Date: Fri, 6 Nov 2020 18:38:46 +0000 (UTC) From: Craig Leres <leres@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r554309 - in head/security/zeek: . files Message-ID: <202011061838.0A6IckYN069359@repo.freebsd.org>
Author: leres Date: Fri Nov 6 18:38:46 2020 New Revision: 554309 URL: https://svnweb.freebsd.org/changeset/ports/554309 Log: security/zeek: Fix build on armv7 and allow running as non-root user Apply Renato Botelho's fix for the ARCH used in PLIST_SUB (with some changes). Essentially use uname -m instead of trying to fix up the ARCH defined by bsd.port.mk (uname -p). While we're here: - Convert networks.cfg, node.cfg, and zeekctl.cfg to use @sample - Use @sample to avoid clobbering site.zeek (oops). - Remove unnecessary subshell for the post-build-NETMAP-on target. - Silence the annoying "use ZeekControl.plugin instead of BroControl.plugin" nag. - Reformat the rc.d script. - Update the rc.d script to honor the zeek_user rc.d variable and update pkg-message.in with hints on how to run as user zeek. - Explain how to configure zeek to ignore checksum errors when NIC checksum offloading is in use. - Make share/zeekctl/scripts owned by user zeek to allow "zeekctl install" when running as user zeek. PR: 250886 Reported by: garga Modified: head/security/zeek/Makefile head/security/zeek/files/pkg-message.in head/security/zeek/files/zeek.in head/security/zeek/pkg-plist Modified: head/security/zeek/Makefile ============================================================================== --- head/security/zeek/Makefile Fri Nov 6 18:22:47 2020 (r554308) +++ head/security/zeek/Makefile Fri Nov 6 18:38:46 2020 (r554309) @@ -3,6 +3,7 @@ PORTNAME= zeek PORTVERSION= 3.0.11 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= https://old.zeek.org/downloads/ DISTFILES= ${DISTNAME}${EXTRACT_SUFX} @@ -45,7 +46,7 @@ CMAKE_ARGS+= -GNinja \ ZEEKUSER?= zeek ZEEKGROUP?= zeek -PLIST_SUB+= ARCH=${ARCH:S/aarch64/arm64/} \ +PLIST_SUB+= ARCH=${UNAME_M} \ ZEEKUSER=${ZEEKUSER} \ ZEEKGROUP=${ZEEKGROUP} \ LCASE_OPSYS=${OPSYS:tl} 
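Review bot: `ARCH=${UNAME_M}` in `PLIST_SUB` depends on a variable that is only assigned near the end of the Makefile, between `bsd.port.pre.mk` and `bsd.port.post.mk`, and nothing at the point of use says so. A comment above the assignment would help, for example `# UNAME_M (uname -m) is set after bsd.port.pre.mk; the plist ARCH follows it rather than the framework's ARCH (uname -p)`. Because `UNAME_M!= ${UNAME} -m` queries the build environment, it is worth confirming that cross or emulated package builds report the target machine rather than the host.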
@@ -98,13 +99,18 @@ ZEEKCTL_RUN_DEPENDS= ${LOCALBASE}/bin/bash:shells/bash USE_RC_SUBR= zeek .endif +post-patch: + # Silence the "use ZeekControl.plugin instead of BroControl.plugin" nag + @${REINPLACE_CMD} -e 's/^print/#&/' \ + ${WRKSRC}/aux/zeekctl/BroControl/__init__.py + post-install-ZEEKCTL-on: ${MKDIR} ${STAGEDIR}${PREFIX}/logs ${MKDIR} ${STAGEDIR}${PREFIX}/spool/tmp ${MKDIR} ${STAGEDIR}${PREFIX}/spool/installed-scripts-do-not-touch/auto ${MKDIR} ${STAGEDIR}${PREFIX}/spool/installed-scripts-do-not-touch/site .for F in zeekctl.cfg networks.cfg node.cfg - ${MV} ${STAGEDIR}${PREFIX}/etc/${F} ${STAGEDIR}${PREFIX}/etc/${F}.example + ${MV} ${STAGEDIR}${PREFIX}/etc/${F} ${STAGEDIR}${PREFIX}/etc/${F}.sample .endfor ${RM} ${STAGEDIR}${PREFIX}/share/zeekctl/scripts/zeekctl-config.sh ${LN} -s ../../../spool/zeekctl-config.sh \ @@ -112,14 +118,20 @@ post-install-ZEEKCTL-on: post-install: ${RM} -r ${STAGEDIR}${PREFIX}/share/zeek/cmake + ${MV} ${STAGEDIR}${DATADIR}/site/local.zeek \ + ${STAGEDIR}${DATADIR}/site/local.zeek.sample pre-install-ZEEKCTL-on: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/rc.d post-build-NETMAP-on: ${LN} -s ../.build ${WRKSRC}/build - (cd ${WRKSRC_bro_netmap} && ./configure --bro-dist=${WRKSRC} \ + cd ${WRKSRC_bro_netmap} && ./configure --bro-dist=${WRKSRC} \ --install-root=${STAGEDIR}${PREFIX}/lib/zeek/plugins && \ - make && make install) + make && make install -.include <bsd.port.mk> +.include <bsd.port.pre.mk> + +UNAME_M!= ${UNAME} -m + +.include <bsd.port.post.mk> Modified: head/security/zeek/files/pkg-message.in ============================================================================== --- head/security/zeek/files/pkg-message.in Fri Nov 6 18:22:47 2020 (r554308) +++ head/security/zeek/files/pkg-message.in Fri Nov 6 18:38:46 2020 (r554309) 
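Review bot: The substitution `s/^print/#&/` in the new `post-patch` target comments out every line of `BroControl/__init__.py` that begins with `print`, not only the deprecation nag named in the comment. If a later upstream release adds another top-level print, or the statement continues onto a second line, the edit would hide unrelated output or leave a dangling continuation that fails at import time. Anchoring the expression to the message text, or carrying a small patch under `files/`, would make the change fail loudly when upstream moves. The contents of `__init__.py` are not visible in this diff, so the current match may well be exact today.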
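Review bot: The rewritten `post-build-NETMAP-on` recipe still runs a literal `make && make install`, so the plugin sub-build bypasses the port's `MAKE_ENV` and job settings and writes into `${STAGEDIR}` during the build phase instead of at stage time. Consider `${SETENV} ${MAKE_ENV} ${MAKE_CMD}` for the build step and moving the install step into a `post-install-NETMAP-on` target. The preceding `${LN} -s ../.build ${WRKSRC}/build` is context here, but it will fail when the target is re-run with the link already present.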
@@ -1,12 +1,39 @@ [ { type: install message: <<EOM -During deinstall of this package, the cfg files for broctl -are not deleted if you have edited them. Instead -the software will create a .sample file instead and the -edited files will remain in place when you upgrade. If you -want to delete them, you have to delete them and the directory, -%%PREFIX%%/etc manually. +During deinstall of this package, the cfg files for broctl are not +deleted if you have edited them. Instead the software will create +a .sample file instead and the edited files will remain in place +when you upgrade. If you want to delete them, you have to remove +the %%PREFIX%%/etc directory manually. + +The rc.d script now honors the zeek_user rc.d variable. To run as +a user other than root (the default) you need to make a few changes. +For example to run as the user zeek, add this to /etc/rc.conf: + + zeek_enable="YES" + zeek_user="zeek" + +Add this to /etc/devfs.conf: + + own bpf root:bpf + perm bpf 0660 + +And add zeek to the bpf group: + + bpf:*:81:zeek + +and restart the devfs service: + + service devfs restart + +or reboot. + +If the interface defined in node.cfg is configured for NIC checksum +offloading (the default when this feature is supported by the +hardware) you will want to set ignore_checksums in site/local.zeek: + + redef ignore_checksums = T; EOM } ] Modified: head/security/zeek/files/zeek.in ============================================================================== --- head/security/zeek/files/zeek.in Fri Nov 6 18:22:47 2020 (r554308) +++ head/security/zeek/files/zeek.in Fri Nov 6 18:38:46 2020 (r554309) 
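Review bot: The new advice to set `redef ignore_checksums = T;` deserves a caveat, because it makes Zeek analyse packets whose checksums are genuinely invalid on the wire as well as those that only look invalid because of offloading. A monitor that accepts traffic the end host would discard can be desynchronised from what the host actually processed. The message could therefore first suggest disabling offload on the capture interface (for example `ifconfig <interface> -rxcsum -txcsum`) and keep `ignore_checksums` as the fallback. The `bpf:*:81:zeek` line also does not say which file it belongs in; naming `/etc/group` would match how the message names `/etc/rc.conf` and `/etc/devfs.conf`.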
@@ -17,65 +17,83 @@ node=$2 start_cmd="zeek_start" stop_cmd="zeek_stop" restart_cmd="zeek_restart" +check_cmd="zeek_check" deploy_cmd="zeek_deploy" install_cmd="zeek_install" cleanup_cmd="zeek_cleanup" restart_cmd="zeek_restart" status_cmd="zeek_status" -extra_commands="deploy install cleanup status restart" +extra_commands="check cleanup deploy install restart status" : ${zeekctl_program:=%%PREFIX%%/bin/zeekctl} +: ${zeek_user:=root} zeek_enable=${zeek_enable-"NO"} -zeek_start() { - if [ ! "${node}" ]; - then - $zeekctl_program start - else - $zeekctl_program start $node - fi +run() +{ + if [ "${zeek_user}" = "root" ]; then + $* + else + su -m ${zeek_user} -c "$*" + fi } -zeek_stop() { - if [ ! "${node}" ]; - then - $zeekctl_program stop - else - $zeekctl_program stop $node - fi +zeek_start() +{ + if [ ! "${node}" ]; then + run ${zeekctl_program} start + else + run ${zeekctl_program} start ${node} + fi } +zeek_stop() +{ + if [ ! "${node}" ]; then + run ${zeekctl_program} stop + else + run ${zeekctl_program} stop ${node} + fi +} + zeek_restart() { - if [ ! "${node}" ]; - then - $zeekctl_program restart - else - $zeekctl_program restart $node - fi + if [ ! "${node}" ]; then + run ${zeekctl_program} restart + else + run ${zeekctl_program} restart ${node} + fi } -zeek_deploy() { - $zeekctl_program deploy +zeek_check() +{ + run ${zeekctl_program} check } -zeek_install() { - $zeekctl_program install +zeek_deploy() +{ + run ${zeekctl_program} deploy } -zeek_cleanup() { - if [ ! "${node}" ]; - then - $zeekctl_program cleanup - else - $zeekctl_program cleanup ${node} - fi +zeek_install() +{ + run ${zeekctl_program} install } -zeek_status() { - $zeekctl_program status +zeek_cleanup() +{ + if [ ! 
"${node}" ]; then + run ${zeekctl_program} cleanup + else + run ${zeekctl_program} cleanup ${node} + fi } -load_rc_config $name +zeek_status() +{ + run ${zeekctl_program} status +} + +load_rc_config ${name} run_rc_command "$1" Modified: head/security/zeek/pkg-plist ============================================================================== --- head/security/zeek/pkg-plist Fri Nov 6 18:22:47 2020 (r554308) +++ head/security/zeek/pkg-plist Fri Nov 6 18:38:46 2020 (r554309) @@ -1,4 +1,5 @@ @postexec chown %%ZEEKUSER%%:%%ZEEKGROUP%% %D/logs +%%ZEEKCTL%%@postexec chown %%ZEEKUSER%%:%%ZEEKGROUP%% %D/share/zeekctl/scripts %%ZEEKCTL%%@postexec chown %%ZEEKUSER%%:%%ZEEKGROUP%% %D/spool %%ZEEKCTL%%@postexec chown %%ZEEKUSER%%:%%ZEEKGROUP%% %D/spool/tmp %%ZEEKCTL%%@postexec chown -R %%ZEEKUSER%%:%%ZEEKGROUP%% %D/spool/installed-scripts-do-not-touch @@ -16,15 +17,9 @@ bin/zeek-config bin/zeek-cut bin/zeek-wrapper %%ZEEKCTL%%bin/zeekctl -%%ZEEKCTL%%@preunexec if cmp -s %D/etc/networks.cfg.example %D/etc/networks.cfg ; then rm -f %D/etc/networks.cfg; fi -%%ZEEKCTL%%etc/networks.cfg.example -%%ZEEKCTL%%@postexec if [ ! -f %D/etc/networks.cfg ] ; then cp -p %D/etc/networks.cfg.example %D/etc/networks.cfg; fi -%%ZEEKCTL%%@preunexec if cmp -s %D/etc/node.cfg.example %D/etc/node.cfg ; then rm -f %D/etc/node.cfg; fi -%%ZEEKCTL%%etc/node.cfg.example -%%ZEEKCTL%%@postexec if [ ! -f %D/etc/node.cfg ] ; then cp -p %D/etc/node.cfg.example %D/etc/node.cfg; fi -%%ZEEKCTL%%@preunexec if cmp -s %D/etc/zeekctl.cfg.example %D/etc/zeekctl.cfg ; then rm -f %D/etc/zeekctl.cfg; fi -%%ZEEKCTL%%etc/zeekctl.cfg.example -%%ZEEKCTL%%@postexec if [ ! -f %D/etc/zeekctl.cfg ] ; then cp -p %D/etc/zeekctl.cfg.example %D/etc/zeekctl.cfg; fi +@sample etc/networks.cfg.sample +@sample etc/node.cfg.sample +@sample etc/zeekctl.cfg.sample include/binpac/binpac.h include/binpac/binpac_analyzer.h include/binpac/binpac_buffer.h 
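Review bot: `run()` expands its arguments unquoted in the root branch (`$*`) and flattens them into one string for `su -m ${zeek_user} -c "$*"`, so the `node` value taken from `$2` is re-parsed by a shell on both paths. A node name containing whitespace or shell metacharacters would be split or interpreted instead of reaching zeekctl as a single argument. Use `"$@"` in the root branch, quote `"${zeek_user}"`, and reject node names outside a conservative pattern before calling `run`. Note also that `su -m` keeps the caller's environment, so the unprivileged zeekctl process inherits root's `HOME` and `PATH` unless they are reset.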
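Review bot: The added `@postexec chown %%ZEEKUSER%%:%%ZEEKGROUP%% %D/share/zeekctl/scripts` makes a directory of helper scripts writable by the unprivileged account, while the rc.d script in this same commit still defaults `zeek_user` to root. If a root-run zeekctl executes anything from that directory, the zeek account can replace those files and have them run as root. Consider applying the ownership change only to installations that actually run as the zeek user, or stating in pkg-message that root mode and zeek-owned script directories should not be combined. The same reasoning applies to the existing chown of `spool/installed-scripts-do-not-touch`.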
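Review bot: The three new `@sample etc/*.cfg.sample` entries drop the `%%ZEEKCTL%%` prefix that the removed `.example` entries carried. The Makefile renames these files to `.sample` only in `post-install-ZEEKCTL-on`, so a build with the ZEEKCTL option off would list plist entries for files that were never staged. Restoring the prefix, e.g. `%%ZEEKCTL%%@sample etc/networks.cfg.sample`, keeps the plist consistent with the option.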
@@ -1722,7 +1717,7 @@ man/man8/zeek.8.gz %%DATADIR%%/policy/tuning/defaults/warnings.zeek %%DATADIR%%/policy/tuning/json-logs.zeek %%DATADIR%%/policy/tuning/track-all-assets.zeek -%%DATADIR%%/site/local.zeek +@sample %%DATADIR%%/site/local.zeek.sample %%ZEEKCTL%%%%DATADIR%%/zeekctl/__load__.zeek %%ZEEKCTL%%%%DATADIR%%/zeekctl/auto.zeek %%ZEEKCTL%%%%DATADIR%%/zeekctl/check.zeek