-rw-r--r--net-misc/scponly/ChangeLog9
-rw-r--r--net-misc/scponly/Manifest5
-rw-r--r--net-misc/scponly/metadata.xml31
-rw-r--r--net-misc/scponly/scponly-4.8-r1.ebuild285
4 files changed, 320 insertions, 10 deletions
diff --git a/net-misc/scponly/ChangeLog b/net-misc/scponly/ChangeLog
index 733bbe9bf848..fb6861b9a925 100644
--- a/net-misc/scponly/ChangeLog
+++ b/net-misc/scponly/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-misc/scponly
# Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/scponly/ChangeLog,v 1.37 2008/01/23 13:34:41 matsuu Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/scponly/ChangeLog,v 1.38 2008/11/13 22:47:23 sbriesen Exp $
+
+*scponly-4.8-r1 (13 Nov 2008)
+
+ 13 Nov 2008; Stefan Briesenick <sbriesen@gentoo.org> metadata.xml,
+ +scponly-4.8-r1.ebuild:
+ complete cleanup of ebuild, adding many new use-flags (bug #209579),
+ reworked chroot setup (bug #246514), respect LDFLAGS (bug #209800).
23 Jan 2008; MATSUU Takuto <matsuu@gentoo.org>
-files/scponly-4.3-getopt.patch, -files/scponly-4.6-helper.patch,
diff --git a/net-misc/scponly/Manifest b/net-misc/scponly/Manifest
index 8c4f22968e81..92933bb8a9a1 100644
--- a/net-misc/scponly/Manifest
+++ b/net-misc/scponly/Manifest
@@ -1,4 +1,5 @@
DIST scponly-4.8.tgz 101687 RMD160 de6b58fcb8108d42a1576c69003e9136b9417869 SHA1 154de34901ce22fd9d406f6e02cddc440c435afc SHA256 1693dd678355749c5d9e48ecdd4628dbfe71d82955afde950ee8d88b5adc01cf
+EBUILD scponly-4.8-r1.ebuild 8700 RMD160 271ed00ae17e632bf8189f25ad51ea8486b56826 SHA1 331f0e99182e42fa0a43c966505b1d87bb39aff4 SHA256 5a781224079cdd074892a74190912a99a77fadf9f1ebb300f6342fb9be0cee4a
EBUILD scponly-4.8.ebuild 4283 RMD160 2e555f2bf02554ccf2c6005476c90e637690e3be SHA1 a73ad3c22ba463951c3827f5b1a515fd3e621a13 SHA256 ea3d3d88d8079353a846129de71679bcdf7021f2f91593a0ee95d218a9c11a90
-MISC ChangeLog 5351 RMD160 5218e2bc23cb420a79f21f5b449d67aea43ed3fd SHA1 514f74aabde1ff343b4cdeee7e022954a2d08544 SHA256 346270b495edf12ccf642e09545a1d200b21f4c910a567cd333ce25ce14af711
-MISC metadata.xml 336 RMD160 298d54c6467d5bb27be28031acd7c51f3821170a SHA1 bd3af7108aa1801f3c629db295e8c9cf6f77131e SHA256 78dc3136b02c14893e231cf14116c2611d93318f9ed5a8209fc581e1f621e3ca
+MISC ChangeLog 5621 RMD160 c3acfc3701480dbf96bc94bfa2c3f7e197c497a8 SHA1 aaa9c65b3aa4a0967570a8ef20cbd83821ef0a18 SHA256 6ca131d5d9e8da44b6710b5048013d3e6987371a4865d948575ad85574a32912
+MISC metadata.xml 1424 RMD160 bedfada17f8ebfb8964a627769b1f6f96114ada4 SHA1 c7063171c58a7d6195e291232b96820957df8fbf SHA256 39e481515e78825063291d053dd92d5652d0c824b706e67dadaccecdcad491e2
diff --git a/net-misc/scponly/metadata.xml b/net-misc/scponly/metadata.xml
index d03eddbc6a6f..23ee51c242ce 100644
--- a/net-misc/scponly/metadata.xml
+++ b/net-misc/scponly/metadata.xml
@@ -1,11 +1,28 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
- <herd>no-herd</herd>
- <maintainer>
- <email>matsuu@gentoo.org</email>
- </maintainer>
- <use>
- <flag name="rsync">Enabling rsync compatibility with potential security risks</flag>
- </use>
+ <herd>no-herd</herd>
+ <maintainer>
+ <email>matsuu@gentoo.org</email>
+ </maintainer>
+ <longdescription lang="en">
+ scponly is an alternative 'shell' (of sorts) for system administrators
+ who would like to provide access to remote users to both read and write
+ local files without providing any remote execution priviledges.
+ Functionally, it is best described as a wrapper to the tried and true
+ ssh suite of applications.
+ </longdescription>
+ <use>
+ <flag name="rsync">Enables rsync compatibility with potential security risks</flag>
+ <flag name="unison">Enables Unison compatibility with potential security risks</flag>
+ <flag name="subversion">Enables Subversion compatibility with potential security risks</flag>
+ <flag name="winscp">Enables WinSCP 2.0 compatibility with potential security risks</flag>
+ <flag name="scp">Enables scp compatibility with potential security risks</flag>
+ <flag name="sftp">Enables SFTP compatibility</flag>
+ <flag name="gftp">Enables gFTP compatibility</flag>
+ <flag name="quota">Enables quota compatibility</flag>
+ <flag name="passwd">Enables passwd compatibility</flag>
+ <flag name="logging">Enables SFTP logging compatibility</flag>
+ <flag name="wildcards">Enables wildcard processing with potential security risks</flag>
+ </use>
</pkgmetadata>
diff --git a/net-misc/scponly/scponly-4.8-r1.ebuild b/net-misc/scponly/scponly-4.8-r1.ebuild
new file mode 100644
index 000000000000..e1dab2e33d79
--- /dev/null
+++ b/net-misc/scponly/scponly-4.8-r1.ebuild
@@ -0,0 +1,285 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/scponly/scponly-4.8-r1.ebuild,v 1.1 2008/11/13 22:47:23 sbriesen Exp $
+
+inherit eutils multilib toolchain-funcs
+
+DESCRIPTION="A tiny pseudoshell which only permits scp and sftp"
+HOMEPAGE="http://www.sublimation.org/scponly/"
+SRC_URI="mirror://sourceforge/scponly/${P}.tgz"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~amd64 ~mips ~ppc ~sparc ~x86"
+IUSE="sftp scp winscp gftp rsync unison subversion wildcards quota passwd logging"
+
+RDEPEND="virtual/libc
+ sys-apps/sed
+ net-misc/openssh
+ quota? ( sys-fs/quota )
+ passwd? ( sys-apps/shadow )
+ rsync? ( net-misc/rsync )
+ unison? ( net-misc/unison )
+ subversion? ( dev-util/subversion )"
+DEPEND="${RDEPEND}"
+
+myuser="scponly"
+myhome="/home/${myuser}"
+mysubdir="/pub"
+
+pkg_setup() {
+ if use unison; then
+ if [ ! -e "${ROOT}usr/bin/unison" ]; then
+ eerror
+ eerror "please run 'eselect unison set <version>' first!"
+ die "can't find /usr/bin/unison"
+ fi
+ fi
+
+ if ! use subversion && ! use unison && ! use rsync && \
+ ! use sftp && ! use scp && ! use winscp; then
+ eerror
+ eerror "you have to enable at least one of the following use-flags:"
+ eerror "sftp scp winscp rsync unison subversion"
+ die "your build will quite useless without any compatibility mode"
+ fi
+
+ if use subversion || use unison || use rsync || use wildcards || use scp || use winscp; then
+ ewarn
+ ewarn "NOTE THE FOLLOWING SECURITY RISKS:"
+ ewarn
+ if use wildcards; then
+ ewarn "-- by enabling wildcards, there is a slightly higher chance of an exploit"
+ fi
+ if use scp || use winscp; then
+ ewarn "-- by enabling scp and/or winscp compatibility, more programs will need"
+ ewarn " to be installed in the chroot which increases the risk."
+ fi
+ if use subversion; then
+ ewarn "-- CAUTION: by enabling subversion the user WILL BE ABLE TO EXECUTE"
+ ewarn " SCRIPTS OR PROGRAMS INDIRECTLY! svn and svnserve will try to execute"
+ ewarn " pre-commit, post-commit hooks, as well as a few others. These files"
+ ewarn " have specific filenames at specific locations relative to the svn"
+ ewarn " repository root. Thus, unless you are *very* careful about security,"
+ ewarn " the user WILL BE ABLE TO EXECUTE SCRIPTS OR PROGRAMS INDIRECTLY!"
+ ewarn " This can be prevented by a careful configuration."
+ fi
+ if use subversion || use unison || use rsync; then
+ ewarn "-- The following programs use configuration files that might allow the"
+ ewarn " user to bypass security restrictions placed on command line arguments:"
+ ewarn " svn, svnserve, rsync, unison"
+ fi
+ ewarn
+ ewarn "please read /usr/share/doc/${PF}/SECURITY* after install!"
+ ewarn
+ ebeep 5
+ fi
+}
+
+src_compile() {
+ CFLAGS="${CFLAGS} ${LDFLAGS}" econf \
+ --with-sftp-server="/usr/$(get_libdir)/misc/sftp-server" \
+ --with-default-chdir="/" \
+ --disable-restrictive-names \
+ --enable-chrooted-binary \
+ --enable-chroot-checkdir \
+ $(use_enable winscp winscp-compat) \
+ $(use_enable gftp gftp-compat) \
+ $(use_enable scp scp-compat) \
+ $(use_enable sftp sftp) \
+ $(use_enable quota quota-compat) \
+ $(use_enable passwd passwd-compat) \
+ $(use_enable rsync rsync-compat) \
+ $(use_enable unison unison-compat) \
+ $(use_enable subversion svn-compat) \
+ $(use_enable subversion svnserv-compat) \
+ $(use_enable logging sftp-logging-compat) \
+ $(use_enable wildcards wildcards) \
+ || die "econf failed"
+ emake CC=$(tc-getCC) || die "emake failed"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die
+
+ dodoc AUTHOR BUILDING-JAILS.TXT CHANGELOG CONTRIB README SECURITY TODO
+
+ # don't compress setup-script, so it is usable if necessary
+ insinto /usr/share/doc/${PF}/chroot
+ doins setup_chroot.sh config.h
+}
+
+pkg_postinst() {
+ elog
+ elog "You might want to run"
+ elog " emerge --config =${CATEGORY}/${PF}"
+ elog "to setup the chroot. Otherwise you will have to setup chroot manually."
+ elog
+ elog "Please read the docs in /usr/share/doc/${PF} for more informations!"
+ elog
+
+ # two slashes ('//') are used by scponlyc to determine the chroot point.
+ enewgroup "${myuser}"
+ enewuser "${myuser}" -1 /usr/sbin/scponlyc "${myhome}//" "${myuser}"
+}
+
+pkg_config() {
+ # pkg_postinst is based on ${S}/setup_chroot.sh.
+
+ einfo "Collecting binaries and libraries..."
+
+ # Binaries launched in sftp compat mode
+ if built_with_use =${CATEGORY}/${PF} sftp; then
+ BINARIES="/usr/$(get_libdir)/misc/sftp-server"
+ fi
+
+ # Binaries launched by vanilla- and WinSCP modes
+ if built_with_use =${CATEGORY}/${PF} scp || \
+ built_with_use =${CATEGORY}/${PF} winscp; then
+ BINARIES="${BINARIES} /usr/bin/scp /bin/ls /bin/rm /bin/ln /bin/mv"
+ BINARIES="${BINARIES} /bin/chmod /bin/chown /bin/chgrp /bin/mkdir /bin/rmdir"
+ fi
+
+ # Binaries launched in WinSCP compatibility mode
+ if built_with_use =${CATEGORY}/${PF} winscp; then
+ BINARIES="${BINARIES} /bin/pwd /bin/groups /usr/bin/id /bin/echo"
+ fi
+
+ # Rsync compatability mode
+ if built_with_use =${CATEGORY}/${PF} rsync; then
+ BINARIES="${BINARIES} /usr/bin/rsync"
+ fi
+
+ # Unison compatability mode
+ if built_with_use =${CATEGORY}/${PF} unison; then
+ BINARIES="${BINARIES} /usr/bin/unison"
+ fi
+
+ # subversion cli/svnserv compatibility
+ if built_with_use =${CATEGORY}/${PF} subversion; then
+ BINARIES="${BINARIES} /usr/bin/svn /usr/bin/svnserve"
+ fi
+
+ # passwd compatibility
+ if built_with_use =${CATEGORY}/${PF} passwd; then
+ BINARIES="${BINARIES} /bin/passwd"
+ fi
+
+ # quota compatibility
+ if built_with_use =${CATEGORY}/${PF} quota; then
+ BINARIES="${BINARIES} /usr/bin/quota"
+ fi
+
+ # build lib dependencies
+ LIB_LIST=$(ldd ${BINARIES} | sed -n 's:.* => \(/[^ ]\+\).*:\1:p' | sort -u)
+
+ # search and add ld*.so
+ for LIB in /$(get_libdir)/ld.so /libexec/ld-elf.so /libexec/ld-elf.so.1 \
+ /usr/libexec/ld.so /$(get_libdir)/ld-linux.so.2 /usr/libexec/ld-elf.so.1; do
+ [ -f "${LIB}" ] && LIB_LIST="${LIB_LIST} ${LIB}"
+ done
+
+ # search and add libnss_*.so
+ for LIB in /$(get_libdir)/libnss_{compat,files}*.so.*; do
+ [ -f "${LIB}" ] && LIB_LIST="${LIB_LIST} ${LIB}"
+ done
+
+ # create base dirs
+ if [ ! -d "${myhome}" ]; then
+ einfo "Creating ${myhome}"
+ install -o0 -g0 -m0755 -d "${myhome}"
+ fi
+
+ if [ ! -d "${myhome}/etc" ]; then
+ einfo "Creating ${myhome}/etc"
+ install -o0 -g0 -m0755 -d "${myhome}/etc"
+ fi
+
+ if [ ! -d "${myhome}/$(get_libdir)" ]; then
+ einfo "Creating ${myhome}/$(get_libdir)"
+ install -o0 -g0 -m0755 -d "${myhome}/$(get_libdir)"
+ fi
+
+ if [ ! -e "${myhome}/lib" ]; then
+ einfo "Creating ${myhome}/lib"
+ ln -snf $(get_libdir) "${myhome}/lib"
+ fi
+
+ if [ ! -d "${myhome}/usr/$(get_libdir)" ]; then
+ einfo "Creating ${myhome}/usr/$(get_libdir)"
+ install -o0 -g0 -m0755 -d "${myhome}/usr/$(get_libdir)"
+ fi
+
+ if [ ! -e "${myhome}/usr/lib" ]; then
+ einfo "Creating ${myhome}/usr/lib"
+ ln -snf $(get_libdir) "${myhome}/usr/lib"
+ fi
+
+ if [ ! -d "${myhome}${mysubdir}" ]; then
+ einfo "Creating ${myhome}${mysubdir} directory for uploading files"
+ install -o${myuser} -g${myuser} -m0755 -d "${myhome}${mysubdir}"
+ fi
+
+ # create /dev/null (Bug 135505)
+ if [ ! -e "${myhome}/dev/null" ]; then
+ install -o0 -g0 -m0755 -d "${myhome}/dev"
+ mknod -m0777 "${myhome}/dev/null" c 1 3
+ fi
+
+ # install binaries
+ for BIN in ${BINARIES}; do
+ einfo "Install ${BIN}"
+ install -o0 -g0 -m0755 -d "${myhome}$(dirname ${BIN})"
+ install "${BIN}" "${myhome}/${BIN}"
+ done
+
+ # install libs
+ for LIB in ${LIB_LIST}; do
+ einfo "Install ${LIB}"
+ install -o0 -g0 -m0755 -d "${myhome}$(dirname ${LIB})"
+ install "${LIB}" "${myhome}/${LIB}"
+ done
+
+ # create ld.so.conf
+ einfo "Creating /etc/ld.so.conf"
+ for LIB in ${LIB_LIST}; do
+ dirname ${LIB}
+ done | sort -u | while read DIR; do
+ if ! grep 2>/dev/null -q "^${DIR}$" "${myhome}/etc/ld.so.conf"; then
+ echo "${DIR}" >> "${myhome}/etc/ld.so.conf"
+ fi
+ done
+ ldconfig -r "${myhome}"
+
+ # update shells
+ einfo "Updating /etc/shells"
+ grep 2>/dev/null -q "^/usr/bin/scponly$" /etc/shells \
+ || echo "/usr/bin/scponly" >> /etc/shells
+
+ grep 2>/dev/null -q "^/usr/sbin/scponlyc$" /etc/shells \
+ || echo "/usr/sbin/scponlyc" >> /etc/shells
+
+ # create /etc/passwd
+ if [ ! -e "${myhome}/etc/passwd" ]; then
+ (
+ echo "root:x:0:0:root:/:/bin/sh"
+ sed -n "s|^\(${myuser}:[^:]*:[^:]*:[^:]*:[^:]*:\).*|\1${mysubdir}:/bin/sh|p" /etc/passwd
+ ) > "${myhome}/etc/passwd"
+ fi
+
+ # create /etc/group
+ if [ ! -e "${myhome}/etc/group" ]; then
+ (
+ echo "root:x:0:"
+ sed -n "s|^\(${myuser}:[^:]*:[^:]*:\).*|\1|p" /etc/group
+ ) > "${myhome}/etc/group"
+ fi
+
+ # fix permissions
+ #chown 0:0 "${myhome}"
+ #for DIR in .ssh .unison .subversion; do
+ # if [ -d "${myhome}/${DIR}" ]; then
+ # chown 0:0 "${myhome}/${DIR}"
+ # fi
+ #done
+}
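Review bot: pkg_config only sets root ownership on the chroot root when it creates the directory itself (`if [ ! -d "${myhome}" ]` followed by `install -o0 -g0 -m0755 -d "${myhome}"`), and the `chown 0:0 "${myhome}"` that would cover the pre-existing case is left commented out in the "fix permissions" block at the end. Since pkg_postinst runs `enewuser ... "${myhome}//"` before pkg_config is ever invoked, it seems likely that ${myhome} already exists by then — possibly owned by the scponly user, depending on what enewuser does with the home path — so the guard is skipped and the jail root keeps whatever ownership it had. A chroot root that the confined user can write to undermines the jail, because etc/passwd, the lib directories and the copied binaries under it can then be altered over sftp. I would unconditionally enforce the ownership and mode after the base directories are created, `chown 0:0 "${myhome}"` and `chmod 0755 "${myhome}"`, and either restore or delete the commented-out loop over .ssh/.unison/.subversion so its intent is not left ambiguous. On a smaller note, `$(dirname ${BIN})` and `$(dirname ${LIB})` in the install loops are unquoted and should be `$(dirname "${BIN}")` for consistency with the surrounding quoting.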