ports/157400: [PATCH] net/freeradius: Run under an unprivileged user
Sevan Janiyan
venture37 at geeklan.co.uk
Sun May 29 20:40:03 UTC 2011
>Number: 157400
>Category: ports
>Synopsis: [PATCH] net/freeradius: Run under an unprivileged user
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sun May 29 20:40:02 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Sevan Janiyan
>Release: FreeBSD 8.2-RELEASE amd64
>Organization:
Venture 37 Ltd
>Environment:
System: FreeBSD somebox 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011
>Description:
Run under an unprivileged user (freeradius)
Rework the make file
utilise bsd.port.options.mk
remove Makefile hack for python
change the ownership of files & directories to new user
A note will need to be added to UPDATING for existing users:
the user & group ownership of
/usr/local/etc/raddb
/var/run/radiusd
/var/log/radacct
/var/log/radius.log
needs to be set to freeradius
Added file(s):
- files/patch-raddb_radiusd.conf.in
- files/radiusd.in
Removed file(s):
- files/radiusd.sh.in
Port maintainer (rpsfa at rit.edu) is cc'd.
Generated with FreeBSD Port Tools 0.99
>How-To-Repeat:
>Fix:
--- freeradius-1.1.8_2.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/net/freeradius.orig/Makefile /usr/ports/net/freeradius/Makefile
--- /usr/ports/net/freeradius.orig/Makefile 2011-05-29 15:11:25.332448784 +0000
+++ /usr/ports/net/freeradius/Makefile 2011-05-29 19:48:19.890683698 +0000
@@ -15,38 +15,67 @@
http://ftp.cc.uoc.gr/mirrors/ftp.freeradius.org/%SUBDIR%/ \
http://freeradius.portal-to-web.de/%SUBDIR%/
MASTER_SITE_SUBDIR= . old
+# If FREERADIUS_SLAVE_MYSQL is defined, we want to build the
+# freeradius-mysql slave port
+.ifdef(FREERADIUS_SLAVE_MYSQL)
+PKGNAMESUFFIX= -mysql
+.endif
MAINTAINER?= rpsfa at rit.edu
COMMENT?= A free RADIUS server implementation
-USE_BZIP2= yes
-WANT_PERL= yes
-
LIB_DEPENDS= gdbm.3:${PORTSDIR}/databases/gdbm
-LOGDIR?= /var/log
-
+CONFLICTS= gnu-radius-[0-9].* openradius-[0-9].* radiusd-cistron-[0-9].*
# If FREERADIUS_SLAVE_MYSQL is defined, we want to build the
# freeradius-mysql slave port
-
-CONFLICTS= gnu-radius-[0-9].* openradius-[0-9].* radiusd-cistron-[0-9].*
.ifdef(FREERADIUS_SLAVE_MYSQL)
CONFLICTS+= freeradius-[0-9].* freeradius-mysql-[02-9].*
-PKGNAMESUFFIX= -mysql
.else
CONFLICTS+= freeradius-mysql-[0-9].* freeradius-[02-9].*
.endif
+
+MAN1= radclient.1 radeapclient.1 radlast.1 radtest.1 radwho.1 \
+ radzap.1
+MAN5= acct_users.5 clients.5 clients.conf.5 dictionary.5 naslist.5 \
+ radiusd.conf.5 rlm_acct_unique.5 rlm_always.5 \
+ rlm_attr_filter.5 rlm_attr_rewrite.5 rlm_chap.5 rlm_counter.5 \
+ rlm_detail.5 rlm_expr.5 rlm_files.5 rlm_mschap.5 rlm_pap.5 \
+ rlm_passwd.5 rlm_realm.5 rlm_sql.5 rlm_sql_log.5 rlm_unix.5 \
+ users.5
+MAN8= radiusd.8 radrelay.8 radsqlrelay.8 radwatch.8 rlm_ippool_tool.8
+
+USE_BZIP2= yes
+WANT_PERL= yes
+
+LOGDIR?= /var/log
+
NO_LATEST_LINK= yes
-USE_RC_SUBR= radiusd.sh
+USE_RC_SUBR= radiusd
USE_AUTOTOOLS= libltdl libtool autoconf
USE_GMAKE= yes
USE_OPENSSL= yes
+USE_LDCONFIG= yes
+CONFIGURE_ARGS= --quiet \
+ --prefix=${PREFIX} \
+ --localstatedir=/var \
+ --with-system-libtool \
+ --with-logdir=${LOGDIR} \
+ --with-large-files \
+ --with-openssl-includes=${OPENSSLINC} \
+ --without-rlm_sql_db2 \
+ --without-rlm_sql_freetds \
+ --without-rlm_sql_iodbc \
+ --without-rlm_sql_oracle \
+ --without-rlm_sql_sybase
MAKE_ARGS+= LDFLAGS="-L${LOCALBASE}/lib ${PTHREAD_LIBS}"
CFLAGS+= -I${LOCALBASE}/include -L${LOCALBASE}/lib
MAKE_JOBS_UNSAFE= yes
PLIST_SUB= PORTVERSION=${PORTVERSION}
+USERS= freeradius
+GROUPS= freeradius
OPTIONS= KERBEROS "With Kerberos support" off \
HEIMDAL "With Heimdal Kerberos support" off \
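Review bot: The new `USERS= freeradius` / `GROUPS= freeradius` lines depend on matching entries in the ports tree's UIDs and GIDs files, which this patch does not touch; as far as I know the USERS/GROUPS framework only creates accounts that are registered there, so if the entry is missing the account will not be created and the post-install chowns later in this patch will fail. Please confirm the entries exist or add them to the patch. Separately, the "If FREERADIUS_SLAVE_MYSQL is defined" comment is now duplicated: once above the new PKGNAMESUFFIX block and again above the CONFLICTS conditional, where it no longer describes what follows; the second copy could be reduced to `# CONFLICTS depend on whether this is the -mysql slave port`.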
@@ -62,19 +91,15 @@
NOPERL "Do not require perl (use only if necessary)" off \
EXPERIMENTAL "Build experimental modules" off
-.include <bsd.port.pre.mk>
-
# Default requirements for rc script
_REQUIRE= NETWORKING SERVERS
+.include <bsd.port.options.mk>
+
.ifdef(FREERADIUS_SLAVE_MYSQL)
WITH_MYSQL= yes
.endif
-CONFIGURE_ARGS= --quiet \
- --prefix=${PREFIX} \
- --localstatedir=/var \
- --with-system-libtool
.ifdef(NOPORTDOCS)
CONFIGURE_ARGS+=--without-docdir
PLIST_SUB+= PORTDOCS="@comment "
@@ -82,23 +107,6 @@
CONFIGURE_ARGS+=--with-docdir=${DOCSDIR}
PLIST_SUB+= PORTDOCS=""
.endif
-CONFIGURE_ARGS+=--with-logdir=${LOGDIR} \
- --with-large-files \
- --with-openssl-includes=${OPENSSLINC}
-# This conditionality avoids -L/usr/lib in the radiusd build step when
-# building with base system OpenSSL
-.if ${OPENSSLLIB} != "/usr/lib"
-CONFIGURE_ARGS+=--with-openssl-libraries=${OPENSSLLIB}
-.endif
-CONFIGURE_ARGS+=--without-rlm_sql_db2 \
- --without-rlm_sql_freetds \
- --without-rlm_sql_iodbc \
- --without-rlm_sql_oracle \
- --without-rlm_sql_sybase
-
-.if ${ARCH} == amd64
-CONFIGURE_ARGS+= --with-pic
-.endif
.if defined(WITH_HEIMDAL) && !defined(WITH_KERBEROS)
WITH_KERBEROS= yes
@@ -187,8 +195,6 @@
.ifdef(WITH_EXPERIMENTAL)
USE_PYTHON= yes
-# hack to get the dependency
-.include "${PORTSDIR}/Mk/bsd.python.mk"
CONFIGURE_ARGS+=--with-experimental-modules
PLIST_SUB+= EXPM=""
.else
@@ -208,19 +214,19 @@
PLIST_SUB+= RLMPERL=""
.endif
-USE_LDCONFIG= yes
+SUB_LIST+= REQUIRE="${_REQUIRE}"
-MAN1= radclient.1 radeapclient.1 radlast.1 radtest.1 radwho.1 \
- radzap.1
-MAN5= acct_users.5 clients.5 clients.conf.5 dictionary.5 naslist.5 \
- radiusd.conf.5 rlm_acct_unique.5 rlm_always.5 \
- rlm_attr_filter.5 rlm_attr_rewrite.5 rlm_chap.5 rlm_counter.5 \
- rlm_detail.5 rlm_expr.5 rlm_files.5 rlm_mschap.5 rlm_pap.5 \
- rlm_passwd.5 rlm_realm.5 rlm_sql.5 rlm_sql_log.5 rlm_unix.5 \
- users.5
-MAN8= radiusd.8 radrelay.8 radsqlrelay.8 radwatch.8 rlm_ippool_tool.8
+.include <bsd.port.pre.mk>
-SUB_LIST+= REQUIRE="${_REQUIRE}"
+# This conditionality avoids -L/usr/lib in the radiusd build step when
+# building with base system OpenSSL
+.if ${OPENSSLLIB} != "/usr/lib"
+CONFIGURE_ARGS+=--with-openssl-libraries=${OPENSSLLIB}
+.endif
+
+.if ${ARCH} == amd64
+CONFIGURE_ARGS+= --with-pic
+.endif
post-patch:
# Patch Makefile / Makefile.in throughout the source tree to install raddb
@@ -263,5 +269,11 @@
# Set ${PREFIX}/etc/raddb and all the files and folders in it to g-w,o-rwx
# (FreeRADIUS will probably complain if this is not done)
@${CHMOD} -R g-w,o-rwx ${PREFIX}/etc/raddb
+ @${CHOWN} -R ${USERS}:${GROUPS} ${PREFIX}/etc/raddb
+
+ @${TOUCH} ${LOGDIR}/radius.log
+ @${CHOWN} ${USERS}:${GROUPS} ${LOGDIR}/radius.log
+ @${CHOWN} ${USERS}:${GROUPS} ${LOGDIR}/radacct
+ @${CHOWN} ${USERS}:${GROUPS} /var/run/radiusd
.include <bsd.port.post.mk>
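Review bot: The recursive `${CHOWN} -R ${USERS}:${GROUPS} ${PREFIX}/etc/raddb` gives the service account ownership of its own configuration tree, so a compromised radiusd could rewrite radiusd.conf and any module settings it loads; the preceding chmod removes group write, but an owner can always re-add it. Since that chmod leaves the tree group-readable, `@${CHOWN} -R root:${GROUPS} ${PREFIX}/etc/raddb` keeps the configuration readable by the daemon without being writable by it, assuming radiusd reads its configuration before dropping privileges or can read it as the group member afterwards, which I have not verified for 1.1.8. The log file, radacct directory and /var/run/radiusd chowns below are a different case, as those genuinely must be writable by the unprivileged user. Note also that these recipe lines run only on `make install`; a binary package install presumably needs equivalent `@exec` entries in pkg-plist, which the patch does not add.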
diff -ruN --exclude=CVS /usr/ports/net/freeradius.orig/files/patch-raddb_radiusd.conf.in /usr/ports/net/freeradius/files/patch-raddb_radiusd.conf.in
--- /usr/ports/net/freeradius.orig/files/patch-raddb_radiusd.conf.in 1970-01-01 00:00:00.000000000 +0000
+++ /usr/ports/net/freeradius/files/patch-raddb_radiusd.conf.in 2011-05-29 19:25:50.755014780 +0000
@@ -0,0 +1,13 @@
+--- raddb/radiusd.conf.in.orig 2011-05-29 19:22:10.091905921 +0000
++++ raddb/radiusd.conf.in 2011-05-29 19:22:36.633918942 +0000
+@@ -106,8 +106,8 @@ pidfile = ${run_dir}/radiusd.pid
+ # that the debugging mode server is running as a user that can read the
+ # shadow info, and the user listed below can not.
+ #
+-#user = nobody
+-#group = nobody
++user = freeradius
++group = freeradius
+
+ # max_request_time: The maximum time (in seconds) to handle a request.
+ #
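Review bot: The new `user = freeradius` / `group = freeradius` lines hard-code the account name instead of deriving it from the Makefile's `USERS`/`GROUPS`, so the two can silently diverge if either is changed later; a SUB_LIST substitution or a post-patch `${REINPLACE_CMD}` driven by `${USERS}` would keep them in step. It would also help to mention in the UPDATING note that, as the retained upstream comment just above this change states, the user listed here cannot read the shadow database, so existing setups relying on modules that need it (rlm_unix with system passwords, presumably) will need attention after upgrading.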
diff -ruN --exclude=CVS /usr/ports/net/freeradius.orig/files/radiusd.in /usr/ports/net/freeradius/files/radiusd.in
--- /usr/ports/net/freeradius.orig/files/radiusd.in 1970-01-01 00:00:00.000000000 +0000
+++ /usr/ports/net/freeradius/files/radiusd.in 2011-05-29 16:45:15.101239510 +0000
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# PROVIDE: radiusd
+# REQUIRE: %%REQUIRE%%
+# KEYWORD: shutdown
+
+#
+# Add the following lines to /etc/rc.conf to enable radiusd:
+#
+# radiusd_enable="YES"
+#
+
+. /etc/rc.subr
+
+name=radiusd
+rcvar=`set_rcvar`
+load_rc_config $name
+
+command=%%PREFIX%%/sbin/radiusd
+pidfile=/var/run/radiusd/radiusd.pid
+
+# The radiusd_config parameter is now obsolete. Instead, derive the
+# configuration directory name from radiusd_flags if possible, otherwise
+# default to %%PREFIX%%/etc/raddb
+required_dirs=`echo ${radiusd_flags} | sed -Ene 's:.*\-[^[:space:]d]*d[[:space:]]*([^[:space:]]+).*:\1:p'`
+required_dirs=${required_dirs:-"%%PREFIX%%/etc/raddb"}
+
+required_files="${required_dirs}/radiusd.conf"
+
+radiusd_enable=${radiusd_enable-"NO"}
+
+command_args="&"
+
+run_rc_command "$1"
diff -ruN --exclude=CVS /usr/ports/net/freeradius.orig/files/radiusd.sh.in /usr/ports/net/freeradius/files/radiusd.sh.in
--- /usr/ports/net/freeradius.orig/files/radiusd.sh.in 2011-05-29 15:11:25.322448630 +0000
+++ /usr/ports/net/freeradius/files/radiusd.sh.in 1970-01-01 00:00:00.000000000 +0000
@@ -1,34 +0,0 @@
-#!/bin/sh
-
-# PROVIDE: radiusd
-# REQUIRE: %%REQUIRE%%
-# KEYWORD: shutdown
-
-#
-# Add the following lines to /etc/rc.conf to enable radiusd:
-#
-# radiusd_enable="YES"
-#
-
-. /etc/rc.subr
-
-name=radiusd
-rcvar=`set_rcvar`
-load_rc_config $name
-
-command=%%PREFIX%%/sbin/radiusd
-pidfile=/var/run/radiusd/radiusd.pid
-
-# The radiusd_config parameter is now obsolete. Instead, derive the
-# configuration directory name from radiusd_flags if possible, otherwise
-# default to %%PREFIX%%/etc/raddb
-required_dirs=`echo ${radiusd_flags} | sed -Ene 's:.*\-[^[:space:]d]*d[[:space:]]*([^[:space:]]+).*:\1:p'`
-required_dirs=${required_dirs:-"%%PREFIX%%/etc/raddb"}
-
-required_files="${required_dirs}/radiusd.conf"
-
-radiusd_enable=${radiusd_enable-"NO"}
-
-command_args="&"
-
-run_rc_command "$1"
--- freeradius-1.1.8_2.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: