author | Michael Orlitzky <mjo@gentoo.org> | 2019-06-23 13:13:53 -0400 |
committer | Michael Orlitzky <mjo@gentoo.org> | 2019-06-23 13:15:16 -0400 |
commit | c32aef5d13c57017978860eb65c1c4f5ce88721c (patch) | |
tree | 3b0d4fb1b2204f63741f2872db911710dbac3abc /net-im | |
parent | app-office/scribus-9999: updated docdir patch (diff) | |
download | gentoo-c32aef5d13c57017978860eb65c1c4f5ce88721c.tar.gz gentoo-c32aef5d13c57017978860eb65c1c4f5ce88721c.tar.bz2 gentoo-c32aef5d13c57017978860eb65c1c4f5ce88721c.zip |
net-im/openfire: new revision to clean up ownership handling.
The new revision (-r2) is intended to clean up some of the ownership
and group handling that led to the security issue in bug 630914. Note
that while that *particular* bug was fixed, the ebuild was still
calling "chmod" in a user-controlled directory, which is also
exploitable. The following changes hopefully eliminate all of
those problems:
* Add /opt/openfire/conf to CONFIG_PROTECT.
* Use insopts/diropts to create everything under /opt/openfire with
the correct ownership and permissions to begin with.
* Install conf/openfire.xml and conf/security.xml in src_install(),
instead of creating (and chmod'ing) them later in pkg_postinst().
* Drop pkg_postinst() entirely now that we install {openfire,security}.xml
in src_install().
Bug: https://bugs.gentoo.org/630914
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Package-Manager: Portage-2.3.66, Repoman-2.3.11
Diffstat (limited to 'net-im')
-rw-r--r-- | net-im/openfire/openfire-4.2.3-r2.ebuild | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/net-im/openfire/openfire-4.2.3-r2.ebuild b/net-im/openfire/openfire-4.2.3-r2.ebuild
new file mode 100644
index 000000000000..d504e403abae
--- /dev/null
+++ b/net-im/openfire/openfire-4.2.3-r2.ebuild
@@ -0,0 +1,80 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit eutils java-pkg-2 java-ant-2 systemd
+
+MY_P=${PN}_src_${PV//./_}
+DESCRIPTION="Openfire (formerly wildfire) real time collaboration (RTC) server"
+HOMEPAGE="http://www.igniterealtime.org/projects/openfire/"
+SRC_URI="http://www.igniterealtime.org/builds/openfire/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="doc"
+
+RDEPEND=">=virtual/jre-1.7"
+DEPEND="net-im/jabber-base
+ ~dev-java/ant-contrib-1.0_beta2
+ >=virtual/jdk-1.7"
+
+S=${WORKDIR}/${PN}_src
+
+pkg_setup() {
+ java-pkg-2_pkg_setup
+}
+
+src_compile() {
+ # Jikes doesn't support -source 1.5
+ java-pkg_filter-compiler jikes
+
+ ANT_TASKS="ant-contrib"
+ eant -f build/build.xml openfire plugins $(use_doc)
+
+ # delete nativeAuth prebuilt libs:
+ # uses outdated unmaintained libshaj, does not support amd64
+ rm -rfv target/openfire/resources/nativeAuth || die
+}
+
+src_install() {
+ #Protect ssl key on upgrade
+ dodir /etc/env.d/
+ echo 'CONFIG_PROTECT="/opt/openfire/resources/security/"' > "${D}"/etc/env.d/98openfire
+ echo 'CONFIG_PROTECT="/opt/openfire/conf/"' > "${D}"/etc/env.d/98openfire
+
+ newinitd "${FILESDIR}"/openfire-initd openfire
+ newconfd "${FILESDIR}"/openfire-confd openfire
+ systemd_dounit "${FILESDIR}"/${PN}.service
+
+ diropts --owner=jabber --group=jabber
+ insopts --owner=jabber --group=jabber
+ dodir /opt/openfire
+
+ dodir /opt/openfire/logs
+ keepdir /opt/openfire/logs
+
+ dodir /opt/openfire/lib
+ insinto /opt/openfire/lib
+ doins target/openfire/lib/*
+
+ dodir /opt/openfire/plugins
+ insinto /opt/openfire/plugins
+ doins -r target/openfire/plugins/*
+
+ dodir /opt/openfire/resources
+ insinto /opt/openfire/resources
+ doins -r target/openfire/resources/*
+
+ if use doc; then
+ dohtml -r documentation/docs/*
+ fi
+ dodoc documentation/dist/*
+
+ dodir /opt/openfire/conf
+ insinto /opt/openfire/conf
+ insopts --mode=0600 --owner=jabber --group=jabber
+ newins target/openfire/conf/openfire.xml openfire.xml
+ newins target/openfire/conf/security.xml security.xml
+}
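Review bot: The second `echo ... > "${D}"/etc/env.d/98openfire` in src_install() overwrites the first with a plain `>` redirect, so the installed env.d file carries only `/opt/openfire/conf/` in CONFIG_PROTECT and `/opt/openfire/resources/security/` — the directory the `#Protect ssl key on upgrade` comment refers to — is no longer protected, which contradicts the commit message's "Add /opt/openfire/conf to CONFIG_PROTECT". Both paths belong in a single space-separated assignment: `echo 'CONFIG_PROTECT="/opt/openfire/resources/security/ /opt/openfire/conf/"' > "${D}"/etc/env.d/98openfire`. Separately, `insopts --mode=0600` is set only immediately before the conf/ files, so everything under target/openfire/resources/security/ is installed with the default insopts mode; if that directory holds the private key material the comment has in mind, the same restrictive mode would be worth applying to it as well.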