author | cjep <cjep@pkgsrc.org> | 2021-02-10 13:00:05 +0000 |
---|---|---|
committer | cjep <cjep@pkgsrc.org> | 2021-02-10 13:00:05 +0000 |
commit | 6af67d0dbba255eaf5aa292df531938b3fef2657 (patch) | |
tree | 216681f3dfcc5d7df565703b4cd441244d449aba | |
parent | 44eb16e657b79d2964b402520239bf06be2a95e5 (diff) | |
download | pkgsrc-6af67d0dbba255eaf5aa292df531938b3fef2657.tar.gz |
PR#22362. Add Darwin support.
Also avoid overlapping strcpy.
It should be noted that this package needs an upgrade; one is being
developed in pkgsrc-wip.
-rw-r--r-- | security/tripwire/MESSAGE | 9 | ||||
-rw-r--r-- | security/tripwire/Makefile | 6 | ||||
-rw-r--r-- | security/tripwire/distinfo | 4 | ||||
-rw-r--r-- | security/tripwire/files/conf-darwin.h | 54 | ||||
-rw-r--r-- | security/tripwire/files/tw.conf.darwin | 117 | ||||
-rw-r--r-- | security/tripwire/patches/patch-ae | 53 |
6 files changed, 228 insertions, 15 deletions
diff --git a/security/tripwire/MESSAGE b/security/tripwire/MESSAGE
index 44490050e0b..883c4eb55c3 100644
--- a/security/tripwire/MESSAGE
+++ b/security/tripwire/MESSAGE
@@ -1,10 +1,11 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.2 2003/05/01 21:47:42 jmmv Exp $
+$NetBSD: MESSAGE,v 1.3 2021/02/10 13:00:05 cjep Exp $
-To use tripwire to protect your systems, you should first initialise
-the databases:
+To use tripwire to protect your systems, you should first tune the
+configure in ${PKG_SYSCONFDIR} and then initialise the databases:
- (cd ${PKG_SYSCONFDIR}; ${PREFIX}/sbin/tripwire -initialize)
+ cd ${PKG_SYSCONFDIR}
+ ${PREFIX}/sbin/tripwire -initialize
 which creates the database in the ${PKG_SYSCONFDIR}/databases directory.
diff --git a/security/tripwire/Makefile b/security/tripwire/Makefile
index 2a4d669ab18..8884faccd9c 100644
--- a/security/tripwire/Makefile
+++ b/security/tripwire/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.36 2015/07/12 07:22:08 dholland Exp $
+# $NetBSD: Makefile,v 1.37 2021/02/10 13:00:05 cjep Exp $
 #
 DISTNAME= tripwire-1.2
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= security
 MASTER_SITES= ${MASTER_SITE_BACKUP}
@@ -13,7 +13,7 @@ COMMENT= File and directory integrity checker
 USE_TOOLS+= pax lex yacc
 MAKE_JOBS_SAFE= NO
-BROKEN_EXCEPT_ON_PLATFORM= NetBSD-*-* FreeBSD-*-* SunOS-*-*
+BROKEN_EXCEPT_ON_PLATFORM= NetBSD-*-* FreeBSD-*-* SunOS-*-* Darwin-*-*
 PKG_SYSCONFSUBDIR= tripwire
 OWN_DIRS= ${PKG_SYSCONFDIR}/databases
diff --git a/security/tripwire/distinfo b/security/tripwire/distinfo
index 8b1102362a8..d94cd8ddd66 100644
--- a/security/tripwire/distinfo
+++ b/security/tripwire/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2015/11/04 01:18:12 agc Exp $
+$NetBSD: distinfo,v 1.15 2021/02/10 13:00:05 cjep Exp $
 SHA1 (tripwire-1.2.tar.gz) = 6fc91e25b3e1af3881fd5b6acf240ab6c1133e38
 RMD160 (tripwire-1.2.tar.gz) = f745db5973f14b1abbc0c2e7030f90e6fdac3257
@@ -8,7 +8,7 @@ SHA1 (patch-aa) = e131fff1f7d3e5c589a4d1f6eb9bf4da4a5b970b
 SHA1 (patch-ab) = 78a8e7050b51c05f94273581ffed8f56c89387ad
 SHA1 (patch-ac) = 35b3fe52f497e6cbbf7edfeaee398f0d24aff219
 SHA1 (patch-ad) = 4b8ad8d0cd7c17a8f3a655c5a574856670533ea5
-SHA1 (patch-ae) = 6eb1767af3d881ed4181ab83bd02c960edd0a84e
+SHA1 (patch-ae) = 5be740c8fb8b8f1c4b219f86872431d9131adaa2
 SHA1 (patch-af) = 1e4eb327ddda18ef08d4b62ca846262dfdf059a6
 SHA1 (patch-ag) = 3bfc6965782d727b6b5cf20da4dd44e45327925f
 SHA1 (patch-ah) = 97eccc44190e165dbf174f04c3acab5f1b442bc7
diff --git a/security/tripwire/files/conf-darwin.h b/security/tripwire/files/conf-darwin.h
new file mode 100644
index 00000000000..5386545db9b
--- /dev/null
+++ b/security/tripwire/files/conf-darwin.h
@@ -0,0 +1,54 @@
+/* Original Id: conf-bsd.h,v 1.2 1993/08/19 05:26:52 genek Exp */
+
+/*
+ * conf-bsd.h
+ *
+ * Tripwire configuration file
+ *
+ * Gene Kim
+ * Purdue University
+ */
+
+/***
+ *** Operating System specifics
+ ***
+ *** If the answer to a question in the comment is "Yes", then
+ *** change the corresponding "#undef" to a "#define"
+ ***/
+
+/*
+ * is your OS a System V derivitive? if so, what version?
+ * (e.g., define SYSV 4)
+ */
+
+#undef SYSV
+
+/*
+ * does your system have a <malloc.h> like System V?
+ */
+
+#undef MALLOCH
+
+/*
+ * does your system have a <stdlib.h> like POSIX says you should?
+ */
+
+#define STDLIBH
+
+/*
+ * does your system use readdir(3) that returns (struct dirent *)?
+ */
+
+#define DIRENT
+
+/*
+ * is #include <string.h> ok? (as opposed to <strings.h>)
+ */
+
+#undef STRINGH
+
+/*
+ * does your system have gethostname(2) (instead of uname(2))?
+ */
+
+#define GETHOSTNAME
diff --git a/security/tripwire/files/tw.conf.darwin b/security/tripwire/files/tw.conf.darwin
new file mode 100644
index 00000000000..b732f9ca7d4
--- /dev/null
+++ b/security/tripwire/files/tw.conf.darwin
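Review bot: `#undef STRINGH` answers "is #include <string.h> ok?" with no for a platform that does ship `<string.h>`, so the build takes whatever `<strings.h>` path the tripwire sources select for that setting; it presumably compiles because Darwin's `<strings.h>` also pulls in `<string.h>`, but `#define STRINGH` would record the platform fact directly instead of relying on that. The first line says the file is a copy of conf-bsd.h; a short comment after it stating which of the answers below were actually checked on Darwin would help the next maintainer, and the SYSV comment's `derivitive` should read `derivative`.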
@@ -0,0 +1,117 @@
+# $NetBSD
+# From NetBSD: tw.conf.netbsd,v 1.3 2001/11/05 14:29:23 hubertf Exp
+#
+# tripwire.config
+# Generic version for Darwin
+# YOU SHOULD EDIT THIS TO MEET YOUR REQUIREMENTS!
+#
+# This file contains a list of files and directories that System
+# Preener will scan. Information collected from these files will be
+# stored in the tripwire.database file.
+#
+# Format: [!|=] entry [ignore-flags]
+#
+# where: '!' signifies the entry is to be pruned (inclusive) from
+# the list of files to be scanned.
+# '=' signifies the entry is to be added, but if it is
+# a directory, then all its contents are pruned
+# (useful for /tmp).
+#
+# where: entry is the absolute pathname of a file or a directory
+#
+# where ignore-flags are in the format:
+# [template][ [+|-][pinugsam12] ... ]
+#
+# - : ignore the following atributes
+# + : do not ignore the following attributes
+#
+# p : permission and file mode bits a: access timestamp
+# i : inode number m: modification timestamp
+# n : number of links (ref count) c: inode creation timestamp
+# u : user id of owner 1: signature 1
+# g : group id of owner 2: signature 2
+# s : size of file
+#
+#
+# Ex: The following entry will scan all the files in /etc, and report
+# any changes in mode bits, inode number, reference count, uid,
+# gid, modification and creation timestamp, and the signatures.
+# However, it will ignore any changes in the access timestamp.
+#
+# /etc +pinugsm12-a
+#
+# The following templates have been pre-defined to make these long ignore
+# mask descriptions unecessary.
+#
+# Templates: (default) R : [R]ead-only (+pinugsm12-a)
+# L : [L]og file (+pinug-sam12)
+# N : ignore [N]othing (+pinusgsamc12)
+# E : ignore [E]verything (-pinusgsamc12)
+#
+# By default, Tripwire uses the R template -- it ignores
+# only the access timestamp.
+#
+# You can use templates with modifiers, like:
+# Ex: /etc/lp E+ug
+#
+# Example configuration file:
+# /etc R # all system files
+# !/etc/lp R # ...but not those logs
+# =/tmp N # just the directory, not its files
+#
+# Note the difference between pruning (via "!") and ignoring everything
+# (via "E" template): Ignoring everything in a directory still monitors
+# for added and deleted files. Pruning a directory will prevent Tripwire
+# from even looking in the specified directory.
+#
+#
+# Tripwire running slowly? Modify your tripwire.config entries to
+# ignore the (signature 2) attribute when this computationally-exorbitant
+# protection is not needed. (See README and design document for further
+# details.)
+#
+
+# First, root's "home"
+=/ L
+/var/root R-2
+!/var/root/Library # noisy
+
+# /bin and exceptions
+/bin R-2
+
+# /dev
+/dev L
+
+!/dev/fd R # Grumbles on Darwin
+
+# /etc and exceptions
+/etc R-2
+/etc/master.passwd L
+/etc/motd L
+/etc/passwd L
+/etc/uucp L
+
+# Home directories
+=/Users
+
+# /sbin
+/sbin R-2
+
+# /usr/bin
+/usr/bin R-2
+
+/usr/lib R-2
+
+/usr/libexec R-2
+
+/usr/local/bin R-2
+
+/usr/local/etc L
+
+/usr/sbin R-2
+
+# packages...
+=@localbase@
+=@x11base@
+
+###########################################
diff --git a/security/tripwire/patches/patch-ae b/security/tripwire/patches/patch-ae
index c11b40d78fb..ba504f89e5e 100644
--- a/security/tripwire/patches/patch-ae
+++ b/security/tripwire/patches/patch-ae
@@ -1,7 +1,10 @@
-$NetBSD: patch-ae,v 1.2 2005/12/05 20:50:58 rillig Exp $
+$NetBSD
---- src/config.parse.c.orig 1994-07-20 18:03:26.000000000 -0700
-+++ src/config.parse.c
+strcpy used on overlapping strings. Place in a string to avoid this.
+Fixes package on Darwin.
+
+--- src/config.parse.c.orig 1994-07-21 02:03:26.000000000 +0100
++++ src/config.parse.c 2021-02-09 14:24:32.000000000 +0000
 @@ -55,7 +55,6 @@
 #endif
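Review bot: `/etc/master.passwd L` and `/etc/passwd L` override the `/etc R-2` entry with the L template, which the header defines as `+pinug-sam12`, so size and both signatures are ignored for the password databases; an in-place edit that keeps inode, mode and owner is then not reported, which is exactly the change an integrity checker on these files exists to catch. The L template fits frequently rewritten files such as `/etc/motd`, and the NetBSD file this is derived from presumably made the same choice, but for Darwin I would drop those two lines so the files inherit `R-2` from `/etc`, or make them `/etc/master.passwd R-2` and `/etc/passwd R-2`. The header typos `atributes` and `unecessary` could be fixed in the same pass.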
@@ -10,7 +13,15 @@ $NetBSD: patch-ae,v 1.2 2005/12/05 20:50:58 rillig Exp $
 static void configfile_descend();
 #ifndef L_tmpnam
-@@ -90,6 +89,7 @@ configfile_read(pp_list, pp_entry_list)
+@@ -83,6 +82,7 @@
+ {
+ FILE *fpin, *fpout = (FILE *) NULL;
+ char filename[MAXPATHLEN+512];
++ char cpfilename[MAXPATHLEN+512];
+ char ignorestring[1024];
+ char s[MAXPATHLEN+1024];
+ char configfile[MAXPATHLEN+512];
+@@ -90,6 +90,7 @@
 char number[128];
 int entrynum = 0;
 int err;
@@ -18,7 +29,7 @@ $NetBSD: patch-ae,v 1.2 2005/12/05 20:50:58 rillig Exp $
 /* to make code semi-reentrant */
 list_reset(&prune_list);
-@@ -105,8 +105,9 @@ configfile_read(pp_list, pp_entry_list)
+@@ -105,8 +106,9 @@
 };
 (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE);
@@ -30,7 +41,7 @@ $NetBSD: patch-ae,v 1.2 2005/12/05 20:50:58 rillig Exp $
 exit(1);
 }
-@@ -149,7 +150,7 @@ configfile_read(pp_list, pp_entry_list)
+@@ -149,7 +151,7 @@
 err = umask(077); /* to protect the tempfile */
@@ -39,3 +50,33 @@ $NetBSD: patch-ae,v 1.2 2005/12/05 20:50:58 rillig Exp $
 sprintf(s, "tripwire: Couldn't open config file '%s'", configfile);
 perror(s);
 exit(1);
+@@ -221,11 +223,17 @@
+ switch (*filename) {
+ case '!':
+ prune_mode = PRUNE_ALL;
+- (void) strcpy(filename, filename+1); /* adjust name */
++ /* overlapping strings - undefined behaviour, at least
++ * on Darwin
++ * (void) strcpy(filename, filename+1);
++ */
++ (void) strcpy(cpfilename, filename+1); /* adjust name */
++ (void) strcpy(filename, cpfilename); /* adjust name */
+ break;
+ case '=':
+ prune_mode = PRUNE_ONE;
+- (void) strcpy(filename, filename+1); /* adjust name */
++ (void) strcpy(cpfilename, filename+1); /* adjust name */
++ (void) strcpy(filename, cpfilename); /* adjust name */
+ break;
+ default:
+ continue; /* nothing */
+@@ -295,7 +303,8 @@
+
+ /* check for leading '=', prune after one recursion */
+ else if (*filename == '=') {
+- (void) strcpy(filename, filename+1);
++ (void) strcpy(cpfilename, filename+1); /* adjust name */
++ (void) strcpy(filename, cpfilename); /* adjust name */
+ prunedir++;
+ }
+ |
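Review bot: The `strcpy(cpfilename, filename+1)` / `strcpy(filename, cpfilename)` pairs in the `case '!'`, `case '='` and `*filename == '='` branches do remove the overlap, but `memmove` is the function specified for overlapping regions and needs neither the second `MAXPATHLEN+512` stack buffer introduced in the previous hunk nor two copies per site: `(void) memmove(filename, filename+1, strlen(filename));` (the length counts the terminating NUL of the shifted tail). The retained comment `undefined behaviour, at least on Darwin` understates the problem: strcpy on overlapping objects is undefined by the C standard on every platform, Darwin presumably just being the libc that aborts on it, so I would make it `/* src and dst overlap: strcpy() is undefined behaviour per the C standard; shift the name down with memmove */`. The enclosing function starts and ends outside these inner hunks; the patch as written relies on `filename` and `cpfilename` having the same size, which the earlier hunk does show.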