authorglarkin <glarkin@FreeBSD.org>2008-09-11 08:30:09 +0800
committerglarkin <glarkin@FreeBSD.org>2008-09-11 08:30:09 +0800
commit5e9fbaf4b4842cb0266521cc52a6a7107563bc0c (patch)
tree253f1181d526472810f1a35e3a3154ab1293d3cc /security/logcheck
parent85c8655a2b24dc83a8ee153b796809348eff6dae (diff)
- Fixed logcheck script silent failure in previous commit
- Added handling for crontab installation problems - Incorporated security fixes from PR opened after previous commit - Added UPDATING entry since configuration options have changed fairly significantly PR: ports/122842 Submitted by: Cezary Morga <cm@therek.net> PR: ports/127255 Submitted by: Yasuhiro KIMURA <yasu at utahime dot org> Reviewed by: glarkin Approved by: beech (mentor, implicit) Approved by: portmgr (marcus) Security: Incorrect addition of logcheck user to wheel group
Diffstat (limited to 'security/logcheck')
-rw-r--r--security/logcheck/Makefile46
-rw-r--r--security/logcheck/files/patch-src__logcheck20
-rw-r--r--security/logcheck/files/pkg-deinstall.in4
-rw-r--r--security/logcheck/files/pkg-install.in25
-rw-r--r--security/logcheck/files/pkg-message.in4
-rw-r--r--security/logcheck/pkg-plist6
6 files changed, 66 insertions, 39 deletions
diff --git a/security/logcheck/Makefile b/security/logcheck/Makefile
index 56d16ea35824..e63fafa95738 100644
--- a/security/logcheck/Makefile
+++ b/security/logcheck/Makefile
@@ -7,10 +7,9 @@
PORTNAME= logcheck
PORTVERSION= 1.2.54
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= security
-MASTER_SITES= ftp://ftp.debian.org/debian/pool/main/l/logcheck/ \
- http://ftp.de.debian.org/debian/pool/main/l/logcheck/
+MASTER_SITES= ${MASTER_SITE_DEBIAN_POOL}
DISTNAME= ${PORTNAME}_${PORTVERSION}
MAINTAINER= glarkin@FreeBSD.org
@@ -18,12 +17,23 @@ COMMENT= Auditing tool for system logs on Unix boxes
BUILD_DEPENDS= docbook-to-man:${PORTSDIR}/textproc/docbook-to-man
RUN_DEPENDS= lockfile:${PORTSDIR}/mail/procmail \
- bash:${PORTSDIR}/shells/bash \
- perl:${PORTSDIR}/lang/perl5
+ bash:${PORTSDIR}/shells/bash
+
+LOGCHECK_USER= logcheck
+LOGCHECK_UID= 915
+LOGCHECK_GROUP= ${LOGCHECK_USER}
+LOGCHECK_GID= ${LOGCHECK_UID}
+
+# Enable Perl dependency for logtail script
+USE_PERL5= 5.8.0+
WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
BINMODE= 755
SHAREMODE= 640
+SUB_LIST+= LOGCHECK_USER=${LOGCHECK_USER} \
+ LOGCHECK_UID=${LOGCHECK_UID} \
+ LOGCHECK_GROUP=${LOGCHECK_GROUP} \
+ LOGCHECK_GID=${LOGCHECK_GID}
SUB_FILES= pkg-install pkg-deinstall pkg-message
CONFIG_DIRS= cracking.d ignore.d.paranoid ignore.d.server \
ignore.d.workstation violations.d violations.ignore.d
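Review bot: `LOGCHECK_UID= 915` and the GID derived from it are fixed numbers with no comment saying where 915 is reserved, so nothing on this page shows that it cannot collide with an id already in use on the target host. pkg-install now passes these values to `pw` with `-u`/`-g`, so a collision would presumably make account creation fail rather than fall back to a free id. I would add a comment above the assignment, for example `# 915 is reserved for logcheck; keep in sync with the ports uid/gid registry`, and confirm that the reservation actually exists.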
@@ -31,39 +41,39 @@ DOCS= AUTHORS CHANGES CREDITS LICENSE TODO docs/README*
PORTDOCS= ${DOCS:T}
MAN8= logcheck.8 logtail.8
-LOGCHECK_USER= logcheck
-LOGCHECK_GROUP= ${LOGCHECK_USER}
-
do-build:
${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \
- ${WRKSRC}/etc/logcheck.logfiles
- ${REINPLACE_CMD} -e 's!/etc/logcheck!/usr/local/etc/logcheck!' \
- -e 's!/usr/share/doc/logcheck-database/README.logcheck-database.gz!${DOCSDIR}/README.logcheck-database!' \
- ${WRKSRC}/docs/logcheck.sgml
+ ${WRKSRC}/etc/logcheck.logfiles
+ ${REINPLACE_CMD} -e 's!/etc/logcheck!${ETCDIR}!' \
+ -e 's!/usr/share/doc/logcheck-database/README.logcheck-database.gz!${DOCSDIR}/README.logcheck-database!' \
+ ${WRKSRC}/docs/logcheck.sgml
docbook-to-man ${WRKSRC}/docs/logcheck.sgml > ${WRKSRC}/docs/logcheck.8
do-install:
${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${PREFIX}/sbin
${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${PREFIX}/sbin
@PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
- @${INSTALL} -d /var/lib/logcheck
+ @${INSTALL} -d /var/db/logcheck
@${INSTALL} -d /var/run/logcheck
- ${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/lib/logcheck
+ ${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/db/logcheck
@${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \
- /var/lib/logcheck' >> ${TMPPLIST}
+ /var/db/logcheck' >> ${TMPPLIST}
${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/run/logcheck
@${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \
/var/run/logcheck' >> ${TMPPLIST}
@${INSTALL} -d ${ETCDIR}
- @${INSTALL_DATA} ${WRKSRC}/etc/logcheck.conf ${ETCDIR}/logcheck.conf.sample
- @${INSTALL_DATA} ${WRKSRC}/etc/logcheck.logfiles ${ETCDIR}/logcheck.logfiles.sample
+ @${INSTALL_DATA} ${WRKSRC}/etc/logcheck.conf \
+ ${ETCDIR}/logcheck.conf.sample
+ @${INSTALL_DATA} ${WRKSRC}/etc/logcheck.logfiles \
+ ${ETCDIR}/logcheck.logfiles.sample
.for i in ${CONFIG_DIRS}
@${INSTALL} -d ${ETCDIR}/${i}
@${INSTALL_DATA} ${WRKSRC}/rulefiles/linux/${i}/* ${ETCDIR}/${i}
.endfor
.if !defined(NOPORTEXAMPLES)
@${INSTALL} -d ${EXAMPLESDIR}
- @${INSTALL_DATA} ${WRKSRC}/debian/logcheck.cron.d ${EXAMPLESDIR}/crontab.in
+ @${INSTALL_DATA} ${WRKSRC}/debian/logcheck.cron.d \
+ ${EXAMPLESDIR}/crontab.in
.endif
${CHOWN} -R root:${LOGCHECK_GROUP} ${ETCDIR}
@${ECHO_CMD} '@exec ${CHOWN} -R root:${LOGCHECK_GROUP} \
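Review bot: `/var/db/logcheck` and `/var/run/logcheck` are created in do-install with a bare `${INSTALL} -d` and only chowned afterwards, so they end up with install's default directory mode (normally 0755) and are world-readable. The state directory presumably holds working data derived from system logs, so an explicit restrictive mode seems worth setting in one step: `@${INSTALL} -d -o ${LOGCHECK_USER} -g ${LOGCHECK_GROUP} -m 750 /var/db/logcheck`, and likewise for /var/run/logcheck. The `@exec mkdir -p` lines in pkg-plist recreate the same directories for package installs and would need the matching mode. do-install continues past the end of this hunk.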
diff --git a/security/logcheck/files/patch-src__logcheck b/security/logcheck/files/patch-src__logcheck
index faf0954ce518..8e06c99a8a6f 100644
--- a/security/logcheck/files/patch-src__logcheck
+++ b/security/logcheck/files/patch-src__logcheck
@@ -1,5 +1,5 @@
--- ./src/logcheck.orig 2007-01-16 01:13:27.000000000 -0500
-+++ ./src/logcheck 2008-09-06 19:11:28.000000000 -0400
++++ ./src/logcheck 2008-09-09 18:10:02.000000000 -0400
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/local/bin/bash
@@ -11,7 +11,7 @@
if [ $UID == 0 ]; then
echo "logcheck should not be run as root. Use su to invoke logcheck:"
- echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck"
-+ echo "su logcheck -c \"/usr/local/bin/bash /usr/local/sbin/logcheck${@:+ $@}\""
++ echo "su -m logcheck -c \"/usr/local/bin/bash /usr/local/sbin/logcheck${@:+ $@}\""
echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}."
# you may want to uncomment that hack to let logcheck invoke itself.
- # su -s /bin/bash -c "$0 $*" logcheck
@@ -32,19 +32,20 @@
# Set the default paths
-RULEDIR="/etc/logcheck"
-CONFFILE="/etc/logcheck/logcheck.conf"
-+RULEDIR="/usr/local/etc/logcheck"
-+CONFFILE="/usr/local/etc/logcheck/logcheck.conf"
- STATEDIR="/var/lib/logcheck"
+-STATEDIR="/var/lib/logcheck"
-LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
-LOGFILE_FALLBACK="/var/log/syslog"
-LOGTAIL="/usr/sbin/logtail"
++RULEDIR="/usr/local/etc/logcheck"
++CONFFILE="/usr/local/etc/logcheck/logcheck.conf"
++STATEDIR="/var/db/logcheck"
+LOGFILES_LIST="/usr/local/etc/logcheck/logcheck.logfiles"
+LOGFILE_FALLBACK="/var/log/messages"
+LOGTAIL="/usr/local/sbin/logtail"
CAT="/bin/cat"
SYSLOG_SUMMARY="/usr/bin/syslog-summary"
-@@ -87,20 +80,15 @@
+@@ -87,26 +80,21 @@
SORTUNIQ=0
SUPPORT_CRACKING_IGNORE=0
SYSLOGSUMMARY=0
@@ -69,6 +70,13 @@
fi
if [ -d $TMPDIR ]; then
+ # Remove the tmp directory
+ if [ $NOCLEANUP -eq 0 ];then
+- cd /var/lib/logcheck
++ cd /var/db/logcheck
+ debug "cleanup: Removing - $TMPDIR"
+ rm -r $TMPDIR
+ else
@@ -142,14 +130,9 @@
if [ "$2" = "noclean" ]; then
debug "error: Not removing lockfile"
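Review bot: The cleanup block hard-codes `cd /var/db/logcheck` although the same patch sets `STATEDIR="/var/db/logcheck"` in an earlier hunk, so the two can drift apart the next time the state path moves (as it just did from /var/lib). The result of the `cd` is not checked before `rm -r $TMPDIR` runs, and `$TMPDIR` is unquoted in both the `-d` test and the `rm`. I would use `cd "$STATEDIR"` with a checked result and `rm -r -- "$TMPDIR"`, assuming STATEDIR is still set to the intended directory at that point. The quoting lines are upstream context, so that part may belong in an upstream report. The cleanup function starts and ends outside this hunk.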
diff --git a/security/logcheck/files/pkg-deinstall.in b/security/logcheck/files/pkg-deinstall.in
index da113018941a..998bb95121eb 100644
--- a/security/logcheck/files/pkg-deinstall.in
+++ b/security/logcheck/files/pkg-deinstall.in
@@ -1,7 +1,7 @@
#!/bin/sh
-user="logcheck"
-group="logcheck"
+user="%%LOGCHECK_USER%%"
+group="%%LOGCHECK_GROUP%%"
configfiles="logcheck.conf logcheck.logfiles"
case $2 in
diff --git a/security/logcheck/files/pkg-install.in b/security/logcheck/files/pkg-install.in
index 4186b190eb42..b5e5d2005e32 100644
--- a/security/logcheck/files/pkg-install.in
+++ b/security/logcheck/files/pkg-install.in
@@ -1,10 +1,12 @@
#!/bin/sh
-user="logcheck"
-group="logcheck"
+user="%%LOGCHECK_USER%%"
+uid="%%LOGCHECK_UID%%"
+group="%%LOGCHECK_GROUP%%"
+gid="%%LOGCHECK_GID%%"
descr="Logcheck system account"
-homedir="/var/lib/logcheck"
-shell="/usr/bin/false"
+homedir="/var/db/logcheck"
+shell="/usr/local/bin/bash"
configfiles="logcheck.conf logcheck.logfiles"
case $2 in
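Review bot: `shell="/usr/local/bin/bash"` gives the logcheck service account a usable login shell where the previous revision had `/usr/bin/false`, which widens what the account can be used for if it is ever compromised or handed credentials. The run-as-root hint in patch-src__logcheck now uses `su -m logcheck -c …`; on FreeBSD `su -m` runs the caller's shell rather than the target's, and cron by default runs jobs with /bin/sh, so the account may not need a usable shell at all. If that holds after testing, prefer `shell="/usr/sbin/nologin"`. If bash really is required, add a comment next to the assignment saying which invocation depends on it.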
@@ -12,13 +14,13 @@ PRE-INSTALL)
if pw group show ${group} > /dev/null 2>&1; then
echo "---> You already have a group \"${group}\", so I will use it."
else
- pw group add "${group}"
+ pw group add "${group}" -g "${gid}"
echo "---> Created group \"${group}\"."
fi
if pw user show ${user} > /dev/null 2>&1; then
echo "---> You already have a user \"${user}\", so I will use it."
else
- pw user add -n logcheck -c "${descr}" -d "${homedir}" -s "${shell}" -g logcheck -G wheel
+ pw user add -n ${user} -c "${descr}" -d "${homedir}" -s "${shell}" -g ${group} -u "${uid}"
echo "---> Created user \"${user}\"."
fi
;;
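Review bot: The "You already have a user" branch reuses an existing logcheck account unchanged, so a host that installed the previous revision keeps the account's wheel membership and old shell and home unless pkg-deinstall or the UPDATING entry (neither fully visible here) removes it first. Since the wheel membership is the security fix in this commit, that branch should at least check and warn, e.g. `id -Gn "${user}" | grep -qw wheel && echo "---> WARNING: \"${user}\" is still a member of wheel; remove it"`. Separately, the exit status of both `pw … add` calls is ignored, so "Created" is printed even when the fixed uid/gid is already taken; appending `|| exit 1` to each would stop the install there. `${user}` and `${group}` are also left unquoted in the new `pw user add` line.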
@@ -34,8 +36,15 @@ POST-INSTALL)
echo "---> Installed crontab(5) file for user \"${user}\""
fi
else
- /usr/bin/crontab -u "${user}" "%%EXAMPLESDIR%%/crontab.in" || exit 1
- echo "---> Created crontab(5) file for user \"${user}\""
+ if grep -q "are not allowed to use this program" /tmp/logchecktab$$ ; then
+ echo "---> The logcheck user is not allowed to run crontab."
+ echo "---> Please check the contents of /var/cron/allow and /var/cron/deny"
+ echo "---> and grant access, if necessary."
+ exit 1
+ else
+ /usr/bin/crontab -u "${user}" "%%EXAMPLESDIR%%/crontab.in" || exit 1
+ echo "---> Created crontab(5) file for user \"${user}\""
+ fi
fi
rm -f /tmp/logchecktab$$
fi
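Review bot: The new `exit 1` in the "not allowed" branch returns before `rm -f /tmp/logchecktab$$` runs, so the scratch file is left behind on exactly the path this hunk adds (the existing `|| exit 1` has the same effect). The name `/tmp/logchecktab$$` is also predictable and this script runs as root; the line that creates the file is outside the hunk, but if it is a plain redirect this is the classic insecure temporary-file pattern. I would create it with `tmpfile=$(mktemp -t logchecktab) || exit 1` and register `trap 'rm -f "$tmpfile"' EXIT` at the top of the POST-INSTALL branch. Matching the English text "are not allowed to use this program" also ties the check to crontab's message wording, so testing crontab's exit status would be sturdier.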
diff --git a/security/logcheck/files/pkg-message.in b/security/logcheck/files/pkg-message.in
index 2879b0aa129e..91b969820534 100644
--- a/security/logcheck/files/pkg-message.in
+++ b/security/logcheck/files/pkg-message.in
@@ -3,8 +3,8 @@ Please make sure that all files listed in
%%PREFIX%%/etc/logcheck/logcheck.logfiles
-are readable to 'wheel' group (see also /etc/newsyslog.conf), or remove
-them from the aforementioned logcheck configuration file.
+are readable to the '%%LOGCHECK_GROUP%%' group (see also /etc/newsyslog.conf),
+or remove them from the aforementioned logcheck configuration file.
For information on how to write local rulesets see
diff --git a/security/logcheck/pkg-plist b/security/logcheck/pkg-plist
index fe15aa1ec1a6..1cc35e3c53a7 100644
--- a/security/logcheck/pkg-plist
+++ b/security/logcheck/pkg-plist
@@ -182,7 +182,7 @@ sbin/logtail
@dirrm %%ETCDIR%%/ignore.d.paranoid
@dirrm %%ETCDIR%%/cracking.d
@dirrm %%ETCDIR%%
-@exec mkdir -p /var/lib/logcheck
-@unexec rm -rf /var/lib/logcheck 2> /dev/null || true
+@exec mkdir -p /var/db/logcheck
+@dirrmtry /var/db/logcheck
@exec mkdir -p /var/run/logcheck
-@unexec rm -rf /var/run/logcheck 2> /dev/null || true
+@dirrmtry /var/run/logcheck
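Review bot: `@dirrmtry` removes the directories only when they are empty, so any state or lock files logcheck left in /var/db/logcheck or /var/run/logcheck now survive deinstall, which the old `rm -rf` did not allow. If pkg-deinstall removes the logcheck account (not visible in this hunk), those leftovers stay owned by the bare uid/gid 915 and would belong to whichever account is assigned that id next. Either remove the known state files explicitly before the `@dirrmtry` lines, or state in pkg-message that the directories must be cleaned by hand after deinstall.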