Date:      Fri, 6 Aug 2004 20:43:33 -0700 (PDT)
From:      Jeremy Chadwick <freebsd@jdc.parodius.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/70106: cgiwrap port update
Message-ID:  <200408070343.i773hXt2079172@pentarou.parodius.com>
Resent-Message-ID: <200408070350.i773oEGC006306@freefall.freebsd.org>


>Number:         70106
>Category:       ports
>Synopsis:       cgiwrap port update
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 07 03:50:14 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Jeremy Chadwick
>Release:        FreeBSD 4.10-PRERELEASE i386
>Organization:
Parodius Networking
>Environment:
System: FreeBSD pentarou.parodius.com 4.10-PRERELEASE FreeBSD 4.10-PRERELEASE #0: Wed May 5 03:33:17 PDT 2004 root@pentarou.parodius.com:/usr/obj/usr/src/sys/PENTAROU i386
>Description:
	Update to the cgiwrap port.  This adds a slew of things:

	1.  Uses WWWOWN and WWWGRP, which is the standard for www-oriented ports.
	2.  Adds --with-local-contact (CGIWRAP_CONTACT).
	3.  Changes tweaks to CGIWRAP_ALLOWFILE and CGIWRAP_DENYFILE.
	4.  Removal of WITHOUTCHECK; moved into multiple CGIWRAP_WITHOUT_* tweaks.
	5.  Adds --with-logging-file (CGIWRAP_LOGGING) for those who need it (me :) ).
	6.  Adds CGIWRAP_DEBUG, which adds support for the cgiwrapd/nph-cgiwrapd binaries.
	7.  Adds --without-check-owner (CGIWRAP_WITHOUT_CHECK_OWNER).
	8.  Adds --without-check-group (CGIWRAP_WITHOUT_CHECK_GROUP).
	9.  Adds --without-check-setuid (CGIWRAP_WITHOUT_CHECK_SETUID).
	10. Adds --without-check-setgid (CGIWRAP_WITHOUT_CHECK_SETGID).
	11. Adds --without-check-group-writable (CGIWRAP_WITHOUT_CHECK_GROUP_WRITABLE).
	12. Adds --without-check-world-writable (CGIWRAP_WITHOUT_CHECK_WORLD_WRITABLE).
	13. Runs pkg-message through ${SED} so that %%PREFIX%% gets expanded.
	14. Proper/secure permissions on the binaries (4550).  Note that we can't set this
	as 4510 or 4110; mod_mime_magic in Apache needs read access to the binary when
	being called (otherwise warnings appear in the httpd_error log; might as well be
	nice to Apache...).  Global-read/execute is a Bad Idea(tm).
	15. Minor cosmetic update to pkg-descr.

	The port maintainer should DEFINITELY review this.  If the maintainer isn't
	available, I can take over maintenance of this port.

>How-To-Repeat:
	n/a
>Fix:
	Apply below patch to the ports/www/cgiwrap tree.


--- Makefile.orig	Tue Mar  2 14:42:24 2004
+++ Makefile	Fri Aug  6 20:20:28 2004
@@ -7,6 +7,7 @@
 
 PORTNAME=	cgiwrap
 PORTVERSION=	3.9
+PORTREVISION=	1
 CATEGORIES=	www security
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
@@ -15,48 +16,90 @@
 COMMENT=	Securely execute ~user CGI scripts
 
 GNU_CONFIGURE=	yes
-CONFIGURE_ARGS=	--with-httpd-user=${HTTPDUSER} \
+CONFIGURE_ARGS=	--with-httpd-user=${WWWOWN} \
+		--with-install-group=${WWWGRP} \
 		--with-install-dir=${MAINCGIDIR} \
-		--with-install-group=${BINGRP} \
-		--with-cgi-dir=${CGIDIR} \
-		--with-allow-file=${ALLOWFILE} \
-		--with-deny-file=${DENYFILE} \
-		${WITHOUTCHECK}
+		--with-cgi-dir=${CGIWRAP_CGIDIR} \
+		--with-local-contact=${CGIWRAP_CONTACT} \
+		--with-allow-file=${CGIWRAP_ALLOWFILE} \
+		--with-deny-file=${CGIWRAP_DENYFILE}
 
-###
+#
 # Set this to the directory (relative to each user's home) where CGI
-# scripts will be found.  (Another common value is "www/cgi-bin".)
-###
-CGIDIR?=		public_html/cgi-bin
-###
-# The default security settings are very tight; enable one or more
-# of these to loosen them.  Run "configure -help" for information on
-# these and other options.
-###
-#WITHOUTCHECK?=	--without-check-owner --without-check-setuid \
-#		--without-check-group --without-check-setgid \
-#		--without-check-group-writable \
-#		--without-check-world-writable
-###
-# Use these options for Apache:
-###
+# scripts will be found.  Common alternate values are "www/cgi-bin"
+# (a.k.a. ~user/www/cgi-bin) and "cgi-bin" (a.k.a. ~user/cgi-bin)
+#
+CGIWRAP_CGIDIR?=	public_html/cgi-bin
+
+#
+# MAINCGIDIR is the directory the cgiwrap binaries get installed to.
+#
 MAINCGIDIR?=	${PREFIX}/www/cgi-bin
-HTTPDUSER?=	www
-###
+
+#
 # The allow and deny files control access to cgiwrap.
+#
+CGIWRAP_ALLOWFILE?=	${PREFIX}/etc/${PORTNAME}.allow
+CGIWRAP_DENYFILE?=	${PREFIX}/etc/${PORTNAME}.deny
+
+#
+# Set the contact Email address.
+#
+CGIWRAP_CONTACT?=	webmaster@dummy-host.example.com
+
+#
+# Define CGIWRAP_LOGGING and specify where you want the logfile.
+#
+.if defined(CGIWRAP_LOGGING)
+CONFIGURE_ARGS+=	--with-logging-file=${CGIWRAP_LOGGING}
+.endif
+
+#
+# Some users enjoy being able to debug their own CGI scripts, since
+# the standard "Internal server error" response doesn't help much.
+# Administrators may find this useful as well.  See the cgiwrap
+# documentation for details on how to use this.
+#
+.if defined(CGIWRAP_DEBUG)
+PLIST_SUB+=	CGIWRAPDFLAG=
+.else
+PLIST_SUB+=	CGIWRAPDFLAG="@comment "
+.endif
+
+#
+# A slew of --without-* configure flags exist for cgiwrap.  You
+# should refer to the cgiwrap documentation for details regarding
+# what these do, and when (if) they're necessary.
+#
 ###
-ALLOWFILE?=	${PREFIX}/etc/${PORTNAME}.allow
-DENYFILE?=	${PREFIX}/etc/${PORTNAME}.deny
+.if defined(CGIWRAP_WITHOUT_CHECK_OWNER)
+CONFIGURE_ARGS+=	--without-check-owner
+.endif
+.if defined(CGIWRAP_WITHOUT_CHECK_GROUP)
+CONFIGURE_ARGS+=	--without-check-group
+.endif
+.if defined(CGIWRAP_WITHOUT_CHECK_SETUID)
+CONFIGURE_ARGS+=	--without-check-setuid
+.endif
+.if defined(CGIWRAP_WITHOUT_CHECK_SETGID)
+CONFIGURE_ARGS+=	--without-check-setgid
+.endif
+.if defined(CGIWRAP_WITHOUT_CHECK_GROUP_WRITABLE)
+CONFIGURE_ARGS+=	--without-check-group-writable
+.endif
+.if defined(CGIWRAP_WITHOUT_CHECK_WORLD_WRITABLE)
+CONFIGURE_ARGS+=	--without-check-world-writable
+.endif
 
 pre-install:
 	@${MKDIR} ${MAINCGIDIR}
 
 post-install:
-	${STRIP_CMD} ${MAINCGIDIR}/cgiwrap
-	${RM} ${MAINCGIDIR}/cgiwrapd ${MAINCGIDIR}/nph-cgiwrapd
-	${CP} ${MAINCGIDIR}/cgiwrap ${MAINCGIDIR}/cgiwrapd
-	${LN} ${MAINCGIDIR}/cgiwrapd ${MAINCGIDIR}/nph-cgiwrapd
-	${CHMOD} 644 ${MAINCGIDIR}/cgiwrapd
+	@${STRIP_CMD} ${MAINCGIDIR}/cgiwrap
+	@${CHMOD} 4550 ${MAINCGIDIR}/cgiwrap
+.if !defined(CGIWRAP_WITH_DEBUG)
+	@${RM} ${MAINCGIDIR}/cgiwrapd ${MAINCGIDIR}/nph-cgiwrapd
+.endif
 .if !defined(NOPORTDOCS)
 	@${MKDIR} ${DOCSDIR}
 .for file in accesscontrol.html afs.html changes.html chroot.html	\
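Review bot: The two debug conditionals in this hunk test different variables: the PLIST_SUB block uses ".if defined(CGIWRAP_DEBUG)" while post-install uses ".if !defined(CGIWRAP_WITH_DEBUG)". A user who sets only CGIWRAP_DEBUG, the name given in the description, gets cgiwrapd and nph-cgiwrapd listed in the plist but removed by post-install. Use CGIWRAP_DEBUG in both places. Separately, ${CHMOD} 4550 is applied only to ${MAINCGIDIR}/cgiwrap; when the debug binaries are kept, nothing in post-install sets their mode, whereas the removed lines forced cgiwrapd to 644. The leftover "###" context line ahead of the CGIWRAP_WITHOUT_* blocks also no longer matches the new "#" comment style and can go.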
@@ -68,6 +111,6 @@
 .endfor
 	@${ECHO} "Documentation installed in ${DOCSDIR}"
 .endif
-	@${CAT} ${PKGMESSAGE}
+	@${CAT} ${PKGMESSAGE} | ${SED} -e's#%%PREFIX%%#${PREFIX}#g'
 
 .include <bsd.port.mk>
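Review bot: In post-install, piping ${PKGMESSAGE} through ${SED} expands %%PREFIX%% only in the text printed at install time; the pkg-message file itself keeps the literal %%PREFIX%% token, so anything else that reads ${PKGMESSAGE} sees it unexpanded. Consider writing the expanded message once to a file under the work directory and pointing PKGMESSAGE at that file. The ${CAT} is also unnecessary, since ${SED} can take ${PKGMESSAGE} as its file argument.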
--- pkg-descr.orig	Fri Nov 15 19:01:07 2002
+++ pkg-descr	Fri Aug  6 19:40:42 2004
@@ -9,6 +9,3 @@
 server software that supports CGI.
 
 WWW: http://cgiwrap.sourceforge.net/
-
-- Pete
-petef@databits.net
--- pkg-message.orig	Thu Aug  8 11:58:23 2002
+++ pkg-message	Fri Aug  6 19:37:28 2004
@@ -6,14 +6,10 @@
 recommended to try the Apache web server package.
 
 The cgiwrap scripts have been installed in:
-    ${PREFIX}/www/cgi-bin
+    %%PREFIX%%/www/cgi-bin
 ...the default location for Apache's cgi-bin directory.
 
-The cgiwrapd and nph-cgiwrapd scripts are disabled by default, as they
-may give away sensitive information about the CGI environment.  To
-enable them, you must chmod 4755 ${PREFIX}/www/cgi-bin/cgiwrapd
-
-Access control enabled, you must create either
-${PREFIX}/etc/cgiwrap.allow or ${PREFIX}/etc/cgiwrap.deny before
-cgiwrap will function.
+If cgiwrap's allow/deny control is enabled, you must create either
+%%PREFIX%%/etc/cgiwrap.allow and/or %%PREFIX%%/etc/cgiwrap.deny
+before cgiwrap will function.
 -----------------------------------------------------------------
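Review bot: The removed paragraph was the only place that warned that cgiwrapd and nph-cgiwrapd "may give away sensitive information about the CGI environment", yet the Makefile change is meant to install them when CGIWRAP_DEBUG is set; keep a shortened form of that warning, reworded for the new knob, rather than dropping it. The new sentence "If cgiwrap's allow/deny control is enabled" is conditional where the Makefile is not: CONFIGURE_ARGS always passes --with-allow-file and --with-deny-file, so the old unconditional wording matched the build. The phrase "either ... and/or" should read "either ... or".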
--- pkg-plist.orig	Tue Jun  8 23:16:03 2004
+++ pkg-plist	Fri Aug  6 20:12:37 2004
@@ -18,8 +18,8 @@
 %%PORTDOCS%%%%DOCSDIR%%/tricks.html
 %%PORTDOCS%%%%DOCSDIR%%/y2k.html
 www/cgi-bin/cgiwrap
-www/cgi-bin/cgiwrapd
+%%CGIWRAPDFLAG%%www/cgi-bin/cgiwrapd
 www/cgi-bin/nph-cgiwrap
-www/cgi-bin/nph-cgiwrapd
+%%CGIWRAPDFLAG%%www/cgi-bin/nph-cgiwrapd
 @unexec rmdir %D/www/cgi-bin 2>/dev/null || true
 %%PORTDOCS%%@dirrm %%DOCSDIR%%
>Release-Note:
>Audit-Trail:
>Unformatted:


