Date: Thu, 26 Jan 2012 15:13:46 -0500 (EST)
From: Michael Scheidell <scheidell@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/164529: [PATCH] security/swatch doesn't always find running process
Message-ID: <20120126201346.0933E1D3E7@scanner.secnap.net>
Resent-Message-ID: <201201262020.q0QKK9S9038455@freefall.freebsd.org>
>Number:         164529
>Category:       ports
>Synopsis:       [PATCH] security/swatch doesn't always find running process
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 26 20:20:09 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Michael Scheidell
>Release:        FreeBSD 7.4-RELEASE-p3 i386
>Organization:
SECNAP Network Security Corp
>Environment:
amd7.4, amd7.3, i386 7.3
>Description:
1) service swatch status won't always show status, which means it won't always stop, restart, etc.

If swatch_x_flags is greater than 222 bytes, then you need procname=/usr/local/bin/perl; if < 222, you don't.

This is due to the $0 limit in perl (http://perldoc.perl.org/perlvar.html):

"Note that there are platform-specific limitations on the maximum length of $0. In the most extreme case it may be limited to the space occupied by the original $0."

2) swatch would LIKE to have p5-File-Tail as a dependency (if you don't use the default tail command):

"Checking if your kit is complete...
Looks good
Warning: prerequisite File::Tail 0 not found.
Writing Makefile for swatch"

>How-To-Repeat:
1) have a very long log file name (so that swatch_1_flags is > 222 bytes); have multiple files, same.
2) pkg_delete p5-File-Tail\* and reinstall swatch. Look for the error.
>Fix:
1) this patch takes the $command $swatch_x_flags and the 'suffix' (perl), two byte padding, and compares it to 255.

If swatch worked for you before (service swatch (status|stop|restart)) then this should work. If it didn't work before, and you had lots of little swatches running, this should fix it.

I asked in ports@ and perl@ and didn't really get any good answers to this ugly hack.

(note: two options, instead of setting procname, you could 'err 1 swatch_${i}_flags too long' in rc.
or you could patch swatch to fail if cmdarg > (too long) 2) this patch will bring in File-Tail, and allow for both smaller swatch_x_flags lens and larger ones. - patch swatch.rc to check for buffer overflow in cmdarg with long _flags lines - add p5-File-Tail dependency --- swatch.patch begins here --- Index: Makefile =================================================================== RCS file: /home/pcvs/ports/security/swatch/Makefile,v retrieving revision 1.31 diff -u -r1.31 Makefile --- Makefile 21 Jan 2012 17:40:12 -0000 1.31 +++ Makefile 26 Jan 2012 19:55:30 -0000 @@ -7,7 +7,7 @@ PORTNAME= swatch PORTVERSION= 3.2.3 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security sysutils MASTER_SITES= SF @@ -17,7 +17,8 @@ BUILD_DEPENDS= \ ${SITE_PERL}/Date/Format.pm:${PORTSDIR}/devel/p5-TimeDate \ ${SITE_PERL}/Date/Manip.pm:${PORTSDIR}/devel/p5-Date-Manip \ - ${SITE_PERL}/Date/Calc.pm:${PORTSDIR}/devel/p5-Date-Calc + ${SITE_PERL}/Date/Calc.pm:${PORTSDIR}/devel/p5-Date-Calc \ + ${SITE_PERL}/File/Tail.pm:${PORTSDIR}/devel/p5-File-Tail RUN_DEPENDS:= ${BUILD_DEPENDS} PERL_CONFIGURE= yes Index: files/swatch.in =================================================================== RCS file: /home/pcvs/ports/security/swatch/files/swatch.in,v retrieving revision 1.7 diff -u -r1.7 swatch.in --- files/swatch.in 14 Jan 2012 08:56:53 -0000 1.7 +++ files/swatch.in 26 Jan 2012 19:55:30 -0000 
@@ -21,15 +21,20 @@ name=swatch rcvar=swatch_enable +# set some defaults +: ${swatch_enable="NO"} command=%%PREFIX%%/bin/swatch -procname=%%LOCALBASE%%/bin/perl load_rc_config ${name} if [ -n "${swatch_rules}" ]; then for i in ${swatch_rules}; do eval swatch_flags=\$swatch_${i}_flags + len=`echo "0${command} ${swatch_flags} (perl)0" | wc -c` + if [ $len -ge 255 ];then + procname=%%LOCALBASE%%/bin/perl + fi eval swatch_user=\$swatch_${i}_user eval swatch_chdir=\$swatch_${i}_chdir eval pidfile=\$swatch_${i}_pidfile --- swatch.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
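Review bot: in the Makefile BUILD_DEPENDS hunk, the new ${SITE_PERL}/File/Tail.pm:${PORTSDIR}/devel/p5-File-Tail entry becomes an unconditional run-time dependency through the existing RUN_DEPENDS:= ${BUILD_DEPENDS}, while the description says File::Tail is only wanted when the default tail command is not used. Consider gating it behind an OPTIONS knob, or at least putting a comment next to the entry saying why a module the default configuration never loads is pulled in for everyone.

Review bot: in the files/swatch.in hunk, procname is never reset inside the for i in ${swatch_rules} loop, so once one rule's flags reach the 255-byte threshold, procname=%%LOCALBASE%%/bin/perl stays set for every rule that follows, including short ones. The hunk removes the unconditional procname line precisely so that short-flag rules run without it, and the carried-over value defeats that for any rule listed after a long one. Set it explicitly at the top of each iteration, e.g. `procname=${command}` right before the len= line, and only override it in the -ge 255 branch. Two smaller points on the same hunk: the len= computation counts the newline emitted by echo as well, so the margin is three bytes rather than the two padding bytes the PR text describes, and a one-line comment above it explaining the " (perl)" suffix and the 255 limit would spare the next reader a trip to the PR; and `if [ $len -ge 255 ];then` wants a space before then. The new `: ${swatch_enable="NO"}` default is also placed before load_rc_config ${name}, whereas FreeBSD rc scripts conventionally set defaults after it using the := form.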
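As an added example (not part of this PR or of the port's swatch.in), the same length check written as a per-rule function that resets procname on every rule, alongside the "err out if the flags are too long" alternative the PR mentions. It follows the PR's 255-byte threshold and the " (perl)" suffix perl shows in ps; the swatch_rules and swatch_*_flags values are constructed sample settings, and limit, cmdline_len, procname_for and check_flags_len are names chosen here, not rc.subr or port variables.

```shell
#!/bin/sh
# Added example, not code from the PR or the port.  It mirrors the proposed
# swatch.in check but re-evaluates procname for every rule so that a long
# rule cannot leave procname=perl set for a short one that follows it.
# The 255-byte limit and the " (perl)" suffix are taken from the PR text.

command=/usr/local/bin/swatch
localbase=/usr/local
limit=255

# Constructed sample configuration (rc.conf style): one rule that fits and
# one whose flags are pushed well past the limit by a 240-byte path component.
swatch_rules="short long"
swatch_short_flags="-c /usr/local/etc/swatch.conf -t /var/log/messages"
long_dir=$(printf '%0240d' 0 | tr 0 x)
swatch_long_flags="-c /usr/local/etc/swatch.conf -t /var/log/$long_dir.log"

# Byte length of the command line as perl would present it in ps: the
# script path, its flags and the " (perl)" suffix.  printf (not echo) is
# used so that no trailing newline is counted; tr strips BSD wc padding.
cmdline_len() {
    printf '%s %s (perl)' "$command" "$1" | wc -c | tr -d ' '
}

# Print the procname to use for one rule: the script path when $0 fits,
# the interpreter when perl would have to truncate it.
procname_for() {
    # reset on every call; nothing carries over from the previous rule
    procname=$command
    if [ "$(cmdline_len "$1")" -ge "$limit" ]; then
        procname=$localbase/bin/perl
    fi
    echo "$procname"
}

# The alternative the PR mentions: refuse to guess and fail instead.
# Returns 0 when the flags fit, 1 when they would be truncated.
check_flags_len() {
    [ "$(cmdline_len "$1")" -lt "$limit" ]
}

# Walk the rules the way the rc script does and report the decision per rule.
for i in $swatch_rules; do
    eval flags=\$swatch_${i}_flags
    echo "$i: len=$(cmdline_len "$flags") procname=$(procname_for "$flags")"
    check_flags_len "$flags" || echo "$i: swatch_${i}_flags too long"
done
```

The reset at the top of procname_for is the whole point: run procname_for for the long rule and then for the short one, and the short rule still comes back with the swatch path, which the once-set version in the patch would not do.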