From 5e9fbaf4b4842cb0266521cc52a6a7107563bc0c Mon Sep 17 00:00:00 2001 From: glarkin Date: Thu, 11 Sep 2008 00:30:09 +0000 Subject: - Fixed logcheck script silent failure in previous commit - Added handling for crontab installation problems - Incorported security fixes from PR opened after previous commit - Added UPDATING entry since configuration options have changed fairly significantly PR: ports/122842 Submitted by: Cezary Morga PR: ports/127255 Submitted by: Yasuhiro KIMURA Reviewed by: glarkin Approved by: beech (mentor, implicit) Approved by: portmgr (marcus) Security: Incorrect addition of logcheck user to wheel group --- security/logcheck/Makefile | 46 ++++++++++++++++++----------- security/logcheck/files/patch-src__logcheck | 20 +++++++++---- security/logcheck/files/pkg-deinstall.in | 4 +-- security/logcheck/files/pkg-install.in | 25 +++++++++++----- security/logcheck/files/pkg-message.in | 4 +-- security/logcheck/pkg-plist | 6 ++-- 6 files changed, 66 insertions(+), 39 deletions(-) (limited to 'security') diff --git a/security/logcheck/Makefile b/security/logcheck/Makefile index 56d16ea35824..e63fafa95738 100644 --- a/security/logcheck/Makefile +++ b/security/logcheck/Makefile @@ -7,10 +7,9 @@ PORTNAME= logcheck PORTVERSION= 1.2.54 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security -MASTER_SITES= ftp://ftp.debian.org/debian/pool/main/l/logcheck/ \ - http://ftp.de.debian.org/debian/pool/main/l/logcheck/ +MASTER_SITES= ${MASTER_SITE_DEBIAN_POOL} DISTNAME= ${PORTNAME}_${PORTVERSION} MAINTAINER= glarkin@FreeBSD.org 
@@ -18,12 +17,23 @@ COMMENT= Auditing tool for system logs on Unix boxes BUILD_DEPENDS= docbook-to-man:${PORTSDIR}/textproc/docbook-to-man RUN_DEPENDS= lockfile:${PORTSDIR}/mail/procmail \ - bash:${PORTSDIR}/shells/bash \ - perl:${PORTSDIR}/lang/perl5 + bash:${PORTSDIR}/shells/bash + +LOGCHECK_USER= logcheck +LOGCHECK_UID= 915 +LOGCHECK_GROUP= ${LOGCHECK_USER} +LOGCHECK_GID= ${LOGCHECK_UID} + +# Enable Perl dependency for logtail script +USE_PERL5= 5.8.0+ WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION} BINMODE= 755 SHAREMODE= 640 +SUB_LIST+= LOGCHECK_USER=${LOGCHECK_USER} \ + LOGCHECK_UID=${LOGCHECK_UID} \ + LOGCHECK_GROUP=${LOGCHECK_GROUP} \ + LOGCHECK_GID=${LOGCHECK_GID} SUB_FILES= pkg-install pkg-deinstall pkg-message CONFIG_DIRS= cracking.d ignore.d.paranoid ignore.d.server \ ignore.d.workstation violations.d violations.ignore.d 
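Review bot: `LOGCHECK_UID= 915` pins the account's numeric id, but nothing in this hunk shows the value reserved in the ports tree's UIDs/GIDs registry, and pkg-install.in's `pw user add ... -u "${uid}"` later in this commit will fail on any target where 915 is already taken by another name. If the registration lives outside this diff, a comment above the assignment such as `# UID/GID 915 is registered in ports/UIDs and ports/GIDs` would tell the next maintainer why the number must not be changed casually; if it does not, it should be registered before this revision ships. `LOGCHECK_GID= ${LOGCHECK_UID}` ties the two ids together, which is fine as long as both registrations agree.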
@@ -31,39 +41,39 @@ DOCS= AUTHORS CHANGES CREDITS LICENSE TODO docs/README* PORTDOCS= ${DOCS:T} MAN8= logcheck.8 logtail.8 -LOGCHECK_USER= logcheck -LOGCHECK_GROUP= ${LOGCHECK_USER} - do-build: ${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \ - ${WRKSRC}/etc/logcheck.logfiles - ${REINPLACE_CMD} -e 's!/etc/logcheck!/usr/local/etc/logcheck!' \ - -e 's!/usr/share/doc/logcheck-database/README.logcheck-database.gz!${DOCSDIR}/README.logcheck-database!' \ - ${WRKSRC}/docs/logcheck.sgml + ${WRKSRC}/etc/logcheck.logfiles + ${REINPLACE_CMD} -e 's!/etc/logcheck!${ETCDIR}!' \ + -e 's!/usr/share/doc/logcheck-database/README.logcheck-database.gz!${DOCSDIR}/README.logcheck-database!' \ + ${WRKSRC}/docs/logcheck.sgml docbook-to-man ${WRKSRC}/docs/logcheck.sgml > ${WRKSRC}/docs/logcheck.8 do-install: ${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${PREFIX}/sbin ${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${PREFIX}/sbin @PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL - @${INSTALL} -d /var/lib/logcheck + @${INSTALL} -d /var/db/logcheck @${INSTALL} -d /var/run/logcheck - ${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/lib/logcheck + ${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/db/logcheck @${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \ - /var/lib/logcheck' >> ${TMPPLIST} + /var/db/logcheck' >> ${TMPPLIST} ${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/run/logcheck @${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \ /var/run/logcheck' >> ${TMPPLIST} @${INSTALL} -d ${ETCDIR} - @${INSTALL_DATA} ${WRKSRC}/etc/logcheck.conf ${ETCDIR}/logcheck.conf.sample - @${INSTALL_DATA} ${WRKSRC}/etc/logcheck.logfiles ${ETCDIR}/logcheck.logfiles.sample + @${INSTALL_DATA} ${WRKSRC}/etc/logcheck.conf \ + ${ETCDIR}/logcheck.conf.sample + @${INSTALL_DATA} ${WRKSRC}/etc/logcheck.logfiles \ + ${ETCDIR}/logcheck.logfiles.sample .for i in ${CONFIG_DIRS} @${INSTALL} -d ${ETCDIR}/${i} @${INSTALL_DATA} ${WRKSRC}/rulefiles/linux/${i}/* ${ETCDIR}/${i} 
.endfor .if !defined(NOPORTEXAMPLES) @${INSTALL} -d ${EXAMPLESDIR} - @${INSTALL_DATA} ${WRKSRC}/debian/logcheck.cron.d ${EXAMPLESDIR}/crontab.in + @${INSTALL_DATA} ${WRKSRC}/debian/logcheck.cron.d \ + ${EXAMPLESDIR}/crontab.in .endif ${CHOWN} -R root:${LOGCHECK_GROUP} ${ETCDIR} @${ECHO_CMD} '@exec ${CHOWN} -R root:${LOGCHECK_GROUP} \ diff --git a/security/logcheck/files/patch-src__logcheck b/security/logcheck/files/patch-src__logcheck index faf0954ce518..8e06c99a8a6f 100644 --- a/security/logcheck/files/patch-src__logcheck +++ b/security/logcheck/files/patch-src__logcheck @@ -1,5 +1,5 @@ --- ./src/logcheck.orig 2007-01-16 01:13:27.000000000 -0500 -+++ ./src/logcheck 2008-09-06 19:11:28.000000000 -0400 ++++ ./src/logcheck 2008-09-09 18:10:02.000000000 -0400 @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/local/bin/bash @@ -11,7 +11,7 @@ if [ $UID == 0 ]; then echo "logcheck should not be run as root. Use su to invoke logcheck:" - echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck" -+ echo "su logcheck -c \"/usr/local/bin/bash /usr/local/sbin/logcheck${@:+ $@}\"" ++ echo "su -m logcheck -c \"/usr/local/bin/bash /usr/local/sbin/logcheck${@:+ $@}\"" echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}." # you may want to uncomment that hack to let logcheck invoke itself. - # su -s /bin/bash -c "$0 $*" logcheck 
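Review bot: The state directory `/var/db/logcheck` is written out literally four times in this hunk (`${INSTALL} -d`, two `${CHOWN}` lines and the `@exec` appended to `${TMPPLIST}`), and again in patch-src__logcheck, pkg-install.in and pkg-plist later in this commit, so the /var/lib to /var/db move had to be repeated by hand in every file. Defining it once beside the user/group knobs, e.g. `LOGCHECK_STATEDIR= /var/db/logcheck` passed through `SUB_LIST+= LOGCHECK_STATEDIR=${LOGCHECK_STATEDIR}`, and referencing `${LOGCHECK_STATEDIR}` here and a `%%LOGCHECK_STATEDIR%%` placeholder in the substituted scripts would keep the copies from drifting apart. The do-install target continues past the end of this hunk.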
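Review bot: The advice printed for root now reads `su -m logcheck -c "/usr/local/bin/bash /usr/local/sbin/logcheck${@:+ $@}"`, and `-m` carries the invoking root shell's environment (HOME, PATH and the rest) across to the logcheck user, so the script runs with root's settings instead of the account's own login environment. Since this commit also gives the account `/usr/local/bin/bash` as its shell (pkg-install.in), the plain form `su logcheck -c "/usr/local/sbin/logcheck${@:+ $@}"` appears sufficient and yields the cleaner environment; worth confirming `-m` was not added for some other reason, and noting it in the comment on the line above if it was. The guarded block continues beyond this hunk.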
@@ -32,19 +32,20 @@ # Set the default paths -RULEDIR="/etc/logcheck" -CONFFILE="/etc/logcheck/logcheck.conf" -+RULEDIR="/usr/local/etc/logcheck" -+CONFFILE="/usr/local/etc/logcheck/logcheck.conf" - STATEDIR="/var/lib/logcheck" +-STATEDIR="/var/lib/logcheck" -LOGFILES_LIST="/etc/logcheck/logcheck.logfiles" -LOGFILE_FALLBACK="/var/log/syslog" -LOGTAIL="/usr/sbin/logtail" ++RULEDIR="/usr/local/etc/logcheck" ++CONFFILE="/usr/local/etc/logcheck/logcheck.conf" ++STATEDIR="/var/db/logcheck" +LOGFILES_LIST="/usr/local/etc/logcheck/logcheck.logfiles" +LOGFILE_FALLBACK="/var/log/messages" +LOGTAIL="/usr/local/sbin/logtail" CAT="/bin/cat" SYSLOG_SUMMARY="/usr/bin/syslog-summary" -@@ -87,20 +80,15 @@ +@@ -87,26 +80,21 @@ SORTUNIQ=0 SUPPORT_CRACKING_IGNORE=0 SYSLOGSUMMARY=0 @@ -69,6 +70,13 @@ fi if [ -d $TMPDIR ]; then + # Remove the tmp directory + if [ $NOCLEANUP -eq 0 ];then +- cd /var/lib/logcheck ++ cd /var/db/logcheck + debug "cleanup: Removing - $TMPDIR" + rm -r $TMPDIR + else @@ -142,14 +130,9 @@ if [ "$2" = "noclean" ]; then debug "error: Not removing lockfile" diff --git a/security/logcheck/files/pkg-deinstall.in b/security/logcheck/files/pkg-deinstall.in index da113018941a..998bb95121eb 100644 --- a/security/logcheck/files/pkg-deinstall.in +++ b/security/logcheck/files/pkg-deinstall.in @@ -1,7 +1,7 @@ #!/bin/sh -user="logcheck" -group="logcheck" +user="%%LOGCHECK_USER%%" +group="%%LOGCHECK_GROUP%%" configfiles="logcheck.conf logcheck.logfiles" case $2 in diff --git a/security/logcheck/files/pkg-install.in b/security/logcheck/files/pkg-install.in index 4186b190eb42..b5e5d2005e32 100644 --- a/security/logcheck/files/pkg-install.in +++ b/security/logcheck/files/pkg-install.in 
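Review bot: The cleanup branch now does `cd /var/db/logcheck` while the same path is already held in `STATEDIR` a few lines earlier in this patched file, so the two will drift the next time the location moves; `cd "$STATEDIR"` keeps one source of truth. The directory change is also unchecked before `rm -r $TMPDIR`, so if the cd fails the removal runs from whatever the current directory was; something like `cd "$STATEDIR" || { debug "cleanup: cannot cd to $STATEDIR"; exit 1; }` would make that failure visible, though `TMPDIR` is assigned outside this hunk and may well be absolute. The enclosing if-block continues past the hunk's end.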
@@ -1,10 +1,12 @@ #!/bin/sh -user="logcheck" -group="logcheck" +user="%%LOGCHECK_USER%%" +uid="%%LOGCHECK_UID%%" +group="%%LOGCHECK_GROUP%%" +gid="%%LOGCHECK_GID%%" descr="Logcheck system account" -homedir="/var/lib/logcheck" -shell="/usr/bin/false" +homedir="/var/db/logcheck" +shell="/usr/local/bin/bash" configfiles="logcheck.conf logcheck.logfiles" case $2 in @@ -12,13 +14,13 @@ PRE-INSTALL) if pw group show ${group} > /dev/null 2>&1; then echo "---> You already have a group \"${group}\", so I will use it." else - pw group add "${group}" + pw group add "${group}" -g "${gid}" echo "---> Created group \"${group}\"." fi if pw user show ${user} > /dev/null 2>&1; then echo "---> You already have a user \"${user}\", so I will use it." else - pw user add -n logcheck -c "${descr}" -d "${homedir}" -s "${shell}" -g logcheck -G wheel + pw user add -n ${user} -c "${descr}" -d "${homedir}" -s "${shell}" -g ${group} -u "${uid}" echo "---> Created user \"${user}\"." fi ;; @@ -34,8 +36,15 @@ POST-INSTALL) echo "---> Installed crontab(5) file for user \"${user}\"" fi else - /usr/bin/crontab -u "${user}" "%%EXAMPLESDIR%%/crontab.in" || exit 1 - echo "---> Created crontab(5) file for user \"${user}\"" + if grep -q "are not allowed to use this program" /tmp/logchecktab$$ ; then + echo "---> The logcheck user is not allowed to run crontab." + echo "---> Please check the contents of /var/cron/allow and /var/cron/deny" + echo "---> and grant access, if necessary." + exit 1 + else + /usr/bin/crontab -u "${user}" "%%EXAMPLESDIR%%/crontab.in" || exit 1 + echo "---> Created crontab(5) file for user \"${user}\"" + fi fi rm -f /tmp/logchecktab$$ fi diff --git a/security/logcheck/files/pkg-message.in b/security/logcheck/files/pkg-message.in index 2879b0aa129e..91b969820534 100644 --- a/security/logcheck/files/pkg-message.in +++ b/security/logcheck/files/pkg-message.in 
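Review bot: `shell="/usr/local/bin/bash"` turns a service account that previously had `/usr/bin/false` into one with a working interactive shell; the `pw user add` in the next hunk sets no password, so keeping the account closed to direct login rests on pw's default of a disabled password field, and that should be stated next to the assignment, e.g. `# bash rather than false so 'su logcheck -c ...' works; the account gets no password`. The bash path is also hard-coded although this file already relies on `%%EXAMPLESDIR%%`-style substitution, so `%%LOCALBASE%%/bin/bash` would follow installations whose local base is not /usr/local.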
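Review bot: Neither `pw group add "${group}" -g "${gid}"` nor `pw user add -n ${user} ... -u "${uid}"` has its exit status checked, yet the next line reports `Created group`/`Created user` unconditionally; with fixed ids a collision (915 already used by another name) makes pw fail while the installer carries on, and the `${CHOWN}` to the account in the Makefile's do-install would then fail with an unknown user. `pw user add ... || exit 1`, and the same for the group, would stop the install with pw's own diagnostic. A small inconsistency on the same line: `${user}` and `${group}` are unquoted while `${descr}`, `${homedir}`, `${shell}` and `${uid}` are quoted.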
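Review bot: The new branch greps `/tmp/logchecktab$$` for crontab's refusal message, but that file sits under a predictable name in a world-writable directory while this script runs as root at install time; a name from `mktemp -t logchecktab`, kept in a variable and reused where the file is presumably written above this hunk, removes the chance of reading or overwriting a file planted there beforehand. The `exit 1` taken when access is denied also happens before `rm -f /tmp/logchecktab$$`, so the temporary file is left behind on that path. Matching the English error text is fragile as well; if the exit status of the earlier `crontab -l` is available, it is the more reliable signal. The POST-INSTALL case arm starts before this hunk.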
@@ -3,8 +3,8 @@ Please make sure that all files listed in %%PREFIX%%/etc/logcheck/logcheck.logfiles -are readable to 'wheel' group (see also /etc/newsyslog.conf), or remove -them from the aforementioned logcheck configuration file. +are readable to the '%%LOGCHECK_GROUP%%' group (see also /etc/newsyslog.conf), +or remove them from the aforementioned logcheck configuration file. For information on how to write local rulesets see diff --git a/security/logcheck/pkg-plist b/security/logcheck/pkg-plist index fe15aa1ec1a6..1cc35e3c53a7 100644 --- a/security/logcheck/pkg-plist +++ b/security/logcheck/pkg-plist @@ -182,7 +182,7 @@ sbin/logtail @dirrm %%ETCDIR%%/ignore.d.paranoid @dirrm %%ETCDIR%%/cracking.d @dirrm %%ETCDIR%% -@exec mkdir -p /var/lib/logcheck -@unexec rm -rf /var/lib/logcheck 2> /dev/null || true +@exec mkdir -p /var/db/logcheck +@dirrmtry /var/db/logcheck @exec mkdir -p /var/run/logcheck -@unexec rm -rf /var/run/logcheck 2> /dev/null || true +@dirrmtry /var/run/logcheck -- cgit