Date: Sun, 8 Nov 2009 13:31:50 -0800 (PST) 
From: Bob Hockney
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: ports/140399: Update port: security/webfwlog Add needed patch and other changes

>Number: 140399
>Category: ports
>Synopsis: Update port: security/webfwlog Add needed patch and other changes
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 09 01:40:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Bob Hockney
>Release: FreeBSD 6.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD notebook 6.4-STABLE FreeBSD 6.4-STABLE #0: Fri Nov 6 21:00:06 PST 2009 root@notebook:/usr/obj/usr/src/sys/GENERIC i386

This is a patch for security/webfwlog which does several things:

- Adds a needed patch
- Include bsd.port.options.mk to give option knobs effect (was inadvertently deleted last commit)
- Set BINMODE to 4550 and BINGRP to WWWGRP. This installs the executable suid root, which generates an install-time message about elevated permissions. This was the case prior to do-install being added at revision 1.4. This is a log analyzer and needs to be able to read the logs, and since it is running under the web server it won't usually be able to do so unless installed suid root. I understand the security concerns here and wanted to explain why I did this.
- Reset permissions on directory after COPYTREE_SHARE to 555. I'm not sure what's happening here, but my cpio sets permissions on the current directory to 700 during this operation, so the webserver doesn't have access to the files. The package downloaded from ftp.FreeBSD.org does not appear to have this issue. I'm running 6-stable rebuilt from recently synced sources and also have a recent ports tree.
- Ask for required php extensions
- Other minor stuff

-Bob

diff -ru security/webfwlog-orig/Makefile security/webfwlog/Makefile --- security/webfwlog-orig/Makefile 2009-10-17 18:13:19.000000000 -0700 +++ security/webfwlog/Makefile 2009-11-08 12:16:40.000000000 -0800
@@ -7,45 +7,55 @@ PORTNAME= webfwlog PORTVERSION= 0.94 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= SF/${PORTNAME}/${PORTNAME}/${PORTNAME}-${PORTVERSION} +PATCHFILES= webfwlog-0.94-tcpflags.patch +PATCH_SITES= http://devel.webfwlog.net/download/patches/ + MAINTAINER= zeus@ix.netcom.com COMMENT= A web-based firewall log analyzer OPTIONS= MYSQL "Include MySQL Support" on \ - POSTGRESQL "Include PostgreSQL Support" off + PGSQL "Include PostgreSQL Support" off GNU_CONFIGURE= yes -CONFIGURE_ARGS+=--with-html-doc-root=${PREFIX}/${HTML_DOC_ROOT} -CONFIGURE_ARGS+=--enable-syslog +CONFIGURE_ARGS+= --with-html-doc-root=${PREFIX} +CONFIGURE_ARGS+= --enable-syslog -USE_PHP= yes +USE_PHP= session pcre WANT_PHP_WEB= yes -# Set HTML_DOC_ROOT to your webserver's Document Root where you -# want to install webfwlog, relative to ${PREFIX}. - SUB_FILES= pkg-message +SUB_LIST+= VERSION=${PORTVERSION} PORTDOCS= AUTHORS COPYING CREDITS ChangeLog INSTALL \ README ReleaseNotes PORTEXAMPLES= * +.include + .if defined(WITH_MYSQL) +USE_PHP+= mysql USE_MYSQL= yes -CONFIGURE_ARGS+=--with-mysql +CONFIGURE_ARGS+= --with-mysql .endif -.if defined(WITH_POSTGRESQL) -USE_PGSQL= -CONFIGURE_ARGS+=--with-pgsql +.if defined(WITH_PGSQL) +USE_PHP+= pgsql +USE_PGSQL= yes +CONFIGURE_ARGS+= --with-pgsql .endif +BINMODE= 4550 +BINGRP= ${WWWGRP} + do-install: @${MKDIR} ${WWWDIR} @${MKDIR} ${WWWDIR}/include/ - @(cd ${WRKSRC}/webfwlog/include/ && ${COPYTREE_SHARE} \* ${WWWDIR}/include/) + @(cd ${WRKSRC}/webfwlog/include/ && ${COPYTREE_SHARE} \*.php ${WWWDIR}/include/) + ${CHMOD} 555 ${WWWDIR}/include ${INSTALL_PROGRAM} ${WRKSRC}/syslog/wfwl_syslog ${PREFIX}/bin/ ${INSTALL_DATA} ${WRKSRC}/webfwlog/style.css ${WWWDIR} ${INSTALL_DATA} ${WRKSRC}/webfwlog/index.php ${WWWDIR} Only in security/webfwlog: diffs diff -ru security/webfwlog-orig/distinfo security/webfwlog/distinfo --- security/webfwlog-orig/distinfo 2009-10-17 18:13:19.000000000 -0700 +++ security/webfwlog/distinfo 2009-11-07 19:05:18.000000000 -0800 
@@ -1,3 +1,6 @@ MD5 (webfwlog-0.94.tar.gz) = 5af2fbbd36b039c004592e9dbf10ccc1 SHA256 (webfwlog-0.94.tar.gz) = c1b84dd4036aa9f81fc4fbd527eda202e51c3767659b8f1eef12bfb3381c5b36 SIZE (webfwlog-0.94.tar.gz) = 288138 +MD5 (webfwlog-0.94-tcpflags.patch) = 4d8a8e5f926832e504b196582b0fc85d +SHA256 (webfwlog-0.94-tcpflags.patch) = b29df0df2b62ec99f121e50033b852e1a5177f0db1b31ecf12a8c535a16812dd +SIZE (webfwlog-0.94-tcpflags.patch) = 455 diff -ru security/webfwlog-orig/files/pkg-message.in security/webfwlog/files/pkg-message.in --- security/webfwlog-orig/files/pkg-message.in 2005-10-12 19:16:48.000000000 -0700 +++ security/webfwlog/files/pkg-message.in 2009-11-08 07:37:53.000000000 -0800 @@ -1,4 +1,4 @@ -Webfwlog-0.91 has been installed. You should read the README in the mysql or +Webfwlog-%%VERSION%% has been installed. You should read the README in the mysql or pgsql directoy in %%DOCSDIR%% for information on setting up your MySQL or PostgreSQL server for use with webfwlog, and also copy the webfwlog.conf.sample file in %%PREFIX%%/etc to webfwlog.conf and diff -ru security/webfwlog-orig/pkg-plist security/webfwlog/pkg-plist --- security/webfwlog-orig/pkg-plist 2009-10-17 18:13:19.000000000 -0700 +++ security/webfwlog/pkg-plist 2009-11-08 07:18:25.000000000 -0800 @@ -45,7 +45,6 @@ %%WWWDIR%%/include/static.php %%WWWDIR%%/include/syslog.php %%WWWDIR%%/include/update_cache.php -%%WWWDIR%%/include/config.php.in %%WWWDIR%%/style.css %%WWWDIR%%/index.php %%PORTDOCS%%@dirrm %%DOCSDIR%%/pgsql/scripts >Description: >How-To-Repeat: >Fix: >Release-Note: >Audit-Trail: >Unformatted:
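
Review bot: In the security/webfwlog/Makefile hunk, the added "BINMODE= 4550" and "BINGRP= ${WWWGRP}" make ${PREFIX}/bin/wfwl_syslog a setuid-root program executable by the web server's group, and nothing in the Makefile records why. The rationale exists only in the PR text (the analyzer runs under the web server and must read the logs), so add a comment next to the two assignments stating it. Both variables are set port-wide, so they apply to every ${INSTALL_PROGRAM} call in the port, not only the one visible in do-install; if further programs are ever installed this way they would inherit the setuid bit. Since the stated need is read access to the logs, it is also worth asking whether that access could be granted through group ownership of the log files instead of running the binary as root.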
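
Review bot: In the security/webfwlog/distinfo hunk, the three added entries for webfwlog-0.94-tcpflags.patch are the only integrity check on a file that the Makefile hunk fetches from a plain http:// PATCH_SITES URL, and the patch body itself is not part of this submission. Whoever commits this should fetch the patch independently, read it (it is only 455 bytes per the SIZE line), and confirm the SHA256 matches before the checksum is accepted into the tree, particularly because the patched program is the one being installed setuid root.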
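
Review bot: In the security/webfwlog/files/pkg-message.in hunk, the unchanged context line directly below the edited one still reads "pgsql directoy"; since the message is being touched anyway, correct it to "directory" in the same change. The switch from the hard-coded "Webfwlog-0.91" to %%VERSION%% relies on the "SUB_LIST+= VERSION=${PORTVERSION}" line added in the Makefile hunk, so the two must be committed together.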