi
-
-
-if pw group show "${GROUP}" >/dev/null 2>&1; then
- if ! pw groupdel ${GROUP} ;
- then
- echo "Unable to remove group: ${GROUP}, remove it manually"
- fi
-fi
+echo "* If you nolonger plan to run sancp delete /var/log/sancp, the user & group created during install *"
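Review bot: the message added on the last line contains a typo ("nolonger" should be "no longer") and tells the administrator to delete "the user & group created during install" without naming them. Suggest spelling out that both are called sancp, so someone reading the deinstall output knows exactly which account and which directory are left behind on the system.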
Index: pkg-install
===================================================================
RCS file: /home/ncvs/ports/security/sancp/pkg-install,v
retrieving revision 1.2
diff -u -u -r1.2 pkg-install
--- pkg-install 14 Jul 2007 22:21:13 -0000 1.2
+++ pkg-install 14 Nov 2010 03:26:29 -0000
@@ -5,42 +5,6 @@
fi
PATH=/bin:/usr/sbin
-USER=sancp
-GROUP=${USER}
LOG_DIR=/var/log/sancp
-if [ ! -d ${LOG_DIR} ]; then mkdir ${LOG_DIR}; fi
-
-if pw group show "${GROUP}" 2>/dev/null; then
- echo "You already have a group \"${GROUP}\", so I will use it."
-else
- if pw groupadd ${GROUP}; then
- echo "Added group \"${GROUP}\"."
- else
- echo "Adding group \"${GROUP}\" failed..."
- exit 1
- fi
-fi
-
-if pw user show "${USER}" 2>/dev/null; then
- echo "You already have a user \"${USER}\", so I will use it."
- if pw usermod ${USER} -d ${LOG_DIR}
- then
- echo "Changed home directory of \"${USER}\" to \"${LOG_DIR}\""
- else
- echo "Changing home directory of \"${USER}\" to \"${LOG_DIR}\" failed..."
- exit 1
- fi
-else
- if pw useradd ${USER} -g ${GROUP} -h - \
- -d ${LOG_DIR} -s /sbin/nologin -c "SANCP Daemon"
- then
- echo "Added user \"${USER}\"."
- else
- echo "Adding user \"${USER}\" failed..."
- exit 1
- fi
-fi
-
-chown -R ${USER}:${GROUP} ${LOG_DIR}
chmod 750 ${LOG_DIR}
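Review bot: the mkdir of ${LOG_DIR} and the "chown -R ${USER}:${GROUP} ${LOG_DIR}" are removed along with the pw calls, but "chmod 750 ${LOG_DIR}" stays, so nothing visible in this patch creates /var/log/sancp or hands it to the sancp user any more. On a fresh install the chmod would run against a directory that does not exist. Suggest keeping the directory creation and the chown (the account now comes from USERS and GROUPS), for example a single install -d with owner sancp, group sancp and mode 750.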
Index: files/sancp.in
===================================================================
RCS file: files/sancp.in
diff -N files/sancp.in
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/sancp.in 14 Nov 2010 03:26:29 -0000
@@ -0,0 +1,80 @@
+#!/bin/sh
+#
+
+# PROVIDE: sancp
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf to enable sancp:
+# sancp_enable (bool): Set to YES to enable sancp
+# Default: NO
+# sancp_flags (str): Extra flags passed to sancp
+# Default: -D
+# sancp_conf (str): Sancp configuration file
+# Default: %%PREFIX%%/etc/sancp.conf
+# sancp_interface (str): Default: none - MUST BE SET
+#
+# Command Line Options: (cmdline)
+# ---------------------
+#
+# -? or -h this help screen
+# -c <filename> specify the configuration/rules filename
+# -d <directory> specify the directory for output files
+# -i <device> set the network device to listen on (default: 'any')
+# -g <gid> set a group identity
+# -u <uid> set a user identity
+# -r <pcapfile> pcap file to read (overrides -i)
+# -B "<bpf expression>" set a bpf expression (alternative to -F <filename>)
+# -D (daemon) forks, prints msgs to syslog only and overrides -C option
+# -K (console) enable additional printing of 'realtimes' to stdout (suppressed by option -D)
+# -F <bpf filename> file containing a bpf filter expression, overrides (alternative to -B)
+# -H --human-readable write IP addresses in dotted notation and TCPflag fields in hex
+# -R Set default for realtime to 'pass' (default is 'log') disables realtime, but rules can override
+# -S Set default for stats to 'pass' (default is 'log') disables stats, but rules can override
+# -P Set default for pcap to 'pass' (default is 'log') disables pcap, but rules can override
+# -I or --enable_icmp_mixed record 'code' and 'type' fields for ICMP
+# to the fields 's_port' and 'd_port'.
+# note: affects how related icmp packets are correlated
+# -V display version
+# --shift (debug) force interpretation of packet starting at byte[2]
+# normally performed when reading from the 'any' interface
+# --strip-80211 strip 802.1Q headers from 802.1Q packets; used to
+# decode 802.1Q encapsulated packets - affects -A option,
+# --log-facility <facility> where facility can be 'LOCAL1' - 'LOCAL7'
+# The default log facility used by SANCP is LOG_DAEMON
+#
+# Debug mode for pcap data logging
+# -A records ALL traffic frames to a pcap file named 'debug_pcap_raw'
+# (despite rules). Packets are logged here prior to decoding or handling.
+# Use -F or -B option to restrict what is collectedi.
+# Pcap data logged using this option is affected by the --strip-80211 cmdline option
+# The configuration file equivalent to this is 'default debug_pcap_raw enable'
+
+. /etc/rc.subr
+
+name="sancp"
+rcvar=`set_rcvar`
+
+command="%%PREFIX%%/bin/sancp"
+
+start_precmd=start_precmd
+
+start_precmd()
+{
+ if [ -z "${sancp_interface}" ]; then
+ err 1 "sancp_interface must set."
+ fi
+}
+
+# set some defaults
+load_rc_config $name
+
+: ${sancp_enable="NO"}
+: ${sancp_flags="-D"}
+: ${sancp_conf="%%PREFIX%%/etc/sancp.conf"}
+: ${sancp_interface=""}
+
+command_args="-c ${sancp_conf} -i ${sancp_interface}"
+
+run_rc_command "$1"
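Review bot: command_args near the end passes only -c and -i, and the default sancp_flags is -D, so nothing in this script selects the user or group (-u, -g) or the output directory (-d) that the option list above documents. Please confirm that sancp.conf makes the daemon run as the sancp account the Makefile now creates and write under /var/log/sancp; otherwise it keeps the privileges it was started with. Since this is a new file, two wording fixes can go in as well: the err text in start_precmd should read "sancp_interface must be set." and "collectedi" in the -A comment should be "collected".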
Index: files/sancp.sh.in
===================================================================
RCS file: files/sancp.sh.in
diff -N files/sancp.sh.in
--- files/sancp.sh.in 27 Mar 2010 00:14:47 -0000 1.4
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,80 +0,0 @@
-#!/bin/sh
-#
-
-# PROVIDE: sancp
-# REQUIRE: DAEMON
-# BEFORE: LOGIN
-# KEYWORD: shutdown
-
-# Add the following lines to /etc/rc.conf to enable sancp:
-# sancp_enable (bool): Set to YES to enable sancp
-# Default: NO
-# sancp_flags (str): Extra flags passed to sancp
-# Default: -D
-# sancp_conf (str): Sancp configuration file
-# Default: %%PREFIX%%/etc/sancp.conf
-# sancp_interface (str): Default: none - MUST BE SET
-#
-# Command Line Options: (cmdline)
-# ---------------------
-#
-# -? or -h this help screen
-# -c <filename> specify the configuration/rules filename
-# -d <directory> specify the directory for output files
-# -i <device> set the network device to listen on (default: 'any')
-# -g <gid> set a group identity
-# -u <uid> set a user identity
-# -r <pcapfile> pcap file to read (overrides -i)
-# -B "<bpf expression>" set a bpf expression (alternative to -F <filename>)
-# -D (daemon) forks, prints msgs to syslog only and overrides -C option
-# -K (console) enable additional printing of 'realtimes' to stdout (suppressed by option -D)
-# -F <bpf filename> file containing a bpf filter expression, overrides (alternative to -B)
-# -H --human-readable write IP addresses in dotted notation and TCPflag fields in hex
-# -R Set default for realtime to 'pass' (default is 'log') disables realtime, but rules can override
-# -S Set default for stats to 'pass' (default is 'log') disables stats, but rules can override
-# -P Set default for pcap to 'pass' (default is 'log') disables pcap, but rules can override
-# -I or --enable_icmp_mixed record 'code' and 'type' fields for ICMP
-# to the fields 's_port' and 'd_port'.
-# note: affects how related icmp packets are correlated
-# -V display version
-# --shift (debug) force interpretation of packet starting at byte[2]
-# normally performed when reading from the 'any' interface
-# --strip-80211 strip 802.1Q headers from 802.1Q packets; used to
-# decode 802.1Q encapsulated packets - affects -A option,
-# --log-facility <facility> where facility can be 'LOCAL1' - 'LOCAL7'
-# The default log facility used by SANCP is LOG_DAEMON
-#
-# Debug mode for pcap data logging
-# -A records ALL traffic frames to a pcap file named 'debug_pcap_raw'
-# (despite rules). Packets are logged here prior to decoding or handling.
-# Use -F or -B option to restrict what is collectedi.
-# Pcap data logged using this option is affected by the --strip-80211 cmdline option
-# The configuration file equivalent to this is 'default debug_pcap_raw enable'
-
-. /etc/rc.subr
-
-name="sancp"
-rcvar=`set_rcvar`
-
-command="%%PREFIX%%/bin/sancp"
-
-start_precmd=start_precmd
-
-start_precmd()
-{
- if [ -z "${sancp_interface}" ]; then
- err 1 "sancp_interface must set."
- fi
-}
-
-# set some defaults
-load_rc_config $name
-
-: ${sancp_enable="NO"}
-: ${sancp_flags="-D"}
-: ${sancp_conf="%%PREFIX%%/etc/sancp.conf"}
-: ${sancp_interface=""}
-
-command_args="${sancp_flags} -c ${sancp_conf} -i ${sancp_interface}"
-
-run_rc_command "$1"
--- sancp-1.6.1_4.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: