ports/157400: [PATCH] net/freeradius: Run under an unprivileged user

Sevan Janiyan venture37 at geeklan.co.uk
Sun May 29 20:40:03 UTC 2011


>Number:         157400
>Category:       ports
>Synopsis:       [PATCH] net/freeradius: Run under an unprivileged user
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 29 20:40:02 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Sevan Janiyan
>Release:        FreeBSD 8.2-RELEASE amd64
>Organization:
Venture 37 Ltd
>Environment:
System: FreeBSD somebox 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011
>Description:
Run under an unprivileged user (freeradius)
Rework the make file
utilise bsd.port.options.mk
remove Makefile hack for python
change the ownership of files & directories to new user

A note will need to be added to UPDATING for existing users: the user & group ownership of
/usr/local/etc/raddb
/var/run/radiusd
/var/log/radacct
/var/log/radius.log
needs to be set to freeradius

Added file(s):
- files/patch-raddb_radiusd.conf.in
- files/radiusd.in

Removed file(s):
- files/radiusd.sh.in

Port maintainer (rpsfa at rit.edu) is cc'd.

Generated with FreeBSD Port Tools 0.99
>How-To-Repeat:
>Fix:

--- freeradius-1.1.8_2.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/net/freeradius.orig/Makefile /usr/ports/net/freeradius/Makefile
--- /usr/ports/net/freeradius.orig/Makefile	2011-05-29 15:11:25.332448784 +0000
+++ /usr/ports/net/freeradius/Makefile	2011-05-29 19:48:19.890683698 +0000
@@ -15,38 +15,67 @@
 		http://ftp.cc.uoc.gr/mirrors/ftp.freeradius.org/%SUBDIR%/ \
 		http://freeradius.portal-to-web.de/%SUBDIR%/
 MASTER_SITE_SUBDIR=	. old
+# If FREERADIUS_SLAVE_MYSQL is defined, we want to build the
+# freeradius-mysql slave port
+.ifdef(FREERADIUS_SLAVE_MYSQL)
+PKGNAMESUFFIX=	-mysql
+.endif
 
 MAINTAINER?=	rpsfa at rit.edu
 COMMENT?=	A free RADIUS server implementation
 
-USE_BZIP2=	yes
-WANT_PERL=	yes
-
 LIB_DEPENDS=	gdbm.3:${PORTSDIR}/databases/gdbm
 
-LOGDIR?=	/var/log
-
+CONFLICTS=	gnu-radius-[0-9].* openradius-[0-9].* radiusd-cistron-[0-9].*
 # If FREERADIUS_SLAVE_MYSQL is defined, we want to build the
 # freeradius-mysql slave port
-
-CONFLICTS=	gnu-radius-[0-9].* openradius-[0-9].* radiusd-cistron-[0-9].*
 .ifdef(FREERADIUS_SLAVE_MYSQL)
 CONFLICTS+=	freeradius-[0-9].* freeradius-mysql-[02-9].*
-PKGNAMESUFFIX=	-mysql
 .else
 CONFLICTS+=	freeradius-mysql-[0-9].* freeradius-[02-9].*
 .endif
+
+MAN1=		radclient.1 radeapclient.1 radlast.1 radtest.1 radwho.1 \
+		radzap.1
+MAN5=		acct_users.5 clients.5 clients.conf.5 dictionary.5 naslist.5 \
+		radiusd.conf.5 rlm_acct_unique.5 rlm_always.5 \
+		rlm_attr_filter.5 rlm_attr_rewrite.5 rlm_chap.5 rlm_counter.5 \
+		rlm_detail.5 rlm_expr.5 rlm_files.5 rlm_mschap.5 rlm_pap.5 \
+		rlm_passwd.5 rlm_realm.5 rlm_sql.5 rlm_sql_log.5 rlm_unix.5 \
+		users.5
+MAN8=		radiusd.8 radrelay.8 radsqlrelay.8 radwatch.8 rlm_ippool_tool.8
+
+USE_BZIP2=	yes
+WANT_PERL=	yes
+
+LOGDIR?=	/var/log
+
 NO_LATEST_LINK=	yes
 
-USE_RC_SUBR=	radiusd.sh
+USE_RC_SUBR=	radiusd
 USE_AUTOTOOLS=	libltdl libtool autoconf
 USE_GMAKE=	yes
 USE_OPENSSL=	yes
+USE_LDCONFIG=	yes
+CONFIGURE_ARGS=	--quiet \
+		--prefix=${PREFIX} \
+		--localstatedir=/var \
+		--with-system-libtool \
+		--with-logdir=${LOGDIR} \
+		--with-large-files \
+		--with-openssl-includes=${OPENSSLINC} \
+		--without-rlm_sql_db2 \
+		--without-rlm_sql_freetds \
+		--without-rlm_sql_iodbc \
+		--without-rlm_sql_oracle \
+		--without-rlm_sql_sybase
 MAKE_ARGS+=	LDFLAGS="-L${LOCALBASE}/lib ${PTHREAD_LIBS}"
 CFLAGS+=	-I${LOCALBASE}/include -L${LOCALBASE}/lib
 MAKE_JOBS_UNSAFE=	yes
 
 PLIST_SUB=	PORTVERSION=${PORTVERSION}
+USERS=		freeradius
+GROUPS=	freeradius
 
 OPTIONS=	KERBEROS	"With Kerberos support" off \
 		HEIMDAL		"With Heimdal Kerberos support" off \
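Review bot: The new `USERS=freeradius` / `GROUPS=freeradius` lines after PLIST_SUB depend on matching entries in the ports tree's UIDs and GIDs files, and this patch does not add them; if the freeradius account is not already registered there the install target will most likely be rejected by the framework, so please confirm and include that change if it is missing. The two-line "If FREERADIUS_SLAVE_MYSQL is defined" comment added at the top of the hunk is a copy of the one left in place above the CONFLICTS block, so the same comment now appears twice; drop one or reword the second to describe the CONFLICTS selection. Minor style: `GROUPS=	freeradius` uses a single tab where the neighbouring assignments use two, so the values no longer line up.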
@@ -62,19 +91,15 @@
 		NOPERL		"Do not require perl (use only if necessary)" off \
 		EXPERIMENTAL	"Build experimental modules" off
 
-.include <bsd.port.pre.mk>
-
 # Default requirements for rc script
 _REQUIRE=	NETWORKING SERVERS
 
+.include <bsd.port.options.mk>
+
 .ifdef(FREERADIUS_SLAVE_MYSQL)
 WITH_MYSQL=	yes
 .endif
 
-CONFIGURE_ARGS=	--quiet \
-		--prefix=${PREFIX} \
-		--localstatedir=/var \
-		--with-system-libtool
 .ifdef(NOPORTDOCS)
 CONFIGURE_ARGS+=--without-docdir
 PLIST_SUB+=	PORTDOCS="@comment "
@@ -82,23 +107,6 @@
 CONFIGURE_ARGS+=--with-docdir=${DOCSDIR}
 PLIST_SUB+=	PORTDOCS=""
 .endif
-CONFIGURE_ARGS+=--with-logdir=${LOGDIR} \
-		--with-large-files \
-		--with-openssl-includes=${OPENSSLINC}
-# This conditionality avoids -L/usr/lib in the radiusd build step when
-# building with base system OpenSSL
-.if ${OPENSSLLIB} != "/usr/lib"
-CONFIGURE_ARGS+=--with-openssl-libraries=${OPENSSLLIB}
-.endif
-CONFIGURE_ARGS+=--without-rlm_sql_db2 \
-		--without-rlm_sql_freetds \
-		--without-rlm_sql_iodbc \
-		--without-rlm_sql_oracle \
-		--without-rlm_sql_sybase
-
-.if ${ARCH} == amd64
-CONFIGURE_ARGS+=	--with-pic
-.endif
 
 .if defined(WITH_HEIMDAL) && !defined(WITH_KERBEROS)
 WITH_KERBEROS=	yes
@@ -187,8 +195,6 @@
 
 .ifdef(WITH_EXPERIMENTAL)
 USE_PYTHON=	yes
-# hack to get the dependency
-.include "${PORTSDIR}/Mk/bsd.python.mk"
 CONFIGURE_ARGS+=--with-experimental-modules
 PLIST_SUB+=	EXPM=""
 .else
@@ -208,19 +214,19 @@
 PLIST_SUB+=	RLMPERL=""
 .endif
 
-USE_LDCONFIG=	yes
+SUB_LIST+=	REQUIRE="${_REQUIRE}"
 
-MAN1=		radclient.1 radeapclient.1 radlast.1 radtest.1 radwho.1 \
-		radzap.1
-MAN5=		acct_users.5 clients.5 clients.conf.5 dictionary.5 naslist.5 \
-		radiusd.conf.5 rlm_acct_unique.5 rlm_always.5 \
-		rlm_attr_filter.5 rlm_attr_rewrite.5 rlm_chap.5 rlm_counter.5 \
-		rlm_detail.5 rlm_expr.5 rlm_files.5 rlm_mschap.5 rlm_pap.5 \
-		rlm_passwd.5 rlm_realm.5 rlm_sql.5 rlm_sql_log.5 rlm_unix.5 \
-		users.5
-MAN8=		radiusd.8 radrelay.8 radsqlrelay.8 radwatch.8 rlm_ippool_tool.8
+.include <bsd.port.pre.mk>
 
-SUB_LIST+=	REQUIRE="${_REQUIRE}"
+# This conditionality avoids -L/usr/lib in the radiusd build step when
+# building with base system OpenSSL
+.if ${OPENSSLLIB} != "/usr/lib"
+CONFIGURE_ARGS+=--with-openssl-libraries=${OPENSSLLIB}
+.endif
+
+.if ${ARCH} == amd64
+CONFIGURE_ARGS+=	--with-pic
+.endif
 
 post-patch:
 # Patch Makefile / Makefile.in throughout the source tree to install raddb
@@ -263,5 +269,11 @@
 # Set ${PREFIX}/etc/raddb and all the files and folders in it to g-w,o-rwx
 # (FreeRADIUS will probably complain if this is not done)
 	@${CHMOD} -R g-w,o-rwx ${PREFIX}/etc/raddb
+	@${CHOWN} -R ${USERS}:${GROUPS} ${PREFIX}/etc/raddb
+
+	@${TOUCH} ${LOGDIR}/radius.log
+	@${CHOWN} ${USERS}:${GROUPS} ${LOGDIR}/radius.log
+	@${CHOWN} ${USERS}:${GROUPS} ${LOGDIR}/radacct
+	@${CHOWN} ${USERS}:${GROUPS} /var/run/radiusd
 
 .include <bsd.port.post.mk>
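Review bot: `@${CHOWN} -R ${USERS}:${GROUPS} ${PREFIX}/etc/raddb` gives the daemon account write access to its own configuration (clients.conf secrets, the users file and anything else kept under raddb), so a compromised radiusd could rewrite its own policy; after the preceding `chmod -R g-w,o-rwx`, `@${CHOWN} -R root:${GROUPS} ${PREFIX}/etc/raddb` is enough for the unprivileged server to read the tree while leaving it writable by root only, with a narrower chown for any path a module is configured to write under raddb. The chowns of `${LOGDIR}/radacct` and `/var/run/radiusd` assume both directories already exist at post-install time; nothing in this hunk creates them, and the post-install target starts outside the hunk, so if they are not created earlier an `${MKDIR}` before each chown would avoid a failing install. The touch/chown of `${LOGDIR}/radius.log` and the two directories land outside ${PREFIX} and presumably are not tracked by the plist; it would be worth a comment here stating that they are deliberately left behind on deinstall, or handling them with the plist's @exec/@unexec if that is the intent.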
diff -ruN --exclude=CVS /usr/ports/net/freeradius.orig/files/patch-raddb_radiusd.conf.in /usr/ports/net/freeradius/files/patch-raddb_radiusd.conf.in
--- /usr/ports/net/freeradius.orig/files/patch-raddb_radiusd.conf.in	1970-01-01 00:00:00.000000000 +0000
+++ /usr/ports/net/freeradius/files/patch-raddb_radiusd.conf.in	2011-05-29 19:25:50.755014780 +0000
@@ -0,0 +1,13 @@
+--- raddb/radiusd.conf.in.orig	2011-05-29 19:22:10.091905921 +0000
++++ raddb/radiusd.conf.in	2011-05-29 19:22:36.633918942 +0000
+@@ -106,8 +106,8 @@ pidfile = ${run_dir}/radiusd.pid
+ #  that the debugging mode server is running as a user that can read the
+ #  shadow info, and the user listed below can not.
+ #
+-#user = nobody
+-#group = nobody
++user = freeradius
++group = freeradius
+ 
+ #  max_request_time: The maximum time (in seconds) to handle a request.
+ #
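Review bot: `user = freeradius` and `group = freeradius` are hard-coded in this patch while the Makefile carries the same names in `USERS`/`GROUPS`, so the two can drift silently if the account is ever renamed; substituting `${USERS}`/`${GROUPS}` into radiusd.conf.in from post-patch with `${REINPLACE_CMD}` would keep a single source of truth. The existing comment directly above only warns about shadow-file access; since the server switches to this account once running, a short added comment such as `# The raddb tree, certificates and the log/detail directories must be readable (logs writable) by this user` would save the next administrator a failed start-up after tightening permissions.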
diff -ruN --exclude=CVS /usr/ports/net/freeradius.orig/files/radiusd.in /usr/ports/net/freeradius/files/radiusd.in
--- /usr/ports/net/freeradius.orig/files/radiusd.in	1970-01-01 00:00:00.000000000 +0000
+++ /usr/ports/net/freeradius/files/radiusd.in	2011-05-29 16:45:15.101239510 +0000
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# PROVIDE: radiusd
+# REQUIRE: %%REQUIRE%%
+# KEYWORD: shutdown
+
+#
+# Add the following lines to /etc/rc.conf to enable radiusd:
+#
+# radiusd_enable="YES"
+#
+
+. /etc/rc.subr
+
+name=radiusd
+rcvar=`set_rcvar`
+load_rc_config $name
+
+command=%%PREFIX%%/sbin/radiusd
+pidfile=/var/run/radiusd/radiusd.pid
+
+# The radiusd_config parameter is now obsolete. Instead, derive the
+# configuration directory name from radiusd_flags if possible, otherwise
+# default to %%PREFIX%%/etc/raddb
+required_dirs=`echo ${radiusd_flags} | sed -Ene 's:.*\-[^[:space:]d]*d[[:space:]]*([^[:space:]]+).*:\1:p'`
+required_dirs=${required_dirs:-"%%PREFIX%%/etc/raddb"}
+
+required_files="${required_dirs}/radiusd.conf"
+
+radiusd_enable=${radiusd_enable-"NO"}
+
+command_args="&"
+
+run_rc_command "$1"
diff -ruN --exclude=CVS /usr/ports/net/freeradius.orig/files/radiusd.sh.in /usr/ports/net/freeradius/files/radiusd.sh.in
--- /usr/ports/net/freeradius.orig/files/radiusd.sh.in	2011-05-29 15:11:25.322448630 +0000
+++ /usr/ports/net/freeradius/files/radiusd.sh.in	1970-01-01 00:00:00.000000000 +0000
@@ -1,34 +0,0 @@
-#!/bin/sh
-
-# PROVIDE: radiusd
-# REQUIRE: %%REQUIRE%%
-# KEYWORD: shutdown
-
-#
-# Add the following lines to /etc/rc.conf to enable radiusd:
-#
-# radiusd_enable="YES"
-#
-
-. /etc/rc.subr
-
-name=radiusd
-rcvar=`set_rcvar`
-load_rc_config $name
-
-command=%%PREFIX%%/sbin/radiusd
-pidfile=/var/run/radiusd/radiusd.pid
-
-# The radiusd_config parameter is now obsolete. Instead, derive the
-# configuration directory name from radiusd_flags if possible, otherwise
-# default to %%PREFIX%%/etc/raddb
-required_dirs=`echo ${radiusd_flags} | sed -Ene 's:.*\-[^[:space:]d]*d[[:space:]]*([^[:space:]]+).*:\1:p'`
-required_dirs=${required_dirs:-"%%PREFIX%%/etc/raddb"}
-
-required_files="${required_dirs}/radiusd.conf"
-
-radiusd_enable=${radiusd_enable-"NO"}
-
-command_args="&"
-
-run_rc_command "$1"
--- freeradius-1.1.8_2.patch ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:


