diff options
author | sergei <sergei@FreeBSD.org> | 2004-03-17 15:06:46 +0800 |
---|---|---|
committer | sergei <sergei@FreeBSD.org> | 2004-03-17 15:06:46 +0800 |
commit | 570831be33f695ee49bdc697d69026e99429a713 (patch) | |
tree | 8e96b083ea5ade328bc3777942f4e12a1352f1fb /www/squid27/files | |
parent | 337cf650753876eb7866d3f4e277cb35c42df8ae (diff) | |
download | freebsd-ports-gnome-570831be33f695ee49bdc697d69026e99429a713.tar.gz freebsd-ports-gnome-570831be33f695ee49bdc697d69026e99429a713.tar.zst freebsd-ports-gnome-570831be33f695ee49bdc697d69026e99429a713.zip |
- update to squid-2.5.STABLE5, including two vendor patches issued so far
- provide more OPTIONS, including (untested) support for pf(4)
- integrate the follow-XFF-patch from devel.squid-cache.org (submitted by
Michael Ranner), this should improve interaction with dansguardian
- use id 100 for the squid pseudo user instead of choosing the first free
id greater than 3127, a behaviour introduced with PORTVERSION 2.5.4_6.
Provide a 'changeuser' target to make migration from a high id to id 100
possible (requested by Kris Kennaway)
- don't let the port CONFLICT with itself (criticized by Oliver Eikemeier)
- provide rcNG support in squid.sh only on systems with /etc/rc.subr
PR: ports/64061
Submitted by: Thomas-Martin Seck (maintainer)
Diffstat (limited to 'www/squid27/files')
-rw-r--r-- | www/squid27/files/follow_xff-2.5.patch | 412 | ||||
-rw-r--r-- | www/squid27/files/follow_xff-configure.patch | 52 | ||||
-rw-r--r-- | www/squid27/files/patch-configure | 11 | ||||
-rw-r--r-- | www/squid27/files/patch-helpers-basic_auth-SMB-smb_auth.sh | 13 | ||||
-rw-r--r-- | www/squid27/files/squid.sh | 24 |
5 files changed, 497 insertions, 15 deletions
diff --git a/www/squid27/files/follow_xff-2.5.patch b/www/squid27/files/follow_xff-2.5.patch new file mode 100644 index 000000000000..6f062e5c3317 --- /dev/null +++ b/www/squid27/files/follow_xff-2.5.patch @@ -0,0 +1,412 @@ +! This is a reduced part of the original follow-XFF patchset from +! devel.squid-cache.org for use with the FreeBSD squid-2.5 port. +Index: src/acl.c +--- src/acl.c 13 May 2003 02:14:12 -0000 1.43.2.16 ++++ src/acl.c 23 Nov 2003 14:20:12 -0000 +@@ -2001,6 +2001,11 @@ + cbdataLock(A); + if (request != NULL) { + checklist->request = requestLink(request); ++#if FOLLOW_X_FORWARDED_FOR ++ if (Config.onoff.acl_uses_indirect_client) { ++ checklist->src_addr = request->indirect_client_addr; ++ } else ++#endif /* FOLLOW_X_FORWARDED_FOR */ + checklist->src_addr = request->client_addr; + checklist->my_addr = request->my_addr; + checklist->my_port = request->my_port; +Index: src/cf.data.pre +--- src/cf.data.pre 7 Nov 2003 03:14:30 -0000 1.49.2.46 ++++ src/cf.data.pre 23 Nov 2003 14:20:17 -0000 +@@ -2065,6 +2065,92 @@ + NOCOMMENT_END + DOC_END + ++NAME: follow_x_forwarded_for ++TYPE: acl_access ++IFDEF: FOLLOW_X_FORWARDED_FOR ++LOC: Config.accessList.followXFF ++DEFAULT: none ++DEFAULT_IF_NONE: deny all ++DOC_START ++ Allowing or Denying the X-Forwarded-For header to be followed to ++ find the original source of a request. ++ ++ Requests may pass through a chain of several other proxies ++ before reaching us. The X-Forwarded-For header will contain a ++ comma-separated list of the IP addresses in the chain, with the ++ rightmost address being the most recent. ++ ++ If a request reaches us from a source that is allowed by this ++ configuration item, then we consult the X-Forwarded-For header ++ to see where that host received the request from. If the ++ X-Forwarded-For header contains multiple addresses, and if ++ acl_uses_indirect_client is on, then we continue backtracking ++ until we reach an address for which we are not allowed to ++ follow the X-Forwarded-For header, or until we reach the first ++ address in the list. (If acl_uses_indirect_client is off, then ++ it's impossible to backtrack through more than one level of ++ X-Forwarded-For addresses.) ++ ++ The end result of this process is an IP address that we will ++ refer to as the indirect client address. This address may ++ be treated as the client address for access control, delay ++ pools and logging, depending on the acl_uses_indirect_client, ++ delay_pool_uses_indirect_client and log_uses_indirect_client ++ options. ++ ++ SECURITY CONSIDERATIONS: ++ ++ Any host for which we follow the X-Forwarded-For header ++ can place incorrect information in the header, and Squid ++ will use the incorrect information as if it were the ++ source address of the request. This may enable remote ++ hosts to bypass any access control restrictions that are ++ based on the client's source addresses. ++ ++ For example: ++ ++ acl localhost src 127.0.0.1 ++ acl my_other_proxy srcdomain .proxy.example.com ++ follow_x_forwarded_for allow localhost ++ follow_x_forwarded_for allow my_other_proxy ++DOC_END ++ ++NAME: acl_uses_indirect_client ++COMMENT: on|off ++TYPE: onoff ++IFDEF: FOLLOW_X_FORWARDED_FOR ++DEFAULT: on ++LOC: Config.onoff.acl_uses_indirect_client ++DOC_START ++ Controls whether the indirect client address ++ (see follow_x_forwarded_for) is used instead of the ++ direct client address in acl matching. ++DOC_END ++ ++NAME: delay_pool_uses_indirect_client ++COMMENT: on|off ++TYPE: onoff ++IFDEF: FOLLOW_X_FORWARDED_FOR && DELAY_POOLS ++DEFAULT: on ++LOC: Config.onoff.delay_pool_uses_indirect_client ++DOC_START ++ Controls whether the indirect client address ++ (see follow_x_forwarded_for) is used instead of the ++ direct client address in delay pools. ++DOC_END ++ ++NAME: log_uses_indirect_client ++COMMENT: on|off ++TYPE: onoff ++IFDEF: FOLLOW_X_FORWARDED_FOR ++DEFAULT: on ++LOC: Config.onoff.log_uses_indirect_client ++DOC_START ++ Controls whether the indirect client address ++ (see follow_x_forwarded_for) is used instead of the ++ direct client address in the access log. ++DOC_END ++ + NAME: http_access + TYPE: acl_access + LOC: Config.accessList.http +Index: src/client_side.c +--- src/client_side.c 2 Sep 2003 02:13:45 -0000 1.47.2.39 ++++ src/client_side.c 23 Nov 2003 14:20:22 -0000 +@@ -109,6 +109,11 @@ + #if USE_IDENT + static IDCB clientIdentDone; + #endif ++#if FOLLOW_X_FORWARDED_FOR ++static void clientFollowXForwardedForStart(void *data); ++static void clientFollowXForwardedForNext(void *data); ++static void clientFollowXForwardedForDone(int answer, void *data); ++#endif /* FOLLOW_X_FORWARDED_FOR */ + static int clientOnlyIfCached(clientHttpRequest * http); + static STCB clientSendMoreData; + static STCB clientCacheHit; +@@ -177,10 +182,179 @@ + return ch; + } + ++#if FOLLOW_X_FORWARDED_FOR ++/* ++ * clientFollowXForwardedForStart() copies the X-Forwarded-For ++ * header into x_forwarded_for_iterator and passes control to ++ * clientFollowXForwardedForNext(). ++ * ++ * clientFollowXForwardedForNext() checks the indirect_client_addr ++ * against the followXFF ACL and passes the result to ++ * clientFollowXForwardedForDone(). ++ * ++ * clientFollowXForwardedForDone() either grabs the next address ++ * from the tail of x_forwarded_for_iterator and loops back to ++ * clientFollowXForwardedForNext(), or cleans up and passes control to ++ * clientAccessCheck(). ++ */ ++ ++static void ++clientFollowXForwardedForStart(void *data) ++{ ++ clientHttpRequest *http = data; ++ request_t *request = http->request; ++ if (Config.accessList.followXFF ++ && httpHeaderHas(&request->header, HDR_X_FORWARDED_FOR)) ++ { ++ request->x_forwarded_for_iterator = httpHeaderGetList( ++ &request->header, HDR_X_FORWARDED_FOR); ++ debug(33, 5) ("clientFollowXForwardedForStart: indirect_client_addr=%s XFF='%s'\n", ++ inet_ntoa(request->indirect_client_addr), ++ strBuf(request->x_forwarded_for_iterator)); ++ clientFollowXForwardedForNext(http); ++ } else { ++ /* not configured to follow X-Forwarded-For, or nothing to follow */ ++ debug(33, 5) ("clientFollowXForwardedForStart: nothing to do\n"); ++ clientFollowXForwardedForDone(-1, http); ++ } ++} ++ ++static void ++clientFollowXForwardedForNext(void *data) ++{ ++ clientHttpRequest *http = data; ++ request_t *request = http->request; ++ debug(33, 5) ("clientFollowXForwardedForNext: indirect_client_addr=%s XFF='%s'\n", ++ inet_ntoa(request->indirect_client_addr), ++ strBuf(request->x_forwarded_for_iterator)); ++ if (strLen(request->x_forwarded_for_iterator) != 0) { ++ /* check the acl to see whether to believe the X-Forwarded-For header */ ++ http->acl_checklist = clientAclChecklistCreate( ++ Config.accessList.followXFF, http); ++ aclNBCheck(http->acl_checklist, clientFollowXForwardedForDone, http); ++ } else { ++ /* nothing left to follow */ ++ debug(33, 5) ("clientFollowXForwardedForNext: nothing more to do\n"); ++ clientFollowXForwardedForDone(-1, http); ++ } ++} ++ ++static void ++clientFollowXForwardedForDone(int answer, void *data) ++{ ++ clientHttpRequest *http = data; ++ request_t *request = http->request; ++ /* ++ * answer should be be ACCESS_ALLOWED or ACCESS_DENIED if we are ++ * called as a result of ACL checks, or -1 if we are called when ++ * there's nothing left to do. ++ */ ++ if (answer == ACCESS_ALLOWED) { ++ /* ++ * The IP address currently in request->indirect_client_addr ++ * is trusted to use X-Forwarded-For. Remove the last ++ * comma-delimited element from x_forwarded_for_iterator and use ++ * it to to replace indirect_client_addr, then repeat the cycle. ++ */ ++ const char *p; ++ const char *asciiaddr; ++ int l; ++ struct in_addr addr; ++ debug(33, 5) ("clientFollowXForwardedForDone: indirect_client_addr=%s is trusted\n", ++ inet_ntoa(request->indirect_client_addr)); ++ p = strBuf(request->x_forwarded_for_iterator); ++ l = strLen(request->x_forwarded_for_iterator); ++ ++ /* ++ * XXX x_forwarded_for_iterator should really be a list of ++ * IP addresses, but it's a String instead. We have to ++ * walk backwards through the String, biting off the last ++ * comma-delimited part each time. As long as the data is in ++ * a String, we should probably implement and use a variant of ++ * strListGetItem() that walks backwards instead of forwards ++ * through a comma-separated list. But we don't even do that; ++ * we just do the work in-line here. ++ */ ++ /* skip trailing space and commas */ ++ while (l > 0 && (p[l-1] == ',' || xisspace(p[l-1]))) ++ l--; ++ strCut(request->x_forwarded_for_iterator, l); ++ /* look for start of last item in list */ ++ while (l > 0 && ! (p[l-1] == ',' || xisspace(p[l-1]))) ++ l--; ++ asciiaddr = p+l; ++ if (inet_aton(asciiaddr, &addr) == 0) { ++ /* the address is not well formed; do not use it */ ++ debug(33, 3) ("clientFollowXForwardedForDone: malformed address '%s'\n", ++ asciiaddr); ++ goto done; ++ } ++ debug(33, 3) ("clientFollowXForwardedForDone: changing indirect_client_addr from %s to '%s'\n", ++ inet_ntoa(request->indirect_client_addr), ++ asciiaddr); ++ request->indirect_client_addr = addr; ++ strCut(request->x_forwarded_for_iterator, l); ++ if (! Config.onoff.acl_uses_indirect_client) { ++ /* ++ * If acl_uses_indirect_client is off, then it's impossible ++ * to follow more than one level of X-Forwarded-For. ++ */ ++ goto done; ++ } ++ clientFollowXForwardedForNext(http); ++ return; ++ } else if (answer == ACCESS_DENIED) { ++ debug(33, 5) ("clientFollowXForwardedForDone: indirect_client_addr=%s not trusted\n", ++ inet_ntoa(request->indirect_client_addr)); ++ } else { ++ debug(33, 5) ("clientFollowXForwardedForDone: indirect_client_addr=%s nothing more to do\n", ++ inet_ntoa(request->indirect_client_addr)); ++ } ++done: ++ /* clean up, and pass control to clientAccessCheck */ ++ debug(33, 6) ("clientFollowXForwardedForDone: cleanup\n"); ++ if (Config.onoff.log_uses_indirect_client) { ++ /* ++ * Ensure that the access log shows the indirect client ++ * instead of the direct client. ++ */ ++ ConnStateData *conn = http->conn; ++ conn->log_addr = request->indirect_client_addr; ++ conn->log_addr.s_addr &= Config.Addrs.client_netmask.s_addr; ++ debug(33, 3) ("clientFollowXForwardedForDone: setting log_addr=%s\n", ++ inet_ntoa(conn->log_addr)); ++ } ++ stringClean(&request->x_forwarded_for_iterator); ++ request->flags.done_follow_x_forwarded_for = 1; ++ http->acl_checklist = NULL; /* XXX do we need to aclChecklistFree() ? */ ++ clientAccessCheck(http); ++} ++#endif /* FOLLOW_X_FORWARDED_FOR */ ++ + void + clientAccessCheck(void *data) + { + clientHttpRequest *http = data; ++#if FOLLOW_X_FORWARDED_FOR ++ if (! http->request->flags.done_follow_x_forwarded_for ++ && httpHeaderHas(&http->request->header, HDR_X_FORWARDED_FOR)) ++ { ++ /* ++ * There's an X-ForwardedFor header and we haven't yet tried ++ * to follow it to find the indirect_client_addr. Follow it now. ++ * clientFollowXForwardedForDone() will eventually pass control ++ * back to us. ++ * ++ * XXX perhaps our caller should have called ++ * clientFollowXForwardedForStart instead. Then we wouldn't ++ * need to do this little dance transferring control over ++ * there and then back here, and we wouldn't need the ++ * done_follow_x_forwarded_for flag. ++ */ ++ clientFollowXForwardedForStart(data); ++ return; ++ } ++#endif /* FOLLOW_X_FORWARDED_FOR */ + if (checkAccelOnly(http)) { + /* deny proxy requests in accel_only mode */ + debug(33, 1) ("clientAccessCheck: proxy request denied in accel_only mode\n"); +@@ -325,6 +499,9 @@ + new_request->http_ver = old_request->http_ver; + httpHeaderAppend(&new_request->header, &old_request->header); + new_request->client_addr = old_request->client_addr; ++#if FOLLOW_X_FORWARDED_FOR ++ new_request->indirect_client_addr = old_request->indirect_client_addr; ++#endif /* FOLLOW_X_FORWARDED_FOR */ + new_request->my_addr = old_request->my_addr; + new_request->my_port = old_request->my_port; + new_request->flags.redirected = 1; +@@ -3051,6 +3228,9 @@ + safe_free(http->log_uri); + http->log_uri = xstrdup(urlCanonicalClean(request)); + request->client_addr = conn->peer.sin_addr; ++#if FOLLOW_X_FORWARDED_FOR ++ request->indirect_client_addr = request->client_addr; ++#endif /* FOLLOW_X_FORWARDED_FOR */ + request->my_addr = conn->me.sin_addr; + request->my_port = ntohs(conn->me.sin_port); + request->http_ver = http->http_ver; +Index: src/delay_pools.c +--- src/delay_pools.c 19 Jun 2003 02:13:57 -0000 1.5.54.6 ++++ src/delay_pools.c 23 Nov 2003 14:20:23 -0000 +@@ -318,6 +318,11 @@ + r = http->request; + + memset(&ch, '\0', sizeof(ch)); ++#if FOLLOW_X_FORWARDED_FOR ++ if (Config.onoff.delay_pool_uses_indirect_client) { ++ ch.src_addr = r->indirect_client_addr; ++ } else ++#endif /* FOLLOW_X_FORWARDED_FOR */ + ch.src_addr = r->client_addr; + ch.my_addr = r->my_addr; + ch.my_port = r->my_port; +Index: src/structs.h +*** src/structs.h.orig Thu Feb 26 20:32:47 2004 +--- src/structs.h Thu Feb 26 20:34:51 2004 +*************** +*** 594,599 **** +--- 594,604 ---- + int pipeline_prefetch; + int request_entities; + int detect_broken_server_pconns; ++ #if FOLLOW_X_FORWARDED_FOR ++ int acl_uses_indirect_client; ++ int delay_pool_uses_indirect_client; ++ int log_uses_indirect_client; ++ #endif /* FOLLOW_X_FORWARDED_FOR */ + } onoff; + acl *aclList; + struct { +*************** +*** 615,620 **** +--- 620,628 ---- + acl_access *reply; + acl_address *outgoing_address; + acl_tos *outgoing_tos; ++ #if FOLLOW_X_FORWARDED_FOR ++ acl_access *followXFF; ++ #endif /* FOLLOW_X_FORWARDED_FOR */ + } accessList; + acl_deny_info_list *denyInfoList; + struct _authConfig { +*************** +*** 1611,1616 **** +--- 1619,1629 ---- + unsigned int internal:1; + unsigned int body_sent:1; + unsigned int reset_tcp:1; ++ #if FOLLOW_X_FORWARDED_FOR ++ /* XXX this flag could be eliminated; ++ * see comments in clientAccessCheck */ ++ unsigned int done_follow_x_forwarded_for; ++ #endif /* FOLLOW_X_FORWARDED_FOR */ + }; + + struct _link_list { +*************** +*** 1657,1662 **** +--- 1670,1678 ---- + int max_forwards; + /* these in_addr's could probably be sockaddr_in's */ + struct in_addr client_addr; ++ #if FOLLOW_X_FORWARDED_FOR ++ struct in_addr indirect_client_addr; /* after following X-Forwarded-For */ ++ #endif /* FOLLOW_X_FORWARDED_FOR */ + struct in_addr my_addr; + unsigned short my_port; + HttpHeader header; +*************** +*** 1667,1672 **** +--- 1683,1693 ---- + char *peer_login; /* Configured peer login:password */ + time_t lastmod; /* Used on refreshes */ + const char *vary_headers; /* Used when varying entities are detected. Changes how the store key is calculated */ ++ #if FOLLOW_X_FORWARDED_FOR ++ /* XXX a list of IP addresses would be a better data structure ++ * than this String */ ++ String x_forwarded_for_iterator; ++ #endif /* FOLLOW_X_FORWARDED_FOR */ + }; + + struct _cachemgr_passwd { diff --git a/www/squid27/files/follow_xff-configure.patch b/www/squid27/files/follow_xff-configure.patch new file mode 100644 index 000000000000..a0920813868d --- /dev/null +++ b/www/squid27/files/follow_xff-configure.patch @@ -0,0 +1,52 @@ +!Patch configure directly to enable testing for the +!--enable-follow-x-forwarding-for configuration option +!instead of running configure.in through autoconf as in the +!original follow-XFF patchset from devel.squid-cache.org. +!Beware that all line number informations in configure.log greater +!than 2972 are offset by -29 (correcting all line numbers would have +!bloated the patch by 92kB!) +--- configure.orig Tue Mar 2 10:18:14 2004 ++++ configure Tue Mar 2 10:18:56 2004 +@@ -222,6 +222,12 @@ + variance within an accelerator setup. + Typically used together with other code + that adds custom HTTP headers to the requests." ++ac_help="$ac_help ++ --enable-follow-x-forwarded-for ++ Enable support for following the X-Forwarded-For ++ HTTP header to try to find the IP address of the ++ original or indirect client when a request has ++ been forwarded through other proxies." + + # Initialize some variables set by options. + # The variables have the same names as the options, with +@@ -2966,6 +2972,29 @@ + fi + + ++follow_xff=1 ++# Check whether --enable-follow-x-forwarded-for or --disable-follow-x-forwarded-for was given. ++if test "${enable_follow_x_forwarded_for+set}" = set; then ++ enableval="$enable_follow_x_forwarded_for" ++ if test "$enableval" = "yes" ; then ++ echo "follow X-Forwarded-For enabled" ++ follow_xff=1 ++ fi ++ ++fi ++ ++if test $follow_xff = 1; then ++ cat >> confdefs.h <<\EOF ++#define FOLLOW_X_FORWARDED_FOR 1 ++EOF ++ ++else ++ cat >> confdefs.h <<\EOF ++#define FOLLOW_X_FORWARDED_FOR 0 ++EOF ++ ++fi ++ + # Force some compilers to use ANSI features + # + case "$host" in diff --git a/www/squid27/files/patch-configure b/www/squid27/files/patch-configure new file mode 100644 index 000000000000..2d6d233edac4 --- /dev/null +++ b/www/squid27/files/patch-configure @@ -0,0 +1,11 @@ +--- configure.orig Tue Mar 2 11:29:57 2004 ++++ configure Tue Mar 2 11:30:34 2004 +@@ -2236,6 +2236,8 @@ + ;; + *-solaris-*) + ;; ++ *-freebsd*) ++ ;; + *) + echo "WARNING: ARP ACL support probably won't work on $host." + sleep 10 diff --git a/www/squid27/files/patch-helpers-basic_auth-SMB-smb_auth.sh b/www/squid27/files/patch-helpers-basic_auth-SMB-smb_auth.sh new file mode 100644 index 000000000000..8115ac0b7938 --- /dev/null +++ b/www/squid27/files/patch-helpers-basic_auth-SMB-smb_auth.sh @@ -0,0 +1,13 @@ +*** helpers/basic_auth/SMB/smb_auth.sh.orig Thu Feb 26 20:58:22 2004 +--- helpers/basic_auth/SMB/smb_auth.sh Thu Feb 26 20:59:45 2004 +*************** +*** 17,22 **** +--- 17,24 ---- + # along with this program; if not, write to the Free Software + # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + ++ SAMBAPREFIX=${SAMBAPREFIX:-/usr/local/bin} ++ + read DOMAINNAME + read PASSTHROUGH + read NMBADDR diff --git a/www/squid27/files/squid.sh b/www/squid27/files/squid.sh index ec92a10bc3fc..5fbf1f3d24ba 100644 --- a/www/squid27/files/squid.sh +++ b/www/squid27/files/squid.sh @@ -8,15 +8,13 @@ # KEYWORD: FreeBSD # # Note: -# If you are running an rcNG-System (i.e. FreeBSD 5 and later or after -# having installed the rc_subr-port on an earlier system) you must set +# If you are running an rcNG-System (i.e. FreeBSD 5 and later) you need to set # "squid_enable=YES" in either /etc/rc.conf, /etc/rc.conf.local or # /etc/rc.conf.d/squid to make this script actually do something. There # you can also set squid_chdir, squid_user, and squid_flags. # # Please see squid(8), rc.conf(5) and rc(8) for further details. -unset rcNG name="squid" command=%%PREFIX%%/sbin/squid extra_commands=reload @@ -28,26 +26,22 @@ stop_cmd="${command} -k shutdown" default_config=%%PREFIX%%/etc/squid/squid.conf if [ -f /etc/rc.subr ]; then - . /etc/rc.subr && rcNG=yes -else - if [ -f %%PREFIX%%/etc/rc.subr ]; then - . %%PREFIX%%/etc/rc.subr && rcNG=yes - fi -fi - -if [ "${rcNG}" ]; then + # make use of rcNG features: + . /etc/rc.subr rcvar=`set_rcvar` load_rc_config ${name} - # check that squid's default configuration is present when - # squid_flags is not set. We assume that you specify at - # least the path to your non-default configuration with - # '-f /path/to/config.file' in squid_flags if you delete this file. + # squid(8) will not start if ${default_config} is not present so try + # to catch that beforehand via ${required_files} rather than make + # squid(8) crash. + # If you remove the default configuration file make sure to add + # '-f /path/to/your/squid.conf' to squid_flags if [ -z "${squid_flags}" ]; then required_files=${default_config} fi required_dirs=${squid_chdir} run_rc_command "$1" else + # implement the startup using the "old style" for non-rcNG-systems: case $1 in start) if [ -x "${command}" -a \ |