From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Jul 15 13:10:02 2013
Message-Id: <201307151259.r6FCxtMs003852@wilma.widomaker.com>
Date: Mon, 15 Jul 2013 08:59:55 -0400 (AST)
From: Jason Harris
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: ports/180573: MAINTAINER-UPDATE shells/rssh -> support latest rsync
Cc: Jason Harris, John Marshall
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: Jason Harris
List-Id: Ports bug reports
X-List-Received-Date: Mon, 15 Jul 2013 13:10:02 -0000

>Number: 180573
>Category: ports
>Synopsis: MAINTAINER-UPDATE shells/rssh -> support latest rsync
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 15 13:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Jason Harris
>Release: FreeBSD 9.1-RELEASE amd64
>Organization: bitrote.org
>Environment:
FreeBSD laptop 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

>Description:
Note: This supersedes PR ports/175176

1) Add support for the latest rsync (command line invocations) using the Debian patch provided by John Marshall in PR ports/175176.
2) Freshen pkg-descr and COMMENT.

>How-To-Repeat:
1) apply patch below
2) %mkdir files
3) %mv optional-patch-util.c files/
3) %svn add files/optional-patch-util.c
...
n-1) please close PR ports/175176, which this PR supersedes
n++) please commit PR ports/180491: MAINTAINER-UPDATE math/units -> 2.02
n++) please commit PR ports/180221: new port: ftp/p5-curl

>Fix:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

diff -r b6ef9fe7aaec Makefile --- a/Makefile Mon Jul 15 08:33:12 2013 -0400 +++ b/Makefile Mon Jul 15 08:36:25 2013 -0400 
@@ -3,19 +3,24 @@ PORTNAME= rssh PORTVERSION= 2.3.4 +PORTREVISION= 1 CATEGORIES= shells security MASTER_SITES= SF MAINTAINER= jharris@widomaker.com -COMMENT= Restricted Secure SHell only for sftp or/and scp +COMMENT= Restricted Secure SHell only for sftp/scp/rdist/rsync/CVS + +LICENSE= BSD +LICENSE_FILE= ${WRKSRC}/LICENSE GNU_CONFIGURE= yes MAN1= rssh.1 MAN5= rssh.conf.5 -OPTIONS_DEFINE= RDIST +OPTIONS_DEFINE= RDIST RSYNC3 RDIST_DESC= rdist support +RSYNC3_DESC= Add support for rsync 3 (Debian patch) .include @@ -24,6 +29,10 @@ CONFIGURE_ARGS+=--with-rdist=${LOCALBASE}/bin/rdist6 .endif +.if ${PORT_OPTIONS:MRSYNC3} +EXTRA_PATCHES= ${FILESDIR}/optional-patch-util.c +.endif + post-patch: @${REINPLACE_CMD} -E -e 's,(\$$\(DESTDIR\)\$$\(sysconfdir\)/\$$\$$f),\1.dist,g' \ ${WRKSRC}/Makefile.in diff -r b6ef9fe7aaec files/optional-patch-util.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/files/optional-patch-util.c Mon Jul 15 08:36:25 2013 -0400 
@@ -0,0 +1,103 @@ +--- util.c.orig 2012-11-27 12:14:49.000000000 +1100 ++++ util.c 2013-01-09 17:52:54.000000000 +1100 +@@ -56,6 +56,7 @@ + #ifdef HAVE_LIBGEN_H + #include + #endif /* HAVE_LIBGEN_H */ ++#include + + /* LOCAL INCLUDES */ + #include "pathnames.h" +@@ -198,6 +199,73 @@ + + + /* ++ * rsync_e_okay() - take the command line passed to rssh and look for an -e ++ * option. If one is found, make sure --server is provided ++ * and the option contains only the protocol information. ++ * Also check for and reject any --rsh option. Returns FALSE ++ * if the command line should not be allowed, TRUE if it is ++ * okay. ++ */ ++static int rsync_e_okay( char **vec ) ++{ ++ regex_t re; ++ int server = FALSE; ++ int e_found = FALSE; ++ ++ /* ++ * rsync will send -e, followed by either just "." (meaning no special ++ * protocol) or "N.N" (meaning a pre-release protocol version), ++ * followed by some number of alphabetic flags indicating various ++ * supported options. There may be other options between - and the e, ++ * but -e will always be the last option in the string. A typical ++ * option passed by the client is "-ltpre.iL". ++ * ++ * Note that if --server is given, this should never be parsed as a ++ * shell, but we'll tightly verify it anyway, just in case. ++ * ++ * This regex matches the acceptable flags containing -e, so if it ++ * does not match, the command line should be rejected. ++ */ ++ static const char pattern[] ++ = "^-[a-df-zA-Z]*e[0-9]*\\.[0-9]*[a-zA-Z]*$"; ++ ++ /* ++ * Only recognize --server if it's the first option. rsync itself ++ * always passes it that way, and if it's not the first argument, it ++ * could be hidden from the server as an argument to some other ++ * option. ++ */ ++ if ( vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0 ){ ++ server = TRUE; ++ } ++ ++ /* Check the remaining options for -e or --rsh. 
*/ ++ if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){ ++ return FALSE; ++ } ++ while (vec && *vec){ ++ if ( strcmp(*vec, "--") == 0 ) break; ++ if ( strcmp(*vec, "--rsh") == 0 ++ || strncmp(*vec, "--rsh=", strlen("--rsh=")) == 0 ){ ++ regfree(&re); ++ return FALSE; ++ } ++ if ( strncmp(*vec, "--", 2) != 0 && opt_exist(*vec, 'e') ){ ++ e_found = TRUE; ++ if ( regexec(&re, *vec, 0, NULL, 0) != 0 ){ ++ regfree(&re); ++ return FALSE; ++ } ++ } ++ vec++; ++ } ++ regfree(&re); ++ if ( e_found && !server ) return FALSE; ++ return TRUE; ++} ++ ++ ++/* + * check_command_line() - take the command line passed to rssh, and verify + * that the specified command is one the user is + * allowed to run and validate the arguments. Return the +@@ -230,14 +298,10 @@ + + if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){ + /* filter -e option */ +- if ( opt_filter(cl, 'e') ) return NULL; +- while (cl && *cl){ +- if ( strstr(*cl, "--rsh" ) ){ +- fprintf(stderr, "\ninsecure --rsh= not allowed."); +- log_msg("insecure --rsh option in rsync command line!"); +- return NULL; +- } +- cl++; ++ if ( !rsync_e_okay(cl) ){ ++ fprintf(stderr, "\ninsecure -e or --rsh option not allowed."); ++ log_msg("insecure -e or --rsh option in rsync command line!"); ++ return NULL; + } + return PATH_RSYNC; + } diff -r b6ef9fe7aaec pkg-descr --- a/pkg-descr Mon Jul 15 08:33:12 2013 -0400 +++ b/pkg-descr Mon Jul 15 08:36:25 2013 -0400 
@@ -1,6 +1,6 @@ -rssh is a Restricted Secure SHell that allow only the use of sftp -or scp. It could be use when you need an account (and a valid -shell) in order to execute sftp or scp but when you don't want to -give the possibility to log in to this user. +rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. +It now also includes support for rdist, rsync, and CVS. For example, if you +have a server which you only want to allow users to copy files off of via scp, +without providing shell access, you can use rssh to do that. WWW: http://www.pizzashack.org/rssh/index.shtml -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (FreeBSD) iJ0EARECAF0FAlHj7M1WGGh0dHA6Ly9rZXlzZXJ2ZXIua2pzbC5jb206MTEzNzEv cGtzL2xvb2t1cD9vcD1nZXQmc2VhcmNoPTB4RDM5REEwRTMmd2VoYXZleW91bm93 PXRydWUACgkQSypIl9OdoONfuACZAe99zTNywbCtjd416/7cxL9chMUAoJ3W2d/u PGfSt1QGdtJe+pjxHKf/ =ZJjs -----END PGP SIGNATURE----- >Release-Note: >Audit-Trail: >Unformatted:
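Review bot: RSYNC3 is added to OPTIONS_DEFINE in the first Makefile hunk, but nothing visible in that hunk puts it in OPTIONS_DEFAULT, so a default build keeps the old path that refuses any -e (`if ( opt_filter(cl, 'e') ) return NULL;`) and the rsync 3 support named in the synopsis stays off. If the Debian check is meant to ship by default, add `OPTIONS_DEFAULT= RSYNC3`; if it is opt-in on purpose, say why in RSYNC3_DESC or in the PR text so packagers know what they get.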
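Review bot: in the `.if ${PORT_OPTIONS:MRSYNC3}` block of the second Makefile hunk, EXTRA_PATCHES is assigned with `=` rather than `+=`, which discards any value set earlier and will silently drop one patch as soon as a second conditional patch is added; use `EXTRA_PATCHES+=`. The name optional-patch-util.c also reads like a C source file; the usual ports naming for a conditionally applied patch is an extra-patch- prefix (for example files/extra-patch-util.c), which would make its role obvious in the files directory.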
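Review bot: in rsync_e_okay() inside files/optional-patch-util.c, a regcomp() failure returns FALSE, and the caller in check_command_line() then prints and logs "insecure -e or --rsh option in rsync command line!", so an internal error is recorded as a policy violation by the user. Failing closed is the right behaviour, but log the regcomp failure with its own message before returning so the audit trail can tell the two cases apart. Separately, the --rsh test changes from `strstr(*cl, "--rsh")` to an exact match plus a `--rsh=` prefix match, which is narrower than the check it replaces; a comment stating that the narrowing is intended, and why, would help whoever audits this filter next.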
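Review bot: the new pkg-descr text "It now also includes support for rdist, rsync, and CVS" overstates what a default package does, because in the Makefile rdist handling sits behind the RDIST option and the rsync 3 command-line check behind RSYNC3. Say that these depend on build options, and drop "now", which dates quickly in a package description.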