ports/177668: [PATCH] security/shibboleth2-sp: create cert on first use; other fixes
Craig Leres
leres at ee.lbl.gov
Sat Apr 6 18:30:00 UTC 2013
>Number: 177668
>Category: ports
>Synopsis: [PATCH] security/shibboleth2-sp: create cert on first use; other fixes
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Apr 06 18:30:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Craig Leres
>Release: FreeBSD 9.1-RELEASE amd64
>Organization:
Lawrence Berkeley National Laboratory
>Environment:
System: FreeBSD fun.ee.lbl.gov 9.1-RELEASE FreeBSD 9.1-RELEASE #4 r13: Fri Feb 1 19:03:16 PST 2013 leres at fun.ee.lbl.gov:/sys/amd64/compile/LBL amd64
>Description:
An openssl certificate and private key are generated at
build time and are stored in the package. This means when
you install shibboleth2-sp from a package on another machine,
the CN doesn't match its hostname. And anyone with access
to the package has a copy of the private key.
>How-To-Repeat:
% openssl x509 -text -in /usr/local/etc/shibboleth/sp-cert.pem | \
fgrep 'Subject: CN'
Subject: CN=fun.ee.lbl.gov
>Fix:
Create the certificate and key on first use from the rc.d
script (just like sshd).
Obey WWWOWN/WWWGRP when creating /var/run/shibboleth.
Update Makefile headers.
Remove obsolete WITH_APACHE_20 stuff.
Add missing lib files to pkg-plist.
Please see attached patches.
--- patch.txt begins here ---
--- Makefile.orig 2013-04-05 17:41:02.000000000 -0700
+++ Makefile 2013-04-06 10:53:44.000000000 -0700
@@ -1,13 +1,9 @@
-# New ports collection makefile for: security/shibboleth2-sp
-# Date created: 17 Sept2008
-# Whom: Janos Mohacsi <janos.mohacsi at bsd.hu>
-#
+# Created by: Janos Mohacsi <janos.mohacsi at bsd.hu>
# $FreeBSD: head/security/shibboleth2-sp/Makefile 302724 2012-08-18 14:29:08Z ohauer $
-#
PORTNAME= shibboleth-sp
PORTVERSION= 2.4.3
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= security www
MASTER_SITES= http://www.shibboleth.net/downloads/service-provider/${PORTVERSION}/
@@ -27,20 +23,16 @@
WRKSRC= ${WRKDIR}/shibboleth-${PORTVERSION}
LATEST_LINK= shibboleth2-sp
+SUB_LIST+= SH=${SH}
+PLIST_SUB+= WWWOWN=${WWWOWN} WWWGRP=${WWWGRP}
.include <bsd.port.pre.mk>
.if defined(WITH_APACHE22)
USE_APACHE= 22
-CONFIGURE_ARGS= --enable-apache-22 --with-apxs22=${APXS}
-PLIST_SUB+= WITH_APACHE_22=""
-PLIST_SUB+= WITH_APACHE_20="@comment "
+CONFIGURE_ARGS+= --enable-apache-22 --with-apxs22=${APXS}
.else
IGNORE= apache20 is no longer available
-#USE_APACHE= 20
-#CONFIGURE_ARGS= --enable-apache-20 --with-apxs2=${APXS} --with-apr=${PREFIX}/lib/apache2/apr-config --with-apu=${PREFIX}/lib/apache2/apu-config
-PLIST_SUB+= WITH_APACHE_22="@comment "
-PLIST_SUB+= WITH_APACHE_20=""
.endif
CONFIGURE_ARGS+= --localstatedir=/var --with-log4shib=${LOCALBASE}
CONFIGURE_ARGS+= --with-openssl=${OPENSSLBASE} --with-xmltooling=${LOCALBASE}
--- pkg-descr.orig 2013-04-06 10:39:48.000000000 -0700
+++ pkg-descr 2013-04-06 10:40:35.000000000 -0700
@@ -10,4 +10,4 @@
is based on assertions received by the service provider (SP) from
an identity provider.
-WWW: http://shibboleth.internet2.edu/
+WWW: http://shibboleth.internet2.edu/
--- pkg-plist.orig 2013-04-05 04:25:11.000000000 -0700
+++ pkg-plist 2013-04-06 10:48:25.000000000 -0700
@@ -67,8 +67,6 @@
etc/shibboleth/apache22.config
etc/shibboleth/keygen.sh
etc/shibboleth/upgrade.xsl
-etc/shibboleth/sp-key.pem
-etc/shibboleth/sp-cert.pem
@unexec if cmp -s %D/etc/shibboleth/postTemplate.html.dist %D/etc/shibboleth/postTemplate.html; then rm -f %D/etc/shibboleth/postTemplate.html; fi
etc/shibboleth/postTemplate.html.dist
@exec if [ ! -f %D/etc/shibboleth/postTemplate.html ] ; then cp -p %D/etc/shibboleth/postTemplate.html.dist %D/etc/shibboleth/postTemplate.html; fi
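Review bot: Dropping sp-key.pem and sp-cert.pem from the plist means an installation upgrading from PORTREVISION 1 is likely to have its packaged pair removed by the old plist and a fresh pair minted on the next start, which silently changes the certificate this SP has registered with its IdP or federation. A pkg-message or UPDATING entry telling administrators to back up the existing key before upgrading, plus a plist comment saying the files are now created by the rc script and intentionally survive deinstall (as sshd host keys do), would make this explicit. Whether to remove the generated files with `@unexec rm -f %D/etc/shibboleth/sp-key.pem %D/etc/shibboleth/sp-cert.pem` is a policy choice; keeping them is the safer default for a key that peers trust.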
@@ -130,16 +128,16 @@
include/shibsp/util/SPConstants.h
include/shibsp/util/TemplateParameters.h
include/shibsp/version.h
-lib/libshibsp.so.5
lib/libshibsp.so
-lib/shibboleth/adfs.so
-lib/shibboleth/adfs.la
-lib/shibboleth/adfs-lite.so
+lib/libshibsp.so.5
lib/shibboleth/adfs-lite.la
-%%WITH_APACHE_22%%lib/shibboleth/mod_shib_22.so
-%%WITH_APACHE_22%%lib/shibboleth/mod_shib_22.la
-%%WITH_APACHE_20%%lib/shibboleth/mod_shib_20.so
-%%WITH_APACHE_20%%lib/shibboleth/mod_shib_20.la
+lib/shibboleth/adfs-lite.so
+lib/shibboleth/adfs.la
+lib/shibboleth/adfs.so
+lib/shibboleth/mod_shib_22.la
+lib/shibboleth/mod_shib_22.so
+lib/shibboleth/odbc-store.la
+lib/shibboleth/odbc-store.so
lib/libshibsp-lite.so.5
lib/libshibsp-lite.so
sbin/shibd
@@ -167,7 +165,7 @@
@exec mkdir -p %D/data
@exec mkdir -p /var/log/shibboleth
@exec mkdir -p /var/run/shibboleth
- at exec chown www:www /var/run/shibboleth
+ at exec chown %%WWWOWN%%:%%WWWGRP%% /var/run/shibboleth
@exec chmod -R ug=rwx,o= /var/run/shibboleth
@unexec rm -rf /var/run/shibboleth 2>&1 >/dev/null || true
@dirrmtry share/doc/shibboleth/api
--- files/shibboleth-sp.in.orig 2013-04-05 17:23:50.000000000 -0700
+++ files/shibboleth-sp.in 2013-04-06 10:29:03.000000000 -0700
@@ -12,8 +12,27 @@
rcvar=shibboleth_sp_enable
command=${shibboleth_sp_program:-%%PREFIX%%/sbin/shibd}
+keygen_cmd="shibboleth_sp_keygen"
+start_precmd="shibboleth_sp_precmd"
+
pidfile="${shibboleth_sp_pidfile:-/var/run/${name}.pid}"
+confdir=%%PREFIX%%/etc/shibboleth
+certfn=sp-cert.pem
+keyfn=sp-key.pem
command_args="-f -p ${pidfile}"
+extra_commands="keygen"
+
+shibboleth_sp_keygen()
+{
+ %%SH%% ${confdir}/keygen.sh -o ${confdir} || exit 1
+}
+
+shibboleth_sp_precmd()
+{
+ if [ ! -s ${confdir}/${keyfn} -a ! -s ${confdir}/${keyfn} ]; then
+ run_rc_command keygen
+ fi
+}
load_rc_config $name
run_rc_command "$1"
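Review bot: The test in shibboleth_sp_precmd checks `${keyfn}` twice, so `certfn` is never consulted and a missing sp-cert.pem next to an existing key will not trigger generation; the second operand should be `if [ ! -s ${confdir}/${keyfn} -a ! -s ${confdir}/${certfn} ]; then`. Decide whether `-a` (generate only when both are absent, never clobbering a lone surviving key) or `-o` is intended and record that in a comment, because a half-present pair otherwise leaves shibd failing to start with no hint in the rc output. keygen.sh runs as root here; if shibd is started as %%WWWOWN%% (the plist chowns /var/run/shibboleth to that account), confirm that the generated sp-key.pem ends up readable by that account only, rather than 0600 root or world-readable, using keygen.sh's `-u`/`-g` options if this version provides them.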
--- /dev/null 2013-04-06 10:56:58.000000000 -0700
+++ files/patch-configs_Makefile.am 2013-04-05 18:07:50.000000000 -0700
@@ -0,0 +1,17 @@
+--- configs/Makefile.am.orig 2013-04-05 18:06:00.000000000 -0700
++++ configs/Makefile.am 2013-04-05 18:07:26.000000000 -0700
+@@ -121,10 +121,10 @@
+ install-data-hook:
+ chmod +x $(DESTDIR)$(pkgsysconfdir)/keygen.sh
+ chmod +x $(DESTDIR)$(pkgsysconfdir)/metagen.sh
+- if test -z "$(NOKEYGEN)"; then \
+- cd $(DESTDIR)$(pkgsysconfdir); \
+- sh ./keygen.sh -b ; \
+- fi
++# if test -z "$(NOKEYGEN)"; then \
++# cd $(DESTDIR)$(pkgsysconfdir); \
++# sh ./keygen.sh -b ; \
++# fi
+
+ CLEANFILES = \
+ apache.config \
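Review bot: Commenting out the install-data-hook recipe leaves dead code in configs/Makefile.am, and the hook already honours a `NOKEYGEN` variable, so the same effect should be available without a patch by adding `MAKE_ARGS+= NOKEYGEN=yes` to the port Makefile (the ports framework passes MAKE_ARGS to the install target too). If the patch is kept, delete the four lines rather than prefixing them with `#`. This also patches Makefile.am; unless the port regenerates the build system with automake, the generated configs/Makefile.in is what actually runs, so confirm the change really takes effect at install time.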
--- /dev/null 2013-04-06 10:56:58.000000000 -0700
+++ files/patch-shibboleth.spec.in 2013-04-05 17:21:43.000000000 -0700
@@ -0,0 +1,13 @@
+--- shibboleth.spec.in.orig 2013-04-05 17:21:12.000000000 -0700
++++ shibboleth.spec.in 2013-04-05 17:21:21.000000000 -0700
+@@ -147,8 +147,8 @@
+ %endif
+
+ # Key generation
+-cd %{_sysconfdir}/%{name}
+-sh ./keygen.sh -b
++##cd %{_sysconfdir}/%{name}
++##sh ./keygen.sh -b
+
+ %if "%{_vendor}" == "redhat"
+ # This adds the proper /etc/rc*.d links for the script
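Review bot: As far as I can tell shibboleth.spec.in only feeds the RPM %post scriptlet and is never executed by the FreeBSD build, so this patch has no effect on the installed package. If it is retained for symmetry with patch-configs_Makefile.am, a one-line comment in the port Makefile saying so would spare the next maintainer from wondering why it exists; otherwise drop it.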
--- patch.txt ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: