From owner-freebsd-ports@FreeBSD.ORG Mon Jun 28 09:57:05 2010 Return-Path: Delivered-To: freebsd-ports@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 897F61065689 for ; Mon, 28 Jun 2010 09:57:05 +0000 (UTC) (envelope-from vmagerya@gmail.com) Received: from mail-fx0-f54.google.com (mail-fx0-f54.google.com [209.85.161.54]) by mx1.freebsd.org (Postfix) with ESMTP id 1228F8FC1B for ; Mon, 28 Jun 2010 09:57:04 +0000 (UTC) Received: by fxm13 with SMTP id 13so942033fxm.13 for ; Mon, 28 Jun 2010 02:56:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=GjNkdwbEjLqqj0CmWjOp9PkyJ37eS7zZ0Sl4qZs9k08=; b=MStzFBIB2NCsAM5cVV9bbBfqA5DgSoVn16SRg7oKJoycsbsqWw0GtolB4RbnKhNQqk 8kxixEckMBQoloCUGdLnTyWlNeH9ebTSgCJT8/CvZ7/GJNpa6CdvT2qNN5GPgS4Ma3pd +lRaju6QJm5CaH45znh9t2WgPYneZq0/bqAI8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=XrBQYYD88SwKxvIhQOnsol+X2SvxLIsaVHtUhLAkmAQE6bbbvZwNHSVxAtbnBNnzpE W8rll149nqNsc0e0sZj19/u08P9UShMh6E9Od7YMd3v+7fDYkY3zhnRYAYybzFk8KZwd rs1spLbbnhzGZ1coaGLZPN43YGS0y5eouO3Xc= Received: by 10.223.100.141 with SMTP id y13mr3586485fan.15.1277719017410; Mon, 28 Jun 2010 02:56:57 -0700 (PDT) Received: from [172.29.1.142] (altimet-gw.cs2.dp.wnet.ua [217.20.178.249]) by mx.google.com with ESMTPS id d2sm44941053fak.44.2010.06.28.02.56.56 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 28 Jun 2010 02:56:56 -0700 (PDT) Message-ID: <4C28733E.9050003@gmail.com> Date: Mon, 28 Jun 2010 13:02:38 +0300 From: Vitaly Magerya User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5 MIME-Version: 1.0 To: =?ISO-8859-1?Q?Olivier_Cochard-Labb=E9?= References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Cc: freebsd-ports-mailinglist Subject: Re: Call for testers: www/shellinabox (Shell in a Box) X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jun 2010 09:57:05 -0000 Olivier Cochard-Labbé wrote: > I've just finished my port of Shell in a Box: It's a secure web server > that provide ajax terminal emulator. > More information on the official website: http://code.google.com/p/shellinabox/ After looking at the port for a while, I have some suggestions. The port creates ${PREFIX}/etc/shellinabox directory, chowns it to nobody and chmods it to 777. The reason for this is that shellinabox creates certificates during the runtime and stores them into that directory, but it only does that after dropping to "nobody" user. As the author of shellinabox notes [1], this is a bad idea, because any user can read and modify your keys this way. I also have a vague feeling that storing variable files in ${PREFIX}/etc/shellinabox is a bad idea as well (to compare, Debian port uses /var/lib/shellinabox). So what I propose is this: 1. Create "shellinabox" user and group (via USERS and GROUPS). 2. Update rc script to start shellinaboxd with that user and group. 3. Make the certificate directory 700, owned by shellinabox:shellinabox. 4. Move the certificate directory to /var/shellinabox or similar (what's our conventional location for this kind of files?). I'm not sure on the 4 though. Any thoughts? [1] http://code.google.com/p/shellinabox/issues/detail?id=22#c2