Date: Mon, 29 Jan 2007 00:06:11 GMT
From: Matthew Seaman
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/108502: [maintainer] textproc/sphinxsearch -- run as unprivileged user

>Number:         108502
>Category:       ports
>Synopsis:       [maintainer] textproc/sphinxsearch -- run as unprivileged user
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 29 00:10:19 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Matthew Seaman
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
Infracaninophile
>Environment:
System: FreeBSD happy-idiot-talk.infracaninophile.co.uk 6.2-STABLE FreeBSD 6.2-STABLE #7: Sat Jan 27 15:13:42 GMT 2007 root@happy-idiot-talk.infracaninophile.co.uk:/usr/obj/usr/src/sys/HAPPY-IDIOT-TALK i386
>Description:

In the interests of generally improving security, switch to running
searchd as an unprivileged user 'sphinx'.

Note to Users:

The default locations of a number of files and directories have changed:

    /var/run/searchd.pid      --> /var/run/sphinxsearch/searchd.pid
    /var/log/searchd.log      --> /var/log/sphinxsearch/searchd.log
    /var/log/sphinx-query.log --> /var/log/sphinxsearch/sphinx-query.log

See ${PREFIX}/etc/rc.d/sphinxsearch for details of a number of new
rc.conf settings you can use to control these locations and also the
user and group the daemon is run as.
You will need to merge these changes into ${PREFIX}/etc/sphinx.conf Note to committer: Added new files: sphinxsearch/files/pkg-install.in sphinxsearch/files/pkg-deinstall.in >How-To-Repeat: >Fix: --- sphinxsearch.diff begins here --- diff -Nur /usr/ports/textproc/sphinxsearch/Makefile sphinxsearch/Makefile --- /usr/ports/textproc/sphinxsearch/Makefile Sat Dec 16 17:37:51 2006 +++ sphinxsearch/Makefile Sun Jan 28 22:44:44 2007 @@ -5,10 +5,11 @@ # $FreeBSD: ports/textproc/sphinxsearch/Makefile,v 1.2 2006/12/16 12:06:14 miwi Exp $ # # Note: the Sphinx Storage Engine MySQL plugin is not supported by -# this port at the moment. Maybe later. +# this port. You need a patched version of mysql server for that. PORTNAME= sphinxsearch PORTVERSION= 0.9.7.r2 +PORTREVISION= 1 CATEGORIES= textproc databases MASTER_SITES= http://www.sphinxsearch.com/downloads/ DISTNAME= sphinx-${PORTVERSION:C@\.r([0-9]+)$@-rc\1@} @@ -20,6 +21,12 @@ PGSQL "PostgreSQL support" off \ OPTIMIZED_CFLAGS "Use compiler optimization (-O3)" off +SPHINX_USR?= sphinx +SPHINX_GRP?= sphinx +SPHINX_DIR?= /var/db/${PORTNAME} +SPHINX_RUN?= /var/run/${PORTNAME} +SPHINX_LOG?= /var/log/${PORTNAME} + # Yes, the conflation of CPPFLAGS and CXXFLAGS is deliberate. No, # don't ask. @@ -28,8 +35,15 @@ CONFIGURE_ENV+= CC=${CC} CPPFLAGS="${CXXFLAGS}" CFGFILE= ${PREFIX}/etc/sphinx.conf USE_RC_SUBR= sphinxsearch.sh -SUB_LIST+= PORTNAME=${PORTNAME} \ - CFGFILE=${CFGFILE} +SUB_LIST+= PORTNAME=${PORTNAME} \ + CFGFILE=${CFGFILE} \ + SPHINX_USR=${SPHINX_USR} \ + SPHINX_GRP=${SPHINX_GRP} \ + SPHINX_DIR=${SPHINX_DIR} \ + SPHINX_RUN=${SPHINX_RUN} \ + SPHINX_LOG=${SPHINX_LOG} +SUB_FILES+= pkg-install pkg-deinstall + .if !defined(NOPORTDOCS) EXAMPLES= example.sql api/sphinxapi.php api/test.php api/test2.php DOCS= doc/sphinx.css doc/sphinx.html doc/sphinx.txt doc/sphinx.xml 
@@ -62,12 +76,15 @@ post-patch: ${REINPLACE_CMD} \ - -e 's!@CONFDIR@/log/searchd.pid!/var/run/searchd.pid!' \ - -e 's!@CONFDIR@/log/query.log!/var/log/sphinx-query.log!' \ - -e 's!@CONFDIR@/log/searchd.log!/var/log/searchd.log!' \ - -e 's!@CONFDIR@!/var/db/sphinxsearch!' \ + -e "s!@CONFDIR@/log/searchd.pid!${SPHINX_RUN}/searchd.pid!" \ + -e "s!@CONFDIR@/log/query.log!${SPHINX_LOG}/sphinx-query.log!" \ + -e "s!@CONFDIR@/log/searchd.log!${SPHINX_LOG}/searchd.log!" \ + -e "s!@CONFDIR@!${SPHINX_DIR}!" \ ${WRKSRC}/sphinx.conf.in +pre-install: + @${SETENV} ${SCRIPTS_ENV} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL + do-install: install-bin install-docs install-examples install-bin: @@ -92,7 +109,10 @@ .endfor .endif -post-install: +post-install: post-install-cfg + @${SETENV} ${SCRIPTS_ENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL + +post-install-cfg: @if [ ! -f ${CFGFILE} ]; then \ ${CP} -p ${CFGFILE}.sample ${CFGFILE} ; \ fi diff -Nur /usr/ports/textproc/sphinxsearch/files/pkg-deinstall.in sphinxsearch/files/pkg-deinstall.in --- /usr/ports/textproc/sphinxsearch/files/pkg-deinstall.in Thu Jan 1 01:00:00 1970 +++ sphinxsearch/files/pkg-deinstall.in Sun Jan 28 23:21:02 2007 
@@ -0,0 +1,32 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +sphinx_usr=%%SPHINX_USR%% +sphinx_grp=%%SPHINX_GRP%% +sphinx_dir=%%SPHINX_DIR%% +sphinx_name=%%PORTNAME%% + +case $2 in + POST-DEINSTALL) + + cat < Group $group created" + else + cat <<-EOERRORMSG + *** Failed to create the $group group. + + Please add the $user user and $group group + manually with the commands: + + pw groupadd -n $group + pw useradd -n $user -g $group -c "$gcos" \\ + -d $home -s $shell -h - + + and retry installing this package. + EOERRORMSG + exit 1 + fi +} + + +create_user() { + local user group gcos home shell + + user=$1 + group=$2 + gcos=$3 + home=$4 + shell=$5 + + if pw useradd -n $user -g $group -c "$gcos" -d $home -s $shell -h - ; then + echo "===> Created $user user" + else + cat <<-EOERRORMSG + *** Failed to create the $user user. + + Please add the $user user manually with the command: + + pw useradd -n $user -g $group -c "$gcos" \\ + -d $home -s $shell -h - + + and retry installing this package. + EOERRORMSG + exit 1 + fi +} + + +case $2 in + PRE-INSTALL) + + # Create the sphinx user and group if they do not already exist + + if pw user show -n $sphinx_usr >/dev/null 2>&1 ; then + echo "===> Using pre-existing user $sphinx_usr" + else + if ! 
pw group show -n $sphinx_grp >/dev/null 2>&1 ; then + create_group $sphinx_usr $sphinx_grp "$sphinx_gcos" \ + $sphinx_home $sphinx_shell + fi + create_user $sphinx_usr $sphinx_grp "$sphinx_gcos" \ + $sphinx_home $sphinx_shell + fi + ;; + POST-INSTALL) + + # Create and set ownership of the Sphinx working directory + if [ -d $sphinx_dir ]; then + echo "==> Using pre-existing directory $sphinx_dir" + else + echo "==> Creating the Sphinx working directory: $sphinx_dir" + mkdir -m 755 $sphinx_dir || exit 1 + fi + + # Create and set ownership of the Sphinx data directory + if [ -d $sphinx_dir/data ]; then + echo "==> Using pre-existing directory $sphinx_dir/data" + else + echo "==> Creating the Sphinx data directory: $sphinx_dir/data" + mkdir -m 755 $sphinx_dir/data || exit 1 + fi + + echo "===> Adjusting file ownership in $sphinx_dir" + chown -R $sphinx_usr:$sphinx_grp $sphinx_dir || exit 1 + ;; +esac + +# +# That's All Folks! +# diff -Nur /usr/ports/textproc/sphinxsearch/files/sphinxsearch.sh.in sphinxsearch/files/sphinxsearch.sh.in --- /usr/ports/textproc/sphinxsearch/files/sphinxsearch.sh.in Sat Nov 18 22:54:07 2006 +++ sphinxsearch/files/sphinxsearch.sh.in Sun Jan 28 23:45:56 2007 @@ -15,11 +15,16 @@ # # %%PORTNAME%%_conffile="%%CFGFILE%%" # -- path to config file -# %%PORTNAME%%_pidfile="/var/run/searchd.pid" +# %%PORTNAME%%_pidfile="%%SPHINX_RUN%%/searchd.pid" # -- location of pidfile: must match setting # in ${%%PORTNAME%%_conffile} +# %%PORTNAME%%_user="%%SPHINX_USR%%" +# -- user to run searchd as +# %%PORTNAME%%_group="%%SPHINX_GRP%%" +# -- group to run searchd as +# %%PORTNAME%%_logdir="%%SPHINX_LOG%%" +# -- directory searchd writes logs to # - . /etc/rc.subr name=%%PORTNAME%% 
@@ -27,12 +32,31 @@ %%PORTNAME%%_enable=${%%PORTNAME%%_enable-"NO"} %%PORTNAME%%_conffile=${%%PORTNAME%%_conffile-"%%CFGFILE%%"} -%%PORTNAME%%_pidfile=${%%PORTNAME%%_pidfile-"/var/run/searchd.pid"} +%%PORTNAME%%_pidfile=${%%PORTNAME%%_pidfile-"%%SPHINX_RUN%%/searchd.pid"} +%%PORTNAME%%_user=${%%PORTNAME%%_user-"%%SPHINX_USR%%"} +%%PORTNAME%%_group=${%%PORTNAME%%_group-"%%SPHINX_GRP%%"} +%%PORTNAME%%_logdir=${%%PORTNAME%%_logdir-"%%SPHINX_LOG%%"} + +start_precmd="create_dirs" command=%%PREFIX%%/sbin/searchd pidfile=${%%PORTNAME%%_pidfile} required_files=${%%PORTNAME%%_conffile} %%PORTNAME%%_flags="--config ${%%PORTNAME%%_conffile}" + +create_dirs () +{ + piddir=$(dirname ${%%PORTNAME%%_pidfile}) + if [ ! -d ${piddir} ]; then + mkdir -m 755 -p ${piddir} + chown -R ${%%PORTNAME%%_user}:${%%PORTNAME%%_group} ${piddir} + fi + if [ ! -d ${%%PORTNAME%%_logdir} ]; then + mkdir -m 755 -p ${%%PORTNAME%%_logdir} + chown -R ${%%PORTNAME%%_user}:${%%PORTNAME%%_group} \ + ${%%PORTNAME%%_logdir} + fi +} load_rc_config ${name} run_rc_command "$1" --- sphinxsearch.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
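Review bot: the Makefile's post-install-cfg target only copies ${CFGFILE}.sample when ${CFGFILE} does not exist, so on an upgrade the existing sphinx.conf keeps /var/run/searchd.pid and /var/log/searchd.log while the rc script now starts searchd as %%SPHINX_USR%%, which cannot write to those locations. The "Note to Users" text lives only in this PR; suggest shipping it as a pkg-message or echoing it from the POST-INSTALL step, so the required config merge is announced at install time rather than discovered when searchd fails to start.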
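Review bot: in files/pkg-install.in, PRE-INSTALL, the `pw group show -n $sphinx_grp` check is nested inside the branch taken only when the user is missing, so a pre-existing $sphinx_usr without a matching $sphinx_grp skips group creation and the later `chown -R $sphinx_usr:$sphinx_grp $sphinx_dir` in POST-INSTALL exits 1. Suggest testing and creating the group first, independently of the user check, and then creating the user only if it is absent.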
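Review bot: in files/pkg-install.in, POST-INSTALL, `chown -R $sphinx_usr:$sphinx_grp $sphinx_dir` also runs on the "Using pre-existing directory" path, and SPHINX_DIR is overridable (`SPHINX_DIR?=`) in the Makefile, so a build that points SPHINX_DIR at a directory already in use recursively hands that whole tree to the unprivileged user. Suggest restricting the ownership change to $sphinx_dir and $sphinx_dir/data, or to directories this script created, and quoting the expansions ("$sphinx_dir") since the %%SPHINX_*%% substitutions are inserted unquoted and unvalidated in both pkg-install.in and pkg-deinstall.in.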
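Review bot: in files/sphinxsearch.sh.in, create_dirs sets ownership only inside the `[ ! -d ... ]` branches, so a pid or log directory that already exists with a different owner (for instance after %%PORTNAME%%_user is changed in rc.conf) is left as it is and the unprivileged searchd cannot write its pidfile or logs. Suggest checking or resetting ownership of the two directories on every start rather than only at creation. The log directory is also created with `-m 755`; since it holds sphinx-query.log, 750 would be a more conservative default. The header comment says the pidfile "must match setting" in the config file, and %%PORTNAME%%_logdir needs the same remark.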