From owner-freebsd-ports-bugs@FreeBSD.ORG Mon May 12 16:30:01 2008 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3C9DA1065670 for ; Mon, 12 May 2008 16:30:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 1CC708FC25 for ; Mon, 12 May 2008 16:30:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m4CGU1jq068560 for ; Mon, 12 May 2008 16:30:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m4CGU1hk068559; Mon, 12 May 2008 16:30:01 GMT (envelope-from gnats) Resent-Date: Mon, 12 May 2008 16:30:01 GMT Resent-Message-Id: <200805121630.m4CGU1hk068559@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Paul Schmehl Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 21A1C1065671 for ; Mon, 12 May 2008 16:26:01 +0000 (UTC) (envelope-from root@utd65257.utdallas.edu) Received: from utd65257.utdallas.edu (utd65257.utdallas.edu [129.110.3.28]) by mx1.freebsd.org (Postfix) with ESMTP id D93258FC14 for ; Mon, 12 May 2008 16:26:00 +0000 (UTC) (envelope-from root@utd65257.utdallas.edu) Received: by utd65257.utdallas.edu (Postfix, from userid 0) id BD78E34781C; Mon, 12 May 2008 11:26:00 -0500 (CDT) Message-Id: <20080512162600.BD78E34781C@utd65257.utdallas.edu> Date: Mon, 12 May 2008 11:26:00 -0500 (CDT) From: Paul Schmehl To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: Subject: ports/123613: security/sguil-server, files missing from recent upgrade X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Paul Schmehl List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 May 2008 16:30:01 -0000 >Number: 123613 >Category: ports >Synopsis: security/sguil-server, files missing from recent upgrade >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Mon May 12 16:30:00 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Paul Schmehl >Release: FreeBSD 7.0-STABLE i386 >Organization: The University of Texas at Dallas >Environment: System: FreeBSD hostname.utdallas.edu 7.0-STABLE FreeBSD 7.0-STABLE #6: Wed Apr 16 17:14:28 CDT 2008 root@hostname.utdallas.edu:/usr/obj/usr/src/sys/GENERIC i386 >Description: security/sguil-server, the recent port upgrade is missing files Both the pkg-install and pkg-deinstall files were not included in the master patch I submitted. This PR adds those files and bumps the PORTREVISION >How-To-Repeat: >Fix: --- patch-sguil-server begins here --- diff -Naur /usr/ports/security/sguil-server/Makefile sguil-server/Makefile --- /usr/ports/security/sguil-server/Makefile 2008-05-03 08:22:15.000000000 -0500 +++ sguil-server/Makefile 2008-05-12 11:20:57.000000000 -0500 @@ -7,6 +7,7 @@ PORTNAME= sguil-server PORTVERSION= 0.7.0 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= SF MASTER_SITE_SUBDIR= sguil diff -Naur /usr/ports/security/sguil-server/files/pkg-deinstall.in sguil-server/files/pkg-deinstall.in --- /usr/ports/security/sguil-server/files/pkg-deinstall.in 1969-12-31 18:00:00.000000000 -0600 +++ sguil-server/files/pkg-deinstall.in 2008-04-10 12:13:52.000000000 -0500 @@ -0,0 +1,63 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +USER="sguil" + +# Make sure we're in the right stage of the process +if [ "$2" = "DEINSTALL" ]; then + echo "Stopping sguild......" + %%PREFIX%%/etc/rc.d/sguild stop + %%PREFIX%%/etc/rc.d/sguild poll + echo "Would you like to remove the sguild certs?" ; read ans + case "$ans" in + y*|Y*) + if [ -f %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.key ]; then + rm %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.key + fi + if [ -f %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.pem ]; then + rm %%PREFIX%%/etc/%%SGUILDIR%%/certs/sguild.pem + fi + ;; + n*|N*) + ;; + *) + exit 64 + ;; + esac + cd %%PREFIX%%/etc/%%SGUILDIR%% || exit 1 +# Remove the conf files *if* they have not been altered + for f in autocat.conf sguild.access sguild.conf sguild.email \ + sguild.queries sguild.reports sguild.users; do + cmp -s -z ${f} ${f}-sample && rm ${f} + done +# Remove the user and group if the installer chooses to + echo "Would you like to remove the sguil user and group?" ; read ans + case "$ans" in + y*|Y*) + if pw usershow "${USER}" 2>/dev/null 1>&2; then + pw userdel -n sguil + fi + if pw groupshow "${USER}" 2>/dev/null 1>&2; then + pw groupdel -n sguil + fi + ;; + n*|N*) + ;; + *) + ;; + esac +fi +if [ "$2" = "POST-DEINSTALL" ]; then + # If the user exists, then display a message + if pw usershow "${USER}" 2>/dev/null 1>&2; then + echo "To delete the '${USER}' user permanently, use 'pw userdel ${USER}'" + fi + # If the group exists, then display a message + if pw groupshow "${USER}" 2>/dev/null 1>&2; then + echo "To delete the '${USER}' group permanently, use 'pw groupdel ${USER}'" + fi +fi + +exit 0 diff -Naur /usr/ports/security/sguil-server/files/pkg-install.in sguil-server/files/pkg-install.in --- /usr/ports/security/sguil-server/files/pkg-install.in 1969-12-31 18:00:00.000000000 -0600 +++ sguil-server/files/pkg-install.in 2008-04-11 09:37:31.000000000 -0500 @@ -0,0 +1,388 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +echo "This sguild install script creates a \"turnkey\" install " +echo "of sguild, including configuing the database and conf files" +echo "and user accounts so that sguild can be started immediately." +echo "" +echo "You may have already done all this (especially if this is an upgrade)" +echo "and may not be interested in iterating through cert creation and" +echo "everything else that the script does." +echo "" +echo "Would you like to opt out of the entire install script " +echo "and configure sguild manually yourself?" ; read ans +case "$ans" in + y*|Y*) + exit 0 + ;; + n*|N*) + ;; + *) + exit 64 + ;; +esac +# This script and its implementation borrows heavily from the www/squid port, and I owe a debt to the +# maintainer for saving me a lot of time. The bold font trick that I use extensively was picked up +# at http://www.cyberciti.biz/nixcraft/linux/docs/uniqlinuxfeatures/lsst/ch08.html#q16 +# I also owe a debt to all those who have posted shell scripting tutorials to the web and to the FreeBSD +# developers from whose OS I stole a few tricks as well. + +# Set up some paths and variables for later use +PATH=/bin:/usr/bin:/usr/sbin:%%PREFIX%%/bin +pkgname=$1 +rootpwd='' +confdir="${PKG_PREFIX:-%%PREFIX%%}/etc" +portdir="${CURDIR:-%%CURDIR%%}" +scriptdir="${WRKSRC:-%%WRKSRC%%}/server/sql_scripts" +if [ -x /usr/sbin/nologin ]; then + nologin=/usr/sbin/nologin +else + nologin=/sbin/nologin +fi +# Source rc.conf for later +if [ -z "${source_rc_confs_defined}" ]; then + if [ -r /etc/defaults/rc.conf ]; then + . /etc/defaults/rc.conf + source_rc_confs + elif [ -r /etc/rc.conf ]; then + . /etc/rc.conf + fi +fi +sguil_user="sguil" +sguil_group="sguil" +case $2 in +PRE-INSTALL) + echo "==> Pre-installation configuration of ${pkgname}" + if ! pw groupshow ${sguil_group} -q >/dev/null ; then + if ! pw groupadd ${sguil_group} -q; then + echo "Failed to create group \"${sguil_group}\"!" >&2 + echo "Please create it manually." >&2 + exit 1 + else + echo "Group '%{sguil-group}' created successfully." + pw groupshow ${sguil_group} + fi + fi + if ! pw usershow ${sguil_user} -q >/dev/null ; then + if ! pw useradd -q -n ${sguil_user} \ + -g ${sguil_group} -s "${nologin}" \ + -h - ; then + echo "Failed to create user '%{sguil_user}'!" >&2 + echo "Please create it manually." >&2 + exit 1 + else + echo "User '${sguil_user}' create successfully." + pw usershow ${sguil_user} + fi + fi + for dir in %%SGUILDIR%% %%SGUILDIR%%/certs ; do + if [ ! -d ${confdir}/${dir} ]; then + echo "Creating ${confdir}/${dir} ...." + install -d -o ${sguil_user} -g ${sguil_group} \ + -m 0750 ${confdir}/${dir} + fi + done + for dir in %%PREFIX%%/lib/%%SGUILDIR%% /var/run/%%SGUILDIR%% ; do + if [ ! -d ${dir} ]; then + echo "Creating ${dir} ...." + install -d -o ${sguil_user} -g ${sguil_group} \ + -m 0750 ${dir} + fi + done + ;; +POST-INSTALL) + echo -e "\033[1mThere are a few things that need to be done to complete the install." + echo -e "\033[0mFirst, you need to create certs so that the ssl connections between server and " + echo "sensors will work, you need to create the database, the account to access it and " + echo "the tables for the database and you need to create the directories where all the " + echo "data will be stored. (You will also need to edit the conf files for your setup.)" + echo "" + echo "If you haven't already done this, I can do it for you now." + echo "Would you like to create certs now? (y for yes, n for no)"; read ans + case "$ans" in + y*|Y*) + echo -e "\033[1mFirst we need to create a password-protected CA cert." + echo "" + echo -e "\033[0m(The Common Name should be the FQHN of your squil server.)" + openssl req -out CA.pem -new -x509 + echo "Now we need to create a server certificate/key pair." + openssl genrsa -out sguild.key 1024 + echo -e "\033[1mNow we need to create a certificate request to be signed by the CA." + echo "DO NOT password protect your server key. If you do, you will be required" + echo "to enter the password every time you start the server." + echo -e "\033[0m" + openssl req -key sguild.key -new -out sguild.req + echo "Now we need to create the actual certificate for your server." + echo 44 > file.sr1 + openssl x509 -req -in sguild.req -CA CA.pem -CAkey privkey.pem -CAserial file.sr1 -out sguild.pem + echo "Finally, we need to move the certs to the '${confdir}/%%SGUILDIR%%/certs}' directory " + echo "and clean up the port directory as well." + for files in sguild.key sguild.pem; do + mv ${portdir}/$files ${confdir}/%%SGUILDIR%%/certs/ + done + for files in CA.pem privkey.pem sguild.req file.sr1; do + rm ${portdir}/$files + done + ;; + n*|N*) + echo -e "\033[1mSSL is now required for all connections between server, sensors and clients." + echo "If you haven't already created certs, you will need to do that before sguil will work." + echo -e "\033[0m" + echo "" + ;; + *) + exit 64 + ;; + esac + echo -e "\033[1mIs the installation of mysql brand new and unaltered?" + echo -e "\033[0mBy default, when mysql is installed, it creates five accounts." + echo "None of those accounts are protected by passwords. That needs to be corrected." + echo "The five accounts are:" + echo " root@localhost" + echo " root@127.0.0.1" + echo " root@`hostname`" + echo " @localhost" + echo " @`hostname`" + echo "I can remove all of the accounts except root@localhost (highly recommended) " + echo "and I can set the password for the root@localhost account. (If you get an error " + echo "don't worry about it. The account may not have been created to begin with." + echo "Would you like me to do that now?" ; read ans + case "$ans" in + y*|Y*) + echo "Enabling mysql in /etc/rc.conf and starting the server....." + case ${mysql_enable} in + [Yy][Ee][Ss]) + echo -e "\033[1mIt appears that mysql is already enabled!" + echo -e "\033[0m" + ;; + *) + echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf + echo "mysql_enable=\"YES\"" >> /etc/rc.conf + ;; + esac + mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'` + echo "The mysql pid is ${mysql_pid}...." + if [ -z ${mysql_pid} ]; then + %%PREFIX%%/etc/rc.d/mysql-server start + fi + sleep 1 + mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'` + if [ -s ${mysql_pid} ]; then + echo "The mysql server did not start. Please fix the problem " + echo "and run this script again." + exit 64 + fi + echo "Deleting users from mysql......" + mysql -u root -e "USE mysql; DROP USER 'root'@'127.0.0.1';" + mysql -u root -e "USE mysql; DROP USER 'root'@'`hostname`';" + mysql -u root -e "USE mysql; DROP USER ''@'localhost';" + mysql -u root -e "USE mysql; DROP USER ''@'`hostname`';" + echo "All done deleting......." + echo "What would you like root@localhost's password to be?" ; read rootpwd + mysql -u root -e "USE mysql; SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$rootpwd');" + mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES;" + ;; + n*|N*) + echo "Before you use the database, you should at least set passwords" + echo "for all the accounts. Otherwise anyone can login to your database." + echo "To remove an account, use \"drop user 'user'@'host'\"." + echo "To set a password for an account, use \"SET PASSWORD FOR 'user'@'host' = PASSWORD('passwd')\"." + ;; + *) + exit 64 + ;; + esac + echo -e "\033[1mWould you like to bind mysql to localhost so it only listens on that address?" + echo -e "\033[0m" ; read ans + case "$ans" in + y*|Y*) + if [ ! -f /etc/my.cnf ]; then + echo "[mysqld]" >> /etc/my.cnf + echo "bind-address=127.0.0.1" >> /etc/my.cnf + echo "socket=/tmp/mysql.sock" >> /etc/my.cnf + echo "ft_min_word_len=3" >> /etc/my.cnf + mysql_pid=`%%PREFIX%%/etc/rc.d/mysql-server status | awk '{print $6}'` + echo "The mysql pid is ${mysql_pid}...." + if [ -z ${mysql_pid} ]; then + %%PREFIX%%/etc/rc.d/mysql-server start + else + %%PREFIX%%/etc/rc.d/mysql-server restart + fi + else + echo "/etc/my.cnf already exists!" + echo "add \"bind-address=127.0.0.1\" in the [mysqld] section " + echo "to force mysql to listen only on localhost." + echo "Then restart the server to accept the new settings." + fi + ;; + n*|N*) + ;; + *) + exit 64 + ;; + esac + echo -e "\033[1mWould you like to create the database to store all nsm data?" + echo -e "\033[0m" ; read ans + echo "NOTE: If you're upgrading, you do NOT want to do this! You want to upgrade." + case "$ans" in + y*|Y*) + if [ -z ${rootpwd} ]; then + echo "What is the password for the mysql root user?"; read rootpwd + fi + mysql -u root -p${rootpwd} -e "create database sguildb" + mysql -u root -p${rootpwd} -D sguildb < ${scriptdir}/create_sguildb.sql + ;; + n*|N*) + echo -e "\033[1mPlease note: if you are upgrading from a previous version " + echo "of sguil, you need to run the upgrade_0.7.tcl script located in " + echo "'${scriptdir}'." + echo -e "\033[0mIf you've already cleaned the port directory, run " + echo "make extract to recover the files and access the script." + echo "" + ;; + *) + exit 64 + ;; + esac + echo -e "\033[1mWould you like to create a user \"sguild@localhost\" for database access?" + echo -e "\033[0m" ; read ans + case "$ans" in + y*|Y*) + if [ -z ${rootpwd} ]; then + echo "Please enter the password for the mysql root account." ; read rootpwd + fi + echo -e "\033[1mPlease enter the password that you want to use for the sguild account." + echo -e "\033[0m"; read sguildpwd + echo "Creating account for sguild with access to sguildb....." + mysql -u root -p${rootpwd} -e "GRANT ALTER,CREATE,DELETE,DROP,INDEX,INSERT,SELECT,UPDATE on sguildb.* \ + to 'sguild'@'localhost' IDENTIFIED BY '${sguildpwd}'" + mysql -u root -p${rootpwd} -e "GRANT FILE on *.* to 'sguild'@'localhost'" + mysql -u root -p${rootpwd} -e "FLUSH PRIVILEGES" + ;; + n*|N*) + ;; + *) + exit 64 + ;; + esac + echo -e "\033[1mWould you like to create the data directory and all its subdirectories?" + echo -e "\033[0m"; read ans + case "$ans" in + y*|Y*) + echo "What do you want the name of the main directory to be?" + echo "(Be sure to include the full path to the directory - e.g. /var/nsm)" ; read maindir + echo "The main directory will be named '${maindir}'." + for dir in ${maindir} ${maindir}/archives ${maindir}/rules ${maindir}/load ; do + if [ ! -d ${dir} ]; then + echo "Creating ${dir} ...." + install -d -o ${sguil_user} -g ${sguil_group} \ + -m 0750 ${dir} + else + echo -e "\033[1mThe directory '${dir}' already exists!" + echo -e "\033[0m" + fi + done + ;; + n*|N*) + ;; + *) + exit 64 + ;; + esac + echo -e "\033[1mWould you like to enable sguild in /etc/rc.conf?" + echo -e "\033[0m"; read ans + case "$ans" in + y*|Y*) + case ${sguild_enable} in + [Yy][Ee][Ss]) + echo -e "\033[1mIt appears that sguild is already enabled!" + echo -e "\033[0m" + ;; + *) + echo -e i"\033[1mWriting to /etc/rc.conf...." + echo -e "\033[0m" + echo "# -- Squild installed deltas -- # `date`" >> /etc/rc.conf + echo "sguild_enable=\"YES\"" >> /etc/rc.conf + ;; + esac + ;; + n*|N*) + ;; + *) + exit 64 + ;; + esac + echo -e "\033[1mIf the sguild.conf file does not exist, I will create and edit it now." + echo -e "\033[0m" + if [ -f ${confdir}/%%SGUILDIR%%/sguild.conf ]; then + echo "The sguild.conf file already exists!" + echo "Do you want me to edit it anyway?" ; read ans + case "$ans" in + y*|Y*) + echo -e "\033[1mPreparing to edit the sguild.conf file......" + if [ -z ${maindir} ]; then + echo "There's a couple of things I need to verify before continuing." + echo "What is the name of the main nsm directory that you are using?" + echo -e "\033[0m" ; read ans + maindir="$ans" + fi + if [ -z ${sguildpwd} ]; then + echo -e "\033[1mWhat is the password for the sguild database user?" + echo -e "\033[0m" ; read ans + sguildpwd="$ans" + fi + sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \ + -e 's|sguild_data|'"${maindir}"'|' \ + < ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf + ;; + n*|N*) + ;; + *) + exit 64 + ;; + esac + else + echo -e "\033[1mPreparing to edit the sguild.conf file......" + if [ -z ${maindir} ]; then + echo "There's a couple of things I need to verify before continuing." + echo "What is the name of the main nsm directory that you are using?" + echo -e "\033[0m" ; read ans + maindir="$ans" + fi + if [ -z ${sguildpwd} ]; then + echo -e "\033[1mWhat is the password for the sguild database user?" + echo -e "\033[0m" ; read ans + sguildpwd="$ans" + fi + sed -e 's|DBPASS ""|DBPASS '"${sguildpwd}"'|' -e 's|DBUSER root|DBUSER sguild|' \ + -e 's|sguild_data|'"${maindir}"'|' \ + < ${confdir}/%%SGUILDIR%%/sguild.conf-sample > ${confdir}/%%SGUILDIR%%/sguild.conf + fi + if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.users ]; then + cp ${confdir}/%%SGUILDIR%%/sguild.users-sample ${confdir}/%%SGUILDIR%%/sguild.users + fi + if [ ! -f ${confdir}/%%SGUILDIR%%/sguild.access ]; then + cp ${confdir}/%%SGUILDIR%%/sguild.access-sample ${confdir}/%%SGUILDIR%%/sguild.access + fi + echo -e "\033[1mYou still need to review all the conf files and configure sguil " + echo "per your desired setup before starting sguild. Refer to the port docs in " + echo "%%DOCSDIR%% before proceeding." + echo -e "\033[0m" + echo "Right now, all the conf files except sguild.conf are set to the defaults." + for files in archive_sguildb.tcl sguild incident_report.tcl ; do + if [ -f %%PREFIX%%/bin/${files} ]; then + chown ${sguil_user}:${sguil_group} %%PREFIX%%/bin/${files} + fi + done + if [ ! -f %%PREFIX%%/bin/sguild ]; then + echo "Sguild is missing! Please correct the problem before continuing!" + exit 1 + fi + ;; +*) + exit 64 + ;; +esac +exit 0 --- patch-sguil-server ends here --- >Release-Note: >Audit-Trail: >Unformatted: