ports/122097: net/freeradius2 - update to 2.0.3
David Wood
david at wood2.org.uk
Tue Mar 25 23:30:01 UTC 2008
>Number: 122097
>Category: ports
>Synopsis: net/freeradius2 - update to 2.0.3
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 25 23:30:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: David Wood
>Release: 6.2-RELEASE i386
>Organization:
>Environment:
FreeBSD titanium.wood2.org.uk 6.2-RELEASE-p10 FreeBSD 6.2-RELEASE-p10 #0: Tue Jan 15 17:30:36 GMT 2008 david at titanium.wood2.org.uk:/usr/obj/usr/src/sys/TITANIUM i386
>Description:
FreeBSD enhancements
====================
A new USER option has been added to run FreeRADIUS as the freeradius user and
freeradius group. Running as root is not recommended from a security point of
view. This option makes it easy to secure your FreeRADIUS server 'out of the
box'.
Some unnecessary code has been removed from the patch to rlm_python in
files/patch-pthread.
Release notes
=============
2.0.2:
Feature improvements
* Added notes on how to debug the server in radiusd.conf
* Moved all "log_*" in radiusd.conf to log{} section.
The old configurations are still accepted, though.
* Added ca.der target in raddb/certs/Makefile. This is
needed for importing CA certs into Windows.
* Added ability to send raw attributes via
"Raw-Attribute = 0x0102..."
This is available only in debug builds. It can be used
to create invalid packets! Use it with care.
* Permit "unlang" policies inside of Auth-Type{} sub-sections
of the authenticate{} section. This makes some policies
easier to implement.
* "listen" sections can now have "type = proxy". This lets you
control which IP is used for sending proxied requests.
* Added note on SSL performance to raddb/certs/README
Bug fixes
* Fixed reading of "detail" files.
* Allow inner EAP tunneled sessions to be proxied.
* Corrected MySQL schemas
* syslog now works in log{} section.
* Corrected typo in raddb/certs/client.cnf
* Updated raddb/sites-available/proxy-inner-tunnel to
permit authentication to work.
* Ignore zero-length attributes in received packets.
* Correct memcpy when dealing with unknown attributes.
* Corrected debugging messages in attr_rewrite.
* Corrected generation of State attribute in EAP. This
fixes the "failed to remember handler" issues.
* Fall back to DEFAULT realm if no realm was found.
Based on a patch from Vincent Magnin.
* Updated example raddb/sites-available/proxy-inner-tunnel
* Corrected behavior of attr_filter to match documentation.
This is NOT backwards compatible with previous versions!
See "man rlm_attr_filter" for details.
2.0.3:
Feature improvements
* Updated raddb/certs/ca.cnf with extensions to allow ca.der
to be imported as a CA on Symbian and Windows Mobile devices.
Closes bug #524
* Enable multiple matches in "hints" via Fall-Through = Yes.
Closes bug #477
* Added preliminary SQLite driver, contributed by Apple.
Untested, with no sample configuration. This addresses bug #470.
* Updated logging sub-system so that log messages from libfreeradius
can go to the log file, and not stdout.
* Added dictionary.rfc5176
* EAP module now checks for instance name, and uses that for
authentication. This avoids the need to set Auth-Type when
there are multiple instances of the EAP module.
* Added Module-Return-Code attribute, which contains the value
returned by the previous module (ok/fail/update/etc.)
Bug fixes
* Corrected typos in rlm_dbm. Closes bugs #521 and #522.
* Detail file "listen" sections now work much better.
* Don't allow old "log_*" to override new format. Closes bug #525
* Initialize allocated memory in Oracle SQL driver. This fixes
occasional crashes on some systems. Closes bug #518
* Call correct function in rlm_protocol_filter. This enables the
module to build. Closes bug #512.
* Added deprecated flag to build for rlm_krb5. This allows it to
run on 64-bit systems. Closes bug #491
* Corrected error message when parsing invalid configurations
so it doesn't crash. Closes bug #527
* Fix handling of timeouts in rlm_ldap that affected 64-bit systems.
* Handle $INCLUDE's in "instantiate" section. Closes #528.
* Format updates to "man" pages from Stephen Gran.
>How-To-Repeat:
>Fix:
Files added: files/patch-sites-available, files/pkg-deinstall.in, files/pkg-install.in
Files deleted: <none>
Add the following line to /usr/ports/UIDs:
freeradius:*:133:133:FreeRADIUS Daemon:/nonexistent:/usr/sbin/nologin
Add the following line to /usr/ports/GIDs:
freeradius:*:133:
(if UID / GID 133 have been taken by the time this is committed, use the next
free UID / GID)
Patch attached with submission follows:
Index: distinfo
===================================================================
--- distinfo (.../branches/FreeBSD-ports-tree/freeradius2) (revision 181)
+++ distinfo (.../trunk/freeradius2) (revision 181)
@@ -1,3 +1,3 @@
-MD5 (freeradius-server-2.0.1.tar.bz2) = 670810d0ee7e80999fcd753cfdcecdb4
-SHA256 (freeradius-server-2.0.1.tar.bz2) = d5e1cd96762cc2091d64198bc50d03690f94dfd4d96b36a042dda1490b8143df
-SIZE (freeradius-server-2.0.1.tar.bz2) = 2270018
+MD5 (freeradius-server-2.0.3.tar.bz2) = 3cd647f40880dee8693f2e74ab5416e9
+SHA256 (freeradius-server-2.0.3.tar.bz2) = 3184e9be6d88df3cdf72a08a7e00222c17bc360289ecf14219df9c81d68d7f79
+SIZE (freeradius-server-2.0.3.tar.bz2) = 2298963
Index: files/patch-sites-available
===================================================================
--- files/patch-sites-available (.../branches/FreeBSD-ports-tree/freeradius2) (revision 0)
+++ files/patch-sites-available (.../trunk/freeradius2) (revision 181)
@@ -0,0 +1,31 @@
+--- raddb/Makefile Tue Feb 26 09:32:29 2008
++++ raddb/Makefile Tue Mar 18 13:13:41 2008
+@@ -1,7 +1,7 @@
+ #
+ # Makefile
+ #
+-# Version: $Id: Makefile,v 1.37 2008/02/26 09:32:29 aland Exp $
++# Version: $Id: Makefile,v 1.38 2008/03/18 06:33:03 aland Exp $
+ #
+
+ include ../Make.inc
+@@ -13,9 +13,7 @@
+ attrs.pre-proxy clients.conf dictionary eap.conf templates.conf \
+ experimental.conf hints huntgroups ldap.attrmap otp.conf \
+ policy.txt preproxy_users proxy.conf radiusd.conf \
+- snmp.conf sql.conf sqlippool.conf users policy.conf \
+- sites-available/default sites-available/example \
+- sites-available/README
++ snmp.conf sql.conf sqlippool.conf users policy.conf
+
+ #
+ # This target is here for local debugging
+@@ -33,7 +31,7 @@
+ $(INSTALL) -d -m 750 $(R)$(raddbdir)/sites-available
+ $(INSTALL) -d -m 750 $(R)$(raddbdir)/sites-enabled
+ @echo "Creating/updating files in $(R)$(raddbdir)"; \
+- for i in $(FILES); do \
++ for i in $(FILES) `ls sites-available/* | sed 's/CVS//'`; do \
+ [ ! -f $(R)$(raddbdir)/$$i ] && $(INSTALL) -m 640 $$i $(R)$(raddbdir)/$$i; \
+ if [ "`find $$i -newer $(R)$(raddbdir)/$$i`" ]; then \
+ echo "** $(R)$(raddbdir)/$$i"; \
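Review bot: the `sed 's/CVS//'` in the new `for i in $(FILES) `ls sites-available/* | sed 's/CVS//'`` loop does not drop a CVS entry, it only deletes the substring, so a `sites-available/CVS` path would become `sites-available/` and be handed to `$(INSTALL) -m 640`; `grep -v CVS` (or `sed '/CVS/d'`) removes the whole word. This is harmless for a release tarball, which carries no CVS directories, and the `$Id` bump from 1.37 to 1.38 shows the hunk is a backport of the upstream raddb/Makefile change rather than a local edit, so the filter is better fixed upstream than carried as a port-specific deviation.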
Index: files/pkg-deinstall.in
===================================================================
--- files/pkg-deinstall.in (.../branches/FreeBSD-ports-tree/freeradius2) (revision 0)
+++ files/pkg-deinstall.in (.../trunk/freeradius2) (revision 181)
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+if [ %%RUN_AS_USER%% != "yes" ]; then exit 0; fi
+
+case $2 in
+ POST-DEINSTALL)
+ cat <<EOMSG
+
+If you are not upgrading and don't intend to use
+FreeRADIUS any more then you may wish to delete
+the %%GROUP%% group, which can be done with the
+following command:
+
+ # pw groupdel %%GROUP%%
+
+
+You may also wish to delete the %%USER%% user,
+which can be done with the following command:
+
+ # pw userdel %%USER%%
+EOMSG
+ ;;
+esac
+
+
+# Emacs variables
+
+# Local Variables:
+# mode: sh
+# sh-basic-offset: 4
+# sh-indent-comment: nil
+# End:
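Review bot: `if [ %%RUN_AS_USER%% != "yes" ]` leaves the substituted value unquoted; SUB_LIST always supplies `yes` or `no` today, but `[ "%%RUN_AS_USER%%" != "yes" ]` keeps the test well-formed if the substitution is ever empty. Leaving the account and group in place on deinstall and only printing the `pw groupdel`/`pw userdel` hint is the right call while files owned by that account remain on disk; listing `pw userdel %%USER%%` ahead of `pw groupdel %%GROUP%%` would match the natural order, since the group being removed is the user's primary group.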
Index: files/patch-pthread
===================================================================
--- files/patch-pthread (.../branches/FreeBSD-ports-tree/freeradius2) (revision 181)
+++ files/patch-pthread (.../trunk/freeradius2) (revision 181)
@@ -108,9 +108,9 @@
fi
if test "x$mysql_with_threads" = "xyes"; then
---- src/modules/rlm_python/configure.in Thu May 15 15:52:02 2003
-+++ src/modules/rlm_python/configure.in Thu Aug 2 12:43:47 2007
-@@ -84,6 +84,44 @@
+--- src/modules/rlm_python/configure.in Mon May 14 23:27:21 2007
++++ src/modules/rlm_python/configure.in Tue Mar 18 13:52:32 2008
+@@ -85,6 +85,34 @@
FR_SMART_CHECK_LIB(python${PY_VERSION}, Py_Initialize)
LIBS=$old_LIBS
@@ -118,10 +118,7 @@
+dnl # in case libpython is threaded
+
+ if test "x$smart_lib" = "x"; then
-+ AC_MSG_NOTICE([Checking to see if libpython may be threaded.])
-+ dnl pthread stuff is usually in -lpthread
-+ dnl or in -lc_r, on *BSD
-+ dnl FreeBSD uses -pthread
++ AC_MSG_NOTICE([Checking to see if libpython needs -pthread.])
+ libpython_with_threads="yes"
+ case "$host" in
+ *-freebsd*)
@@ -133,13 +130,6 @@
+ fi
+ ;;
+ *)
-+ AC_CHECK_LIB(pthread, pthread_create,
-+ [ LIBS="-lpthread $LIBS" ],
-+ AC_CHECK_LIB(c_r, pthread_create,
-+ [ LIBS="-lc_r $LIBS" ],
-+ [ libpython_with_threads="no" ]
-+ )
-+ )
+ ;;
+ esac
+
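Review bot: with the `AC_CHECK_LIB(pthread, ...)` / `AC_CHECK_LIB(c_r, ...)` fallback removed, the `*)` branch of `case "$host"` is now empty, so on a non-FreeBSD host `libpython_with_threads` stays at "yes" without any thread library being added to LIBS. Nothing breaks for this FreeBSD-only port, but setting `libpython_with_threads="no"` in that branch, or dropping the case statement now that only `*-freebsd*` does any work, would make the intent explicit. The hunk header is consistent: `@@ -85,6 +85,34 @@` reflects the net ten lines (three from the notice block, seven from the fallback) removed from the previous 44.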
Index: files/pkg-install.in
===================================================================
--- files/pkg-install.in (.../branches/FreeBSD-ports-tree/freeradius2) (revision 0)
+++ files/pkg-install.in (.../trunk/freeradius2) (revision 181)
@@ -0,0 +1,157 @@
+#!/bin/sh
+
+PATH=/usr/sbin:/usr/bin:/bin ; export PATH
+
+radius_user="%%USER%%"
+radius_uid="%%UID%%"
+radius_gecos="%%GECOS%%"
+radius_home="%%HOME%%"
+radius_shell="%%SHELL%%"
+
+radius_group="%%GROUP%%"
+radius_gid="%%GID%%"
+
+radius_raddb_work="%%RADDB_WORK%%"
+radius_raddb="%%RADDB%%"
+radius_logdir="%%LOGDIR%%"
+
+radius_run_as_user="%%RUN_AS_USER%%"
+
+
+create_group() {
+ local user uid group gid gecos home shell
+
+ user=$1
+ uid=$2
+ group=$3
+ gid=$4
+ gecos=$5
+ home=$6
+ shell=$7
+
+
+ if pw group show -n $group >/dev/null 2>&1 ; then
+ echo "===> Using pre-existing group $group"
+ else
+ if pw groupadd -n $group -g $gid ; then
+ echo "===> Group $group created"
+ else
+ cat <<-EOERRORMSG
+*** Failed to create the $group group.
+
+Please add the $user user and $group group
+manually with the commands:
+
+ pw groupadd -n $group -g $gid
+ pw useradd -n $user -u $uid -g $group -c "$gecos" \\
+ -d $home -s $shell -h -
+
+and retry installing this package.
+EOERRORMSG
+ exit 1
+ fi
+ fi
+
+}
+
+
+create_user() {
+ local user uid group gid gecos home shell
+
+ user=$1
+ uid=$2
+ group=$3
+ gid=$4
+ gecos=$5
+ home=$6
+ shell=$7
+
+ if pw user show -n $user >/dev/null 2>&1 ; then
+ echo "===> Using pre-existing user $user"
+ else
+ if pw useradd -n $user -u $uid -g $group -c "$gecos" \
+ -d $home -s $shell -h - ; then
+ echo "===> Created $user user"
+ else
+ cat <<-EOERRORMSG
+*** Failed to create the $user user.
+
+Please add the $user user manually with the command:
+
+ pw useradd -n $user -u $uid -g $group -c "$gecos" \\
+ -d $home -s $shell -h -
+
+and retry installing this package.
+EOERRORMSG
+ exit 1
+ fi
+ fi
+}
+
+
+if [ ${radius_run_as_user} != "yes" ]; then exit 0; fi
+
+case $2 in
+ PRE-INSTALL)
+ # Create the radius user and group if they do not already exist
+ create_group $radius_user $radius_uid $radius_group $radius_gid \
+ "$radius_gecos" $radius_home $radius_shell
+ create_user $radius_user $radius_uid $radius_group $radius_gid \
+ "$radius_gecos" $radius_home $radius_shell
+
+ # Fix the user and group in raddb/radiusd.conf
+ echo "===> Setting user and group in radiusd.conf"
+ for file in ${radius_raddb_work}/radiusd.conf ${radius_raddb}/radiusd.conf; do
+ if [ -f ${file} ]; then
+ if ! sed -Ee "s/^[[:space:]#](user[[:space:]]*=[[:space:]]*).*$/\1${radius_user}/" \
+ -e "s/^[[:space:]#](group[[:space:]]*=[[:space:]]*).*$/\1${radius_group}/" \
+ -i .orig ${file}; then
+ echo "Failed to patch ${file}."
+ exit 1
+ fi
+ if [ -f ${file}.orig ]; then
+ if ! rm ${file}.orig; then
+ echo "Failed to delete backup file ${file}.orig."
+ exit 1
+ fi
+ fi
+ fi
+ done
+
+ ;;
+
+ POST-INSTALL)
+ # Change ownership of directories
+ for dir in $radius_raddb $radius_logdir/radacct \
+ /var/run/radiusd ; do
+ if [ -d $dir ] || [ -L $dir ]; then
+ echo "===> Adjusting ownership of the ${dir} directory."
+ if ! chown -HR $radius_user:$radius_group $dir; then
+ echo "Failed to adjust ownership of ${dir}."
+ exit 1
+ fi
+ fi
+ done
+
+ for file in $radius_logdir/radius.log $radius_logdir/radutmp \
+ $radius_logdir/radwtmp; do
+ if [ -f $file ]; then
+ echo "===> Adjusting ownership of ${file}."
+ if ! chown $radius_user:$radius_group $file; then
+ echo "Failed to adjust ownership of ${file}."
+ exit 1
+ fi
+ fi
+ done
+
+ ;;
+esac
+
+
+# Emacs variables
+
+# Local Variables:
+# mode: sh
+# sh-basic-offset: 4
+# sh-indent-comment: nil
+# End:
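Review bot: the PRE-INSTALL `sed` expressions anchor on `^[[:space:]#]`, which matches exactly one leading character, so `#user = radius` is rewritten but an already uncommented `user = radius` at column 0, or `#  user = radius` with extra indentation, is left untouched and the daemon silently keeps running as root; `^[[:space:]#]*(user[[:space:]]*=[[:space:]]*).*$` covers all three cases (likewise for `group`). Separately, `chown -HR $radius_user:$radius_group $dir` over `$radius_raddb` in POST-INSTALL hands the daemon account ownership of its own configuration (clients.conf, sql.conf, the certs directory) right after the Makefile has applied `g-w,o-rwx`; `root:$radius_group` with the existing group-read modes gives the server what it needs to read the files without letting a compromised process rewrite them, and write ownership can stay limited to `$radius_logdir/radacct` and `/var/run/radiusd`, which the server genuinely has to write. The `[ ${radius_run_as_user} != "yes" ]` test has the same quoting issue as pkg-deinstall.in.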
Index: pkg-plist
===================================================================
--- pkg-plist (.../branches/FreeBSD-ports-tree/freeradius2) (revision 181)
+++ pkg-plist (.../trunk/freeradius2) (revision 181)
@@ -48,9 +48,15 @@
%%EXAMPLESDIR%%/raddb/proxy.conf
%%EXAMPLESDIR%%/raddb/radiusd.conf
%%EXAMPLESDIR%%/raddb/sites-available/README
+%%EXAMPLESDIR%%/raddb/sites-available/buffered-sql
+%%EXAMPLESDIR%%/raddb/sites-available/copy-acct-to-home-server
%%EXAMPLESDIR%%/raddb/sites-available/default
%%EXAMPLESDIR%%/raddb/sites-available/example
+%%EXAMPLESDIR%%/raddb/sites-available/inner-tunnel
+%%EXAMPLESDIR%%/raddb/sites-available/proxy-inner-tunnel
+%%EXAMPLESDIR%%/raddb/sites-available/vmps
%%EXAMPLESDIR%%/raddb/sites-enabled/default
+%%EXAMPLESDIR%%/raddb/sites-enabled/inner-tunnel
%%EXAMPLESDIR%%/raddb/snmp.conf
%%EXAMPLESDIR%%/raddb/sql.conf
%%EXAMPLESDIR%%/raddb/sql/mssql/dialup.conf
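Review bot: these `%%EXAMPLESDIR%%/raddb/sites-available/*` entries are a fixed list, while files/patch-sites-available installs whatever `ls sites-available/*` returns at build time; if `raddbdir` maps to `%%EXAMPLESDIR%%/raddb`, as the entries suggest, the next upstream release that adds a site file will install it without a matching plist line and trip `make check-plist`. Keeping the two in step on each update is fine as long as the maintainer knows to look; a comment in the port Makefile pointing at the coupling would help.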
@@ -485,6 +491,7 @@
%%PORTDOCS%%%%DOCSDIR%%/rfc/rfc4818.txt
%%PORTDOCS%%%%DOCSDIR%%/rfc/rfc4849.txt
%%PORTDOCS%%%%DOCSDIR%%/rfc/rfc5080.txt
+%%PORTDOCS%%%%DOCSDIR%%/rfc/rfc5176.txt
%%PORTDOCS%%%%DOCSDIR%%/rlm_dbm
%%PORTDOCS%%%%DOCSDIR%%/rlm_eap
%%PORTDOCS%%%%DOCSDIR%%/rlm_expiration
@@ -596,6 +603,7 @@
%%DATADIR%%/dictionary.rfc4679
%%DATADIR%%/dictionary.rfc4818
%%DATADIR%%/dictionary.rfc4849
+%%DATADIR%%/dictionary.rfc5176
%%DATADIR%%/dictionary.riverstone
%%DATADIR%%/dictionary.roaringpenguin
%%DATADIR%%/dictionary.shasta
@@ -622,7 +630,7 @@
%%DATADIR%%/dictionary.xylan
%%DATADIR%%/dictionary.zyxel
@dirrm %%DATADIR%%
- at exec mkdir -p /var/log/raddb
- at exec chmod -R og= /var/log/raddb
+ at exec if [ ! -d /var/log/radacct ]; then mkdir -p /var/log/radacct; chmod -R go= /var/log/radacct; fi
+ at exec for i in /var/log/radius.log /var/log/radutmp /var/log/radwtmp; do if [ ! -f ${i} ]; then touch ${i}; chmod go= ${i}; fi; done
@exec mkdir -p /var/run/radiusd
@unexec rm -fr /var/run/radiusd
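Review bot: the new `@exec` lines hard-code `/var/log/radacct`, `/var/log/radius.log`, `/var/log/radutmp` and `/var/log/radwtmp`, while pkg-install.in reaches the same paths through `%%LOGDIR%%`; if the two ever differ the plist creates files that the install script never chowns, and POST-INSTALL skips anything that does not exist yet (`if [ -f $file ]`), so the ownership step depends on these `@exec` lines having run first. Creating the files `go=` as root before they are handed over is the right default; a `%%LOGDIR%%` substitution here would keep one source of truth for the path. (The ` at exec` spelling is the list archive's rendering of `@exec`, as the unchanged `@exec mkdir -p /var/run/radiusd` line shows.)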
Index: Makefile
===================================================================
--- Makefile (.../branches/FreeBSD-ports-tree/freeradius2) (revision 181)
+++ Makefile (.../trunk/freeradius2) (revision 181)
@@ -6,7 +6,7 @@
#
PORTNAME= freeradius
-DISTVERSION= 2.0.1
+DISTVERSION= 2.0.3
CATEGORIES= net
MASTER_SITES= ftp://ftp.freeradius.org/pub/freeradius/%SUBDIR%/ \
ftp://ftp.ntua.gr/pub/net/radius/freeradius/%SUBDIR%/ \
@@ -40,7 +40,8 @@
PLIST_SUB= PORTVERSION=${DISTVERSION}
-OPTIONS= KERBEROS "With Kerberos support" off \
+OPTIONS= USER "Run as user freeradius, group freeradius" on \
+ KERBEROS "With Kerberos support" off \
HEIMDAL "With Heimdal Kerberos support" off \
LDAP "With LDAP database support" off \
MYSQL "With MySQL database support" off \
@@ -54,6 +55,10 @@
# Default requirements for rc script
_REQUIRE= NETWORKING SERVERS
+# User and group to use if USER is set
+USER= freeradius
+GROUP= freeradius
+
CONFIGURE_ARGS= --quiet \
--prefix=${PREFIX} \
--localstatedir=/var \
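Review bot: `USER= freeradius` here is reassigned a few lines later by `USER!= ${GREP} ...` to the whole parsed UIDs record, and `USER` is also the OPTIONS knob name (tested as `WITH_USER`), so one identifier carries three meanings in the same Makefile; a distinct name for the default account (`RADIUS_USER_DEFAULT`, say) and another for the parsed record would make the later `${USER:MUSER*:C/.../}` modifiers readable, and the same applies to `GROUP`.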
@@ -80,6 +85,7 @@
--without-rlm_sql_db2 \
--without-rlm_sql_iodbc \
--without-rlm_sql_oracle \
+ --without-rlm_sql_sqlite \
--without-rlm_sql_sybase \
--without-rlm_sql_unixodbc \
--with-vmps
@@ -88,6 +94,41 @@
CONFIGURE_ARGS+= --with-pic
.endif
+# Credentials for WITH_USER are RADIUS_USER, RADIUS_UID, RADIUS_GECOS,
+# RADIUS_HOME, RADIUS_SHELL, RADIUS_GROUP and RADIUS_GID.
+
+# Parse ${PORTSDIR}/UIDs and GIDs for the defaults
+USER!= ${GREP} -E '^${USER}:' ${PORTSDIR}/UIDs | \
+ ${SED} -Ee 's/^([^:]*):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*)$$/USER="\1" UID="\3" GECOS="\5" HOME="\6" SHELL="\7"/'
+GROUP!= ${GREP} -E '^${GROUP}:' ${PORTSDIR}/GIDs | \
+ ${SED} -Ee 's/^([^:]*):([^:]*):([^:]*):$$/GROUP="\1" GID="\3"/'
+
+# Apply the defaults where necessary
+RADIUS_USER?= ${USER:MUSER*:C/^[^=]*=\"([^\"]*)\"$/\1/}
+RADIUS_UID?= ${USER:MUID*:C/^[^=]*=\"([^\"]*)\"$/\1/}
+RADIUS_GECOS?= ${USER:MGECOS*:C/^[^=]*=\"([^\"]*)\"$/\1/}
+RADIUS_HOME?= ${USER:MHOME*:C/^[^=]*=\"([^\"]*)\"$/\1/}
+RADIUS_SHELL?= ${USER:MSHELL*:C/^[^=]*=\"([^\"]*)\"$/\1/}
+RADIUS_GROUP?= ${GROUP:MGROUP*:C/^[^=]*=\"([^\"]*)\"$/\1/}
+RADIUS_GID?= ${GROUP:MGID*:C/^[^=]*=\"([^\"]*)\"$/\1/}
+
+SUB_LIST+= USER="${RADIUS_USER}" \
+ UID="${RADIUS_UID}" \
+ GECOS="${RADIUS_GECOS}" \
+ HOME="${RADIUS_HOME}" \
+ SHELL="${RADIUS_SHELL}" \
+ GROUP="${RADIUS_GROUP}" \
+ GID="${RADIUS_GID}" \
+ RADDB_WORK="${WRKSRC}/raddb" \
+ RADDB="${PREFIX}/etc/raddb" \
+ LOGDIR="${LOGDIR}"
+SUB_FILES+= pkg-install pkg-deinstall
+.ifdef(WITH_USER)
+SUB_LIST+= RUN_AS_USER="yes"
+.else
+SUB_LIST+= RUN_AS_USER="no"
+.endif
+
.if defined(WITH_HEIMDAL) && !defined(WITH_KERBEROS)
WITH_KERBEROS= yes
.endif
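Review bot: `USER!=` and `GROUP!=` run unconditionally at parse time and yield an empty string when `${PORTSDIR}/UIDs` or `GIDs` has no `freeradius:` entry yet (the PR asks for those lines to be committed separately), in which case every `RADIUS_*` default is empty and pkg-install.in goes on to call `pw groupadd` and `pw useradd` with blank `-n`/`-u`/`-g` arguments. An `.if empty(RADIUS_UID) || empty(RADIUS_GID)` guard that sets `IGNORE`, or a fallback to the 133/133 values given in the PR, would fail early with a readable message instead. The `:MGECOS*` selection also relies on make keeping `GECOS="FreeRADIUS Daemon"` together as one word despite the embedded space; a comment saying so would save the next maintainer a debugging session.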
@@ -226,6 +267,11 @@
&& ${AUTOCONF} -I ${WRKSRC}
@cd ${WRKSRC}/src/modules/rlm_python && ${AUTOCONF} -I ${WRKSRC}
+pre-install:
+# Run pkg-install PRE-INSTALL
+ @${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} \
+ PRE-INSTALL
+
post-install:
# Create (if necessary) ${PREFIX}/etc/raddb and subdirectories using
# ${EXAMPLESDIR}/raddb as the model layout
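Review bot: this `pre-install` target runs `${PKGINSTALL}` with `PRE-INSTALL`, and that case in pkg-install.in edits both `${WRKSRC}/raddb/radiusd.conf` and the live `${PREFIX}/etc/raddb/radiusd.conf`, deleting the `.orig` backup afterwards; rewriting an administrator's existing configuration in place during an upgrade is a surprise most ports avoid, and the port's own post-install comment says raddb is only created "if necessary". Limiting the edit to the work copy and printing a notice when the installed file still carries commented-out `user`/`group` settings would respect the installed configuration while keeping the default secure for fresh installs.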
@@ -247,5 +293,8 @@
# Set ${PREFIX}/etc/raddb and all the files and folders in it to g-w,o-rwx
# (FreeRADIUS will probably complain if this is not done)
@${CHMOD} -R g-w,o-rwx ${PREFIX}/etc/raddb
+# Run pkg-install POST-INSTALL
+ @${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} \
+ POST-INSTALL
.include <bsd.port.post.mk>
>Release-Note:
>Audit-Trail:
>Unformatted: