From owner-freebsd-ports-bugs@FreeBSD.ORG Tue Mar 25 23:30:01 2008 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 318E0106566B for ; Tue, 25 Mar 2008 23:30:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id E44528FC23 for ; Tue, 25 Mar 2008 23:30:00 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m2PNU0X8004562 for ; Tue, 25 Mar 2008 23:30:00 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m2PNU0Ws004561; Tue, 25 Mar 2008 23:30:00 GMT (envelope-from gnats) Resent-Date: Tue, 25 Mar 2008 23:30:00 GMT Resent-Message-Id: <200803252330.m2PNU0Ws004561@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, David Wood Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0060B1065673 for ; Tue, 25 Mar 2008 23:22:47 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id C56328FC1F for ; Tue, 25 Mar 2008 23:22:47 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m2PNMZwm035757 for ; Tue, 25 Mar 2008 23:22:35 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.14.2/8.14.1/Submit) id m2PNMZi3035756; Tue, 25 Mar 2008 23:22:35 GMT (envelope-from nobody) Message-Id: <200803252322.m2PNMZi3035756@www.freebsd.org> Date: Tue, 25 Mar 2008 23:22:35 GMT From: David Wood To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Cc: Subject: ports/122097: net/freeradius2 - update to 2.0.3 X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Mar 2008 23:30:01 -0000 >Number: 122097 >Category: ports >Synopsis: net/freeradius2 - update to 2.0.3 >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Tue Mar 25 23:30:00 UTC 2008 >Closed-Date: >Last-Modified: >Originator: David Wood >Release: 6.2-RELEASE i386 >Organization: >Environment: FreeBSD titanium.wood2.org.uk 6.2-RELEASE-p10 FreeBSD 6.2-RELEASE-p10 #0: Tue Jan 15 17:30:36 GMT 2008 david@titanium.wood2.org.uk:/usr/obj/usr/src/sys/TITANIUM i386 >Description: FreeBSD enhancements ==================== A new USER option has been added to run FreeRADIUS as the freeradius user and freeradius group. Running as root is not recommended from a security point of view. This option makes it easy to secure your FreeRADIUS server 'out of the box'. Some unnecessary code has been removed from the patch to rlm_python in files/patch-pthread. Release notes ============= 2.0.2: Feature improvements * Added notes on how to debug the server in radiusd.conf * Moved all "log_*" in radiusd.conf to log{} section. The old configurations are still accepted, though. * Added ca.der target in raddb/certs/Makefile. This is needed for importing CA certs into Windows. * Added ability send raw attributes via "Raw-Attribute = 0x0102..." This is available only debug builds. It can be used to create invalid packets! Use it with care. * Permit "unlang" policies inside of Auth-Type{} sub-sections of the authenticate{} section. This makes some policies easier to implement. * "listen" sections can now have "type = proxy". This lets you control which IP is used for sending proxied requests. * Added note on SSL performance to raddb/certs/README Bug fixes * Fixed reading of "detail" files. * Allow inner EAP tunneled sessions to be proxied. * Corrected MySQL schemas * syslog now works in log{} section. * Corrected typo in raddb/certs/client.cnf * Updated raddb/sites-available/proxy-inner-tunnel to permit authentication to work. * Ignore zero-length attributes in received packets. * Correct memcpy when dealing with unknown attributes. * Corrected debugging messages in attr_rewrite. * Corrected generation of State attribute in EAP. This fixes the "failed to remember handler" issues. * Fall back to DEFAULT realm if no realm was found. Based on a patch from Vincent Magnin. * Updated example raddb/sites-available/proxy-inner-tunnel * Corrected behavior of attr_filter to match documentation. This is NOT backwards compatible with previous versions! See "man rlm_attr_filter" for details. 2.0.3: Feature improvements * Updated raddb/certs/ca.cnf with extensions to allow ca.der to be imported as a CA on Symbian and Windows Mobile devices. Closes bug #524 * Enable multiple matches in "hints" via Fall-Through = Yes. Closes bug #477 * Added preliminary SQLite driver, contibuted by Apple. Untested, with no sample configuration. This address bug #470. * Updated logging sub-system so that log messages from libfreeradius can go to the log file, and not stdout. * Added dictionary.rfc5176 * EAP module now checks for instance name, and uses that for authentication. This avoids the need to set Auth-Type when there are multiple instances of the EAP module. * Added Module-Return-Code attribute, which contains the value returned by the previous module (ok/fail/update/etc.) Bug fixes * Corrected typos in rlm_dbm. Closes bugs #521 and #522. * Detail file "listen" sections now work much better. * Don't allow old "log_*" to over-ride new format. Closes bug #525 * Initialize allocated memory in Oracle SQL driver. This fixes occasional crashes on some systems. Closes bug #518 * Call correct function in rlm_protocol_filter. This enables the module to build. Closes bug #512. * Added deprecated flag to build for rlm_krb5. This allows it to run on 64-bit systems. Closes bug #491 * Corrected error message when parsing invalid configurations so it doesn't crash. Closes bug #527 * Fix handling of timeouts in rlm_ldap that affected 64-bit systems. * Handle $INCLUDE's in "instantiate" section. Closes #528. * Format updates to "man" pages from Stephen Gran. >How-To-Repeat: >Fix: Files added: files/patch-sites-available, files/pkg-deinstall.in, files/pkg-install.in Files deleted: Add the following line to /usr/ports/UIDs: freeradius:*:133:133:FreeRADIUS Daemon:/nonexistent:/usr/sbin/nologin Add the following line to /usr/ports/GIDs: freeradius:*:133: (if UID / GID 133 have been taken by the time this is committed, use the next free UID / GID) Patch attached with submission follows: Index: distinfo =================================================================== --- distinfo (.../branches/FreeBSD-ports-tree/freeradius2) (revision 181) +++ distinfo (.../trunk/freeradius2) (revision 181) @@ -1,3 +1,3 @@ -MD5 (freeradius-server-2.0.1.tar.bz2) = 670810d0ee7e80999fcd753cfdcecdb4 -SHA256 (freeradius-server-2.0.1.tar.bz2) = d5e1cd96762cc2091d64198bc50d03690f94dfd4d96b36a042dda1490b8143df -SIZE (freeradius-server-2.0.1.tar.bz2) = 2270018 +MD5 (freeradius-server-2.0.3.tar.bz2) = 3cd647f40880dee8693f2e74ab5416e9 +SHA256 (freeradius-server-2.0.3.tar.bz2) = 3184e9be6d88df3cdf72a08a7e00222c17bc360289ecf14219df9c81d68d7f79 +SIZE (freeradius-server-2.0.3.tar.bz2) = 2298963 Index: files/patch-sites-available =================================================================== --- files/patch-sites-available (.../branches/FreeBSD-ports-tree/freeradius2) (revision 0) +++ files/patch-sites-available (.../trunk/freeradius2) (revision 181) @@ -0,0 +1,31 @@ +--- raddb/Makefile Tue Feb 26 09:32:29 2008 ++++ raddb/Makefile Tue Mar 18 13:13:41 2008 +@@ -1,7 +1,7 @@ + # + # Makefile + # +-# Version: $Id: Makefile,v 1.37 2008/02/26 09:32:29 aland Exp $ ++# Version: $Id: Makefile,v 1.38 2008/03/18 06:33:03 aland Exp $ + # + + include ../Make.inc +@@ -13,9 +13,7 @@ + attrs.pre-proxy clients.conf dictionary eap.conf templates.conf \ + experimental.conf hints huntgroups ldap.attrmap otp.conf \ + policy.txt preproxy_users proxy.conf radiusd.conf \ +- snmp.conf sql.conf sqlippool.conf users policy.conf \ +- sites-available/default sites-available/example \ +- sites-available/README ++ snmp.conf sql.conf sqlippool.conf users policy.conf + + # + # This target is here for local debugging +@@ -33,7 +31,7 @@ + $(INSTALL) -d -m 750 $(R)$(raddbdir)/sites-available + $(INSTALL) -d -m 750 $(R)$(raddbdir)/sites-enabled + @echo "Creating/updating files in $(R)$(raddbdir)"; \ +- for i in $(FILES); do \ ++ for i in $(FILES) `ls sites-available/* | sed 's/CVS//'`; do \ + [ ! -f $(R)$(raddbdir)/$$i ] && $(INSTALL) -m 640 $$i $(R)$(raddbdir)/$$i; \ + if [ "`find $$i -newer $(R)$(raddbdir)/$$i`" ]; then \ + echo "** $(R)$(raddbdir)/$$i"; \ Index: files/pkg-deinstall.in =================================================================== --- files/pkg-deinstall.in (.../branches/FreeBSD-ports-tree/freeradius2) (revision 0) +++ files/pkg-deinstall.in (.../trunk/freeradius2) (revision 181) @@ -0,0 +1,32 @@ +#!/bin/sh + +if [ %%RUN_AS_USER%% != "yes" ]; then exit 0; fi + +case $2 in + POST-DEINSTALL) + cat </dev/null 2>&1 ; then + echo "===> Using pre-existing group $group" + else + if pw groupadd -n $group -g $gid ; then + echo "===> Group $group created" + else + cat <<-EOERRORMSG +*** Failed to create the $group group. + +Please add the $user user and $group group +manually with the commands: + + pw groupadd -n $group -g $gid + pw useradd -n $user -u $uid -g $group -c "$gecos" \\ + -d $home -s $shell -h - + +and retry installing this package. +EOERRORMSG + exit 1 + fi + fi + +} + + +create_user() { + local user uid group gid gecos home shell + + user=$1 + uid=$2 + group=$3 + gid=$4 + gecos=$5 + home=$6 + shell=$7 + + if pw user show -n $user >/dev/null 2>&1 ; then + echo "===> Using pre-existing user $user" + else + if pw useradd -n $user -u $uid -g $group -c "$gecos" \ + -d $home -s $shell -h - ; then + echo "===> Created $user user" + else + cat <<-EOERRORMSG +*** Failed to create the $user user. + +Please add the $user user manually with the command: + + pw useradd -n $user -u $uid -g $group -c "$gecos" \\ + -d $home -s $shell -h - + +and retry installing this package. +EOERRORMSG + exit 1 + fi + fi +} + + +if [ ${radius_run_as_user} != "yes" ]; then exit 0; fi + +case $2 in + PRE-INSTALL) + # Create the radius user and group if they do not already exist + create_group $radius_user $radius_uid $radius_group $radius_gid \ + "$radius_gecos" $radius_home $radius_shell + create_user $radius_user $radius_uid $radius_group $radius_gid \ + "$radius_gecos" $radius_home $radius_shell + + # Fix the user and group in raddb/radiusd.conf + echo "===> Setting user and group in radiusd.conf" + for file in ${radius_raddb_work}/radiusd.conf ${radius_raddb}/radiusd.conf; do + if [ -f ${file} ]; then + if ! sed -Ee "s/^[[:space:]#](user[[:space:]]*=[[:space:]]*).*$/\1${radius_user}/" \ + -e "s/^[[:space:]#](group[[:space:]]*=[[:space:]]*).*$/\1${radius_group}/" \ + -i .orig ${file}; then + echo "Failed to patch ${file}." + exit 1 + fi + if [ -f ${file}.orig ]; then + if ! rm ${file}.orig; then + echo "Failed to delete backup file ${file}.orig." + exit 1 + fi + fi + fi + done + + ;; + + POST-INSTALL) + # Change ownership of directories + for dir in $radius_raddb $radius_logdir/radacct \ + /var/run/radiusd ; do + if [ -d $dir ] || [ -L $dir ]; then + echo "===> Adjusting ownership of the ${dir} directory." + if ! chown -HR $radius_user:$radius_group $dir; then + echo "Failed to adjust ownership of ${dir}." + exit 1 + fi + fi + done + + for file in $radius_logdir/radius.log $radius_logdir/radutmp \ + $radius_logdir/radwtmp; do + if [ -f $file ]; then + echo "===> Adjusting ownership of ${file}." + if ! chown $radius_user:$radius_group $file; then + echo "Failed to adjust ownership of ${file}." + exit 1 + fi + fi + done + + ;; +esac + + +# Emacs variables + +# Local Variables: +# mode: sh +# sh-basic-offset: 4 +# sh-indent-comment: nil +# End: Index: pkg-plist =================================================================== --- pkg-plist (.../branches/FreeBSD-ports-tree/freeradius2) (revision 181) +++ pkg-plist (.../trunk/freeradius2) (revision 181) @@ -48,9 +48,15 @@ %%EXAMPLESDIR%%/raddb/proxy.conf %%EXAMPLESDIR%%/raddb/radiusd.conf %%EXAMPLESDIR%%/raddb/sites-available/README +%%EXAMPLESDIR%%/raddb/sites-available/buffered-sql +%%EXAMPLESDIR%%/raddb/sites-available/copy-acct-to-home-server %%EXAMPLESDIR%%/raddb/sites-available/default %%EXAMPLESDIR%%/raddb/sites-available/example +%%EXAMPLESDIR%%/raddb/sites-available/inner-tunnel +%%EXAMPLESDIR%%/raddb/sites-available/proxy-inner-tunnel +%%EXAMPLESDIR%%/raddb/sites-available/vmps %%EXAMPLESDIR%%/raddb/sites-enabled/default +%%EXAMPLESDIR%%/raddb/sites-enabled/inner-tunnel %%EXAMPLESDIR%%/raddb/snmp.conf %%EXAMPLESDIR%%/raddb/sql.conf %%EXAMPLESDIR%%/raddb/sql/mssql/dialup.conf @@ -485,6 +491,7 @@ %%PORTDOCS%%%%DOCSDIR%%/rfc/rfc4818.txt %%PORTDOCS%%%%DOCSDIR%%/rfc/rfc4849.txt %%PORTDOCS%%%%DOCSDIR%%/rfc/rfc5080.txt +%%PORTDOCS%%%%DOCSDIR%%/rfc/rfc5176.txt %%PORTDOCS%%%%DOCSDIR%%/rlm_dbm %%PORTDOCS%%%%DOCSDIR%%/rlm_eap %%PORTDOCS%%%%DOCSDIR%%/rlm_expiration @@ -596,6 +603,7 @@ %%DATADIR%%/dictionary.rfc4679 %%DATADIR%%/dictionary.rfc4818 %%DATADIR%%/dictionary.rfc4849 +%%DATADIR%%/dictionary.rfc5176 %%DATADIR%%/dictionary.riverstone %%DATADIR%%/dictionary.roaringpenguin %%DATADIR%%/dictionary.shasta @@ -622,7 +630,7 @@ %%DATADIR%%/dictionary.xylan %%DATADIR%%/dictionary.zyxel @dirrm %%DATADIR%% -@exec mkdir -p /var/log/raddb -@exec chmod -R og= /var/log/raddb +@exec if [ ! -d /var/log/radacct ]; then mkdir -p /var/log/radacct; chmod -R go= /var/log/radacct; fi +@exec for i in /var/log/radius.log /var/log/radutmp /var/log/radwtmp; do if [ ! -f ${i} ]; then touch ${i}; chmod go= ${i}; fi; done @exec mkdir -p /var/run/radiusd @unexec rm -fr /var/run/radiusd Index: Makefile =================================================================== --- Makefile (.../branches/FreeBSD-ports-tree/freeradius2) (revision 181) +++ Makefile (.../trunk/freeradius2) (revision 181) @@ -6,7 +6,7 @@ # PORTNAME= freeradius -DISTVERSION= 2.0.1 +DISTVERSION= 2.0.3 CATEGORIES= net MASTER_SITES= ftp://ftp.freeradius.org/pub/freeradius/%SUBDIR%/ \ ftp://ftp.ntua.gr/pub/net/radius/freeradius/%SUBDIR%/ \ @@ -40,7 +40,8 @@ PLIST_SUB= PORTVERSION=${DISTVERSION} -OPTIONS= KERBEROS "With Kerberos support" off \ +OPTIONS= USER "Run as user freeradius, group freeradius" on \ + KERBEROS "With Kerberos support" off \ HEIMDAL "With Heimdal Kerberos support" off \ LDAP "With LDAP database support" off \ MYSQL "With MySQL database support" off \ @@ -54,6 +55,10 @@ # Default requirements for rc script _REQUIRE= NETWORKING SERVERS +# User and group to use if USER is set +USER= freeradius +GROUP= freeradius + CONFIGURE_ARGS= --quiet \ --prefix=${PREFIX} \ --localstatedir=/var \ @@ -80,6 +85,7 @@ --without-rlm_sql_db2 \ --without-rlm_sql_iodbc \ --without-rlm_sql_oracle \ + --without-rlm_sql_sqlite \ --without-rlm_sql_sybase \ --without-rlm_sql_unixodbc \ --with-vmps @@ -88,6 +94,41 @@ CONFIGURE_ARGS+= --with-pic .endif +# Credentials for WITH_USER are RADIUS_USER, RADIUS_UID, RADIUS_GECOS, +# RADIUS_HOME, RADIUS_SHELL, RADIUS_GROUP and RADIUS_GID. + +# Parse ${PORTSDIR}/UIDs and GIDs for the defaults +USER!= ${GREP} -E '^${USER}:' ${PORTSDIR}/UIDs | \ + ${SED} -Ee 's/^([^:]*):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*)$$/USER="\1" UID="\3" GECOS="\5" HOME="\6" SHELL="\7"/' +GROUP!= ${GREP} -E '^${GROUP}:' ${PORTSDIR}/GIDs | \ + ${SED} -Ee 's/^([^:]*):([^:]*):([^:]*):$$/GROUP="\1" GID="\3"/' + +# Apply the defaults where necessary +RADIUS_USER?= ${USER:MUSER*:C/^[^=]*=\"([^\"]*)\"$/\1/} +RADIUS_UID?= ${USER:MUID*:C/^[^=]*=\"([^\"]*)\"$/\1/} +RADIUS_GECOS?= ${USER:MGECOS*:C/^[^=]*=\"([^\"]*)\"$/\1/} +RADIUS_HOME?= ${USER:MHOME*:C/^[^=]*=\"([^\"]*)\"$/\1/} +RADIUS_SHELL?= ${USER:MSHELL*:C/^[^=]*=\"([^\"]*)\"$/\1/} +RADIUS_GROUP?= ${GROUP:MGROUP*:C/^[^=]*=\"([^\"]*)\"$/\1/} +RADIUS_GID?= ${GROUP:MGID*:C/^[^=]*=\"([^\"]*)\"$/\1/} + +SUB_LIST+= USER="${RADIUS_USER}" \ + UID="${RADIUS_UID}" \ + GECOS="${RADIUS_GECOS}" \ + HOME="${RADIUS_HOME}" \ + SHELL="${RADIUS_SHELL}" \ + GROUP="${RADIUS_GROUP}" \ + GID="${RADIUS_GID}" \ + RADDB_WORK="${WRKSRC}/raddb" \ + RADDB="${PREFIX}/etc/raddb" \ + LOGDIR="${LOGDIR}" +SUB_FILES+= pkg-install pkg-deinstall +.ifdef(WITH_USER) +SUB_LIST+= RUN_AS_USER="yes" +.else +SUB_LIST+= RUN_AS_USER="no" +.endif + .if defined(WITH_HEIMDAL) && !defined(WITH_KERBEROS) WITH_KERBEROS= yes .endif @@ -226,6 +267,11 @@ && ${AUTOCONF} -I ${WRKSRC} @cd ${WRKSRC}/src/modules/rlm_python && ${AUTOCONF} -I ${WRKSRC} +pre-install: +# Run pkg-install PRE-INSTALL + @${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} \ + PRE-INSTALL + post-install: # Create (if necessary) ${PREFIX}/etc/raddb and subdirectories using # ${EXAMPLESDIR}/raddb as the model layout @@ -247,5 +293,8 @@ # Set ${PREFIX}/etc/raddb and all the files and folders in it to g-w,o-rwx # (FreeRADIUS will probably complain if this is not done) @${CHMOD} -R g-w,o-rwx ${PREFIX}/etc/raddb +# Run pkg-install POST-INSTALL + @${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} \ + POST-INSTALL .include >Release-Note: >Audit-Trail: >Unformatted: