pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/net/freeradius Default to running radiusd as a non-roo...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/107a92ecac7f
branches:  trunk
changeset: 517388:107a92ecac7f
user:      adrianp <adrianp%pkgsrc.org@localhost>
date:      Thu Aug 10 10:55:51 2006 +0000

description:
Default to running radiusd as a non-root user
bump to nb2

diffstat:

 net/freeradius/MESSAGE          |  17 +++++++++++
 net/freeradius/Makefile         |  61 +++++++++++++++++++++++++++-------------
 net/freeradius/distinfo         |   3 +-
 net/freeradius/files/radiusd.sh |   4 +-
 net/freeradius/patches/patch-ak |  15 ++++++++++
 5 files changed, 77 insertions(+), 23 deletions(-)

diffs (192 lines):

diff -r 88f0dffdd8c7 -r 107a92ecac7f net/freeradius/MESSAGE
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/freeradius/MESSAGE    Thu Aug 10 10:55:51 2006 +0000
@@ -0,0 +1,17 @@
+===========================================================================
+$NetBSD: MESSAGE,v 1.1 2006/08/10 10:55:52 adrianp Exp $
+
+Note to users who have been running radiusd as root before:
+
+As radiusd now runs unprivileged by default (as ${RADIUS_USER}:${RADIUS_GROUP}),
+you'll have to adapt some permissions:
+
+  ${CHOWN} -R ${RADIUS_USER}:${RADIUS_GROUP} ${VARBASE}/run/radiusd
+  ${CHOWN} -R ${RADIUS_USER}:${RADIUS_GROUP} ${PKG_SYSCONFDIR}
+  ${FIND} ${PKG_SYSCONFDIR} -type d | ${XARGS} ${CHMOD} 0750
+  ${FIND} ${PKG_SYSCONFDIR} -type f | ${XARGS} ${CHMOD} 0640
+
+In addition to this the base logging directory has now been moved from
+${VARBASE}/log to ${VARBASE}/log/radiusd.
+
+===========================================================================
diff -r 88f0dffdd8c7 -r 107a92ecac7f net/freeradius/Makefile
--- a/net/freeradius/Makefile   Thu Aug 10 08:54:44 2006 +0000
+++ b/net/freeradius/Makefile   Thu Aug 10 10:55:51 2006 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.52 2006/08/09 16:42:09 adrianp Exp $
+# $NetBSD: Makefile,v 1.53 2006/08/10 10:55:52 adrianp Exp $
 
 DISTNAME=      freeradius-${RADVER}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    net
 MASTER_SITES=  ftp://ftp.freeradius.org/pub/radius/ \
                ftp://ftp.Awfulhak.org/pub/radius/
@@ -15,18 +15,37 @@
 CONFLICTS+=            radiusd-cistron-[0-9]*
 USE_TOOLS+=            gmake perl:run
 GNU_CONFIGURE=         YES
+USE_LIBTOOL=           YES
+USE_OLD_DES_API=       YES
+
+BUILD_DEFS=            VARBASE RADIUS_USER RADIUS_GROUP
 PLIST_SRC=             ${WRKDIR}/.PLIST_SRC
-FILES_SUBST+=          ROOT_USER=${ROOT_USER:Q}
-FILES_SUBST+=          ROOT_GROUP=${ROOT_GROUP:Q}
+FILES_SUBST+=          RADIUS_USER=${RADIUS_USER:Q}
+FILES_SUBST+=          RADIUS_GROUP=${RADIUS_GROUP:Q}
 PLIST_SUBST+=          RADVER=${RADVER}
-USE_OLD_DES_API=       YES
+MESSAGE_SUBST+=                CHOWN=${CHOWN:Q} CHMOD=${CHMOD:Q} VARBASE=${VARBASE}
+MESSAGE_SUBST+=                RADIUS_USER=${RADIUS_USER:Q} XARGS=${XARGS:Q}
+MESSAGE_SUBST+=                RADIUS_GROUP=${RADIUS_GROUP:Q} FIND=${FIND:Q}
+
+PKG_SYSCONFSUBDIR=     raddb
+RCD_SCRIPTS=           radiusd
+RADIUS_USER?=          radius
+RADIUS_GROUP?=         radius
+PKG_GROUPS=            ${RADIUS_USER}
+PKG_USERS=             ${RADIUS_USER}:${RADIUS_GROUP}
+OWN_DIRS_PERMS+=       ${VARBASE}/run/radiusd \
+                       ${RADIUS_USER} ${RADIUS_GROUP} 0750
+OWN_DIRS_PERMS+=       ${VARBASE}/log/radiusd \
+                       ${RADIUS_USER} ${RADIUS_GROUP} 0750
+OWN_DIRS_PERMS+=       ${VARBASE}/log/radiusd/radacct \
+                       ${RADIUS_USER} ${RADIUS_GROUP} 0750
+
 RADVER=                        1.1.2
+EGDIR=                 ${PREFIX}/share/examples/freeradius
 
 BUILDLINK_API_DEPENDS.openssl+=        openssl>=0.9.7
 
-USE_LIBTOOL=           YES
-
-CONFIGURE_ARGS+=       --with-logdir=${VARBASE}/log
+CONFIGURE_ARGS+=       --with-logdir=${VARBASE}/log/radiusd
 CONFIGURE_ARGS+=       --localstatedir=${VARBASE:Q}
 CONFIGURE_ARGS+=       --sysconfdir=${PKG_SYSCONFBASEDIR:Q}
 CONFIGURE_ARGS+=       --disable-ltdl-install
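Review bot: `PKG_GROUPS= ${RADIUS_USER}` registers the group under the user variable rather than the group variable, so the right group is only created while RADIUS_USER and RADIUS_GROUP happen to hold the same value. Both default to `radius` here, but they are listed in BUILD_DEFS and set with `?=`, so they can be overridden independently. With a different RADIUS_GROUP, the `PKG_USERS` and `OWN_DIRS_PERMS` entries would reference a group this package never asks to have created. The line should read `PKG_GROUPS= ${RADIUS_GROUP}`.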
@@ -37,6 +56,7 @@
 CONFIGURE_ARGS+=       --without-rlm_sql_iodbc
 CONFIGURE_ARGS+=       --without-rlm_sql_oracle
 CONFIGURE_ARGS+=       --without-rlm_sql_unixodbc
+CONFIGURE_ARGS+=       --quiet
 #CONFIGURE_ARGS+=      --without-rlm_eap_peap
 #CONFIGURE_ARGS+=      --without-rlm_eap_sim
 #CONFIGURE_ARGS+=      --without-rlm_eap_tls
@@ -54,15 +74,14 @@
                                -L${PREFIX}/lib|g"
 SUBST_MESSAGE.make=    Fixing Makefiles.
 
-.include "options.mk"
-
-RCD_SCRIPTS=           radiusd
+SUBST_CLASSES+=                config
+SUBST_STAGE.config=    post-patch
+SUBST_FILES.config=    raddb/radiusd.conf.in
+SUBST_SED.config=      -e "s|@@RADIUS_USER@@|${RADIUS_USER}|g"
+SUBST_SED.config+=     -e "s|@@RADIUS_GROUP@@|${RADIUS_GROUP}|g"
+SUBST_MESSAGE.config=  Fixing configuration files.
 
-OWN_DIRS=              ${VARBASE}/run/radiusd
-
-PKG_SYSCONFSUBDIR=     raddb
-EGDIR=                 ${PREFIX}/share/examples/freeradius
-CONF_FILES_MODE=       0640
+.include "options.mk"
 
 EGFILES=       acct_users attrs certs/demoCA/index.txt.old \
                certs/demoCA/cacert.pem certs/demoCA/index.txt \
@@ -79,7 +98,8 @@
                otp.conf otppasswd.sample
 
 .for f in ${EGFILES}
-CONF_FILES+=   ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
+CONF_FILES_PERMS+=     ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f} \
+                       ${RADIUS_USER} ${RADIUS_GROUP} 0640
 .endfor
 
 .include "../../security/openssl/buildlink3.mk"
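Review bot: The new `CONF_FILES_PERMS` entries make every file under ${PKG_SYSCONFDIR} owned by ${RADIUS_USER} with mode 0640, which gives the daemon account write access to its own configuration, including the certs/demoCA files listed in EGFILES. Dropping root protects the host, but a flaw in radiusd would still allow the server's own configuration to be modified. Unless some module needs to write there, read access through the group is enough: `${ROOT_USER} ${RADIUS_GROUP} 0640`. The same applies to the `${CHOWN}` lines added to the install recipe in the last Makefile hunk and to the `${CHOWN} -R ... ${PKG_SYSCONFDIR}` step in MESSAGE.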
@@ -101,9 +121,6 @@
                        ${PTHREAD_LDFLAGS:Q} ${PTHREAD_LIBS:Q}|g'
 .endif
 
-.if ${OPSYS} == "DragonFly"
-.endif
-
 .if ${MACHINE_ARCH} == "amd64"
 CFLAGS+= -fPIC
 .endif
@@ -121,5 +138,9 @@
        ${INSTALL_SCRIPT} ${WRKSRC}/src/modules/rlm_perl/example.pl ${EGDIR}
        ${MKDIR} ${PKG_SYSCONFDIR}/certs
        ${MKDIR} ${PKG_SYSCONFDIR}/certs/demoCA
+       ${CHOWN} ${RADIUS_USER}:${RADIUS_GROUP} ${PKG_SYSCONFDIR}/certs
+       ${CHOWN} ${RADIUS_USER}:${RADIUS_GROUP} ${PKG_SYSCONFDIR}/certs/demoCA
+       ${CHMOD} 0750 ${PKG_SYSCONFDIR}/certs
+       ${CHMOD} 0750 ${PKG_SYSCONFDIR}/certs/demoCA
 
 .include "../../mk/bsd.pkg.mk"
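Review bot: The four added `${CHOWN}`/`${CHMOD}` lines set ownership of ${PKG_SYSCONFDIR}/certs and certs/demoCA from the install recipe, while the same commit declares its other daemon-owned directories through `OWN_DIRS_PERMS`. Directories outside ${PREFIX} that are only fixed up in a recipe are presumably not recreated with these permissions when a binary package is installed, so source and binary installs can end up different. Declaring them the same way, e.g. `OWN_DIRS_PERMS+= ${PKG_SYSCONFDIR}/certs ${RADIUS_USER} ${RADIUS_GROUP} 0750` and likewise for certs/demoCA, would also make the two `${MKDIR}` lines unnecessary. The recipe's target line is above this hunk.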
diff -r 88f0dffdd8c7 -r 107a92ecac7f net/freeradius/distinfo
--- a/net/freeradius/distinfo   Thu Aug 10 08:54:44 2006 +0000
+++ b/net/freeradius/distinfo   Thu Aug 10 10:55:51 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.21 2006/07/14 22:10:01 adrianp Exp $
+$NetBSD: distinfo,v 1.22 2006/08/10 10:55:52 adrianp Exp $
 
 SHA1 (freeradius-1.1.2.tar.gz) = 0636c1afb14fc22e78ecb83aeaf63150d515d73d
 RMD160 (freeradius-1.1.2.tar.gz) = 3c0960bd30d29af9bab699ee7a38c22ec0472eb5
@@ -7,3 +7,4 @@
 SHA1 (patch-ae) = cf3497723b15b8a61c5458f312697a2d4a147439
 SHA1 (patch-ai) = 128c5984464241294b201384d43a287e9bcb147e
 SHA1 (patch-aj) = 422c9dfbde08c26acf41a040c57508ab9725004e
+SHA1 (patch-ak) = 7be986e3949a6f8368f7e01ba93521fac48eff7d
diff -r 88f0dffdd8c7 -r 107a92ecac7f net/freeradius/files/radiusd.sh
--- a/net/freeradius/files/radiusd.sh   Thu Aug 10 08:54:44 2006 +0000
+++ b/net/freeradius/files/radiusd.sh   Thu Aug 10 10:55:51 2006 +0000
@@ -1,6 +1,6 @@
 #!@RCD_SCRIPTS_SHELL@
 #
-# $NetBSD: radiusd.sh,v 1.5 2005/02/09 09:14:26 seb Exp $
+# $NetBSD: radiusd.sh,v 1.6 2006/08/10 10:55:51 adrianp Exp $
 #
 # PROVIDE: radiusd
 # REQUIRE: network
@@ -22,7 +22,7 @@
        if [ ! -d @VARBASE@/run/radiusd ]; then
                @MKDIR@ @VARBASE@/run/radiusd
                @CHMOD@ 0750 @VARBASE@/run/radiusd
-               @CHOWN@ @ROOT_USER@:@ROOT_GROUP@ @VARBASE@/run/radiusd
+               @CHOWN@ @RADIUS_USER@:@RADIUS_GROUP@ @VARBASE@/run/radiusd
        fi
 }
 
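Review bot: The changed `@CHOWN@` line only runs when @VARBASE@/run/radiusd does not exist yet, so a directory left behind by the earlier root-owned setup keeps root ownership. The now unprivileged radiusd may then be unable to write its pid file there. MESSAGE asks the administrator to fix this by hand; the script could enforce it on every start by moving `@CHMOD@ 0750 @VARBASE@/run/radiusd` and `@CHOWN@ @RADIUS_USER@:@RADIUS_GROUP@ @VARBASE@/run/radiusd` below the `fi`. The enclosing function starts above this hunk.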
diff -r 88f0dffdd8c7 -r 107a92ecac7f net/freeradius/patches/patch-ak
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/freeradius/patches/patch-ak   Thu Aug 10 10:55:51 2006 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-ak,v 1.7 2006/08/10 10:55:52 adrianp Exp $
+
+--- raddb/radiusd.conf.in.orig 2006-04-20 19:40:29.000000000 +0100
++++ raddb/radiusd.conf.in
+@@ -106,8 +106,8 @@ pidfile = ${run_dir}/radiusd.pid
+ #  that the debugging mode server is running as a user that can read the
+ #  shadow info, and the user listed below can not.
+ #
+-#user = nobody
+-#group = nobody
++user = @@RADIUS_USER@@
++group = @@RADIUS_GROUP@@
+ 
+ #  max_request_time: The maximum time (in seconds) to handle a request.
+ #
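Review bot: The retained upstream comment just above the new `user =`/`group =` lines says the user listed there cannot read the shadow information, and this patch enables that user by default. Sites that authenticate against the system password database will presumably see logins fail after the upgrade, and neither this patch nor MESSAGE mentions it. A sentence in MESSAGE such as `Authentication against the system password database is not available while radiusd runs as ${RADIUS_USER}.` would cover it. The surrounding section of radiusd.conf.in extends beyond the hunk.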


