ports/180573: MAINTAINER-UPDATE shells/rssh -> support latest rsync
Jason Harris
jharris at widomaker.com
Mon Jul 15 13:10:02 UTC 2013
>Number: 180573
>Category: ports
>Synopsis: MAINTAINER-UPDATE shells/rssh -> support latest rsync
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 15 13:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Jason Harris
>Release: FreeBSD 9.1-RELEASE amd64
>Organization:
bitrote.org
>Environment:
FreeBSD laptop 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root at farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
Note: This supersedes PR ports/175176
1) Add support for the latest rsync (command line invocations) using
the Debian patch provided by John Marshall in PR ports/175176.
2) Freshen pkg-descr and COMMENT.
>How-To-Repeat:
1) apply patch below
2) %mkdir files
3) %mv optional-patch-util.c files/
3) %svn add files/optional-patch-util.c
...
n-1) please close PR ports/175176, which this PR supersedes
n++) please commit PR ports/180491: MAINTAINER-UPDATE math/units -> 2.02
n++) please commit PR ports/180221: new port: ftp/p5-curl
>Fix:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message
diff -r b6ef9fe7aaec Makefile
--- a/Makefile Mon Jul 15 08:33:12 2013 -0400
+++ b/Makefile Mon Jul 15 08:36:25 2013 -0400
@@ -3,19 +3,24 @@
PORTNAME= rssh
PORTVERSION= 2.3.4
+PORTREVISION= 1
CATEGORIES= shells security
MASTER_SITES= SF
MAINTAINER= jharris at widomaker.com
-COMMENT= Restricted Secure SHell only for sftp or/and scp
+COMMENT= Restricted Secure SHell only for sftp/scp/rdist/rsync/CVS
+
+LICENSE= BSD
+LICENSE_FILE= ${WRKSRC}/LICENSE
GNU_CONFIGURE= yes
MAN1= rssh.1
MAN5= rssh.conf.5
-OPTIONS_DEFINE= RDIST
+OPTIONS_DEFINE= RDIST RSYNC3
RDIST_DESC= rdist support
+RSYNC3_DESC= Add support for rsync 3 (Debian patch)
.include <bsd.port.options.mk>
@@ -24,6 +29,10 @@
CONFIGURE_ARGS+=--with-rdist=${LOCALBASE}/bin/rdist6
.endif
+.if ${PORT_OPTIONS:MRSYNC3}
+EXTRA_PATCHES= ${FILESDIR}/optional-patch-util.c
+.endif
+
post-patch:
@${REINPLACE_CMD} -E -e 's,(\$$\(DESTDIR\)\$$\(sysconfdir\)/\$$\$$f),\1.dist,g' \
${WRKSRC}/Makefile.in
diff -r b6ef9fe7aaec files/optional-patch-util.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/files/optional-patch-util.c Mon Jul 15 08:36:25 2013 -0400
@@ -0,0 +1,103 @@
+--- util.c.orig 2012-11-27 12:14:49.000000000 +1100
++++ util.c 2013-01-09 17:52:54.000000000 +1100
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_LIBGEN_H
+ #include <libgen.h>
+ #endif /* HAVE_LIBGEN_H */
++#include <regex.h>
+
+ /* LOCAL INCLUDES */
+ #include "pathnames.h"
+@@ -198,6 +199,73 @@
+
+
+ /*
++ * rsync_e_okay() - take the command line passed to rssh and look for an -e
++ * option. If one is found, make sure --server is provided
++ * and the option contains only the protocol information.
++ * Also check for and reject any --rsh option. Returns FALSE
++ * if the command line should not be allowed, TRUE if it is
++ * okay.
++ */
++static int rsync_e_okay( char **vec )
++{
++ regex_t re;
++ int server = FALSE;
++ int e_found = FALSE;
++
++ /*
++ * rsync will send -e, followed by either just "." (meaning no special
++ * protocol) or "N.N" (meaning a pre-release protocol version),
++ * followed by some number of alphabetic flags indicating various
++ * supported options. There may be other options between - and the e,
++ * but -e will always be the last option in the string. A typical
++ * option passed by the client is "-ltpre.iL".
++ *
++ * Note that if --server is given, this should never be parsed as a
++ * shell, but we'll tightly verify it anyway, just in case.
++ *
++ * This regex matches the acceptable flags containing -e, so if it
++ * does not match, the command line should be rejected.
++ */
++ static const char pattern[]
++ = "^-[a-df-zA-Z]*e[0-9]*\\.[0-9]*[a-zA-Z]*$";
++
++ /*
++ * Only recognize --server if it's the first option. rsync itself
++ * always passes it that way, and if it's not the first argument, it
++ * could be hidden from the server as an argument to some other
++ * option.
++ */
++ if ( vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0 ){
++ server = TRUE;
++ }
++
++ /* Check the remaining options for -e or --rsh. */
++ if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
++ return FALSE;
++ }
++ while (vec && *vec){
++ if ( strcmp(*vec, "--") == 0 ) break;
++ if ( strcmp(*vec, "--rsh") == 0
++ || strncmp(*vec, "--rsh=", strlen("--rsh=")) == 0 ){
++ regfree(&re);
++ return FALSE;
++ }
++ if ( strncmp(*vec, "--", 2) != 0 && opt_exist(*vec, 'e') ){
++ e_found = TRUE;
++ if ( regexec(&re, *vec, 0, NULL, 0) != 0 ){
++ regfree(&re);
++ return FALSE;
++ }
++ }
++ vec++;
++ }
++ regfree(&re);
++ if ( e_found && !server ) return FALSE;
++ return TRUE;
++}
++
++
++/*
+ * check_command_line() - take the command line passed to rssh, and verify
+ * that the specified command is one the user is
+ * allowed to run and validate the arguments. Return the
+@@ -230,14 +298,10 @@
+
+ if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
+ /* filter -e option */
+- if ( opt_filter(cl, 'e') ) return NULL;
+- while (cl && *cl){
+- if ( strstr(*cl, "--rsh" ) ){
+- fprintf(stderr, "\ninsecure --rsh= not allowed.");
+- log_msg("insecure --rsh option in rsync command line!");
+- return NULL;
+- }
+- cl++;
++ if ( !rsync_e_okay(cl) ){
++ fprintf(stderr, "\ninsecure -e or --rsh option not allowed.");
++ log_msg("insecure -e or --rsh option in rsync command line!");
++ return NULL;
+ }
+ return PATH_RSYNC;
+ }
diff -r b6ef9fe7aaec pkg-descr
--- a/pkg-descr Mon Jul 15 08:33:12 2013 -0400
+++ b/pkg-descr Mon Jul 15 08:36:25 2013 -0400
@@ -1,6 +1,6 @@
-rssh is a Restricted Secure SHell that allow only the use of sftp
-or scp. It could be use when you need an account (and a valid
-shell) in order to execute sftp or scp but when you don't want to
-give the possibility to log in to this user.
+rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp.
+It now also includes support for rdist, rsync, and CVS. For example, if you
+have a server which you only want to allow users to copy files off of via scp,
+without providing shell access, you can use rssh to do that.
WWW: http://www.pizzashack.org/rssh/index.shtml
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (FreeBSD)
iJ0EARECAF0FAlHj7M1WGGh0dHA6Ly9rZXlzZXJ2ZXIua2pzbC5jb206MTEzNzEv
cGtzL2xvb2t1cD9vcD1nZXQmc2VhcmNoPTB4RDM5REEwRTMmd2VoYXZleW91bm93
PXRydWUACgkQSypIl9OdoONfuACZAe99zTNywbCtjd416/7cxL9chMUAoJ3W2d/u
PGfSt1QGdtJe+pjxHKf/
=ZJjs
-----END PGP SIGNATURE-----
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list