ports/71188: cgiwrap port update/cleanup
Jeremy Chadwick
freebsd at jdc.parodius.com
Tue Aug 31 11:10:19 UTC 2004
>Number: 71188
>Category: ports
>Synopsis: cgiwrap port update/cleanup
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Tue Aug 31 11:10:15 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Jeremy Chadwick
>Release: FreeBSD 4.10-PRERELEASE i386
>Organization:
Parodius Networking
>Environment:
System: FreeBSD pentarou.parodius.com 4.10-PRERELEASE FreeBSD 4.10-PRERELEASE #0: Wed May 5 03:33:17 PDT 2004 root at pentarou.parodius.com:/usr/obj/usr/src/sys/PENTAROU i386
>Description:
The present cgiwrap port is fairly "messy", and after many
recommendations from Sergey Matveychuk <sem at FreeBSD.org>, I re-did
most of the applicable portions to clean things up.
* Renamed knobs (again); all are now WITH_*
* Added `show-options' support for knobs, and added some descriptions
* Deployed use of PORTDOCS macro
* Make pkg-message work properly for package-based installs
* Minor formatting changes in pkg-message (easier to read)
* Minor typographic changes in pkg-descr and pkg-message
Tested on 4.10-PRERELEASE and 5.3-BETA2.
>How-To-Repeat:
n/a
>Fix:
Apply below patch.
diff -ruN cgiwrap.orig/Makefile cgiwrap/Makefile
--- cgiwrap.orig/Makefile Tue Aug 17 22:13:50 2004
+++ cgiwrap/Makefile Tue Aug 31 04:03:49 2004
@@ -7,7 +7,7 @@
PORTNAME= cgiwrap
PORTVERSION= 3.9
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= www security
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
@@ -18,99 +18,118 @@
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --with-httpd-user=${WWWOWN} \
--with-install-group=${WWWGRP} \
- --with-install-dir=${MAINCGIDIR} \
- --with-cgi-dir=${CGIWRAP_CGIDIR} \
- --with-local-contact=${CGIWRAP_CONTACT} \
- --with-allow-file=${CGIWRAP_ALLOWFILE} \
- --with-deny-file=${CGIWRAP_DENYFILE}
+ --with-install-dir=${WITH_MAIN_CGIDIR} \
+ --with-cgi-dir=${WITH_USER_CGIDIR} \
+ --with-local-contact=${WITH_EMAIL} \
+ --with-allow-file=${WITH_ALLOWFILE} \
+ --with-deny-file=${WITH_DENYFILE}
+
+WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
+PKGMESSAGE= ${WRKDIR}/pkg-message
+
+## Available knobs:
+##
+## WITH_MAIN_CGIDIR: location of the cgiwrap binaries
+#
+# This is the directory where the cgiwrap binaries (i.e. the setuid
+# root binaries) get installed to.
+#
+WITH_MAIN_CGIDIR?= ${PREFIX}/www/cgi-bin
+## WITH_USER_CGIDIR: location of the CGI directory per user
+## account (i.e. public_html/cgi-bin)
#
# Set this to the directory (relative to each user's home) where CGI
# scripts will be found. Common alternate values are "www/cgi-bin"
# (a.k.a. ~user/www/cgi-bin) and "cgi-bin" (a.k.a. ~user/cgi-bin)
#
-CGIWRAP_CGIDIR?= public_html/cgi-bin
+WITH_USER_CGIDIR?= public_html/cgi-bin
+## WITH_ALLOWFILE: location/name of the cgiwrap.allow ACL file
+## WITH_DENYFILE: location/name of the cgiwrap.deny ACL file
#
-# MAINCGIDIR is the directory the cgiwrap binaries get installed to.
-#
-MAINCGIDIR?= ${PREFIX}/www/cgi-bin
+WITH_ALLOWFILE?= ${PREFIX}/etc/${PORTNAME}.allow
+WITH_DENYFILE?= ${PREFIX}/etc/${PORTNAME}.deny
+## WITH_EMAIL: cgiwrap administrator's Email address
#
-# The allow and deny files control access to cgiwrap.
-#
-CGIWRAP_ALLOWFILE?= ${PREFIX}/etc/${PORTNAME}.allow
-CGIWRAP_DENYFILE?= ${PREFIX}/etc/${PORTNAME}.deny
-
-#
-# Set the contact Email address.
-#
-CGIWRAP_CONTACT?= webmaster at dummy-host.example.com
+WITH_EMAIL?= webmaster at dummy-host.example.com
+## WITH_LOGGING: enables cgiwrap logging; specifies the
+## path and filename of the logfile
#
-# Define CGIWRAP_LOGGING and specify where you want the logfile.
-#
-.if defined(CGIWRAP_LOGGING)
-CONFIGURE_ARGS+= --with-logging-file=${CGIWRAP_LOGGING}
+.if defined(WITH_LOGGING)
+CONFIGURE_ARGS+= --with-logging-file=${WITH_LOGGING}
.endif
+## WITH_DEBUG: enables cgiwrap debugging support, via
+## the 'cgiwrapd' binary
#
-# Some users enjoy being able to debug their own CGI scripts, since
-# the standard "Internal server error" response doesn't help much.
-# Administrators may find this useful as well. See the cgiwrap
-# documentation for details on how to use this.
-#
-.if defined(CGIWRAP_DEBUG)
+.if defined(WITH_DEBUG)
PLIST_SUB+= CGIWRAPDFLAG=
.else
PLIST_SUB+= CGIWRAPDFLAG="@comment "
.endif
+## WITHOUT_CHECK_OWNER: disable CGI file ownership checks
+## WITHOUT_CHECK_GROUP: disable CGI file group checks
+## WITHOUT_CHECK_SETUID: disable CGI file setuid permissions check
+## WITHOUT_CHECK_SETGID: disable CGI file setgid permissions check
+## WITHOUT_CHECK_GROUP_WRITABLE:
+## disable CGI file group-writable permissions check
+## WITHOUT_CHECK_WORLD_WRITABLE:
+## disable CGI file world-writable permissions check
#
-# A slew of --without-* configure flags exist for cgiwrap. You
-# should refer to the cgiwrap documentation for details regarding
-# what these do, and when (if) they're necessary.
-#
-###
-.if defined(CGIWRAP_WITHOUT_CHECK_OWNER)
+.if defined(WITHOUT_CHECK_OWNER)
CONFIGURE_ARGS+= --without-check-owner
.endif
-.if defined(CGIWRAP_WITHOUT_CHECK_GROUP)
+.if defined(WITHOUT_CHECK_GROUP)
CONFIGURE_ARGS+= --without-check-group
.endif
-.if defined(CGIWRAP_WITHOUT_CHECK_SETUID)
+.if defined(WITHOUT_CHECK_SETUID)
CONFIGURE_ARGS+= --without-check-setuid
.endif
-.if defined(CGIWRAP_WITHOUT_CHECK_SETGID)
+.if defined(WITHOUT_CHECK_SETGID)
CONFIGURE_ARGS+= --without-check-setgid
.endif
-.if defined(CGIWRAP_WITHOUT_CHECK_GROUP_WRITABLE)
+.if defined(WITHOUT_CHECK_GROUP_WRITABLE)
CONFIGURE_ARGS+= --without-check-group-writable
.endif
-.if defined(CGIWRAP_WITHOUT_CHECK_WORLD_WRITABLE)
+.if defined(WITHOUT_CHECK_WORLD_WRITABLE)
CONFIGURE_ARGS+= --without-check-world-writable
.endif
+.if !defined(NOPORTDOCS)
+PORTDOCS= accesscontrol.html afs.html changes.html \
+ chroot.html comments.html download.html faq.html \
+ index.html install.html intro.html maillist.html \
+ notes.html pubs.html quickref.html setup.html \
+ thanks.html todo.html tricks.html y2k.html
+.endif
+
+show-options:
+ @${SED} -ne 's/^##//p' ${.CURDIR}/Makefile
+
pre-install:
- @${MKDIR} ${MAINCGIDIR}
+ @${MKDIR} ${WITH_MAIN_CGIDIR}
post-install:
- @${STRIP_CMD} ${MAINCGIDIR}/cgiwrap
- @${CHMOD} 4550 ${MAINCGIDIR}/cgiwrap
-.if !defined(CGIWRAP_WITH_DEBUG)
- @${RM} ${MAINCGIDIR}/cgiwrapd ${MAINCGIDIR}/nph-cgiwrapd
+ @${STRIP_CMD} ${WITH_MAIN_CGIDIR}/cgiwrap
+ @${CHMOD} 4550 ${WITH_MAIN_CGIDIR}/cgiwrap
+.if !defined(WITH_DEBUG)
+ @${RM} ${WITH_MAIN_CGIDIR}/cgiwrapd
+ @${RM} ${WITH_MAIN_CGIDIR}/nph-cgiwrapd
.endif
.if !defined(NOPORTDOCS)
@${MKDIR} ${DOCSDIR}
-.for file in accesscontrol.html afs.html changes.html chroot.html \
- comments.html download.html faq.html index.html \
- install.html intro.html maillist.html notes.html \
- pubs.html quickref.html setup.html thanks.html \
- todo.html tricks.html y2k.html
- @${INSTALL_DATA} ${WRKSRC}/htdocs/${file} ${DOCSDIR}
+.for f in ${PORTDOCS}
+ @${INSTALL_DATA} ${WRKSRC}/htdocs/${f} ${DOCSDIR}
.endfor
- @${ECHO} "Documentation installed in ${DOCSDIR}"
.endif
- @${CAT} ${PKGMESSAGE} | ${SED} -e's#%%PREFIX%%#${PREFIX}#g'
+ @${SED} -e's,%%MAIN_CGIDIR%%,${WITH_MAIN_CGIDIR},g' \
+ -e's,%%ALLOWFILE%%,${WITH_ALLOWFILE},g' \
+ -e's,%%DENYFILE%%,${WITH_DENYFILE},g' \
+ ${MASTERDIR}/pkg-message > ${PKGMESSAGE}
+ @${CAT} ${PKGMESSAGE}
.include <bsd.port.mk>
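Review bot: The `.if defined(WITHOUT_CHECK_OWNER)` through `.if defined(WITHOUT_CHECK_WORLD_WRITABLE)` tests, and `.if defined(WITH_DEBUG)`, now key on names that no longer carry the CGIWRAP_ prefix. A variable of the same name set in the build environment for some other purpose will therefore turn off a permission check in the setuid binary, or leave cgiwrapd installed, without anyone asking for it. Consider keeping a port-specific prefix for these knobs, or printing the effective CONFIGURE_ARGS before configure runs. The `##` text shown by show-options should also carry over the pointer to the cgiwrap documentation that the removed comment gave, since each of these knobs weakens a check on a binary installed with mode 4550.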
diff -ruN cgiwrap.orig/pkg-descr cgiwrap/pkg-descr
--- cgiwrap.orig/pkg-descr Tue Aug 17 22:13:50 2004
+++ cgiwrap/pkg-descr Tue Aug 31 03:52:17 2004
@@ -1,11 +1,11 @@
This is CGIWrap - a gateway that allows more secure user access to
-CGI programs on an HTTPd server than is provided by the http server
+CGI programs on an HTTPd server than is provided by the Web server
itself. The primary function of CGIWrap is to make certain that
any CGI script runs with the permissions of the user who installed
-it, and not those of the server.
+it, and not those of the Web server.
CGIWrap works with NCSA httpd, Apache, CERN httpd, NetSite Commerce
-and Communications servers, and probably any other Unix based web
+and Communications servers, and probably any other Unix-based Web
server software that supports CGI.
WWW: http://cgiwrap.sourceforge.net/
diff -ruN cgiwrap.orig/pkg-message cgiwrap/pkg-message
--- cgiwrap.orig/pkg-message Tue Aug 17 22:13:50 2004
+++ cgiwrap/pkg-message Tue Aug 31 04:04:41 2004
@@ -1,15 +1,19 @@
-----------------------------------------------------------------
You have installed cgiwrap, a wrapper to securely execute user
-CGI programs. cgiwrap is reported to work with most web servers
+CGI programs. cgiwrap is reported to work with most Web servers
that support CGI, so no one specific server has been included as
-a depend. If you are unsure of which webserver to use, it is
-recommended to try the Apache web server package.
+a dependancy. If you are unsure of which Web server to use, it
+is recommended that you try the Apache HTTP server.
-The cgiwrap scripts have been installed in:
- %%PREFIX%%/www/cgi-bin
-...the default location for Apache's cgi-bin directory.
+The cgiwrap binaries have been installed in the following
+directory:
-If cgiwrap's allow/deny control is enabled, you must create either
-%%PREFIX%%/etc/cgiwrap.allow and/or %%PREFIX%%/etc/cgiwrap.deny
-before cgiwrap will function.
+ %%MAIN_CGIDIR%%
+
+You should create/manage the following two files, otherwise
+cgiwrap will not function as expected. These ACL files define
+which users can and cannot run CGI binaries via cgiwrap:
+
+ %%ALLOWFILE%%
+ %%DENYFILE%%
-----------------------------------------------------------------
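Review bot: "dependancy" in the added line `+a dependancy. If you are unsure of which Web server to use, it` is misspelled and should read "dependency". The new text also drops the old condition "If cgiwrap's allow/deny control is enabled", so it now tells every administrator that both ACL files must be managed. State which case actually applies and what cgiwrap does when neither file exists, so an admin does not assume access is restricted when it is not.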
diff -ruN cgiwrap.orig/pkg-plist cgiwrap/pkg-plist
--- cgiwrap.orig/pkg-plist Tue Aug 17 22:13:50 2004
+++ cgiwrap/pkg-plist Tue Aug 31 03:48:30 2004
@@ -1,25 +1,5 @@
-%%PORTDOCS%%%%DOCSDIR%%/accesscontrol.html
-%%PORTDOCS%%%%DOCSDIR%%/afs.html
-%%PORTDOCS%%%%DOCSDIR%%/changes.html
-%%PORTDOCS%%%%DOCSDIR%%/chroot.html
-%%PORTDOCS%%%%DOCSDIR%%/comments.html
-%%PORTDOCS%%%%DOCSDIR%%/download.html
-%%PORTDOCS%%%%DOCSDIR%%/faq.html
-%%PORTDOCS%%%%DOCSDIR%%/index.html
-%%PORTDOCS%%%%DOCSDIR%%/install.html
-%%PORTDOCS%%%%DOCSDIR%%/intro.html
-%%PORTDOCS%%%%DOCSDIR%%/maillist.html
-%%PORTDOCS%%%%DOCSDIR%%/notes.html
-%%PORTDOCS%%%%DOCSDIR%%/pubs.html
-%%PORTDOCS%%%%DOCSDIR%%/quickref.html
-%%PORTDOCS%%%%DOCSDIR%%/setup.html
-%%PORTDOCS%%%%DOCSDIR%%/thanks.html
-%%PORTDOCS%%%%DOCSDIR%%/todo.html
-%%PORTDOCS%%%%DOCSDIR%%/tricks.html
-%%PORTDOCS%%%%DOCSDIR%%/y2k.html
www/cgi-bin/cgiwrap
%%CGIWRAPDFLAG%%www/cgi-bin/cgiwrapd
www/cgi-bin/nph-cgiwrap
%%CGIWRAPDFLAG%%www/cgi-bin/nph-cgiwrapd
@unexec rmdir %D/www/cgi-bin 2>/dev/null || true
-%%PORTDOCS%%@dirrm %%DOCSDIR%%
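Review bot: The entries kept here still hard-code www/cgi-bin/cgiwrap and www/cgi-bin/nph-cgiwrap, while the Makefile installs into ${WITH_MAIN_CGIDIR}. With a non-default WITH_MAIN_CGIDIR the package records files that are not there, and the setuid binary in the real directory is not removed on deinstall. Derive these paths from the knob (for example through a PLIST_SUB entry) or document that WITH_MAIN_CGIDIR must stay at ${PREFIX}/www/cgi-bin.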
>Release-Note:
>Audit-Trail:
>Unformatted: