author | adrianp <adrianp@pkgsrc.org> | 2006-08-10 10:55:51 +0000 |
---|---|---|
committer | adrianp <adrianp@pkgsrc.org> | 2006-08-10 10:55:51 +0000 |
commit | 8ea989d41f5668e7e714dcda47af927f6920f1ab (patch) | |
tree | 6fc7873d2d85c000a498e98c8413e393ab569770 /net | |
parent | 37fcb1749eef07f50c8e346721093d0543bf2bb2 (diff) | |
download | pkgsrc-8ea989d41f5668e7e714dcda47af927f6920f1ab.tar.gz |
Default to running radiusd as a non-root user
bump to nb2
Diffstat (limited to 'net')
-rw-r--r-- | net/freeradius/MESSAGE | 17 | ||||
-rw-r--r-- | net/freeradius/Makefile | 61 | ||||
-rw-r--r-- | net/freeradius/distinfo | 3 | ||||
-rw-r--r-- | net/freeradius/files/radiusd.sh | 4 | ||||
-rw-r--r-- | net/freeradius/patches/patch-ak | 15 |
5 files changed, 77 insertions, 23 deletions
diff --git a/net/freeradius/MESSAGE b/net/freeradius/MESSAGE new file mode 100644 index 00000000000..b093491972f --- /dev/null +++ b/net/freeradius/MESSAGE @@ -0,0 +1,17 @@ +=========================================================================== +$NetBSD: MESSAGE,v 1.1 2006/08/10 10:55:52 adrianp Exp $ + +Note to users who have been running radiusd as root before: + +As radiusd now runs unprivileged by default (as ${RADIUS_USER}:${RADIUS_GROUP}), +you'll have to adapt some permissions: + + ${CHOWN} -R ${RADIUS_USER}:${RADIUS_GROUP} ${VARBASE}/run/radiusd + ${CHOWN} -R ${RADIUS_USER}:${RADIUS_GROUP} ${PKG_SYSCONFDIR} + ${FIND} ${PKG_SYSCONFDIR} -type d | ${XARGS} ${CHMOD} 0750 + ${FIND} ${PKG_SYSCONFDIR} -type f | ${XARGS} ${CHMOD} 0640 + +In addition to this the base logging directory has now been moved from +${VARBASE}/log to ${VARBASE}/log/radiusd. + +=========================================================================== diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile index b0f88e92d82..cba4da2a278 100644 --- a/net/freeradius/Makefile +++ b/net/freeradius/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.52 2006/08/09 16:42:09 adrianp Exp $ +# $NetBSD: Makefile,v 1.53 2006/08/10 10:55:52 adrianp Exp $ DISTNAME= freeradius-${RADVER} -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= net MASTER_SITES= ftp://ftp.freeradius.org/pub/radius/ \ ftp://ftp.Awfulhak.org/pub/radius/ 
@@ -15,18 +15,37 @@ COMMENT= Free RADIUS server implementation CONFLICTS+= radiusd-cistron-[0-9]* USE_TOOLS+= gmake perl:run GNU_CONFIGURE= YES +USE_LIBTOOL= YES +USE_OLD_DES_API= YES + +BUILD_DEFS= VARBASE RADIUS_USER RADIUS_GROUP PLIST_SRC= ${WRKDIR}/.PLIST_SRC -FILES_SUBST+= ROOT_USER=${ROOT_USER:Q} -FILES_SUBST+= ROOT_GROUP=${ROOT_GROUP:Q} +FILES_SUBST+= RADIUS_USER=${RADIUS_USER:Q} +FILES_SUBST+= RADIUS_GROUP=${RADIUS_GROUP:Q} PLIST_SUBST+= RADVER=${RADVER} -USE_OLD_DES_API= YES +MESSAGE_SUBST+= CHOWN=${CHOWN:Q} CHMOD=${CHMOD:Q} VARBASE=${VARBASE} +MESSAGE_SUBST+= RADIUS_USER=${RADIUS_USER:Q} XARGS=${XARGS:Q} +MESSAGE_SUBST+= RADIUS_GROUP=${RADIUS_GROUP:Q} FIND=${FIND:Q} + +PKG_SYSCONFSUBDIR= raddb +RCD_SCRIPTS= radiusd +RADIUS_USER?= radius +RADIUS_GROUP?= radius +PKG_GROUPS= ${RADIUS_USER} +PKG_USERS= ${RADIUS_USER}:${RADIUS_GROUP} +OWN_DIRS_PERMS+= ${VARBASE}/run/radiusd \ + ${RADIUS_USER} ${RADIUS_GROUP} 0750 +OWN_DIRS_PERMS+= ${VARBASE}/log/radiusd \ + ${RADIUS_USER} ${RADIUS_GROUP} 0750 +OWN_DIRS_PERMS+= ${VARBASE}/log/radiusd/radacct \ + ${RADIUS_USER} ${RADIUS_GROUP} 0750 + RADVER= 1.1.2 +EGDIR= ${PREFIX}/share/examples/freeradius BUILDLINK_API_DEPENDS.openssl+= openssl>=0.9.7 -USE_LIBTOOL= YES - -CONFIGURE_ARGS+= --with-logdir=${VARBASE}/log +CONFIGURE_ARGS+= --with-logdir=${VARBASE}/log/radiusd CONFIGURE_ARGS+= --localstatedir=${VARBASE:Q} CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFBASEDIR:Q} CONFIGURE_ARGS+= --disable-ltdl-install @@ -37,6 +56,7 @@ CONFIGURE_ARGS+= --without-rlm_smb CONFIGURE_ARGS+= --without-rlm_sql_iodbc CONFIGURE_ARGS+= --without-rlm_sql_oracle CONFIGURE_ARGS+= --without-rlm_sql_unixodbc +CONFIGURE_ARGS+= --quiet #CONFIGURE_ARGS+= --without-rlm_eap_peap #CONFIGURE_ARGS+= --without-rlm_eap_sim #CONFIGURE_ARGS+= --without-rlm_eap_tls 
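Review bot: `PKG_GROUPS= ${RADIUS_USER}` registers the group under the user variable, so the group named in `PKG_USERS= ${RADIUS_USER}:${RADIUS_GROUP}` and in the three `OWN_DIRS_PERMS` entries is only created when both variables happen to hold the same name. With the defaults (`radius` for both) this goes unnoticed, but anyone overriding `RADIUS_GROUP` would presumably end up with a user whose group was never created and directories that cannot be given the intended group. The line should read `PKG_GROUPS= ${RADIUS_GROUP}`. As a smaller point, `VARBASE=${VARBASE}` is the only value in the new `MESSAGE_SUBST` lines without `:Q`.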
@@ -54,15 +74,14 @@ SUBST_SED.make+= -e "s|RLM_SQL_LIBS =|RLM_SQL_LIBS = \ -L${PREFIX}/lib|g" SUBST_MESSAGE.make= Fixing Makefiles. -.include "options.mk" - -RCD_SCRIPTS= radiusd - -OWN_DIRS= ${VARBASE}/run/radiusd +SUBST_CLASSES+= config +SUBST_STAGE.config= post-patch +SUBST_FILES.config= raddb/radiusd.conf.in +SUBST_SED.config= -e "s|@@RADIUS_USER@@|${RADIUS_USER}|g" +SUBST_SED.config+= -e "s|@@RADIUS_GROUP@@|${RADIUS_GROUP}|g" +SUBST_MESSAGE.config= Fixing configuration files. -PKG_SYSCONFSUBDIR= raddb -EGDIR= ${PREFIX}/share/examples/freeradius -CONF_FILES_MODE= 0640 +.include "options.mk" EGFILES= acct_users attrs certs/demoCA/index.txt.old \ certs/demoCA/cacert.pem certs/demoCA/index.txt \ @@ -79,7 +98,8 @@ EGFILES= acct_users attrs certs/demoCA/index.txt.old \ otp.conf otppasswd.sample .for f in ${EGFILES} -CONF_FILES+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f} +CONF_FILES_PERMS+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f} \ + ${RADIUS_USER} ${RADIUS_GROUP} 0640 .endfor .include "../../security/openssl/buildlink3.mk" @@ -101,9 +121,6 @@ SUBST_SED.make+= -e 's|@ldap_ldflags@|@ldap_ldflags@ \ ${PTHREAD_LDFLAGS:Q} ${PTHREAD_LIBS:Q}|g' .endif -.if ${OPSYS} == "DragonFly" -.endif - .if ${MACHINE_ARCH} == "amd64" CFLAGS+= -fPIC .endif @@ -121,5 +138,9 @@ post-install: ${INSTALL_SCRIPT} ${WRKSRC}/src/modules/rlm_perl/example.pl ${EGDIR} ${MKDIR} ${PKG_SYSCONFDIR}/certs ${MKDIR} ${PKG_SYSCONFDIR}/certs/demoCA + ${CHOWN} ${RADIUS_USER}:${RADIUS_GROUP} ${PKG_SYSCONFDIR}/certs + ${CHOWN} ${RADIUS_USER}:${RADIUS_GROUP} ${PKG_SYSCONFDIR}/certs/demoCA + ${CHMOD} 0750 ${PKG_SYSCONFDIR}/certs + ${CHMOD} 0750 ${PKG_SYSCONFDIR}/certs/demoCA .include "../../mk/bsd.pkg.mk" diff --git a/net/freeradius/distinfo b/net/freeradius/distinfo index 1c8558e37f0..060757dac1f 100644 --- a/net/freeradius/distinfo +++ b/net/freeradius/distinfo 
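Review bot: In the `.for f in ${EGFILES}` loop, `CONF_FILES_PERMS` now makes `${RADIUS_USER}` the owner of every installed configuration file at mode 0640, which gives the unprivileged daemon write access to its own configuration, including the files under certs/demoCA. Dropping root buys less if a compromised radiusd can rewrite radiusd.conf or the other `EGFILES` entries it will be restarted with; read access through the group is enough for files the server only parses. Consider `${ROOT_USER} ${RADIUS_GROUP} 0640` here and the same owner for the `certs` directories in the post-install hunk, with the `${CHOWN} -R ${RADIUS_USER}:${RADIUS_GROUP} ${PKG_SYSCONFDIR}` advice in MESSAGE adjusted to match. If a module really has to write below raddb, that file could be listed on its own with a comment saying why.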
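Review bot: The four added `${CHOWN}`/`${CHMOD}` lines in `post-install` set the owner and mode of `${PKG_SYSCONFDIR}/certs` and `${PKG_SYSCONFDIR}/certs/demoCA` by hand, while the same commit declares the run and log directories through `OWN_DIRS_PERMS`. Declaring these two the same way, e.g. `OWN_DIRS_PERMS+= ${PKG_SYSCONFDIR}/certs ${RADIUS_USER} ${RADIUS_GROUP} 0750`, would keep all directory permissions in one mechanism; as far as I can tell it would also apply them when the package is installed from a binary package rather than built from source, which a `post-install` recipe does not obviously do. The recipe starts above the hunk, so whether the `${MKDIR}` lines would still be needed afterwards cannot be judged from here.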
@@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.21 2006/07/14 22:10:01 adrianp Exp $ +$NetBSD: distinfo,v 1.22 2006/08/10 10:55:52 adrianp Exp $ SHA1 (freeradius-1.1.2.tar.gz) = 0636c1afb14fc22e78ecb83aeaf63150d515d73d RMD160 (freeradius-1.1.2.tar.gz) = 3c0960bd30d29af9bab699ee7a38c22ec0472eb5 @@ -7,3 +7,4 @@ SHA1 (patch-ab) = 7a23eb75a9818b073263fd36cbf17b692fa19a9f SHA1 (patch-ae) = cf3497723b15b8a61c5458f312697a2d4a147439 SHA1 (patch-ai) = 128c5984464241294b201384d43a287e9bcb147e SHA1 (patch-aj) = 422c9dfbde08c26acf41a040c57508ab9725004e +SHA1 (patch-ak) = 7be986e3949a6f8368f7e01ba93521fac48eff7d diff --git a/net/freeradius/files/radiusd.sh b/net/freeradius/files/radiusd.sh index 5c2eadeacaf..cc14a98c709 100644 --- a/net/freeradius/files/radiusd.sh +++ b/net/freeradius/files/radiusd.sh @@ -1,6 +1,6 @@ #!@RCD_SCRIPTS_SHELL@ # -# $NetBSD: radiusd.sh,v 1.5 2005/02/09 09:14:26 seb Exp $ +# $NetBSD: radiusd.sh,v 1.6 2006/08/10 10:55:51 adrianp Exp $ # # PROVIDE: radiusd # REQUIRE: network @@ -22,7 +22,7 @@ radiusd_precmd() if [ ! -d @VARBASE@/run/radiusd ]; then @MKDIR@ @VARBASE@/run/radiusd @CHMOD@ 0750 @VARBASE@/run/radiusd - @CHOWN@ @ROOT_USER@:@ROOT_GROUP@ @VARBASE@/run/radiusd + @CHOWN@ @RADIUS_USER@:@RADIUS_GROUP@ @VARBASE@/run/radiusd fi } diff --git a/net/freeradius/patches/patch-ak b/net/freeradius/patches/patch-ak new file mode 100644 index 00000000000..75214ae619a --- /dev/null +++ b/net/freeradius/patches/patch-ak @@ -0,0 +1,15 @@ +$NetBSD: patch-ak,v 1.7 2006/08/10 10:55:52 adrianp Exp $ + +--- raddb/radiusd.conf.in.orig 2006-04-20 19:40:29.000000000 +0100 ++++ raddb/radiusd.conf.in +@@ -106,8 +106,8 @@ pidfile = ${run_dir}/radiusd.pid + # that the debugging mode server is running as a user that can read the + # shadow info, and the user listed below can not. + # +-#user = nobody +-#group = nobody ++user = @@RADIUS_USER@@ ++group = @@RADIUS_GROUP@@ + + # max_request_time: The maximum time (in seconds) to handle a request. + # |
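Review bot: In `radiusd_precmd()` the `@CHOWN@ @RADIUS_USER@:@RADIUS_GROUP@` line sits inside `if [ ! -d @VARBASE@/run/radiusd ]`, so a run directory left over from an earlier root-owned install keeps its old owner, and the now unprivileged daemon may be unable to write its pidfile there. MESSAGE asks the administrator to fix this by hand; moving the `@CHMOD@` and `@CHOWN@` lines below the `fi` would let the rc script repair the directory on every start instead. The function begins above the hunk, so only this branch is visible.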
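Review bot: The context lines of patch-ak carry upstream's warning that the user configured here cannot read the shadow password information, and the patch enables `user = @@RADIUS_USER@@` and `group = @@RADIUS_GROUP@@` by default without that consequence being mentioned anywhere an administrator will see it. Sites that authenticate against system passwords would presumably see logins fail after the upgrade, with nothing in MESSAGE pointing at the cause. I would add a sentence to MESSAGE such as `Authentication against the system shadow password file no longer works unless the radiusd user is given read access to it.`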