Install a "refuse" file to protect the mirror's scripts and

configuration files from a malicious or compromised master site.

3 files changed, 10 insertions, 1 deletions

diff --git a/net/cvsup-mirror/Makefile b/net/cvsup-mirror/Makefile
index a10bc83f343b..9c58c78dbeda 100644
--- a/net/cvsup-mirror/Makefile
+++ b/net/cvsup-mirror/Makefile
@@ -22,6 +22,7 @@ NO_PACKAGE=	too interactive
 SCRIPTS_ENV=	USA_RESIDENT=${USA_RESIDENT}
 
 base=${PREFIX}/etc/cvsup
+distrib=${base}/sup.client/distrib
 rc=${PREFIX}/etc/rc.d
 
 do-extract:
@@ -29,13 +30,14 @@ do-extract:
 
 do-install:
 	@${ECHO_MSG} "Installing files"
-	@test -d ${base} || ${MKDIR} ${base}
+	@test -d ${distrib} || ${MKDIR} ${distrib}
 	@test -d ${rc} || ${MKDIR} ${rc}
 	@${INSTALL_DATA} ${WRKSRC}/config.sh ${base}
 	@${INSTALL_SCRIPT} ${FILESDIR}/update.sh ${base}
 	@${INSTALL_DATA} ${FILESDIR}/supfile ${base}
 	@${INSTALL_DATA} ${FILESDIR}/supfile.crypto ${base}
 	@${INSTALL_DATA} ${FILESDIR}/supfile.non-crypto ${base}
+	@${INSTALL_DATA} ${FILESDIR}/refuse.self ${distrib}
 	@${INSTALL_SCRIPT} ${FILESDIR}/cvsupd.sh ${rc}
 	@${CP} /dev/null ${base}/.start_server
 
diff --git a/net/cvsup-mirror/files/refuse.self b/net/cvsup-mirror/files/refuse.self
new file mode 100644
index 000000000000..a69dfec5c2a8
--- /dev/null
+++ b/net/cvsup-mirror/files/refuse.self
@@ -0,0 +1,6 @@
+*.sh
+cvsupd.access
+cvsupd.passwd
+prefixes
+sup.client
+supfile*
diff --git a/net/cvsup-mirror/pkg-plist b/net/cvsup-mirror/pkg-plist
index cd07ad92cf0f..d7f66c09b269 100644
--- a/net/cvsup-mirror/pkg-plist
+++ b/net/cvsup-mirror/pkg-plist
@@ -1,4 +1,5 @@
 etc/cvsup/config.sh
+etc/cvsup/sup.client/distrib/refuse.self
 etc/cvsup/supfile
 etc/cvsup/supfile.crypto
 etc/cvsup/supfile.non-crypto