

[pkgsrc/trunk]: pkgsrc/security/prelude-pflogger Changed so that pflogger dae...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/3e3e2f02fbcd
branches:  trunk
changeset: 544872:3e3e2f02fbcd
user:      shannonjr <shannonjr%pkgsrc.org@localhost>
date:      Mon Jul 21 12:22:15 2008 +0000

description:
Changed so that pflogger daemon can run as non-root with nologin shell.

diffstat:

 security/prelude-pflogger/Makefile                     |   19 +-
 security/prelude-pflogger/PLIST                        |    3 +-
 security/prelude-pflogger/files/pflogger.sh            |   12 +-
 security/prelude-pflogger/files/run-prelude-pflogger.c |  166 +++++++++++++++++
 4 files changed, 190 insertions(+), 10 deletions(-)

diffs (258 lines):

diff -r cfb7b67cc248 -r 3e3e2f02fbcd security/prelude-pflogger/Makefile
--- a/security/prelude-pflogger/Makefile        Mon Jul 21 12:17:52 2008 +0000
+++ b/security/prelude-pflogger/Makefile        Mon Jul 21 12:22:15 2008 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.5 2008/06/12 02:14:45 joerg Exp $
+# $NetBSD: Makefile,v 1.6 2008/07/21 12:22:15 shannonjr Exp $
 #
 
 DISTNAME=      prelude-pflogger-0.9.0-rc2
 PKGNAME=       prelude-pflogger-0.9.0
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    security
 MASTER_SITES=  http://prelude-ids.org/download/releases/
 
@@ -44,6 +44,12 @@
 MESSAGE_SUBST+=        PRELUDE_USER=${PRELUDE_USER:Q}
 MESSAGE_SUBST+=        PRELUDE_GROUP=${PRELUDE_GROUP:Q}
 
+SUBST_CLASSES+=                code
+SUBST_STAGE.code=      post-patch
+SUBST_FILES.code=      run-prelude-pflogger.c
+SUBST_SED.code=                -e 's,@PREFIX@,${PREFIX},g'
+SUBST_SED.code+=       -e 's,@PRELUDE_USER@,${PRELUDE_USER},g'
+
 SUBST_CLASSES+=         make
 SUBST_STAGE.make=       post-patch
 SUBST_FILES.make=       Makefile.am
@@ -53,9 +59,18 @@
 
 INSTALLATION_DIRS=     share/examples/prelude-pflogger
 
+pre-patch:
+       ${CP} ${FILESDIR}/run-prelude-pflogger.c ${WRKSRC}
+
 pre-configure:
        set -e; cd ${WRKSRC}; \
        aclocal; autoheader; automake -a --foreign -i; autoconf
 
+post-build:
+       cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${CC} ${CFLAGS} -o run-prelude-pflogger run-prelude-pflogger.c
+
+post-install:
+       ${INSTALL_PROGRAM} ${WRKSRC}/run-prelude-pflogger ${PREFIX}/sbin/run-prelude-pflogger
+
 .include "../../security/libprelude/buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
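Review bot: The post-build rule compiles the helper with `${CC} ${CFLAGS} -o run-prelude-pflogger run-prelude-pflogger.c` but omits `${LDFLAGS}`, so the linker options pkgsrc sets for the package are not applied to a binary the rc script runs as root; `${CC} ${CFLAGS} ${LDFLAGS} -o run-prelude-pflogger run-prelude-pflogger.c` keeps it consistent with the rest of the build. post-install copies into `${PREFIX}/sbin` while INSTALLATION_DIRS lists only `share/examples/prelude-pflogger`; if that directory is not otherwise guaranteed to exist at install time, add `sbin` to INSTALLATION_DIRS.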
diff -r cfb7b67cc248 -r 3e3e2f02fbcd security/prelude-pflogger/PLIST
--- a/security/prelude-pflogger/PLIST   Mon Jul 21 12:17:52 2008 +0000
+++ b/security/prelude-pflogger/PLIST   Mon Jul 21 12:22:15 2008 +0000
@@ -1,4 +1,5 @@
-@comment $NetBSD: PLIST,v 1.1.1.1 2007/09/03 13:50:49 shannonjr Exp $
+@comment $NetBSD: PLIST,v 1.2 2008/07/21 12:22:15 shannonjr Exp $
 bin/prelude-pflogger
+sbin/run-prelude-pflogger
 share/examples/rc.d/pflogger
 share/examples/prelude-pflogger/prelude-pflogger.conf
diff -r cfb7b67cc248 -r 3e3e2f02fbcd security/prelude-pflogger/files/pflogger.sh
--- a/security/prelude-pflogger/files/pflogger.sh       Mon Jul 21 12:17:52 2008 +0000
+++ b/security/prelude-pflogger/files/pflogger.sh       Mon Jul 21 12:22:15 2008 +0000
@@ -1,22 +1,20 @@
 #!/bin/sh
 #
-# $NetBSD: pflogger.sh,v 1.1.1.1 2007/09/03 13:50:49 shannonjr Exp $
+# $NetBSD: pflogger.sh,v 1.2 2008/07/21 12:22:15 shannonjr Exp $
 #
 
-# PROVIDE: pflogger
-# REQUIRE: pf NETWORKING
+# PROVIDE: preludepflogger
+# REQUIRE: LOGIN
 
 $_rc_subr_loaded . /etc/rc.subr
 
 name="pflogger"
-pflogger_user=_prelude
-pflogger_=_prelude
 procname="@PREFIX@/bin/prelude-pflogger"
 rcvar=${name}
-required_files="@PKG_SYSCONFDIR@/prelude-pflogger.conf"
+required_files="@PKG_SYSCONFDIR@/prelude-pflogger/prelude-pflogger.conf"
 start_precmd="pflogger_precommand"
+start_cmd="@PREFIX@/sbin/run-prelude-pflogger --pidfile @PRELUDE_PFLOGGER_PID_DIR@/prelude-pflogger.pid"
 pidfile="@PRELUDE_PFLOGGER_PID_DIR@/prelude-pflogger.pid"
-start_cmd="${procname} --pidfile ${pidfile}"
 
 pflogger_precommand()
 {
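Review bot: The new `start_cmd` line repeats `@PRELUDE_PFLOGGER_PID_DIR@/prelude-pflogger.pid` literally instead of reusing `${pidfile}`, apparently because it now precedes the `pidfile=` assignment; placing it after that line restores `start_cmd="@PREFIX@/sbin/run-prelude-pflogger --pidfile ${pidfile}"` and keeps the two paths from drifting. The change of `# REQUIRE:` from `pf NETWORKING` to `LOGIN` is not explained by the commit message; a one-line comment above it stating why starting after LOGIN is sufficient for a daemon that consumes pf log data would help the next maintainer. pflogger_precommand's body continues outside the hunk.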
diff -r cfb7b67cc248 -r 3e3e2f02fbcd security/prelude-pflogger/files/run-prelude-pflogger.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/prelude-pflogger/files/run-prelude-pflogger.c    Mon Jul 21 12:22:15 2008 +0000
@@ -0,0 +1,166 @@
+#define PRELUDE_PFLOGGER_USER "@PRELUDE_USER@"
+#define PRELUDE_PFLOGGER_PATH "@PREFIX@/bin/prelude-pflogger"
+
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <sys/wait.h>
+#include <pwd.h>
+#include <syslog.h>
+
+#define MAX_ARGS 40
+#ifndef         TRUE
+#define         TRUE                            1
+#endif                          /* TRUE */
+
+#ifndef         FALSE
+#define         FALSE                           0
+#endif                          /* FALSE */
+
+
+void error_sys(char *str)
+
+{
+    /* Output error message to syslog */
+    char msg[1024];
+    snprintf(msg, sizeof(msg), "run-prelude-pflogger : %s : %s", str, strerror(errno));
+    syslog(LOG_ALERT, msg);
+
+}
+
+
+int obtainUIDandGID(const char *name, uid_t *pw_uid, gid_t *pw_gid)
+{
+    /* Obtain UID and GID from passwd entry identified by name */
+    struct passwd *pw_entry;
+    char msg[100];
+
+    if ((pw_entry = getpwnam(name)) == NULL)
+    {
+        snprintf(msg, sizeof(msg), "failed to get password entry for %s", name);
+        error_sys(msg);
+        return FALSE;
+    }
+    else
+    {
+        *pw_uid = pw_entry->pw_uid;
+        *pw_gid = pw_entry->pw_gid;
+        return TRUE;
+
+    }
+}
+
+
+int main (int argc, char **argv )
+
+{
+
+    pid_t pid;
+    uid_t UID;
+    gid_t GID;
+    pid_t pidwait;
+    int waitstat;
+    int s;
+    int max_fd;
+
+    /* Sanity check */
+    if (argc > MAX_ARGS)
+    {
+        error_sys("arg buffer too small");
+        exit(-1);
+    }
+
+    if (geteuid() != 0)
+    {
+        error_sys("must be called by root");
+        exit(-1);
+    }
+
+    /* fork child that will become prelude-pflogger */
+    if ((pid = fork()) < 0)
+
+        error_sys("fork error");
+
+    else
+
+    {
+
+        if (pid == 0)
+
+        {
+
+            /* We're the child */
+            char *args[MAX_ARGS];
+            unsigned int i;
+
+            /* Become session leader */
+            setsid();
+
+            /* Change working directory to root directory.
+               The current working directory could be a mounted
+               filesystem; if the daemon stays on a mounted
+               filesystem it could prevent the filesystem from
+               being umounted. */
+            chdir("/");
+
+            /* Clear out file creation mask */
+            umask(0);
+
+            /* Close unneeded file descriptors */
+            max_fd = (int) sysconf(_SC_OPEN_MAX);
+            if (max_fd == -1)
+                max_fd = getdtablesize();
+            for (s = 3; s < max_fd; s++)
+                (void) close(s);
+
+            if (!obtainUIDandGID(PRELUDE_PFLOGGER_USER, &UID, &GID))
+                exit(-1);
+
+            /* Drop privileges immediately */
+            if (setgid(GID) < 0)
+            {
+                /* It is VERY important to check return
+                   value and not continue if setgid fails
+                */
+                error_sys ("setgid failed");
+                exit (-1);
+            }
+
+            if (setuid(UID) < 0)
+            {
+                /* It is VERY important to check return
+                   value and not continue if setuid fails
+                */
+                error_sys ("setuid failed");
+                exit (-1);
+            }
+
+            /* Build calling argv */
+            args[0] = PRELUDE_PFLOGGER_PATH;
+            for (i=1;i<argc;i++)
+            {
+                args[i] = argv[i];
+            }
+            args[i++] = NULL;
+
+            /* Finally transform self into prelude-pflogger */
+            if (execvp(PRELUDE_PFLOGGER_PATH, args) < 0)
+                error_sys("execve error");
+            else
+                ; /* avoid if-then ambiguity */
+        }
+
+        else
+
+        {
+            /* We're the parent
+               Terminate
+            */
+            exit(0);
+        }
+
+    }
+
+}
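Review bot: The privilege drop at the setgid()/setuid() pair leaves the child with root's supplementary group list, since neither call changes it; clear it first with `if (setgroups(0, NULL) < 0) { error_sys("setgroups failed"); exit(-1); }` placed before `setgid(GID)` (or `initgroups(PRELUDE_PFLOGGER_USER, GID)` if the daemon needs the user's own groups). The sanity check `if (argc > MAX_ARGS)` is off by one: `args` has MAX_ARGS slots, so with argc == MAX_ARGS the terminating `args[i++] = NULL` writes `args[MAX_ARGS]`; use `if (argc >= MAX_ARGS)`. In error_sys, `syslog(LOG_ALERT, msg)` passes an assembled string as the format argument; write `syslog(LOG_ALERT, "%s", msg);` so a `%` in the message or strerror text cannot be interpreted as a conversion. The unused `pidwait`/`waitstat` locals, `exit(-1)` (status 255) where `EXIT_FAILURE` is meant, and the "execve error" message for an execvp() call are minor cleanups.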


