ports/71188: cgiwrap port update/cleanup

Jeremy Chadwick freebsd at jdc.parodius.com
Tue Aug 31 11:10:19 UTC 2004


>Number:         71188
>Category:       ports
>Synopsis:       cgiwrap port update/cleanup
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 31 11:10:15 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Jeremy Chadwick
>Release:        FreeBSD 4.10-PRERELEASE i386
>Organization:
Parodius Networking
>Environment:
System: FreeBSD pentarou.parodius.com 4.10-PRERELEASE FreeBSD 4.10-PRERELEASE #0: Wed May 5 03:33:17 PDT 2004 root at pentarou.parodius.com:/usr/obj/usr/src/sys/PENTAROU i386
>Description:
	The present cgiwrap port is fairly "messy", and after many
	recommendations from Sergey Matveychuk <sem at FreeBSD.org>, I re-did
	most of the applicable portions to clean things up.

	* Renamed knobs (again); all are now WITH_*
	* Added `show-options' support for knobs, and added some descriptions
	* Deployed use of PORTDOCS macro
	* Made pkg-message work properly for package-based installs
	* Minor formatting changes in pkg-message (easier to read)
	* Minor typographic changes in pkg-descr and pkg-message

	Tested on 4.10-PRERELEASE and 5.3-BETA2.
>How-To-Repeat:
	n/a
>Fix:
	Apply below patch.


diff -ruN cgiwrap.orig/Makefile cgiwrap/Makefile
--- cgiwrap.orig/Makefile	Tue Aug 17 22:13:50 2004
+++ cgiwrap/Makefile	Tue Aug 31 04:03:49 2004
@@ -7,7 +7,7 @@
 
 PORTNAME=	cgiwrap
 PORTVERSION=	3.9
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	www security
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
@@ -18,99 +18,118 @@
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--with-httpd-user=${WWWOWN} \
 		--with-install-group=${WWWGRP} \
-		--with-install-dir=${MAINCGIDIR} \
-		--with-cgi-dir=${CGIWRAP_CGIDIR} \
-		--with-local-contact=${CGIWRAP_CONTACT} \
-		--with-allow-file=${CGIWRAP_ALLOWFILE} \
-		--with-deny-file=${CGIWRAP_DENYFILE}
+		--with-install-dir=${WITH_MAIN_CGIDIR} \
+		--with-cgi-dir=${WITH_USER_CGIDIR} \
+		--with-local-contact=${WITH_EMAIL} \
+		--with-allow-file=${WITH_ALLOWFILE} \
+		--with-deny-file=${WITH_DENYFILE}
+
+WRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
+PKGMESSAGE=	${WRKDIR}/pkg-message
+
+## Available knobs:
+##
+##   WITH_MAIN_CGIDIR:     location of the cgiwrap binaries
+#
+# This is the directory where the cgiwrap binaries (i.e. the setuid
+# root binaries) get installed to.
+#
+WITH_MAIN_CGIDIR?=	${PREFIX}/www/cgi-bin
 
+##   WITH_USER_CGIDIR:     location of the CGI directory per user
+##                         account (i.e. public_html/cgi-bin)
 #
 # Set this to the directory (relative to each user's home) where CGI
 # scripts will be found.  Common alternate values are "www/cgi-bin"
 # (a.k.a. ~user/www/cgi-bin) and "cgi-bin" (a.k.a. ~user/cgi-bin)
 #
-CGIWRAP_CGIDIR?=	public_html/cgi-bin
+WITH_USER_CGIDIR?=	public_html/cgi-bin
 
+##   WITH_ALLOWFILE:       location/name of the cgiwrap.allow ACL file
+##   WITH_DENYFILE:        location/name of the cgiwrap.deny ACL file
 #
-# MAINCGIDIR is the directory the cgiwrap binaries get installed to.
-#
-MAINCGIDIR?=	${PREFIX}/www/cgi-bin
+WITH_ALLOWFILE?=	${PREFIX}/etc/${PORTNAME}.allow
+WITH_DENYFILE?=		${PREFIX}/etc/${PORTNAME}.deny
 
+##   WITH_EMAIL:           cgiwrap administrator's Email address
 #
-# The allow and deny files control access to cgiwrap.
-#
-CGIWRAP_ALLOWFILE?=	${PREFIX}/etc/${PORTNAME}.allow
-CGIWRAP_DENYFILE?=	${PREFIX}/etc/${PORTNAME}.deny
-
-#
-# Set the contact Email address.
-#
-CGIWRAP_CONTACT?=	webmaster at dummy-host.example.com
+WITH_EMAIL?=		webmaster at dummy-host.example.com
 
+##   WITH_LOGGING:         enables cgiwrap logging; specifies the
+##                         path and filename of the logfile
 #
-# Define CGIWRAP_LOGGING and specify where you want the logfile.
-#
-.if defined(CGIWRAP_LOGGING)
-CONFIGURE_ARGS+=	--with-logging-file=${CGIWRAP_LOGGING}
+.if defined(WITH_LOGGING)
+CONFIGURE_ARGS+=	--with-logging-file=${WITH_LOGGING}
 .endif
 
+##   WITH_DEBUG:           enables cgiwrap debugging support, via
+##                         the 'cgiwrapd' binary
 #
-# Some users enjoy being able to debug their own CGI scripts, since
-# the standard "Internal server error" response doesn't help much.
-# Administrators may find this useful as well.  See the cgiwrap
-# documentation for details on how to use this.
-#
-.if defined(CGIWRAP_DEBUG)
+.if defined(WITH_DEBUG)
 PLIST_SUB+=	CGIWRAPDFLAG=
 .else
 PLIST_SUB+=	CGIWRAPDFLAG="@comment "
 .endif
 
+##   WITHOUT_CHECK_OWNER:  disable CGI file ownership checks
+##   WITHOUT_CHECK_GROUP:  disable CGI file group checks
+##   WITHOUT_CHECK_SETUID: disable CGI file setuid permissions check
+##   WITHOUT_CHECK_SETGID: disable CGI file setgid permissions check
+##   WITHOUT_CHECK_GROUP_WRITABLE:
+##          disable CGI file group-writable permissions check
+##   WITHOUT_CHECK_WORLD_WRITABLE:
+##          disable CGI file world-writable permissions check
 #
-# A slew of --without-* configure flags exist for cgiwrap.  You
-# should refer to the cgiwrap documentation for details regarding
-# what these do, and when (if) they're necessary.
-#
-###
-.if defined(CGIWRAP_WITHOUT_CHECK_OWNER)
+.if defined(WITHOUT_CHECK_OWNER)
 CONFIGURE_ARGS+=	--without-check-owner
 .endif
-.if defined(CGIWRAP_WITHOUT_CHECK_GROUP)
+.if defined(WITHOUT_CHECK_GROUP)
 CONFIGURE_ARGS+=	--without-check-group
 .endif
-.if defined(CGIWRAP_WITHOUT_CHECK_SETUID)
+.if defined(WITHOUT_CHECK_SETUID)
 CONFIGURE_ARGS+=	--without-check-setuid
 .endif
-.if defined(CGIWRAP_WITHOUT_CHECK_SETGID)
+.if defined(WITHOUT_CHECK_SETGID)
 CONFIGURE_ARGS+=	--without-check-setgid
 .endif
-.if defined(CGIWRAP_WITHOUT_CHECK_GROUP_WRITABLE)
+.if defined(WITHOUT_CHECK_GROUP_WRITABLE)
 CONFIGURE_ARGS+=	--without-check-group-writable
 .endif
-.if defined(CGIWRAP_WITHOUT_CHECK_WORLD_WRITABLE)
+.if defined(WITHOUT_CHECK_WORLD_WRITABLE)
 CONFIGURE_ARGS+=	--without-check-world-writable
 .endif
 
+.if !defined(NOPORTDOCS)
+PORTDOCS=	accesscontrol.html afs.html changes.html \
+		chroot.html comments.html download.html faq.html \
+		index.html install.html intro.html maillist.html \
+		notes.html pubs.html quickref.html setup.html \
+		thanks.html todo.html tricks.html y2k.html
+.endif
+
+show-options:
+	@${SED} -ne 's/^##//p' ${.CURDIR}/Makefile
+
 pre-install:
-	@${MKDIR} ${MAINCGIDIR}
+	@${MKDIR} ${WITH_MAIN_CGIDIR}
 
 post-install:
-	@${STRIP_CMD} ${MAINCGIDIR}/cgiwrap
-	@${CHMOD} 4550 ${MAINCGIDIR}/cgiwrap
-.if !defined(CGIWRAP_WITH_DEBUG)
-	@${RM} ${MAINCGIDIR}/cgiwrapd ${MAINCGIDIR}/nph-cgiwrapd
+	@${STRIP_CMD} ${WITH_MAIN_CGIDIR}/cgiwrap
+	@${CHMOD} 4550 ${WITH_MAIN_CGIDIR}/cgiwrap
+.if !defined(WITH_DEBUG)
+	@${RM} ${WITH_MAIN_CGIDIR}/cgiwrapd
+	@${RM} ${WITH_MAIN_CGIDIR}/nph-cgiwrapd
 .endif
 .if !defined(NOPORTDOCS)
 	@${MKDIR} ${DOCSDIR}
-.for file in accesscontrol.html afs.html changes.html chroot.html	\
-		comments.html download.html faq.html index.html		\
-		install.html intro.html maillist.html notes.html	\
-		pubs.html quickref.html setup.html thanks.html		\
-		todo.html tricks.html y2k.html
-	@${INSTALL_DATA} ${WRKSRC}/htdocs/${file} ${DOCSDIR}
+.for f in ${PORTDOCS}
+	@${INSTALL_DATA} ${WRKSRC}/htdocs/${f} ${DOCSDIR}
 .endfor
-	@${ECHO} "Documentation installed in ${DOCSDIR}"
 .endif
-	@${CAT} ${PKGMESSAGE} | ${SED} -e's#%%PREFIX%%#${PREFIX}#g'
+	@${SED}	-e's,%%MAIN_CGIDIR%%,${WITH_MAIN_CGIDIR},g' \
+		-e's,%%ALLOWFILE%%,${WITH_ALLOWFILE},g' \
+		-e's,%%DENYFILE%%,${WITH_DENYFILE},g' \
+		${MASTERDIR}/pkg-message > ${PKGMESSAGE}
+	@${CAT} ${PKGMESSAGE}
 
 .include <bsd.port.mk>
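Review bot: Overriding `WITH_MAIN_CGIDIR` puts the setuid-root `cgiwrap` (set to mode 4550 in `post-install`) in a directory the packing list does not track, because pkg-plist in this same patch still hard-codes `www/cgi-bin/cgiwrap` and `@unexec rmdir %D/www/cgi-bin`. With a non-default value the deinstall or upgrade step would presumably leave the old setuid binary in place, which is the kind of stale privileged file that is easy to miss later. Since the knob is now advertised through `show-options`, the directory should be passed to the plist, for example `PLIST_SUB+= MAIN_CGIDIR=${WITH_MAIN_CGIDIR:S,^${PREFIX}/,,}` with entries written as `%%MAIN_CGIDIR%%/cgiwrap`. That substitution only works for directories under `${PREFIX}`, so the `##` help text for the knob should state that restriction.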
diff -ruN cgiwrap.orig/pkg-descr cgiwrap/pkg-descr
--- cgiwrap.orig/pkg-descr	Tue Aug 17 22:13:50 2004
+++ cgiwrap/pkg-descr	Tue Aug 31 03:52:17 2004
@@ -1,11 +1,11 @@
 This is CGIWrap - a gateway that allows more secure user access to
-CGI programs on an HTTPd server than is provided by the http server
+CGI programs on an HTTPd server than is provided by the Web server
 itself. The primary function of CGIWrap is to make certain that
 any CGI script runs with the permissions of the user who installed
-it, and not those of the server.
+it, and not those of the Web server.
 
 CGIWrap works with NCSA httpd, Apache, CERN httpd, NetSite Commerce
-and Communications servers, and probably any other Unix based web
+and Communications servers, and probably any other Unix-based Web
 server software that supports CGI.
 
 WWW: http://cgiwrap.sourceforge.net/
diff -ruN cgiwrap.orig/pkg-message cgiwrap/pkg-message
--- cgiwrap.orig/pkg-message	Tue Aug 17 22:13:50 2004
+++ cgiwrap/pkg-message	Tue Aug 31 04:04:41 2004
@@ -1,15 +1,19 @@
 -----------------------------------------------------------------
 You have installed cgiwrap, a wrapper to securely execute user
-CGI programs.  cgiwrap is reported to work with most web servers
+CGI programs.  cgiwrap is reported to work with most Web servers
 that support CGI, so no one specific server has been included as
-a depend.  If you are unsure of which webserver to use, it is
-recommended to try the Apache web server package.
+a dependancy.  If you are unsure of which Web server to use, it
+is recommended that you try the Apache HTTP server.
 
-The cgiwrap scripts have been installed in:
-    %%PREFIX%%/www/cgi-bin
-...the default location for Apache's cgi-bin directory.
+The cgiwrap binaries have been installed in the following
+directory:
 
-If cgiwrap's allow/deny control is enabled, you must create either
-%%PREFIX%%/etc/cgiwrap.allow and/or %%PREFIX%%/etc/cgiwrap.deny
-before cgiwrap will function.
+  %%MAIN_CGIDIR%%
+
+You should create/manage the following two files, otherwise
+cgiwrap will not function as expected.  These ACL files define
+which users can and cannot run CGI binaries via cgiwrap:
+
+  %%ALLOWFILE%%
+  %%DENYFILE%%
 -----------------------------------------------------------------
diff -ruN cgiwrap.orig/pkg-plist cgiwrap/pkg-plist
--- cgiwrap.orig/pkg-plist	Tue Aug 17 22:13:50 2004
+++ cgiwrap/pkg-plist	Tue Aug 31 03:48:30 2004
@@ -1,25 +1,5 @@
-%%PORTDOCS%%%%DOCSDIR%%/accesscontrol.html
-%%PORTDOCS%%%%DOCSDIR%%/afs.html
-%%PORTDOCS%%%%DOCSDIR%%/changes.html
-%%PORTDOCS%%%%DOCSDIR%%/chroot.html
-%%PORTDOCS%%%%DOCSDIR%%/comments.html
-%%PORTDOCS%%%%DOCSDIR%%/download.html
-%%PORTDOCS%%%%DOCSDIR%%/faq.html
-%%PORTDOCS%%%%DOCSDIR%%/index.html
-%%PORTDOCS%%%%DOCSDIR%%/install.html
-%%PORTDOCS%%%%DOCSDIR%%/intro.html
-%%PORTDOCS%%%%DOCSDIR%%/maillist.html
-%%PORTDOCS%%%%DOCSDIR%%/notes.html
-%%PORTDOCS%%%%DOCSDIR%%/pubs.html
-%%PORTDOCS%%%%DOCSDIR%%/quickref.html
-%%PORTDOCS%%%%DOCSDIR%%/setup.html
-%%PORTDOCS%%%%DOCSDIR%%/thanks.html
-%%PORTDOCS%%%%DOCSDIR%%/todo.html
-%%PORTDOCS%%%%DOCSDIR%%/tricks.html
-%%PORTDOCS%%%%DOCSDIR%%/y2k.html
 www/cgi-bin/cgiwrap
 %%CGIWRAPDFLAG%%www/cgi-bin/cgiwrapd
 www/cgi-bin/nph-cgiwrap
 %%CGIWRAPDFLAG%%www/cgi-bin/nph-cgiwrapd
 @unexec rmdir %D/www/cgi-bin 2>/dev/null || true
-%%PORTDOCS%%@dirrm %%DOCSDIR%%
>Release-Note:
>Audit-Trail:
>Unformatted:


