ports/108502: [maintainer] textproc/sphinxsearch -- run as unprivileged user
Matthew Seaman
m.seaman at infracaninophile.co.uk
Mon Jan 29 00:10:20 UTC 2007
>Number: 108502
>Category: ports
>Synopsis: [maintainer] textproc/sphinxsearch -- run as unprivileged user
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 29 00:10:19 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Matthew Seaman
>Release: FreeBSD 6.2-STABLE i386
>Organization:
Infracaninophile
>Environment:
System: FreeBSD happy-idiot-talk.infracaninophile.co.uk 6.2-STABLE FreeBSD 6.2-STABLE #7: Sat Jan 27 15:13:42 GMT 2007 root at happy-idiot-talk.infracaninophile.co.uk:/usr/obj/usr/src/sys/HAPPY-IDIOT-TALK i386
>Description:
In the interests of generally improving security, switch to running
searchd as an unprivileged user 'sphinx'
Note to Users:
The default locations of a number of files and directories have changed:
/var/run/searchd.pid --> /var/run/sphinxsearch/searchd.pid
/var/log/searchd.log --> /var/log/sphinxsearch/searchd.log
/var/log/sphinx-query.log --> /var/log/sphinxsearch/sphinx-query.log
See ${PREFIX}/etc/rc.d/sphinxsearch for details of a number of new
rc.conf settings you can use to control these locations and also the
user and group the daemon is run as.
You will need to merge these changes into ${PREFIX}/etc/sphinx.conf
Note to committer:
Added new files:
sphinxsearch/files/pkg-install.in
sphinxsearch/files/pkg-deinstall.in
>How-To-Repeat:
>Fix:
--- sphinxsearch.diff begins here ---
diff -Nur /usr/ports/textproc/sphinxsearch/Makefile sphinxsearch/Makefile
--- /usr/ports/textproc/sphinxsearch/Makefile Sat Dec 16 17:37:51 2006
+++ sphinxsearch/Makefile Sun Jan 28 22:44:44 2007
@@ -5,10 +5,11 @@
# $FreeBSD: ports/textproc/sphinxsearch/Makefile,v 1.2 2006/12/16 12:06:14 miwi Exp $
#
# Note: the Sphinx Storage Engine MySQL plugin is not supported by
-# this port at the moment. Maybe later.
+# this port. You need a patched version of mysql server for that.
PORTNAME= sphinxsearch
PORTVERSION= 0.9.7.r2
+PORTREVISION= 1
CATEGORIES= textproc databases
MASTER_SITES= http://www.sphinxsearch.com/downloads/
DISTNAME= sphinx-${PORTVERSION:C@\.r([0-9]+)$@-rc\1@}
@@ -20,6 +21,12 @@
PGSQL "PostgreSQL support" off \
OPTIMIZED_CFLAGS "Use compiler optimization (-O3)" off
+SPHINX_USR?= sphinx
+SPHINX_GRP?= sphinx
+SPHINX_DIR?= /var/db/${PORTNAME}
+SPHINX_RUN?= /var/run/${PORTNAME}
+SPHINX_LOG?= /var/log/${PORTNAME}
+
# Yes, the conflation of CPPFLAGS and CXXFLAGS is deliberate. No,
# don't ask.
@@ -28,8 +35,15 @@
CONFIGURE_ENV+= CC=${CC} CPPFLAGS="${CXXFLAGS}"
CFGFILE= ${PREFIX}/etc/sphinx.conf
USE_RC_SUBR= sphinxsearch.sh
-SUB_LIST+= PORTNAME=${PORTNAME} \
- CFGFILE=${CFGFILE}
+SUB_LIST+= PORTNAME=${PORTNAME} \
+ CFGFILE=${CFGFILE} \
+ SPHINX_USR=${SPHINX_USR} \
+ SPHINX_GRP=${SPHINX_GRP} \
+ SPHINX_DIR=${SPHINX_DIR} \
+ SPHINX_RUN=${SPHINX_RUN} \
+ SPHINX_LOG=${SPHINX_LOG}
+SUB_FILES+= pkg-install pkg-deinstall
+
.if !defined(NOPORTDOCS)
EXAMPLES= example.sql api/sphinxapi.php api/test.php api/test2.php
DOCS= doc/sphinx.css doc/sphinx.html doc/sphinx.txt doc/sphinx.xml
@@ -62,12 +76,15 @@
post-patch:
${REINPLACE_CMD} \
- -e 's!@CONFDIR@/log/searchd.pid!/var/run/searchd.pid!' \
- -e 's!@CONFDIR@/log/query.log!/var/log/sphinx-query.log!' \
- -e 's!@CONFDIR@/log/searchd.log!/var/log/searchd.log!' \
- -e 's!@CONFDIR@!/var/db/sphinxsearch!' \
+ -e "s!@CONFDIR@/log/searchd.pid!${SPHINX_RUN}/searchd.pid!" \
+ -e "s!@CONFDIR@/log/query.log!${SPHINX_LOG}/sphinx-query.log!" \
+ -e "s!@CONFDIR@/log/searchd.log!${SPHINX_LOG}/searchd.log!" \
+ -e "s!@CONFDIR@!${SPHINX_DIR}!" \
${WRKSRC}/sphinx.conf.in
+pre-install:
+ @${SETENV} ${SCRIPTS_ENV} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
+
do-install: install-bin install-docs install-examples
install-bin:
@@ -92,7 +109,10 @@
.endfor
.endif
-post-install:
+post-install: post-install-cfg
+ @${SETENV} ${SCRIPTS_ENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
+
+post-install-cfg:
@if [ ! -f ${CFGFILE} ]; then \
${CP} -p ${CFGFILE}.sample ${CFGFILE} ; \
fi
diff -Nur /usr/ports/textproc/sphinxsearch/files/pkg-deinstall.in sphinxsearch/files/pkg-deinstall.in
--- /usr/ports/textproc/sphinxsearch/files/pkg-deinstall.in Thu Jan 1 01:00:00 1970
+++ sphinxsearch/files/pkg-deinstall.in Sun Jan 28 23:21:02 2007
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+sphinx_usr=%%SPHINX_USR%%
+sphinx_grp=%%SPHINX_GRP%%
+sphinx_dir=%%SPHINX_DIR%%
+sphinx_name=%%PORTNAME%%
+
+case $2 in
+ POST-DEINSTALL)
+
+ cat <<EOMSG
+
+The $sphinx_name port has been deleted. If you are not
+upgrading and don't intend to use $sphinx_name any more
+then you may wish to delete the $sphinx_usr account,
+and the $sphinx_grp group together with the working
+directory $sphinx_dir; which can be done with the
+following commands:
+
+ # pw userdel -n $sphinx_usr
+ # rm -rf $sphinx_dir
+EOMSG
+ echo
+ ;;
+esac
+
+#
+# That's All Folks!
+#
diff -Nur /usr/ports/textproc/sphinxsearch/files/pkg-install.in sphinxsearch/files/pkg-install.in
--- /usr/ports/textproc/sphinxsearch/files/pkg-install.in Thu Jan 1 01:00:00 1970
+++ sphinxsearch/files/pkg-install.in Sun Jan 28 23:22:23 2007
@@ -0,0 +1,116 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+PATH=/usr/sbin:/usr/bin:/bin ; export PATH
+
+sphinx_dir=%%SPHINX_DIR%%
+sphinx_usr=%%SPHINX_USR%%
+sphinx_grp=%%SPHINX_GRP%%
+sphinx_run=%%SPHINX_RUN%%
+sphinx_log=%%SPHINX_LOG%%
+sphinx_name=%%PORTNAME%%
+
+sphinx_gcos="Sphinxsearch Owner"
+sphinx_home=/nonexistent
+sphinx_shell=/sbin/nologin
+
+create_group() {
+ local user group gcos home shell
+
+ user=$1
+ group=$2
+ gcos=$3
+ home=$4
+ shell=$5
+
+ if pw groupadd -n $group ; then
+ echo "===> Group $group created"
+ else
+ cat <<-EOERRORMSG
+ *** Failed to create the $group group.
+
+ Please add the $user user and $group group
+ manually with the commands:
+
+ pw groupadd -n $group
+ pw useradd -n $user -g $group -c "$gcos" \\
+ -d $home -s $shell -h -
+
+ and retry installing this package.
+ EOERRORMSG
+ exit 1
+ fi
+}
+
+
+create_user() {
+ local user group gcos home shell
+
+ user=$1
+ group=$2
+ gcos=$3
+ home=$4
+ shell=$5
+
+ if pw useradd -n $user -g $group -c "$gcos" -d $home -s $shell -h - ; then
+ echo "===> Created $user user"
+ else
+ cat <<-EOERRORMSG
+ *** Failed to create the $user user.
+
+ Please add the $user user manually with the command:
+
+ pw useradd -n $user -g $group -c "$gcos" \\
+ -d $home -s $shell -h -
+
+ and retry installing this package.
+ EOERRORMSG
+ exit 1
+ fi
+}
+
+
+case $2 in
+ PRE-INSTALL)
+
+ # Create the sphinx user and group if they do not already exist
+
+ if pw user show -n $sphinx_usr >/dev/null 2>&1 ; then
+ echo "===> Using pre-existing user $sphinx_usr"
+ else
+ if ! pw group show -n $sphinx_grp >/dev/null 2>&1 ; then
+ create_group $sphinx_usr $sphinx_grp "$sphinx_gcos" \
+ $sphinx_home $sphinx_shell
+ fi
+ create_user $sphinx_usr $sphinx_grp "$sphinx_gcos" \
+ $sphinx_home $sphinx_shell
+ fi
+ ;;
+ POST-INSTALL)
+
+ # Create and set ownership of the Sphinx working directory
+ if [ -d $sphinx_dir ]; then
+ echo "==> Using pre-existing directory $sphinx_dir"
+ else
+ echo "==> Creating the Sphinx working directory: $sphinx_dir"
+ mkdir -m 755 $sphinx_dir || exit 1
+ fi
+
+ # Create and set ownership of the Sphinx data directory
+ if [ -d $sphinx_dir/data ]; then
+ echo "==> Using pre-existing directory $sphinx_dir/data"
+ else
+ echo "==> Creating the Sphinx data directory: $sphinx_dir/data"
+ mkdir -m 755 $sphinx_dir/data || exit 1
+ fi
+
+ echo "===> Adjusting file ownership in $sphinx_dir"
+ chown -R $sphinx_usr:$sphinx_grp $sphinx_dir || exit 1
+ ;;
+esac
+
+#
+# That's All Folks!
+#
diff -Nur /usr/ports/textproc/sphinxsearch/files/sphinxsearch.sh.in sphinxsearch/files/sphinxsearch.sh.in
--- /usr/ports/textproc/sphinxsearch/files/sphinxsearch.sh.in Sat Nov 18 22:54:07 2006
+++ sphinxsearch/files/sphinxsearch.sh.in Sun Jan 28 23:45:56 2007
@@ -15,11 +15,16 @@
#
# %%PORTNAME%%_conffile="%%CFGFILE%%"
# -- path to config file
-# %%PORTNAME%%_pidfile="/var/run/searchd.pid"
+# %%PORTNAME%%_pidfile="%%SPHINX_RUN%%/searchd.pid"
# -- location of pidfile: must match setting
# in ${%%PORTNAME%%_conffile}
+# %%PORTNAME%%_user="%%SPHINX_USR%%"
+# -- user to run searchd as
+# %%PORTNAME%%_group="%%SPHINX_GRP%%"
+# -- group to run searchd as
+# %%PORTNAME%%_logdir="%%SPHINX_LOG%%"
+# -- directory searchd writes logs to
#
-
. /etc/rc.subr
name=%%PORTNAME%%
@@ -27,12 +32,31 @@
%%PORTNAME%%_enable=${%%PORTNAME%%_enable-"NO"}
%%PORTNAME%%_conffile=${%%PORTNAME%%_conffile-"%%CFGFILE%%"}
-%%PORTNAME%%_pidfile=${%%PORTNAME%%_pidfile-"/var/run/searchd.pid"}
+%%PORTNAME%%_pidfile=${%%PORTNAME%%_pidfile-"%%SPHINX_RUN%%/searchd.pid"}
+%%PORTNAME%%_user=${%%PORTNAME%%_user-"%%SPHINX_USR%%"}
+%%PORTNAME%%_group=${%%PORTNAME%%_group-"%%SPHINX_GRP%%"}
+%%PORTNAME%%_logdir=${%%PORTNAME%%_logdir-"%%SPHINX_LOG%%"}
+
+start_precmd="create_dirs"
command=%%PREFIX%%/sbin/searchd
pidfile=${%%PORTNAME%%_pidfile}
required_files=${%%PORTNAME%%_conffile}
%%PORTNAME%%_flags="--config ${%%PORTNAME%%_conffile}"
+
+create_dirs ()
+{
+ piddir=$(dirname ${%%PORTNAME%%_pidfile})
+ if [ ! -d ${piddir} ]; then
+ mkdir -m 755 -p ${piddir}
+ chown -R ${%%PORTNAME%%_user}:${%%PORTNAME%%_group} ${piddir}
+ fi
+ if [ ! -d ${%%PORTNAME%%_logdir} ]; then
+ mkdir -m 755 -p ${%%PORTNAME%%_logdir}
+ chown -R ${%%PORTNAME%%_user}:${%%PORTNAME%%_group} \
+ ${%%PORTNAME%%_logdir}
+ fi
+}
load_rc_config ${name}
run_rc_command "$1"
--- sphinxsearch.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list