ports/108502: [maintainer] textproc/sphinxsearch -- run as unprivileged user

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Jan 30 22:44:52 UTC 2007


On Tue, Jan 30, 2007 at 08:47:48PM +0000, Pav Lucistnik wrote:
> Synopsis: [maintainer] textproc/sphinxsearch -- run as unprivileged user
> 
> State-Changed-From-To: open->feedback
> State-Changed-By: pav
> State-Changed-When: Tue Jan 30 20:40:10 UTC 2007
> State-Changed-Why: 
> Looks great, but, would you mind selecting a fixed UID and GID, modifying the
> pkg-install script to always use them, and prepare a patch to record them in
> /usr/ports/UIDs,GIDs files?
> 
> 
> Responsible-Changed-From-To: freebsd-ports-bugs->pav
> Responsible-Changed-By: pav
> Responsible-Changed-When: Tue Jan 30 20:40:10 UTC 2007
> Responsible-Changed-Why: 
> Take
> 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=108502

No problem.  I chose uid/gid 312 because searchd defaults to listening
on port 3312, and I changed the user/group name to _sphinx.

--- /usr/ports/UIDs	Sun Jan 28 05:01:59 2007
+++ UIDs	Tue Jan 30 22:26:49 2007
@@ -88,6 +88,7 @@
 smx:*:264:264:Sendmail X other:/nonexistent:/sbin/nologin
 hacluster:*:275:275:Heartbeat cluster user:/nonexistent:/sbin/nologin
 mrtg:*:279:279:MRTG daemon:/nonexistent:/sbin/nologin
+_sphinx:*:312:312::0:0:Sphinxsearch Owner:/nonexistent:/sbin/nologin
 dkfilter:*:325:325:DK Filter Owner:/nonexistent:/sbin/nologin
 wildfire:*:340:340::0:0:Wildfire Daemon:/nonexistent:/sbin/nologin
 ldap:*:389:389:OpenLDAP Server:/nonexistent:/sbin/nologin

--- /usr/ports/GIDs	Sun Jan 28 05:01:59 2007
+++ GIDs	Tue Jan 30 22:27:01 2007
@@ -77,6 +77,7 @@
 smx:*:264:
 haclient:*:275:
 mrtg:*:279:
+_sphinx:*:312:
 dkfilter:*:325:
 wildfire:*:340:
 ldap:*:389:

diff -Nur /usr/ports/textproc/sphinxsearch/Makefile sphinxsearch/Makefile
--- /usr/ports/textproc/sphinxsearch/Makefile	Sat Dec 16 17:37:51 2006
+++ sphinxsearch/Makefile	Tue Jan 30 22:16:10 2007
@@ -5,10 +5,11 @@
 # $FreeBSD: ports/textproc/sphinxsearch/Makefile,v 1.2 2006/12/16 12:06:14 miwi Exp $
 #
 # Note: the Sphinx Storage Engine MySQL plugin is not supported by
-# this port at the moment.  Maybe later.
+# this port.  You need a patched version of mysql server for that.
 
 PORTNAME=	sphinxsearch
 PORTVERSION=	0.9.7.r2
+PORTREVISION=	1
 CATEGORIES=	textproc databases
 MASTER_SITES=	http://www.sphinxsearch.com/downloads/
 DISTNAME=	sphinx-${PORTVERSION:C@\.r([0-9]+)$@-rc\1@}
@@ -20,6 +21,14 @@
 		PGSQL            "PostgreSQL support"              off \
 		OPTIMIZED_CFLAGS "Use compiler optimization (-O3)" off
 
+SPHINX_USR?=	_sphinx
+SPHINX_UID?=	312
+SPHINX_GRP?=	_sphinx
+SPHINX_GID?=	312
+SPHINX_DIR?=	/var/db/${PORTNAME}
+SPHINX_RUN?=	/var/run/${PORTNAME}
+SPHINX_LOG?=	/var/log/${PORTNAME}
+
 # Yes, the conflation of CPPFLAGS and CXXFLAGS is deliberate.  No,
 # don't ask.
 
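Review bot: The seven `SPHINX_*?=` knobs are user-overridable, but 312 is the value this very PR registers in the ports UIDs/GIDs files, and the same values are substituted into pkg-install, pkg-deinstall and the rc script, so an override produces a system whose ids no longer match the registration. A short comment above the block should say that, e.g. `# uid/gid 312 is registered in ports/UIDs and ports/GIDs; these values are substituted into pkg-install, pkg-deinstall and the rc script via SUB_LIST`. SPHINX_RUN and SPHINX_LOG are only consumed by the rc script at start time, which is worth stating in the same comment since pkg-install never creates them.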
@@ -28,8 +37,17 @@
 CONFIGURE_ENV+=		CC=${CC} CPPFLAGS="${CXXFLAGS}"
 CFGFILE=	${PREFIX}/etc/sphinx.conf
 USE_RC_SUBR=	sphinxsearch.sh
-SUB_LIST+=	PORTNAME=${PORTNAME} \
-		CFGFILE=${CFGFILE}
+SUB_LIST+=	PORTNAME=${PORTNAME}     \
+		CFGFILE=${CFGFILE}       \
+		SPHINX_USR=${SPHINX_USR} \
+		SPHINX_UID=${SPHINX_UID} \
+		SPHINX_GRP=${SPHINX_GRP} \
+		SPHINX_GID=${SPHINX_GID} \
+		SPHINX_DIR=${SPHINX_DIR} \
+		SPHINX_RUN=${SPHINX_RUN} \
+		SPHINX_LOG=${SPHINX_LOG}
+SUB_FILES+=	pkg-install pkg-deinstall
+
 .if !defined(NOPORTDOCS)
 EXAMPLES=	example.sql api/sphinxapi.php api/test.php api/test2.php
 DOCS=		doc/sphinx.css doc/sphinx.html doc/sphinx.txt doc/sphinx.xml
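Review bot: `SUB_FILES+= pkg-install pkg-deinstall` generates the two scripts under WRKDIR, while the `${PKGINSTALL}` invoked from the new pre-install and post-install recipes defaults to the pkg-install in the port directory, which this port does not ship. If the bsd.port.mk of this era does not repoint PKGINSTALL/PKGDEINSTALL at the SUB_FILES-generated copies, the hooks run a nonexistent script; worth confirming once from a clean WRKDIR, or setting `PKGINSTALL= ${WRKDIR}/pkg-install` and `PKGDEINSTALL= ${WRKDIR}/pkg-deinstall` explicitly so the intent is visible.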
@@ -62,12 +80,15 @@
 
 post-patch:
 	${REINPLACE_CMD} \
-	    -e 's!@CONFDIR@/log/searchd.pid!/var/run/searchd.pid!'    \
-	    -e 's!@CONFDIR@/log/query.log!/var/log/sphinx-query.log!' \
-	    -e 's!@CONFDIR@/log/searchd.log!/var/log/searchd.log!'    \
-	    -e 's!@CONFDIR@!/var/db/sphinxsearch!'                    \
+	    -e "s!@CONFDIR@/log/searchd.pid!${SPHINX_RUN}/searchd.pid!"    \
+	    -e "s!@CONFDIR@/log/query.log!${SPHINX_LOG}/sphinx-query.log!" \
+	    -e "s!@CONFDIR@/log/searchd.log!${SPHINX_LOG}/searchd.log!"    \
+	    -e "s!@CONFDIR@!${SPHINX_DIR}!"                                \
 	    ${WRKSRC}/sphinx.conf.in
 
+pre-install:
+	@${SETENV} ${SCRIPTS_ENV} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
+
 do-install: install-bin install-docs install-examples
 
 install-bin:
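Review bot: The REINPLACE expressions now interpolate `${SPHINX_RUN}`, `${SPHINX_LOG}` and `${SPHINX_DIR}` into sed replacement text, where `!` (the chosen delimiter), `&` and `\` are special; because all three are `?=`-overridable, a value containing one of them silently corrupts sphinx.conf.in instead of failing the build. Either state the restriction next to the variable block, e.g. `# SPHINX_DIR/RUN/LOG must not contain '!', '&' or '\' (used unescaped in post-patch sed)`, or pick a delimiter and escaping that tolerates arbitrary paths. The pre-install hook itself follows the usual PKGINSTALL idiom and looks fine.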
@@ -92,7 +113,10 @@
 .endfor
 .endif
 
-post-install:
+post-install: post-install-cfg
+	@${SETENV} ${SCRIPTS_ENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
+
+post-install-cfg:
 	@if [ ! -f ${CFGFILE} ]; then \
 	  ${CP} -p ${CFGFILE}.sample ${CFGFILE} ; \
 	fi
diff -Nur /usr/ports/textproc/sphinxsearch/files/pkg-deinstall.in sphinxsearch/files/pkg-deinstall.in
--- /usr/ports/textproc/sphinxsearch/files/pkg-deinstall.in	Thu Jan  1 01:00:00 1970
+++ sphinxsearch/files/pkg-deinstall.in	Sun Jan 28 23:21:02 2007
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+sphinx_usr=%%SPHINX_USR%%
+sphinx_grp=%%SPHINX_GRP%%
+sphinx_dir=%%SPHINX_DIR%%
+sphinx_name=%%PORTNAME%%
+
+case $2 in
+    POST-DEINSTALL)
+
+    cat <<EOMSG
+
+The $sphinx_name port has been deleted.  If you are not
+upgrading and don't intend to use $sphinx_name any more
+then you may wish to delete the $sphinx_usr account,
+and the $sphinx_grp group together with the working
+directory $sphinx_dir; which can be done with the
+following commands:
+
+    # pw userdel -n $sphinx_usr
+    # rm -rf $sphinx_dir
+EOMSG
+    echo
+    ;;
+esac
+
+#
+# That's All Folks!
+#
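Review bot: The POST-DEINSTALL message tells the administrator they may delete the `$sphinx_grp` group and the working directory but only lists `pw userdel -n $sphinx_usr` and `rm -rf $sphinx_dir`, so either add `# pw groupdel -n $sphinx_grp` to the list or say in the text that userdel already removes a same-named, otherwise-empty group (as I believe pw does; worth confirming). The message also does not mention the pid and log directories the rc script creates at start time (`%%SPHINX_RUN%%` and `%%SPHINX_LOG%%` are not substituted into this file), so an administrator following it leaves those behind. `$2` is used unquoted in the `case`, which is harmless here but `"$2"` is the safer habit.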
diff -Nur /usr/ports/textproc/sphinxsearch/files/pkg-install.in sphinxsearch/files/pkg-install.in
--- /usr/ports/textproc/sphinxsearch/files/pkg-install.in	Thu Jan  1 01:00:00 1970
+++ sphinxsearch/files/pkg-install.in	Tue Jan 30 22:18:31 2007
@@ -0,0 +1,123 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+PATH=/usr/sbin:/usr/bin:/bin ; export PATH
+
+sphinx_dir=%%SPHINX_DIR%%
+sphinx_usr=%%SPHINX_USR%%
+sphinx_uid=%%SPHINX_UID%%
+sphinx_grp=%%SPHINX_GRP%%
+sphinx_gid=%%SPHINX_GID%%
+sphinx_run=%%SPHINX_RUN%%
+sphinx_log=%%SPHINX_LOG%%
+sphinx_name=%%PORTNAME%%
+
+sphinx_gcos="Sphinxsearch Owner"
+sphinx_home=/nonexistent
+sphinx_shell=/sbin/nologin
+
+create_group() {
+    local user uid group gid gcos home shell
+
+    user=$1
+    uid=$2
+    group=$3
+    gid=$4
+    gcos=$5
+    home=$6
+    shell=$7
+
+    if pw groupadd -n $group -g $gid ; then
+	echo "===> Group $group created"
+    else
+	cat <<-EOERRORMSG
+	*** Failed to create the $group group.
+
+	Please add the $user user and $group group
+	manually with the commands:
+
+	    pw groupadd -n $group -g $gid
+	    pw useradd -n $user -u $uid -g $group -c "$gcos" \\
+	        -d $home -s $shell -h -
+
+	and retry installing this package.
+	EOERRORMSG
+	exit 1
+    fi
+}
+
+
+create_user() {
+    local user uid group gid gcos home shell
+
+    user=$1
+    uid=$2
+    group=$3
+    gid=$4
+    gcos=$5
+    home=$6
+    shell=$7
+
+    if pw useradd -n $user -u $uid -g $group -c "$gcos" -d $home \\
+	-s $shell -h - ; then
+	echo "===> Created $user user"
+    else
+	cat <<-EOERRORMSG
+	*** Failed to create the $user user.
+
+	Please add the $user user manually with the command:
+
+	    pw useradd -n $user -u $uid -g $group -c "$gcos" \\
+		        -d $home -s $shell -h -
+
+	and retry installing this package.
+	EOERRORMSG
+	exit 1
+    fi
+}
+
+
+case $2 in
+    PRE-INSTALL)
+
+        # Create the sphinx user and group if they do not already exist
+
+        if pw user show -n $sphinx_usr >/dev/null 2>&1 ; then
+	    echo "===> Using pre-existing user $sphinx_usr"
+	else
+	    if ! pw group show -n $sphinx_grp >/dev/null 2>&1 ; then
+		create_group $sphinx_usr $sphinx_uid $sphinx_grp $sphinx_gid \
+		    "$sphinx_gcos" $sphinx_home $sphinx_shell
+	    fi
+	    create_user $sphinx_usr $sphinx_uid $sphinx_grp $sphinx_gid \
+		"$sphinx_gcos" $sphinx_home $sphinx_shell
+	fi
+	;;
+    POST-INSTALL)
+
+    	# Create and set ownership of the Sphinx working directory
+        if [ -d $sphinx_dir ]; then
+	    echo "==> Using pre-existing directory $sphinx_dir"
+	else
+	    echo "==> Creating the Sphinx working directory: $sphinx_dir"
+	    mkdir -m 755 $sphinx_dir || exit 1
+	fi
+
+    	# Create and set ownership of the Sphinx data directory
+        if [ -d $sphinx_dir/data ]; then
+	    echo "==> Using pre-existing directory $sphinx_dir/data"
+	else
+	    echo "==> Creating the Sphinx data directory: $sphinx_dir/data"
+	    mkdir -m 755 $sphinx_dir/data || exit 1
+	fi
+
+        echo "===> Adjusting file ownership in $sphinx_dir"
+        chown -R $sphinx_usr:$sphinx_grp $sphinx_dir || exit 1
+	;;
+esac
+
+#
+# That's All Folks!
+#
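Review bot: The `pw useradd` command in create_user ends its first line with `\\`, which in a plain script line (unlike the unquoted heredocs above it, where `\\` correctly prints one backslash) is an escaped backslash rather than a continuation; unless the mail archive doubled it, the `if` list then becomes `pw useradd ... -d $home \` followed by a separate `-s $shell -h -` command, whose failure sends every fresh install into the error branch and `exit 1`. Change it to a single backslash: `if pw useradd -n $user -u $uid -g $group -c "$gcos" -d $home \`. Separately, POST-INSTALL explicitly handles a pre-existing `$sphinx_dir` and then runs `chown -R $sphinx_usr:$sphinx_grp $sphinx_dir`, which hands the service account ownership of whatever an administrator already had in that tree; chowning only the two directories the script manages, `chown $sphinx_usr:$sphinx_grp $sphinx_dir $sphinx_dir/data`, keeps the unprivileged-user change from widening what searchd can write.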
diff -Nur /usr/ports/textproc/sphinxsearch/files/pkg-install.in~ sphinxsearch/files/pkg-install.in~
--- /usr/ports/textproc/sphinxsearch/files/pkg-install.in~	Thu Jan  1 01:00:00 1970
+++ sphinxsearch/files/pkg-install.in~	Tue Jan 30 22:13:46 2007
@@ -0,0 +1,123 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+PATH=/usr/sbin:/usr/bin:/bin ; export PATH
+
+sphinx_dir=%%SPHINX_DIR%%
+sphinx_usr=%%SPHINX_USR%%
+sphinx_uid=%%SPHINX_UID%%
+sphinx_grp=%%SPHINX_GRP%%
+sphinx_gid=%%SPHINX_GID%%
+sphinx_run=%%SPHINX_RUN%%
+sphinx_log=%%SPHINX_LOG%%
+sphinx_name=%%PORTNAME%%
+
+sphinx_gcos="Sphinxsearch Owner"
+sphinx_home=/nonexistent
+sphinx_shell=/sbin/nologin
+
+create_group() {
+    local user uid group gid gcos home shell
+
+    user=$1
+    uid=$2
+    group=$3
+    gid=$4
+    gcos=$5
+    home=$6
+    shell=$7
+
+    if pw groupadd -n $group -g $gid ; then
+	echo "===> Group $group created"
+    else
+	cat <<-EOERRORMSG
+	*** Failed to create the $group group.
+
+	Please add the $user user and $group group
+	manually with the commands:
+
+	    pw groupadd -n $group -g $gid
+	    pw useradd -n $user -u $uid -g $group -c "$gcos" \\
+	        -d $home -s $shell -h -
+
+	and retry installing this package.
+	EOERRORMSG
+	exit 1
+    fi
+}
+
+
+create_user() {
+    local user uid group gid gcos home shell
+
+    user=$1
+    uid=$2
+    group=$3
+    gid=$4
+    gcos=$5
+    home=$6
+    shell=$7
+
+    if pw useradd -n $user -u $uid -g $group -c "$gcos" -d $home \\
+	-s $shell -h - ; then
+	echo "===> Created $user user"
+    else
+	cat <<-EOERRORMSG
+	*** Failed to create the $user user.
+
+	Please add the $user user manually with the command:
+
+	    pw useradd -n $user -u $uid -g $group -c "$gcos" \\
+		        -d $home -s $shell -h -
+
+	and retry installing this package.
+	EOERRORMSG
+	exit 1
+    fi
+}
+
+
+case $2 in
+    PRE-INSTALL)
+
+        # Create the sphinx user and group if they do not already exist
+
+        if pw user show -n $sphinx_usr >/dev/null 2>&1 ; then
+	    echo "===> Using pre-existing user $sphinx_usr"
+	else
+	    if ! pw group show -n $sphinx_grp >/dev/null 2>&1 ; then
+		create_group $sphinx_usr $sphinx_uid $sphinx_grp $sphinx_gid \
+		    "$sphinx_gcos" $sphinx_home $sphinx_shell
+	    fi
+	    create_user $sphinx_usr $sphinx_uid $sphinx_grp $sphinx_gid \
+		"$sphinx_gcos" $sphinx_home $sphinx_shel
+	fi
+	;;
+    POST-INSTALL)
+
+    	# Create and set ownership of the Sphinx working directory
+        if [ -d $sphinx_dir ]; then
+	    echo "==> Using pre-existing directory $sphinx_dir"
+	else
+	    echo "==> Creating the Sphinx working directory: $sphinx_dir"
+	    mkdir -m 755 $sphinx_dir || exit 1
+	fi
+
+    	# Create and set ownership of the Sphinx data directory
+        if [ -d $sphinx_dir/data ]; then
+	    echo "==> Using pre-existing directory $sphinx_dir/data"
+	else
+	    echo "==> Creating the Sphinx data directory: $sphinx_dir/data"
+	    mkdir -m 755 $sphinx_dir/data || exit 1
+	fi
+
+        echo "===> Adjusting file ownership in $sphinx_dir"
+        chown -R $sphinx_usr:$sphinx_grp $sphinx_dir || exit 1
+	;;
+esac
+
+#
+# That's All Folks!
+#
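Review bot: This whole file section is an editor backup (`pkg-install.in~`) that was swept up by `diff -Nur` and should be dropped from the patch before commit, since otherwise it is added to the ports tree as a new file. It is also a stale draft rather than a copy: the create_user call here passes `$sphinx_shel` instead of `$sphinx_shell`, which the real pkg-install.in above already fixes.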
diff -Nur /usr/ports/textproc/sphinxsearch/files/sphinxsearch.sh.in sphinxsearch/files/sphinxsearch.sh.in
--- /usr/ports/textproc/sphinxsearch/files/sphinxsearch.sh.in	Sat Nov 18 22:54:07 2006
+++ sphinxsearch/files/sphinxsearch.sh.in	Sun Jan 28 23:45:56 2007
@@ -15,11 +15,16 @@
 #
 # %%PORTNAME%%_conffile="%%CFGFILE%%"
 #                          -- path to config file
-# %%PORTNAME%%_pidfile="/var/run/searchd.pid"
+# %%PORTNAME%%_pidfile="%%SPHINX_RUN%%/searchd.pid"
 #                          -- location of pidfile: must match setting
 #                             in ${%%PORTNAME%%_conffile}
+# %%PORTNAME%%_user="%%SPHINX_USR%%"
+#                          -- user to run searchd as
+# %%PORTNAME%%_group="%%SPHINX_GRP%%"
+#                          -- group to run searchd as
+# %%PORTNAME%%_logdir="%%SPHINX_LOG%%"
+#                          -- directory searchd writes logs to
 #
-
 . /etc/rc.subr
 
 name=%%PORTNAME%%
@@ -27,12 +32,31 @@
 
 %%PORTNAME%%_enable=${%%PORTNAME%%_enable-"NO"}
 %%PORTNAME%%_conffile=${%%PORTNAME%%_conffile-"%%CFGFILE%%"}
-%%PORTNAME%%_pidfile=${%%PORTNAME%%_pidfile-"/var/run/searchd.pid"}
+%%PORTNAME%%_pidfile=${%%PORTNAME%%_pidfile-"%%SPHINX_RUN%%/searchd.pid"}
+%%PORTNAME%%_user=${%%PORTNAME%%_user-"%%SPHINX_USR%%"}
+%%PORTNAME%%_group=${%%PORTNAME%%_group-"%%SPHINX_GRP%%"}
+%%PORTNAME%%_logdir=${%%PORTNAME%%_logdir-"%%SPHINX_LOG%%"}
+
+start_precmd="create_dirs"
 
 command=%%PREFIX%%/sbin/searchd
 pidfile=${%%PORTNAME%%_pidfile}
 required_files=${%%PORTNAME%%_conffile}
 %%PORTNAME%%_flags="--config ${%%PORTNAME%%_conffile}"
+
+create_dirs ()
+{
+    piddir=$(dirname ${%%PORTNAME%%_pidfile})
+    if [ ! -d ${piddir} ]; then
+	mkdir -m 755 -p ${piddir}
+	chown -R ${%%PORTNAME%%_user}:${%%PORTNAME%%_group} ${piddir}
+    fi
+    if [ ! -d ${%%PORTNAME%%_logdir} ]; then
+	mkdir -m 755 -p ${%%PORTNAME%%_logdir}
+	chown -R ${%%PORTNAME%%_user}:${%%PORTNAME%%_group} \
+	    ${%%PORTNAME%%_logdir}
+    fi
+}
 
 load_rc_config ${name}
 run_rc_command "$1"
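Review bot: Nothing in the script itself drops privileges; it relies on rc.subr honouring `%%PORTNAME%%_user` when run_rc_command starts `command`, and as far as I recall `%%PORTNAME%%_group` only takes effect in combination with a chroot, so the "group to run searchd as" line in the preceding comment hunk overstates what the variable does and should be checked against rc.subr and reworded to describe the user's primary group. The `_pidfile` default moved under `%%SPHINX_RUN%%`, but create_dirs only chowns a pid directory it creates itself, so anyone who kept the old `/var/run/searchd.pid` in rc.conf gets a searchd that can no longer write its pidfile as the unprivileged user; the comment block should state that `_pidfile`'s directory and `_logdir` must be writable by `_user`. On a directory create_dirs has just made, `chown -R` can be plain `chown`.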


-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW


