From 0cbb74e839daf422743f0fbf71f9e8de5e22ad3d Mon Sep 17 00:00:00 2001 From: wxs Date: Fri, 3 Jun 2011 00:49:45 +0000 Subject: - Run under an unprivileged user (freeradius) - Utilise bsd.port.options.mk - Remove Makefile hack for python - Change the ownership of files & directories to new user PR: ports/157400 Submitted by: Sevan Janiyan Approved by: Ryan Steinmetz (maintainer) --- UPDATING | 11 +++ net/freeradius/Makefile | 102 +++++++++++++---------- net/freeradius/files/patch-raddb_radiusd.conf.in | 13 +++ net/freeradius/files/radiusd.in | 34 ++++++++ net/freeradius/files/radiusd.sh.in | 34 -------- 5 files changed, 115 insertions(+), 79 deletions(-) create mode 100644 net/freeradius/files/patch-raddb_radiusd.conf.in create mode 100644 net/freeradius/files/radiusd.in delete mode 100644 net/freeradius/files/radiusd.sh.in diff --git a/UPDATING b/UPDATING index da37d2d6b68b..3a1a923ac228 100644 --- a/UPDATING +++ b/UPDATING @@ -5,6 +5,17 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20110602: + AFFECTS: users of net/freeradius + AUTHOR: Sevan Janiyan + + Freeradius no longer runs as nobody. It now runs as the freeradius + user. Please ensure that the following paths are owned by freeradius: + + /var/run/radiusd + /var/log/radacct + /var/log/radius.log + 20110529: AFFECTS: users of textproc/*kmfl* AUTHOR: nikola.lecic@anthesphoria.net diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile index f30750374488..741217653e6b 100644 --- a/net/freeradius/Makefile +++ b/net/freeradius/Makefile 
@@ -15,38 +15,67 @@ MASTER_SITES= ftp://ftp.freeradius.org/pub/freeradius/%SUBDIR%/ \ http://ftp.cc.uoc.gr/mirrors/ftp.freeradius.org/%SUBDIR%/ \ http://freeradius.portal-to-web.de/%SUBDIR%/ MASTER_SITE_SUBDIR= . old +# If FREERADIUS_SLAVE_MYSQL is defined, we want to build the +# freeradius-mysql slave port +.ifdef(FREERADIUS_SLAVE_MYSQL) +PKGNAMESUFFIX= -mysql +.endif MAINTAINER?= rpsfa@rit.edu COMMENT?= A free RADIUS server implementation -USE_BZIP2= yes -WANT_PERL= yes - LIB_DEPENDS= gdbm.3:${PORTSDIR}/databases/gdbm -LOGDIR?= /var/log - +CONFLICTS= gnu-radius-[0-9].* openradius-[0-9].* radiusd-cistron-[0-9].* # If FREERADIUS_SLAVE_MYSQL is defined, we want to build the # freeradius-mysql slave port - -CONFLICTS= gnu-radius-[0-9].* openradius-[0-9].* radiusd-cistron-[0-9].* .ifdef(FREERADIUS_SLAVE_MYSQL) CONFLICTS+= freeradius-[0-9].* freeradius-mysql-[02-9].* -PKGNAMESUFFIX= -mysql .else CONFLICTS+= freeradius-mysql-[0-9].* freeradius-[02-9].* .endif + +MAN1= radclient.1 radeapclient.1 radlast.1 radtest.1 radwho.1 \ + radzap.1 +MAN5= acct_users.5 clients.5 clients.conf.5 dictionary.5 naslist.5 \ + radiusd.conf.5 rlm_acct_unique.5 rlm_always.5 \ + rlm_attr_filter.5 rlm_attr_rewrite.5 rlm_chap.5 rlm_counter.5 \ + rlm_detail.5 rlm_expr.5 rlm_files.5 rlm_mschap.5 rlm_pap.5 \ + rlm_passwd.5 rlm_realm.5 rlm_sql.5 rlm_sql_log.5 rlm_unix.5 \ + users.5 +MAN8= radiusd.8 radrelay.8 radsqlrelay.8 radwatch.8 rlm_ippool_tool.8 + +USE_BZIP2= yes +WANT_PERL= yes + +LOGDIR?= /var/log + NO_LATEST_LINK= yes -USE_RC_SUBR= radiusd.sh +USE_RC_SUBR= radiusd USE_AUTOTOOLS= libltdl libtool autoconf USE_GMAKE= yes USE_OPENSSL= yes +USE_LDCONFIG= yes +CONFIGURE_ARGS= --quiet \ + --prefix=${PREFIX} \ + --localstatedir=/var \ + --with-system-libtool \ + --with-logdir=${LOGDIR} \ + --with-large-files \ + --with-openssl-includes=${OPENSSLINC} \ + --without-rlm_sql_db2 \ + --without-rlm_sql_freetds \ + --without-rlm_sql_iodbc \ + --without-rlm_sql_oracle \ + --without-rlm_sql_sybase 
MAKE_ARGS+= LDFLAGS="-L${LOCALBASE}/lib ${PTHREAD_LIBS}" CFLAGS+= -I${LOCALBASE}/include -L${LOCALBASE}/lib MAKE_JOBS_UNSAFE= yes PLIST_SUB= PORTVERSION=${PORTVERSION} +USERS= freeradius +GROUPS= freeradius OPTIONS= KERBEROS "With Kerberos support" off \ HEIMDAL "With Heimdal Kerberos support" off \ @@ -62,19 +91,15 @@ OPTIONS+= PGSQL "With PostgreSQL database support" off \ NOPERL "Do not require perl (use only if necessary)" off \ EXPERIMENTAL "Build experimental modules" off -.include - # Default requirements for rc script _REQUIRE= NETWORKING SERVERS +.include + .ifdef(FREERADIUS_SLAVE_MYSQL) WITH_MYSQL= yes .endif -CONFIGURE_ARGS= --quiet \ - --prefix=${PREFIX} \ - --localstatedir=/var \ - --with-system-libtool .ifdef(NOPORTDOCS) CONFIGURE_ARGS+=--without-docdir PLIST_SUB+= PORTDOCS="@comment " @@ -82,23 +107,6 @@ PLIST_SUB+= PORTDOCS="@comment " CONFIGURE_ARGS+=--with-docdir=${DOCSDIR} PLIST_SUB+= PORTDOCS="" .endif -CONFIGURE_ARGS+=--with-logdir=${LOGDIR} \ - --with-large-files \ - --with-openssl-includes=${OPENSSLINC} -# This conditionality avoids -L/usr/lib in the radiusd build step when -# building with base system OpenSSL -.if ${OPENSSLLIB} != "/usr/lib" -CONFIGURE_ARGS+=--with-openssl-libraries=${OPENSSLLIB} -.endif -CONFIGURE_ARGS+=--without-rlm_sql_db2 \ - --without-rlm_sql_freetds \ - --without-rlm_sql_iodbc \ - --without-rlm_sql_oracle \ - --without-rlm_sql_sybase - -.if ${ARCH} == amd64 -CONFIGURE_ARGS+= --with-pic -.endif .if defined(WITH_HEIMDAL) && !defined(WITH_KERBEROS) WITH_KERBEROS= yes @@ -187,8 +195,6 @@ CONFIGURE_ARGS+=--without-snmp .ifdef(WITH_EXPERIMENTAL) USE_PYTHON= yes -# hack to get the dependency -.include "${PORTSDIR}/Mk/bsd.python.mk" CONFIGURE_ARGS+=--with-experimental-modules PLIST_SUB+= EXPM="" .else 
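Review bot: `USERS= freeradius` and `GROUPS= freeradius` only work if the ports tree's UIDs and GIDs files carry a reserved entry for that account; the diffstat above touches five files and neither of those, so unless the registration was committed separately the user-creation step (and every `${USERS}:${GROUPS}` chown in post-install) fails on a clean install. Worth confirming before merge and, if the entry exists, recording it next to these two lines, e.g. `# freeradius uid/gid are registered in ports/UIDs and ports/GIDs`. The `OPTIONS= KERBEROS ...` assignment this hunk ends on continues past the end of the hunk.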
@@ -208,19 +214,19 @@ CONFIGURE_ARGS+=--with-rlm_perl PLIST_SUB+= RLMPERL="" .endif -USE_LDCONFIG= yes +SUB_LIST+= REQUIRE="${_REQUIRE}" -MAN1= radclient.1 radeapclient.1 radlast.1 radtest.1 radwho.1 \ - radzap.1 -MAN5= acct_users.5 clients.5 clients.conf.5 dictionary.5 naslist.5 \ - radiusd.conf.5 rlm_acct_unique.5 rlm_always.5 \ - rlm_attr_filter.5 rlm_attr_rewrite.5 rlm_chap.5 rlm_counter.5 \ - rlm_detail.5 rlm_expr.5 rlm_files.5 rlm_mschap.5 rlm_pap.5 \ - rlm_passwd.5 rlm_realm.5 rlm_sql.5 rlm_sql_log.5 rlm_unix.5 \ - users.5 -MAN8= radiusd.8 radrelay.8 radsqlrelay.8 radwatch.8 rlm_ippool_tool.8 +.include -SUB_LIST+= REQUIRE="${_REQUIRE}" +# This conditionality avoids -L/usr/lib in the radiusd build step when +# building with base system OpenSSL +.if ${OPENSSLLIB} != "/usr/lib" +CONFIGURE_ARGS+=--with-openssl-libraries=${OPENSSLLIB} +.endif + +.if ${ARCH} == amd64 +CONFIGURE_ARGS+= --with-pic +.endif post-patch: # Patch Makefile / Makefile.in throughout the source tree to install raddb @@ -263,5 +269,11 @@ post-install: # Set ${PREFIX}/etc/raddb and all the files and folders in it to g-w,o-rwx # (FreeRADIUS will probably complain if this is not done) @${CHMOD} -R g-w,o-rwx ${PREFIX}/etc/raddb + @${CHOWN} -R ${USERS}:${GROUPS} ${PREFIX}/etc/raddb + + @${TOUCH} ${LOGDIR}/radius.log + @${CHOWN} ${USERS}:${GROUPS} ${LOGDIR}/radius.log + @${CHOWN} ${USERS}:${GROUPS} ${LOGDIR}/radacct + @${CHOWN} ${USERS}:${GROUPS} /var/run/radiusd .include diff --git a/net/freeradius/files/patch-raddb_radiusd.conf.in b/net/freeradius/files/patch-raddb_radiusd.conf.in new file mode 100644 index 000000000000..2f374bab936b --- /dev/null +++ b/net/freeradius/files/patch-raddb_radiusd.conf.in 
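Review bot: `@${CHOWN} -R ${USERS}:${GROUPS} ${PREFIX}/etc/raddb` hands the service account ownership of its entire configuration tree, which typically holds the shared secrets in clients.conf and any TLS key material, so a compromised radiusd could rewrite its own configuration; as far as the port shows, radiusd only reads that tree, and `@${CHOWN} -R root:${GROUPS} ${PREFIX}/etc/raddb` together with the `g-w,o-rwx` chmod on the previous line gives it exactly that. The chowns of `${LOGDIR}/radacct` and `/var/run/radiusd` assume both directories already exist when post-install runs; nothing in this hunk creates them, so if the install target does not either, the recipe aborts there — a `@${MKDIR} ${LOGDIR}/radacct /var/run/radiusd` ahead of them would make the step idempotent. post-install itself begins outside the hunk.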
@@ -0,0 +1,13 @@
+--- raddb/radiusd.conf.in.orig 2011-05-29 19:22:10.091905921 +0000
++++ raddb/radiusd.conf.in 2011-05-29 19:22:36.633918942 +0000
+@@ -106,8 +106,8 @@ pidfile = ${run_dir}/radiusd.pid
+ # that the debugging mode server is running as a user that can read the
+ # shadow info, and the user listed below can not.
+ #
+-#user = nobody
+-#group = nobody
++user = freeradius
++group = freeradius
+ 
+ # max_request_time: The maximum time (in seconds) to handle a request.
+ #
diff --git a/net/freeradius/files/radiusd.in b/net/freeradius/files/radiusd.in
new file mode 100644
index 000000000000..86724eb68800
--- /dev/null
+++ b/net/freeradius/files/radiusd.in
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# PROVIDE: radiusd
+# REQUIRE: %%REQUIRE%%
+# KEYWORD: shutdown
+
+#
+# Add the following lines to /etc/rc.conf to enable radiusd:
+#
+# radiusd_enable="YES"
+#
+
+. /etc/rc.subr
+
+name=radiusd
+rcvar=`set_rcvar`
+load_rc_config $name
+
+command=%%PREFIX%%/sbin/radiusd
+pidfile=/var/run/radiusd/radiusd.pid
+
+# The radiusd_config parameter is now obsolete. Instead, derive the
+# configuration directory name from radiusd_flags if possible, otherwise
+# default to %%PREFIX%%/etc/raddb
+required_dirs=`echo ${radiusd_flags} | sed -Ene 's:.*\-[^[:space:]d]*d[[:space:]]*([^[:space:]]+).*:\1:p'`
+required_dirs=${required_dirs:-"%%PREFIX%%/etc/raddb"}
+
+required_files="${required_dirs}/radiusd.conf"
+
+radiusd_enable=${radiusd_enable-"NO"}
+
+command_args="&"
+
+run_rc_command "$1"
diff --git a/net/freeradius/files/radiusd.sh.in b/net/freeradius/files/radiusd.sh.in
deleted file mode 100644
index 86724eb68800..000000000000
--- a/net/freeradius/files/radiusd.sh.in
+++ /dev/null
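Review bot: Setting `user = freeradius` / `group = freeradius` here makes the caveat in the kept context lines real: as they state, the listed user can not read the shadow info, so modules that authenticate against the system password database (rlm_unix, whose man page this port installs) presumably stop working after the upgrade. The UPDATING entry in this commit only lists the paths to chown; it would help operators to add a sentence such as `rlm_unix and any other module that reads /etc/master.passwd will no longer work now that radiusd runs as freeradius.`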
@@ -1,34 +0,0 @@
-#!/bin/sh
-
-# PROVIDE: radiusd
-# REQUIRE: %%REQUIRE%%
-# KEYWORD: shutdown
-
-#
-# Add the following lines to /etc/rc.conf to enable radiusd:
-#
-# radiusd_enable="YES"
-#
-
-. /etc/rc.subr
-
-name=radiusd
-rcvar=`set_rcvar`
-load_rc_config $name
-
-command=%%PREFIX%%/sbin/radiusd
-pidfile=/var/run/radiusd/radiusd.pid
-
-# The radiusd_config parameter is now obsolete. Instead, derive the
-# configuration directory name from radiusd_flags if possible, otherwise
-# default to %%PREFIX%%/etc/raddb
-required_dirs=`echo ${radiusd_flags} | sed -Ene 's:.*\-[^[:space:]d]*d[[:space:]]*([^[:space:]]+).*:\1:p'`
-required_dirs=${required_dirs:-"%%PREFIX%%/etc/raddb"}
-
-required_files="${required_dirs}/radiusd.conf"
-
-radiusd_enable=${radiusd_enable-"NO"}
-
-command_args="&"
-
-run_rc_command "$1"
-- cgit