aboutsummaryrefslogtreecommitdiffstats
path: root/security/sfs
diff options
context:
space:
mode:
authormdodd <mdodd@FreeBSD.org>2002-07-12 13:31:41 +0800
committermdodd <mdodd@FreeBSD.org>2002-07-12 13:31:41 +0800
commitc0299cd4059095c360c0a9ca189e427e147001d5 (patch)
tree525044d840be040002e493d15c3a88d76128324e /security/sfs
parent5bc095e912132c9c1ae5c295e08186aafd06b9d1 (diff)
downloadfreebsd-ports-gnome-c0299cd4059095c360c0a9ca189e427e147001d5.tar.gz
freebsd-ports-gnome-c0299cd4059095c360c0a9ca189e427e147001d5.tar.zst
freebsd-ports-gnome-c0299cd4059095c360c0a9ca189e427e147001d5.zip
- Update documentation.
- Sanitize install script. - Bump PORTREVISION. Submitted by: MAINTAINER
Diffstat (limited to 'security/sfs')
-rw-r--r--security/sfs/Makefile9
-rw-r--r--security/sfs/files/etc-sfsrwsd_config.sample27
-rw-r--r--security/sfs/files/share-doc-README195
-rw-r--r--security/sfs/files/share-doc-README.config64
-rw-r--r--security/sfs/files/share-doc-WELCOME23
-rw-r--r--security/sfs/pkg-comment2
-rw-r--r--security/sfs/pkg-deinstall9
-rw-r--r--security/sfs/pkg-descr20
-rw-r--r--security/sfs/pkg-install53
-rw-r--r--security/sfs/pkg-plist3
10 files changed, 294 insertions, 111 deletions
diff --git a/security/sfs/Makefile b/security/sfs/Makefile
index 6912dd4a81a5..79bc65b8ed78 100644
--- a/security/sfs/Makefile
+++ b/security/sfs/Makefile
@@ -1,5 +1,5 @@
# Ports collection makefile for: sfs
-# Date created: Thu Jul 4 2002
+# Date created: 2002-07-11
# Whom: Michael Handler <handler@grendel.net>
# Matthew Dodd <winter@jurai.net>
#
@@ -8,7 +8,7 @@
PORTNAME= sfs
PORTVERSION= 0.6
-PORTREVISION= 0
+PORTREVISION= 1
CATEGORIES= security net
MASTER_SITES= http://www.fs.net/sfs/new-york.lcs.mit.edu:85xq6pznt4mgfvj4mb23x6b8adak55ue/pub/sfswww/dist/
@@ -65,8 +65,9 @@ post-install:
${MKDIR} ${PREFIX}/etc/sfs
${INSTALL_DATA} ${FILESDIR}/etc-sfsrwsd_config.sample ${PREFIX}/etc/sfs/sfsrwsd_config.sample
${MKDIR} ${PREFIX}/share/doc/sfs
- ${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/sfs/
- ${INSTALL_DATA} ${FILESDIR}/share-doc-README.config ${PREFIX}/share/doc/sfs/README.config
+ ${INSTALL_DATA} ${FILESDIR}/share-doc-WELCOME ${PREFIX}/share/doc/sfs/WELCOME
+ ${INSTALL_DATA} ${FILESDIR}/share-doc-README ${PREFIX}/share/doc/sfs/README
+ ${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/sfs/README.packageblurb
PKG_PREFIX=${PREFIX} ${SH} pkg-install ${PKGNAME} POST-INSTALL
.include <bsd.port.post.mk>
diff --git a/security/sfs/files/etc-sfsrwsd_config.sample b/security/sfs/files/etc-sfsrwsd_config.sample
index d60f032a305d..25845949cb34 100644
--- a/security/sfs/files/etc-sfsrwsd_config.sample
+++ b/security/sfs/files/etc-sfsrwsd_config.sample
@@ -1,25 +1,8 @@
-# To set up your own SFS server, copy this file (sfsrwsd_config.sample)
-# to sfsrwsd_config, and add any necessary lines. For most installations,
-# you only need to add Export lines for any directories you want to
-# export; the hostname should be picked up automatically from your
-# system unless you're doing something complex, and the keyfile path is
-# already set correctly from the port.
+# To configure sfsrwsd (part of the SFS server subsystem), copy this file
+# (sfsrwsd_config.sample) to sfsrwsd_config and edit as necessary.
#
-# N.B.: any directories exported in an Export statement must also be
-# exported to localhost via NFS, and must follow all NFS export rules,
-# i.e. no symlinks in the exported directory pathname, the exported
-# path must be absolute to the physical mount point. If you want to
-# export /usr/ports via SFS, and /usr/ports is really a symlink to
-# /vol/h0/ports, you have to use:
-#
-# Export /vol/h0/ports /ports
-#
-# not:
-#
-# Export /usr/ports /ports
-#
-# And then /vol/h0/ports must be added to /etc/export, rather than
-# /usr/ports.
+# Normally, it should not be necessary for you to specify Hostname
+# or Keyfile options, only Export statements.
#
# Configuration reference:
#
@@ -39,7 +22,7 @@
# to an export directive gives anonymous users read-only access to
# the file system (under user ID -2 and group ID -2). Appending W
# gives anonymous users both read and write access. See Quick server
-# setup, for an example of the Export directive. There is almost no
+# setup, for an example of the Export directive. There is almost no
# reason to use the W flag. The R flag lets anyone on the Internet
# issue NFS calls to your kernel as user -2. SFS filters these calls;
# it makes sure that they operate on files covered by the export
diff --git a/security/sfs/files/share-doc-README b/security/sfs/files/share-doc-README
new file mode 100644
index 000000000000..0feff27b0f75
--- /dev/null
+++ b/security/sfs/files/share-doc-README
@@ -0,0 +1,195 @@
+*** Notes on SFS configuration:
+
+SFS is a complex system to configure, and cannot be adequately
+described in these limited files. It is strongly suggested that you
+read the SFS documentation on <URL://www.fs.net/> before configuring
+any of the various programs. A limited roadmap is provided for
+reference here, but that is no substitute for a reading of the full
+documentation. GNU info documentation ("info sfs") and manual pages
+are installed as well.
+
+The various programs in the SFS package are configured via files
+in two directories: /usr/local/share/sfs/ (henceforth "share/sfs")
+and /usr/local/etc/sfs (henceforth "etc/sfs"). The port installs
+various configuration files into share/sfs directly from the
+compilation of the SFS package. These files should never be edited
+directly; they can be overridden by the creation of new files in
+etc/sfs, as detailed below.
+
+*** IMPORTANT SECURITY NOTE:
+
+SFS operates by interfacing with NFS processes on localhost
+(127.0.0.1). While every effort is taken to insure security, NFS
+is a large subsystem with a long history of security problems.
+Utilizing SFS thus may expose you to NFS-related problems and
+attacks. It is strongly suggested that you read and ponder the
+security considerations section of the SFS documentation before
+setting up an SFS client or server. Additionally, it is STRONGLY
+suggested that you set up a software firewall on any SFS client or
+server machine to block unauthorized traffic to NFS-related programs
+from other machines to the non-localhost IP addresses of your
+machine. Discussions of how best to do this are outside the scope
+of this document; consult your local guru, users group, mailing
+list, or search engine.
+
+*** Starting the SFS daemons (client and server):
+
+There are sample startup files for sfscd and sfssd in /usr/local/etc/rc.d,
+under the name sfscd.sh.sample and sfssd.sh.sample respectively.
+These startup files are not enabled by default. Copy the files to
+sfscd.sh or sfssd.sh to enable sfscd or sfssd (respectively) on
+system boot.
+
+sfscd and sfssd also run nicely under Daniel Bernstein's daemontools
+package (/usr/ports/sysutils/daemontools or
+<URL:http://cr.yp.to/daemontools.html>); the -d flag makes the main
+process stay in the foreground, and sends logs to stderr for easy
+processing by multilog.
+
+*** Setting up an SFS client
+
+1) Set up sfscd to start on boot, via /usr/local/etc/rc.d/sfscd.sh or
+ some other method of your preference.
+
+2) Put the following line into /etc/rc.conf:
+
+nfs_client_enable="YES"
+
+3) Set up a firewall to prevent NFS traffic from outside the machine from
+ contacting your NFS processes.
+
+4) Reboot. You should now have a working SFS client, which you can test
+ via the following command:
+
+$ cat /sfs/sfs.fs.net:eu4cvv6wcnzscer98yn4qjpjnn9iv6pi/CONGRATULATIONS
+You have set up a working SFS client.
+
+*** Setting up an SFS server
+
+(You do not need to set up an SFS host key on the server machine;
+the port installation does this for you in
+/usr/local/etc/sfs/sfs_host_key.)
+
+1) Set up sfssd to start on boot, via /usr/local/etc/rc.d/sfssd.sh or
+ some other method of your preference.
+
+2) Put the following lines into /etc/rc.conf:
+
+mountd_flags=""
+nfs_reserved_port_only="YES"
+nfs_server_enable="YES"
+portmap_enable="YES"
+
+ If the following line occurs in /etc/rc.conf, remove it:
+
+weak_mountd_authentication="YES"
+
+3) Set up a firewall to prevent NFS traffic from outside the machine from
+ contacting your NFS processes.
+
+4) Create a suitable /usr/local/etc/sfs/sfsrwsd_config file, e.g.:
+
+Export /root/sfsroot / R
+Export /usr/src /src R
+Export /usr/ports /ports R
+Export /local/baz /local/baz
+
+5) Add any local filesystems that are being exported to /etc/exports, and
+ export them to localhost, e.g.:
+
+/root/sfsroot 127.0.0.1
+/usr/src /usr/ports 127.0.0.1
+/local/baz 127.0.0.1
+
+ NOTA BENE: any directories exported via SFS must follow all NFS
+ export rules, i.e. no symlinks in the exported directory pathname,
+ the exported path must be absolute to the physical mount point. If
+ you want to export /usr/ports via SFS, and /usr/ports is really a
+ symlink to /vol/h0/ports, you have to use:
+
+Export /vol/h0/ports /ports
+
+ not:
+
+Export /usr/ports /ports
+
+ Similarly, /etc/exports must reference /vol/h0/ports rather than
+ /usr/ports.
+
+6) Make an empty directory structure mirroring your SFS namespace, e.g.:
+
+# mkdir /root/sfsroot
+# mkdir /root/sfsroot/src
+# mkdir /root/sfsroot/ports
+# mkdir /root/sfsroot/local
+# mkdir /root/sfsroot/local/baz
+
+7) Reboot. You should now have a working SFS server. sfssd will emit a
+ message into /var/log/messages like the following:
+
+sfsrwsd: serving <hostname>:<SFS key>
+
+ From a DIFFERENT machine with an SFS client already installed
+ and running, attempt to access /sfs/<hostname>:<SFS key>. Note
+ that the SFS client machine will have to be able to connect to
+ TCP port 4 on the SFS server machine. Note also that you must
+ test your SFS server from a separate SFS client machine to avoid
+ deadlock issues; see the SFS documentation for more details.
+
+ If your server setup has been successful, the client machine
+ should be able to see src, ports, and local/baz in the root
+ directory of the SFS mount.
+
+8) Consider using your machine's firewall to restrict who has access
+ to your SFS server by restricting access to TCP port 4.
+
+Advanced SFS server configurations, such as user authentication,
+is outside the scope of this document. Read the full SFS documentation
+for details.
+
+*** SFS configuration files:
+
+[ The following section is taken nearly verbatim from
+<URL:http://www.fs.net/sfs/new-york.lcs.mit.edu:85xq6pznt4mgfvj4mb23x6b8adak55ue/pub/sfswww/sfs.html#SFS%20configuration>. ]
+
+SFS comprises a number of programs, many of which have configuration
+files. All programs look for configuration files in two directories--first
+/usr/local/etc/sfs, then, if they don't find the file there, in
+/usr/local/share/sfs.
+
+This port installs reasonable defaults in /usr/local/share/sfs
+for all configuration files except sfsrwsd_config. On particular
+hosts where you wish to change the default behavior, you can override
+the default configuration file by creating a new file of the same
+name in /usr/local/etc/sfs.
+
+The sfs_config file contains system-wide configuration parameters
+for most of the programs comprising SFS. Note that
+/usr/local/share/sfs/sfs_config is always parsed, even if
+/usr/local/etc/sfs/sfs_config exists. Options in
+/usr/local/etc/sfs/sfs_config simply override the defaults in
+/usr/local/share/sfs/sfs_config. For the other configuration files,
+a file in /usr/local/etc/sfs/ entirely overrides the version in
+/usr/local/share/sfs/.
+
+If you are running a server, you will need to create an sfsrwsd_config
+file to tell SFS what directories to export, and possibly an
+sfsauthd_config if you wish to share the database of user public
+keys across several file servers.
+
+The sfssd_config file contains information about which protocols
+and services to route to which daemons on an SFS server, including
+support for backwards compatibility across several versions of SFS.
+You probably don't need to change this file.
+
+sfs_srp_params contains some cryptographic parameters for retrieving
+keys securely over the network with a passphrase (as with the sfskey
+add usr@server command).
+
+sfscd_config contains information about extensions to the SFS
+protocol and which kinds of file servers to route to which daemons.
+You almost certainly should not touch this file unless you are
+developing new versions of the SFS software.
+
+Note that configuration command names are case-insensitive in all
+configuration files (though the arguments are not).
diff --git a/security/sfs/files/share-doc-README.config b/security/sfs/files/share-doc-README.config
deleted file mode 100644
index 4114ccde6bb8..000000000000
--- a/security/sfs/files/share-doc-README.config
+++ /dev/null
@@ -1,64 +0,0 @@
-Notes on SFS configuration:
-
-SFS is a complex system to configure, and cannot be adequately
-described in these limited files. It is strongly suggested that you
-read the SFS documentation on <URL://www.fs.net/> before configuring
-any of the various programs. A limited roadmap is provided for
-reference here, but that is no substitute for a reading of the full
-documentation. Also see /usr/local/share/sfs/doc/README and the
-manual page for sfsrwsd_config(5).
-
-The various programs in the SFS package are configured via files
-in two directories: /usr/local/share/sfs/ (henceforth "share/sfs")
-and /usr/local/etc/sfs (henceforth "etc/sfs"). The port installs
-various configuration files into share/sfs directly from the
-compilation of the SFS package. These files should never be edited
-directly; they can be overridden by the creation of new files in
-etc/sfs, as detailed below.
-
-[ The following section is taken nearly verbatim from
-<URL:http://www.fs.net/sfs/new-york.lcs.mit.edu:85xq6pznt4mgfvj4mb23x6b8adak55ue/pub/sfswww/sfs.html#SFS%20configuration>. ]
-
-SFS configuration files:
-
-SFS comprises a number of programs, many of which have configuration
-files. All programs look for configuration files in two directories--first
-/usr/local/etc/sfs, then, if they don't find the file there, in
-/usr/local/share/sfs.
-
-This port installs reasonable defaults in /usr/local/share/sfs
-for all configuration files except sfsrwsd_config. On particular
-hosts where you wish to change the default behavior, you can override
-the default configuration file by creating a new file of the same
-name in /usr/local/etc/sfs.
-
-The sfs_config file contains system-wide configuration parameters
-for most of the programs comprising SFS. Note that
-/usr/local/share/sfs/sfs_config is always parsed, even if
-/usr/local/etc/sfs/sfs_config exists. Options in
-/usr/local/etc/sfs/sfs_config simply override the defaults in
-/usr/local/share/sfs/sfs_config. For the other configuration files,
-a file in /usr/local/etc/sfs/ entirely overrides the version in
-/usr/local/share/sfs/.
-
-If you are running a server, you will need to create an sfsrwsd_config
-file to tell SFS what directories to export, and possibly an
-sfsauthd_config if you wish to share the database of user public
-keys across several file servers.
-
-The sfssd_config file contains information about which protocols
-and services to route to which daemons on an SFS server, including
-support for backwards compatibility across several versions of SFS.
-You probably don't need to change this file.
-
-sfs_srp_params contains some cryptographic parameters for retrieving
-keys securely over the network with a passphrase (as with the sfskey
-add usr@server command).
-
-sfscd_config contains information about extensions to the SFS
-protocol and which kinds of file servers to route to which daemons.
-You almost certainly should not touch this file unless you are
-developing new versions of the SFS software.
-
-Note that configuration command names are case-insensitive in all
-configuration files (though the arguments are not).
diff --git a/security/sfs/files/share-doc-WELCOME b/security/sfs/files/share-doc-WELCOME
new file mode 100644
index 000000000000..dda96686d6bb
--- /dev/null
+++ b/security/sfs/files/share-doc-WELCOME
@@ -0,0 +1,23 @@
+SFS is now installed. To test your installation, try this (as root):
+
+# /usr/local/sbin/sfscd
+# cat /sfs/sfs.fs.net:eu4cvv6wcnzscer98yn4qjpjnn9iv6pi/CONGRATULATIONS
+
+If it worked, you will see:
+
+You have set up a working SFS client.
+
+Afterwards, kill sfscd:
+
+# kill -TERM `cat /var/run/sfscd.pid`
+
+SFS is a complex and potentially security-affecting set of programs,
+and if you wish to do more with it, e.g. setting up an SFS server
+of your own, it is strongly recommended that you read the documentation
+fully before proceeding. Start with the documentation link on
+<URL:http://www.fs.net>, and see any supplemental documentation in
+/usr/local/share/doc/sfs/.
+
+There are sample startup files for sfscd and sfssd in /usr/local/etc/rc.d,
+under the name sfscd.sh.sample and sfssd.sh.sample respectively.
+These startup files are not enabled by default.
diff --git a/security/sfs/pkg-comment b/security/sfs/pkg-comment
index 2c8b2b9c5f06..4215eff0beef 100644
--- a/security/sfs/pkg-comment
+++ b/security/sfs/pkg-comment
@@ -1 +1 @@
-A secure global network file system. (Self-certifying File System)
+Self-Certifying File System: A secure global network file system.
diff --git a/security/sfs/pkg-deinstall b/security/sfs/pkg-deinstall
index cf61b7097f18..0f4324c2ca45 100644
--- a/security/sfs/pkg-deinstall
+++ b/security/sfs/pkg-deinstall
@@ -1,19 +1,24 @@
#!/bin/sh
+if [ -n "${PACKAGE_BUILDING}" ]; then
+ exit 0
+fi
+
if [ "$2" != "POST-DEINSTALL" ]; then
exit 0
fi
USER=sfs
GROUP=sfs
+PW=/usr/sbin/pw
SFSDIR=/var/spool/sfs
-if pw groupshow "${GROUP}" >/dev/null 2>&1; then
+if ${PW} groupshow "${GROUP}" >/dev/null 2>&1; then
echo "If you're done with SFS permanently, delete the sfs group manually: pw groupdel ${GROUP}" | fmt
fi
-if pw usershow "${USER}" >/dev/null 2>&1; then
+if ${PW} usershow "${USER}" >/dev/null 2>&1; then
echo
echo "If you're done with SFS permanently, delete the sfs user manually: pw userdel ${USER}" | fmt
fi
diff --git a/security/sfs/pkg-descr b/security/sfs/pkg-descr
index 90f77a967a0d..931d73043207 100644
--- a/security/sfs/pkg-descr
+++ b/security/sfs/pkg-descr
@@ -1,12 +1,18 @@
WWW: http://www.fs.net/
-SFS (Self-certifying File System) is a secure, global network file
-system. SFS names file systems by public keys. Every remote file
-server is mounted on a self-certifying pathname--a directory of the
-form /sfs/LOCATION:HOSTID, where LOCATION is a DNS hostname and
-HOSTID is a cryptographic hash of a public key. This naming scheme
-allows for completely decentralized control--anyone can create a
-file server, and any user can access any file server from any client.
+SFS (Self-Certifying File System) is a secure, global file system
+with completely decentralized control. SFS lets you access your
+files from anywhere and share them with anyone, anywhere. Anyone
+can set up an SFS server, and any user can access any server from
+any client. SFS lets you share files across administrative realms
+without involving administrators or certification authorities.
+
+SFS names file systems by public keys. Every remote file server is
+mounted on a self-certifying pathname -- a directory of the form
+/sfs/LOCATION:HOSTID, where LOCATION is a DNS hostname and HOSTID
+is a cryptographic hash of a public key. This naming scheme allows
+for completely decentralized control -- anyone can create a file
+server, and any user can access any file server from any client.
Various key management schemes can be built on top of SFS using
symbolic links to map human-readable names to self-certifying
pathnames.
diff --git a/security/sfs/pkg-install b/security/sfs/pkg-install
index 468cdef3e4cc..631e08839f20 100644
--- a/security/sfs/pkg-install
+++ b/security/sfs/pkg-install
@@ -1,5 +1,9 @@
#!/bin/sh
+if [ -n "${PACKAGE_BUILDING}" ]; then
+ exit 0
+fi
+
if [ "$2" != "POST-INSTALL" ]; then
exit 0
fi
@@ -8,23 +12,36 @@ KEYFILE="$PKG_PREFIX/etc/sfs/sfs_host_key"
USER=sfs
GROUP=sfs
+UID=71
+GID=71
+PW=/usr/sbin/pw
SFSDIR=/var/spool/sfs
echo -n "Checking for group '$GROUP'... "
-if ! pw groupshow $GROUP >/dev/null 2>&1; then
- echo "doesn't exist, adding."
- pw groupadd $GROUP -g 71
+if ! ${PW} groupshow $GROUP >/dev/null 2>&1; then
+ echo -n "doesn't exist, adding... "
+ if ${PW} groupadd $GROUP -g ${GID}; then
+ echo "success."
+ else
+ echo "FAILED!"
+ exit 1
+ fi
else
echo "exists."
fi
echo -n "Checking for user '$USER'... "
-if ! pw usershow $USER >/dev/null 2>&1; then
- echo "doesn't exist, adding."
- pw useradd $USER -u 71 -c 'Self-Certifying File System' -d /nonexistent -g $GROUP -s /sbin/nologin -h -
+if ! ${PW} usershow $USER >/dev/null 2>&1; then
+ echo -n "doesn't exist, adding... "
+ if ${PW} useradd $USER -u ${UID} -c 'Self-Certifying File System' -d /nonexistent -g $GROUP -s /sbin/nologin -h -; then
+ echo "success."
+ else
+ echo "FAILED!"
+ exit 1
+ fi
else
echo "exists."
fi
@@ -34,12 +51,24 @@ echo -n "Checking for SFS directory ($SFSDIR)... "
if [ -d "$SFSDIR" ]; then
echo "already exists."
else
- echo "creating."
- mkdir $SFSDIR
+ echo -n "creating... "
+ if mkdir $SFSDIR; then
+ echo "success."
+ else
+ echo "FAILED!"
+ exit 1
+ fi
+fi
+
+if ! chmod 750 $SFSDIR; then
+ echo "chmod 750 $SFSDIR FAILED!"
+ exit 1
fi
-chmod 750 $SFSDIR
-chown $USER:$GROUP $SFSDIR
+if ! chown $USER:$GROUP $SFSDIR; then
+ echo "chown $USER:$GROUP $SFSDIR FAILED!"
+ exit 1
+fi
echo -n "Checking for SFS host key ($KEYFILE)... "
@@ -57,3 +86,7 @@ else
kill -TERM `cat /var/run/sfscd.pid`
echo "done."
fi
+
+cat $PKG_PREFIX/share/doc/sfs/WELCOME
+
+exit 0
diff --git a/security/sfs/pkg-plist b/security/sfs/pkg-plist
index 7ef59ff7a53e..e054bbaf0a7f 100644
--- a/security/sfs/pkg-plist
+++ b/security/sfs/pkg-plist
@@ -162,8 +162,9 @@ lib/sfs-0.6/xfer
sbin/funmount
sbin/sfscd
sbin/sfssd
+share/doc/sfs/WELCOME
share/doc/sfs/README
-share/doc/sfs/README.config
+share/doc/sfs/README.packageblurb
@dirrm share/doc/sfs
share/sfs/sfs_config
share/sfs/sfs_srp_parms