Date: Sun, 14 Nov 2010 03:28:06 GMT From: Sevan Janiyan <venture37@geeklan.co.uk> To: FreeBSD-gnats-submit@FreeBSD.org Cc: pauls@utdallas.edu Subject: ports/152226: [PATCH] security/sancp: Fix a bug in RC script + other changes Message-ID: <201011140328.oAE3S6BG018383@tinderbox.home.thingamajig-systems.co.uk.thingamajig-systems.co.uk> Resent-Message-ID: <201011140400.oAE40Gn0057910@freefall.freebsd.org>
>Number: 152226 >Category: ports >Synopsis: [PATCH] security/sancp: Fix a bug in RC script + other changes >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Sun Nov 14 04:00:16 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Sevan Janiyan >Release: FreeBSD 8.1-RELEASE-p1 i386 >Organization: >Environment: System: FreeBSD tinderbox.home.thingamajig-systems.co.uk 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #5: Mon Nov 1 18:06:15 GMT >Description: Dont declare ${sancp_flags} in command_args This fixes http://taosecurity.blogspot.com/2010/11/calling-freebsd-startup-script-experts.html, fix by Colin Percival Drop .sh extension from RC script Drop MD5 checksum from distinfo Switch from adding & removing users by hand to using $USERS & $GROUPS , patch for UIDs & GIDs in ports/152225 Dont remove data gathered by app on uninstall, notify user to do it manually should they wish to Added file(s): - files/sancp.in Removed file(s): - files/sancp.sh.in Port maintainer (pauls@utdallas.edu) is cc'd. Generated with FreeBSD Port Tools 0.99 >How-To-Repeat: >Fix: --- sancp-1.6.1_4.patch begins here --- Index: Makefile =================================================================== RCS file: /home/ncvs/ports/security/sancp/Makefile,v retrieving revision 1.6 diff -u -u -r1.6 Makefile --- Makefile 22 Aug 2009 00:35:04 -0000 1.6 +++ Makefile 14 Nov 2010 03:26:29 -0000 @@ -8,7 +8,7 @@ PORTNAME= sancp PORTVERSION= 1.6.1 DISTVERSIONSUFFIX= -stable -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= security MASTER_SITES= SF/${PORTNAME}/${PORTNAME}/${PORTNAME}-${PORTVERSION}-stable @@ -16,9 +16,12 @@ COMMENT= A network connection profiler ALL_TARGET= bsd -USE_RC_SUBR= sancp.sh +USE_RC_SUBR= sancp SUB_FILES= pkg-message +USERS= sancp +GROUPS= sancp + PORTDOCS= CHANGES INSTALL ISSUES README \ SETUP fields.LIST LICENSE 
@@ -26,7 +29,6 @@ @cd ${WRKSRC} && ${MV} LICENSE docs/ do-install: - @${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL @${INSTALL_PROGRAM} ${WRKSRC}/sancp ${PREFIX}/bin @${INSTALL_DATA} ${WRKSRC}/etc/sancp/sancp.conf ${PREFIX}/etc/sancp.conf-dist @${CP} -n ${PREFIX}/etc/sancp.conf-dist ${PREFIX}/etc/sancp.conf Index: distinfo =================================================================== RCS file: /home/ncvs/ports/security/sancp/distinfo,v retrieving revision 1.4 diff -u -u -r1.4 distinfo --- distinfo 14 Jul 2007 22:21:13 -0000 1.4 +++ distinfo 14 Nov 2010 03:26:29 -0000 @@ -1,3 +1,2 @@ -MD5 (sancp-1.6.1-stable.tar.gz) = ffa64f2fdb49afd7ef16fbefda21e251 SHA256 (sancp-1.6.1-stable.tar.gz) = 9836262aaf02bde116a9e79d342ea3af8b4991c7ba27b816fb54ed6c0863ff48 SIZE (sancp-1.6.1-stable.tar.gz) = 71748 Index: pkg-deinstall =================================================================== RCS file: /home/ncvs/ports/security/sancp/pkg-deinstall,v retrieving revision 1.3 diff -u -u -r1.3 pkg-deinstall --- pkg-deinstall 14 Jul 2007 22:21:13 -0000 1.3 +++ pkg-deinstall 14 Nov 2010 03:26:29 -0000 
@@ -4,28 +4,6 @@ exit 0 fi -PATH=/bin:/usr/sbin -USER=sancp -GROUP=${USER} -LOG_DIR=/var/log/sancp +PATH=/bin:/usr/bin -# Remove the log directory -if [ -d ${LOG_DIR} ]; -then - rmdir ${LOG_DIR} >/dev/null 2>&1; -fi - -if pw user show "${USER}" >/dev/null 2>&1; then - if ! pw userdel ${USER} ; - then - echo "Unable to remove user: ${USER}, remove it manually" - fi -fi - - -if pw group show "${GROUP}" >/dev/null 2>&1; then - if ! pw groupdel ${GROUP} ; - then - echo "Unable to remove group: ${GROUP}, remove it manually" - fi -fi +echo "* If you nolonger plan to run sancp delete /var/log/sancp, the user & group created during install *" Index: pkg-install =================================================================== RCS file: /home/ncvs/ports/security/sancp/pkg-install,v retrieving revision 1.2 diff -u -u -r1.2 pkg-install --- pkg-install 14 Jul 2007 22:21:13 -0000 1.2 +++ pkg-install 14 Nov 2010 03:26:29 -0000 
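Review bot: The reminder printed by the new `echo` is too loose to act on: "nolonger" is a typo and neither the user nor the group is named, so the administrator has to guess which account to remove. The directory holds the data sancp gathered, so a precise message helps make sure it and the stale account are actually cleaned up, for example `echo "* If you no longer plan to run sancp, remove /var/log/sancp and the sancp user and group manually *"`. The conditional closed by the `fi` at the top of the hunk starts outside it.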
@@ -5,42 +5,6 @@ fi PATH=/bin:/usr/sbin -USER=sancp -GROUP=${USER} LOG_DIR=/var/log/sancp -if [ ! -d ${LOG_DIR} ]; then mkdir ${LOG_DIR}; fi - -if pw group show "${GROUP}" 2>/dev/null; then - echo "You already have a group \"${GROUP}\", so I will use it." -else - if pw groupadd ${GROUP}; then - echo "Added group \"${GROUP}\"." - else - echo "Adding group \"${GROUP}\" failed..." - exit 1 - fi -fi - -if pw user show "${USER}" 2>/dev/null; then - echo "You already have a user \"${USER}\", so I will use it." - if pw usermod ${USER} -d ${LOG_DIR} - then - echo "Changed home directory of \"${USER}\" to \"${LOG_DIR}\"" - else - echo "Changing home directory of \"${USER}\" to \"${LOG_DIR}\" failed..." - exit 1 - fi -else - if pw useradd ${USER} -g ${GROUP} -h - \ - -d ${LOG_DIR} -s /sbin/nologin -c "SANCP Daemon" - then - echo "Added user \"${USER}\"." - else - echo "Adding user \"${USER}\" failed..." - exit 1 - fi -fi - -chown -R ${USER}:${GROUP} ${LOG_DIR} chmod 750 ${LOG_DIR} Index: files/sancp.in =================================================================== RCS file: files/sancp.in diff -N files/sancp.in --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/sancp.in 14 Nov 2010 03:26:29 -0000 
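Review bot: `chmod 750 ${LOG_DIR}` is now the only step left in pkg-install, and nothing visible in the patch creates /var/log/sancp or gives it to the sancp account, because the `mkdir` and `chown -R` lines go away together with the `pw` calls. Unless the directory is created elsewhere (pkg-plist is not part of this patch), the chmod runs against a missing path on a fresh install, and a root-owned 750 directory would be unwritable for a daemon started with `-u sancp`. I would keep the two steps that do not depend on `pw`, quoted, ahead of the chmod: `[ -d "${LOG_DIR}" ] || mkdir "${LOG_DIR}"` and `chown sancp:sancp "${LOG_DIR}"`. The conditional closed by the leading `fi` starts outside the hunk.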
@@ -0,0 +1,80 @@
+#!/bin/sh
+#
+
+# PROVIDE: sancp
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf to enable sancp:
+# sancp_enable (bool): Set to YES to enable sancp
+# Default: NO
+# sancp_flags (str): Extra flags passed to sancp
+# Default: -D
+# sancp_conf (str): Sancp configuration file
+# Default: %%PREFIX%%/etc/sancp.conf
+# sancp_interface (str): Default: none - MUST BE SET
+#
+# Command Line Options: (cmdline)
+# ---------------------
+#
+# -? or -h this help screen
+# -c <filename> specify the configuration/rules filename
+# -d <directory> specify the directory for output files
+# -i <device> set the network device to listen on (default: 'any')
+# -g <gid> set a group identity
+# -u <uid> set a user identity
+# -r <pcapfile> pcap file to read (overrides -i)
+# -B "<bpf expression>" set a bpf expression (alternative to -F <filename>)
+# -D (daemon) forks, prints msgs to syslog only and overrides -C option
+# -K (console) enable additional printing of 'realtimes' to stdout (suppressed by option -D)
+# -F <bpf filename> file containing a bpf filter expression, overrides (alternative to -B)
+# -H --human-readable write IP addresses in dotted notation and TCPflag fields in hex
+# -R Set default for realtime to 'pass' (default is 'log') disables realtime, but rules can override
+# -S Set default for stats to 'pass' (default is 'log') disables stats, but rules can override
+# -P Set default for pcap to 'pass' (default is 'log') disables pcap, but rules can override
+# -I or --enable_icmp_mixed record 'code' and 'type' fields for ICMP
+# to the fields 's_port' and 'd_port'.
+# note: affects how related icmp packets are correlated
+# -V display version
+# --shift (debug) force interpretation of packet starting at byte[2]
+# normally performed when reading from the 'any' interface
+# --strip-80211 strip 802.1Q headers from 802.1Q packets; used to
+# decode 802.1Q encapsulated packets - affects -A option,
+# --log-facility <facility> where facility can be 'LOCAL1' - 'LOCAL7'
+# The default log facility used by SANCP is LOG_DAEMON
+#
+# Debug mode for pcap data logging
+# -A records ALL traffic frames to a pcap file named 'debug_pcap_raw'
+# (despite rules). Packets are logged here prior to decoding or handling.
+# Use -F or -B option to restrict what is collectedi.
+# Pcap data logged using this option is affected by the --strip-80211 cmdline option
+# The configuration file equivalent to this is 'default debug_pcap_raw enable'
+
+. /etc/rc.subr
+
+name="sancp"
+rcvar=`set_rcvar`
+
+command="%%PREFIX%%/bin/sancp"
+
+start_precmd=start_precmd
+
+start_precmd()
+{
+ if [ -z "${sancp_interface}" ]; then
+ err 1 "sancp_interface must set."
+ fi
+}
+
+# set some defaults
+load_rc_config $name
+
+: ${sancp_enable="NO"}
+: ${sancp_flags="-D"}
+: ${sancp_conf="%%PREFIX%%/etc/sancp.conf"}
+: ${sancp_interface=""}
+
+command_args="-c ${sancp_conf} -i ${sancp_interface}"
+
+run_rc_command "$1"
Index: files/sancp.sh.in
===================================================================
RCS file: files/sancp.sh.in
diff -N files/sancp.sh.in
--- files/sancp.sh.in 27 Mar 2010 00:14:47 -0000 1.4
+++ /dev/null 1 Jan 1970 00:00:00 -0000
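Review bot: `sancp_flags` is documented in the header as "Extra flags", but its default `-D` is the only place the daemon flag comes from once `command_args` stops repeating the flags, so an rc.conf override that omits `-D` silently drops it. Per the option list in the same header, `-D` is what forks and sends messages to syslog, so without it sancp would presumably stay in the foreground at start. I would reword the comment to `# sancp_flags (str): Flags passed to sancp; keep -D when overriding`, and fix the `err` text to `"sancp_interface must be set."`. Separately, `command_args` passes neither `-u` nor `-g`, so unless sancp.conf sets an identity the daemon likely keeps running as root even though the port now creates a sancp user and group.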
@@ -1,80 +0,0 @@ -#!/bin/sh -# - -# PROVIDE: sancp -# REQUIRE: DAEMON -# BEFORE: LOGIN -# KEYWORD: shutdown - -# Add the following lines to /etc/rc.conf to enable sancp: -# sancp_enable (bool): Set to YES to enable sancp -# Default: NO -# sancp_flags (str): Extra flags passed to sancp -# Default: -D -# sancp_conf (str): Sancp configuration file -# Default: %%PREFIX%%/etc/sancp.conf -# sancp_interface (str): Default: none - MUST BE SET -# -# Command Line Options: (cmdline) -# --------------------- -# -# -? or -h this help screen -# -c <filename> specify the configuration/rules filename -# -d <directory> specify the directory for output files -# -i <device> set the network device to listen on (default: 'any') -# -g <gid> set a group identity -# -u <uid> set a user identity -# -r <pcapfile> pcap file to read (overrides -i) -# -B "<bpf expression>" set a bpf expression (alternative to -F <filename>) -# -D (daemon) forks, prints msgs to syslog only and overrides -C option -# -K (console) enable additional printing of 'realtimes' to stdout (suppressed by option -D) -# -F <bpf filename> file containing a bpf filter expression, overrides (alternative to -B) -# -H --human-readable write IP addresses in dotted notation and TCPflag fields in hex -# -R Set default for realtime to 'pass' (default is 'log') disables realtime, but rules can override -# -S Set default for stats to 'pass' (default is 'log') disables stats, but rules can override -# -P Set default for pcap to 'pass' (default is 'log') disables pcap, but rules can override -# -I or --enable_icmp_mixed record 'code' and 'type' fields for ICMP -# to the fields 's_port' and 'd_port'. 
-# note: affects how related icmp packets are correlated -# -V display version -# --shift (debug) force interpretation of packet starting at byte[2] -# normally performed when reading from the 'any' interface -# --strip-80211 strip 802.1Q headers from 802.1Q packets; used to -# decode 802.1Q encapsulated packets - affects -A option, -# --log-facility <facility> where facility can be 'LOCAL1' - 'LOCAL7' -# The default log facility used by SANCP is LOG_DAEMON -# -# Debug mode for pcap data logging -# -A records ALL traffic frames to a pcap file named 'debug_pcap_raw' -# (despite rules). Packets are logged here prior to decoding or handling. -# Use -F or -B option to restrict what is collectedi. -# Pcap data logged using this option is affected by the --strip-80211 cmdline option -# The configuration file equivalent to this is 'default debug_pcap_raw enable' - -. /etc/rc.subr - -name="sancp" -rcvar=`set_rcvar` - -command="%%PREFIX%%/bin/sancp" - -start_precmd=start_precmd - -start_precmd() -{ - if [ -z "${sancp_interface}" ]; then - err 1 "sancp_interface must set." - fi -} - -# set some defaults -load_rc_config $name - -: ${sancp_enable="NO"} -: ${sancp_flags="-D"} -: ${sancp_conf="%%PREFIX%%/etc/sancp.conf"} -: ${sancp_interface=""} - -command_args="${sancp_flags} -c ${sancp_conf} -i ${sancp_interface}" - -run_rc_command "$1" --- sancp-1.6.1_4.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted: