ports/153115: [maintainer] [patch] shells/scponly Note security concern, cleanups
Rob Farmer
rfarmer at predatorlabs.net
Mon Dec 13 04:00:23 UTC 2010
>Number: 153115
>Category: ports
>Synopsis: [maintainer] [patch] shells/scponly Note security concern, cleanups
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Mon Dec 13 04:00:19 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Rob Farmer
>Release: 9.0-CURRENT
>Organization:
>Environment:
FreeBSD topaz.predatorlabs.net 9.0-CURRENT FreeBSD 9.0-CURRENT #0 r216392: Sun Dec 12 03:46:58 PST 2010 rfarmer at topaz.predatorlabs.net:/usr/obj/usr/src/sys/TOPAZ amd64
>Description:
Most important:
-Patch SECURITY doc to include note about bypassing rsync argument checking with popt (from upstream) and tell people to read it
And some minor cleanup:
-Drop long comment describing knobs - it just duplicates OPTIONS
-For SCPONLY_DEFAULT_CHDIR, print a note about setting it. I'm not sure if post-patch is the best place for this, though?
-Drop dead site and just use Sourceforge
-Use the PORTDOCS variable
-Install some useful docs and drop useless one (TODO)
-Drop pre-everything message about defaults changing; that was 5 years ago
-LOCALBASE vs. PREFIX correction
-Add post-install messages to the plist so package users see them too
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/shells/scponly/Makefile,v
retrieving revision 1.35
diff -u -r1.35 Makefile
--- Makefile 7 Dec 2010 21:46:51 -0000 1.35
+++ Makefile 12 Dec 2010 16:51:17 -0000
@@ -5,76 +5,11 @@
# $FreeBSD: ports/shells/scponly/Makefile,v 1.35 2010/12/07 21:46:51 ohauer Exp $
#
-# There are many knobs to tune scponly towards your specific wishes
-# and preferences.
-# You can activate a knob by typing something like
-# "make -DKNOB" or "make KNOB=yes" instead of just "make"
-#
-# A description of the several possibilities is available here:
-#
-#
-# Core funcionality:
-#
-# SCPONLY_DEFAULT_CHDIR=DIR
-# default: undefined
-# example: public_html
-# define if you want to make users `cd' to this directory after authentication
-#
-# WITHOUT_SCPONLY_WILDCARDS
-# default: undefined
-# define if you want to disable wildcard processing.
-#
-# WITHOUT_SCPONLY_GFTP
-# default: undefined
-# define if you want to disable gftp compatibility.
-#
-# WITH_SCPONLY_CHROOT
-# default: undefined
-# define if you want to use chroot functionality (set UID to root).
-#
-# WITH_SCPONLY_RSYNC
-# default: undefined
-# define if you want to enable rsync compatibility.
-#
-# WITH_SCPONLY_SCP
-# default: undefined
-# define if you want to enable vanilla scp compatibility.
-#
-# WITH_SCPONLY_SFTP_LOGGING
-# default: undefined
-# define if you want to enable sftp logging compatibility.
-#
-# WITH_SCPONLY_SVN
-# default: undefined
-# define if you want to enable subversion compatibility.
-#
-# WITH_SCPONLY_SVNSERVE
-# default: undefined
-# define if you want to enable subversion compatibility with svn+ssh://
-#
-# WITH_SCPONLY_UNISON
-# default: undefined
-# define if you want to enable unison compatibility.
-#
-# WITH_SCPONLY_WINSCP
-# default: undefined
-# define if you want to enable WinSCP compatibility.
-#
-#
-# Additional knobs:
-#
-# NOPORTDOCS
-# default: undefined
-# This knob prevents the ports system from installing additional
-# documentation. If you define this, only the manpage is going
-# to be installed.
-
PORTNAME= scponly
PORTVERSION= 4.8
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= shells security
-MASTER_SITES= http://www.sublimation.org/scponly/ \
- SF/${PORTNAME}/${PORTNAME}/${PORTNAME}-${PORTVERSION}
+MASTER_SITES= SF/${PORTNAME}/${PORTNAME}/${PORTNAME}-${PORTVERSION}
EXTRACT_SUFX= .tgz
MAINTAINER= rfarmer at predatorlabs.net
@@ -82,6 +17,8 @@
MAN8= scponly.8
+PORTDOCS= BUILDING-JAILS.TXT INSTALL README SECURITY
+
GNU_CONFIGURE= yes
OPTIONS= SCPONLY_WILDCARDS "wildcards processing" on \
@@ -153,14 +90,10 @@
CONFIGURE_ARGS+=--enable-winscp-compat
.endif
-pre-everything::
- @${ECHO_MSG} "From scponly 4.2, scp & WinSCP compatibilities are not"
- @${ECHO_MSG} "enabled by default. To enable those compatibilities,"
- @${ECHO_MSG} "define WITH_SCPONLY_SCP and/or WITH_SCPONLY_WINSCP,"
- @${ECHO_MSG} "respectively."
- @${ECHO_MSG} ""
- @${ECHO_MSG} "You can enable chroot functionality by defining WITH_SCPONLY_CHROOT."
- @${ECHO_MSG} ""
+post-patch:
+ @${ECHO_MSG} "In addition to knobs available from the OPTIONS dialog,"
+ @${ECHO_MSG} "you may set SCPONLY_DEFAULT_CHDIR to make users 'cd' to"
+ @${ECHO_MSG} "this directory after authentication."
post-install:
@${ECHO_MSG} "Updating /etc/shells"
@@ -180,14 +113,19 @@
@${ECHO_MSG} "To setup chroot cage, run the following commands:"
@${ECHO_MSG} " 1) cd ${EXAMPLESDIR}/ && ${SH} setup_chroot.sh"
@${ECHO_MSG} " 2) Set scponlyc_enable=\"YES\" in /etc/rc.conf"
- @${ECHO_MSG} " 3) Run ${LOCALBASE}/etc/rc.d/scponly start"
+ @${ECHO_MSG} " 3) Run ${PREFIX}/etc/rc.d/scponly start"
@${ECHO_MSG} ""
.endif
.if !defined(NOPORTDOCS)
@${MKDIR} ${DOCSDIR}
-.for i in README INSTALL TODO
+.for i in ${PORTDOCS}
@${INSTALL_DATA} ${WRKSRC}/$i ${DOCSDIR}
.endfor
+ @${ECHO_MSG} ""
+ @${ECHO_MSG} "For information on several potential security concerns,"
+ @${ECHO_MSG} "please read:"
+ @${ECHO_MSG} "${DOCSDIR}/SECURITY"
+ @${ECHO_MSG} ""
.endif
.include <bsd.port.post.mk>
Index: pkg-plist
===================================================================
RCS file: /home/ncvs/ports/shells/scponly/pkg-plist,v
retrieving revision 1.5
diff -u -r1.5 pkg-plist
--- pkg-plist 20 Mar 2004 09:54:29 -0000 1.5
+++ pkg-plist 12 Dec 2010 16:42:50 -0000
@@ -1,15 +1,20 @@
bin/scponly
@exec echo "Updating /etc/shells"; cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak; echo %D/%F) >/etc/shells; rm -f /etc/shells.bak
@unexec echo "Updating /etc/shells"; cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak) >/etc/shells; rm -f /etc/shells.bak
+%%SCPONLY_CHROOT%%@exec echo ""
+%%SCPONLY_CHROOT%%@exec echo "To setup chroot cage, run the following commands:"
+%%SCPONLY_CHROOT%%@exec echo " 1) cd %%PREFIX%%/%%EXAMPLESDIR%%/ && /bin/sh setup_chroot.sh"
+%%SCPONLY_CHROOT%%@exec echo " 2) Set scponlyc_enable=\"YES\" in /etc/rc.conf"
+%%SCPONLY_CHROOT%%@exec echo " 3) Run %%PREFIX%%/etc/rc.d/scponly start"
+%%PORTDOCS%%@exec echo ""
+%%PORTDOCS%%@exec echo "For information on several potential security concerns,"
+%%PORTDOCS%%@exec echo "please read:"
+%%PORTDOCS%%@exec echo "%%PREFIX%%/%%DOCSDIR%%/SECURITY"
%%SCPONLY_CHROOT%%sbin/scponlyc
%%SCPONLY_CHROOT%%@exec cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak; echo %D/%F) >/etc/shells; rm -f /etc/shells.bak
%%SCPONLY_CHROOT%%@unexec cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak) >/etc/shells; rm -f /etc/shells.bak
%%SCPONLY_CHROOT%%%%EXAMPLESDIR%%/setup_chroot.sh
%%SCPONLY_CHROOT%%%%EXAMPLESDIR%%/config.h
etc/scponly/debuglevel
-%%PORTDOCS%%%%DOCSDIR%%/README
-%%PORTDOCS%%%%DOCSDIR%%/INSTALL
-%%PORTDOCS%%%%DOCSDIR%%/TODO
@dirrm etc/scponly
-%%PORTDOCS%%@dirrm %%DOCSDIR%%
%%SCPONLY_CHROOT%%@dirrm %%EXAMPLESDIR%%
Index: files/patch-SECURITY
===================================================================
RCS file: files/patch-SECURITY
diff -N files/patch-SECURITY
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/patch-SECURITY 12 Dec 2010 16:26:47 -0000
@@ -0,0 +1,32 @@
+--- SECURITY.orig 2010-12-10 15:03:24.950162769 -0800
++++ SECURITY 2010-12-10 15:03:31.669374009 -0800
+@@ -28,6 +28,10 @@
+
+ svn, svnserve, rsync, and unison
+
++ Note specifically that rsync uses popt for parsing command line arguments
++ and popt explicitly checks /etc/popt and $HOME/.popt for aliases. Thus,
++ users can likely bypass argument checking for rsync.
++
+ 4) Make sure that all files required for the chroot have the IMMUTABLE and
+ UNDELETABLE bits set. Other bits might also be prudent. See: man 1 chattr.
+
+@@ -39,13 +43,16 @@
+ ~/.ssh, ~/.unison, ~/.subversion
+
+ NOTE: depending on file permissions in the above, ssh, unison, and
+- subversion may not work correctly.
++ subversion may not work correctly. Also note that the location of the
++ above directories is sometimes system dependent, so please check the
++ documentation specific to your system.
+
+ 7) Make sure that every directory the users have write permissions to are
+ on a filesystem that is mounted NODEV, NOEXEC. Eg. Make sure that they
+ cannot execute files that they have permissions to upload. They should
+ also not need permissions to create any devices. If the user can't execute
+- any files that he has access to upload, then you need not worry about the
++ any files that he has access to upload and the executable files on the
++ system are not considered harmful, then you need not worry about the
+ security problems referencing svn/svnserve above!
+
+ 8) Monitor your logs! If you start to see something funny, odd, or strange in
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list