From owner-freebsd-ports Tue Oct 31 21:40:13 2000 Delivered-To: freebsd-ports@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 791CB37B4D7 for ; Tue, 31 Oct 2000 21:40:01 -0800 (PST) Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id VAA37378; Tue, 31 Oct 2000 21:40:01 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: from spare.westbend.net (unknown [209.224.254.133]) by hub.freebsd.org (Postfix) with ESMTP id 5AD0437B4C5 for ; Tue, 31 Oct 2000 21:37:29 -0800 (PST) Received: (from root@localhost) by spare.westbend.net (8.9.3/8.9.3) id XAA31339; Tue, 31 Oct 2000 23:37:28 -0600 (CST) (envelope-from admin) Message-Id: <200011010537.XAA31339@spare.westbend.net> Date: Tue, 31 Oct 2000 23:37:28 -0600 (CST) 
From: "Scot W. Hetzel" Reply-To: hetzels@westbend.net To: FreeBSD-gnats-submit@freebsd.org, hetzels@westbend.net X-Send-Pr-Version: 3.2 Subject: ports/22462: Cyrus-SASL Change (Maintainer) Sender: owner-freebsd-ports@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 22462 >Category: ports >Synopsis: Misc Fixes to Cyrus-SASL port (Maintainer) >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Tue Oct 31 21:40:01 PST 2000 >Closed-Date: >Last-Modified: >Originator: Scot W. Hetzel >Release: FreeBSD 4.1-STABLE i386 >Organization: West Bend Internet >Environment: >Description: - Change /var/pwcheck permissions so Postfix can use pwcheck for SASL Authentication. - Update MySQL & LDAP Authentication Methods - Correct bento warning for extra file (Sendmail.conf). - Correct mysql detection code in configure.sasl, and use LIB_DEPENDS for db3. >How-To-Repeat: >Fix: Changed Files: Makefile files/patch-ai pkg-install pkg-plist scripts/configure.sasl New Files: pkg-deinstall diff -ruN cyrus-sasl.orig/Makefile cyrus-sasl/Makefile --- cyrus-sasl.orig/Makefile Wed Oct 25 11:56:35 2000 +++ cyrus-sasl/Makefile Tue Oct 31 21:07:32 2000 @@ -7,7 +7,7 @@ PORTNAME= cyrus-sasl PORTVERSION= 1.5.24 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security MASTER_SITES= ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ \ ${MASTER_SITE_LOCAL} \ 
@@ -120,7 +120,7 @@ @${SED} -e "/%%PREFIX%%/s##${PREFIX}#g" ${FILESDIR}/pwcheck.sh \ > ${PREFIX}/etc/rc.d/pwcheck.sh @${CHMOD} 755 ${PREFIX}/etc/rc.d/pwcheck.sh - ${INSTALL} -d -m 700 -o cyrus -g cyrus /var/pwcheck + ${INSTALL} -d -m 760 -o cyrus -g cyrus /var/pwcheck .if !defined(NOPORTDOCS) @${MKDIR} ${PREFIX}/share/doc/SASL/html .for file in ${DOCS} diff -ruN cyrus-sasl.orig/files/patch-ai cyrus-sasl/files/patch-ai --- cyrus-sasl.orig/files/patch-ai Mon Sep 18 21:59:28 2000 +++ cyrus-sasl/files/patch-ai Tue Oct 31 20:53:27 2000 @@ -1,5 +1,5 @@ --- lib/checkpw.c.orig Wed Jul 19 20:24:13 2000 -+++ lib/checkpw.c Sat Sep 16 21:07:33 2000 ++++ lib/checkpw.c Tue Oct 31 20:52:21 2000 @@ -95,10 +95,19 @@ #include #ifdef HAVE_UNISTD_H @@ -81,13 +81,14 @@ if (reply) { *reply = NULL; } -@@ -902,6 +928,260 @@ +@@ -902,6 +928,224 @@ #endif +#ifdef HAVE_MYSQL +/* DMZ mysql auth 12/29/1999 + * Updated to 1.5.24 by SWH 09/12/2000 ++ * changed to malloc qbuf Simon Loader 10/21/2000 + */ +#ifdef USE_CRYPT_PASSWORD +#define QUERY_STRING "select %s from %s where %s = '%s' and %s = password('%s')" @@ -105,7 +106,7 @@ + unsigned int numrows; + MYSQL mysql,*sock; + MYSQL_RES *result; -+ char qbuf[300]; ++ char *qbuf; + char *db_user="", + *db_passwd="", + *db_host="", @@ -152,9 +153,17 @@ + return SASL_FAIL; + } + /* select DB_UIDCOL from DB_TABLE where DB_UIDCOL = 'userid' AND DB_PWCOL = password('password') */ ++ if ( (qbuf = (char *)malloc(strlen(QUERY_STRING)+strlen(db_uidcol) ++ +strlen(db_table)+strlen(db_uidcol) ++ +strlen(userid)+strlen(db_pwcol) ++ +strlen(password)+1)) == NULL ) { ++ if (reply) { *reply = "cannot malloc memory for sql query"; } ++ return SASL_FAIL; ++ } + sprintf(qbuf,QUERY_STRING,db_uidcol,db_table,db_uidcol,userid,db_pwcol,password); + if (mysql_query(sock,qbuf) < 0 || !(result=mysql_store_result(sock))) + { ++ free(qbuf); + mysql_close(sock); + return SASL_FAIL; + } 
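Review bot: Mode 760 on `/var/pwcheck` gives group `cyrus` read and write on the directory but no search (`x`) bit, so a group member such as the Postfix user still cannot reach the file pwcheck creates inside it, which is the stated purpose of the change. The install line should be `${INSTALL} -d -m 750 -o cyrus -g cyrus /var/pwcheck`, and the Postfix user then has to be a member of group `cyrus`. The last pkg-plist hunk has the same problem in `@mode u=rwx,g=rw,o=`. Its `@exec chmod o= pwcheck` also leaves the group bits to whatever `mkdir` and the umask produced, so a package install and a port install can end up with different modes; `@exec chmod 750 pwcheck` would make them agree.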
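Review bot: In the patch-ai hunk that allocates `qbuf`, `userid` and `password` are still formatted into the SQL text between single quotes by `sprintf(qbuf,QUERY_STRING,...)` without escaping, so a quote character in either value alters the query that decides the login. Sizing `qbuf` with malloc removes the old 300-byte overflow but not this. Both values should be escaped into `2*len+1`-byte buffers with `mysql_real_escape_string()` (where the client library in use provides it) and `qbuf` sized from the escaped lengths. The new malloc-failure branch also returns without `mysql_close(sock)`, unlike the query-failure branch right after it. The function starts and ends outside this hunk.

```c
/* … unchanged: option lookup, connect, select database … */
size_t ulen = strlen(userid), plen = strlen(password);
char *euser = malloc(2 * ulen + 1);
char *epass = malloc(2 * plen + 1);

qbuf = NULL;
if (euser != NULL && epass != NULL) {
    mysql_real_escape_string(sock, euser, userid, ulen);
    mysql_real_escape_string(sock, epass, password, plen);
    qbuf = malloc(strlen(QUERY_STRING) + 2 * strlen(db_uidcol) + strlen(db_table)
                  + strlen(euser) + strlen(db_pwcol) + strlen(epass) + 1);
}
if (qbuf == NULL) {
    free(euser);
    free(epass);
    mysql_close(sock);   /* connection is already open at this point */
    if (reply) { *reply = "cannot malloc memory for sql query"; }
    return SASL_FAIL;
}
sprintf(qbuf, QUERY_STRING, db_uidcol, db_table, db_uidcol, euser, db_pwcol, epass);
free(euser);
free(epass);
/* … unchanged: mysql_query, result handling … */
```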
@@ -166,13 +175,16 @@ + mysql_free_result(result); + mysql_close(sock); + if ((numrows > 1) && (reply)) { *reply = "Detected duplicate entries for user"; } ++ free(qbuf); + return SASL_BADAUTH; + } else { ++ free(qbuf); + mysql_free_result(result); + mysql_close(sock); + return SASL_OK; + } + } ++ free(qbuf); + mysql_free_result(result); + mysql_close(sock); + return SASL_BADAUTH; @@ -182,6 +194,7 @@ +#ifdef HAVE_LDAP +/* simon@surf.org.uk LDAP auth 07/11/2000 + * Updated to 1.5.24 by SWH 09/12/2000 ++ * changed to use malloc and simplify the auth by Simon@surf.org.uk 10/21/2000 + */ + +#define LDAP_SERVER "localhost" @@ -215,24 +228,19 @@ +{ + + LDAP *ld; -+ LDAPMessage *result; -+ LDAPMessage *entry; -+ char *attrs[2]; -+ char filter[200]; + char *dn, + *ldap_server="", + *ldap_basedn="", + *ldap_uidattr="", + *port_num=""; + int ldap_port = LDAP_PORT; -+ int count; + sasl_getopt_t *getopt; + void *context; + + /* If the password is NULL, reject the login... + * Otherwise the bind will succed as a reference bind. Not good... + */ -+ if (strcmp(password,"") == 0) ++ if (!userid || !password) + { + return SASL_BADPARAM; + } 
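Review bot: The three `free(qbuf)` calls added on the result paths could be one, because `qbuf` is not read again once `mysql_query()` has returned; freeing it directly after the query would leave no later return path that can forget it. The buffer also contains the cleartext password as part of the query text, so it is worth clearing before the free with a call the compiler cannot drop, where the platform has one. The function body starts outside this hunk.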
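Review bot: The new guard `if (!userid || !password)` in the LDAP hunk no longer rejects an empty password, which is the case the comment directly above it warns about. Many LDAP servers treat a simple bind with a DN and a zero-length password as an unauthenticated bind and report success, and this function (continued in the next hunk) returns SASL_OK on any successful bind. Keep the empty-string test alongside the NULL test: `if (!userid || !password || *userid == '\0' || *password == '\0')`. The comment should say "NULL or empty" so the reason for the second half of the test stays visible.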
@@ -264,75 +272,31 @@ + /* Open the LDAP connection. */ + if ((ld = ldap_open(ldap_server, ldap_port)) == NULL) + { -+ if (reply) { *reply = "cannot connect to LDAP server"; } -+ return SASL_FAIL; -+ } -+ -+ /* Bind anonymously so that you can find the DN of the appropriate user. */ -+ if (ldap_simple_bind_s(ld,"","") != LDAP_SUCCESS) -+ { -+ ldap_unbind(ld); -+ if (reply) { *reply = "cannot bind to LDAP server"; } -+ return SASL_FAIL; -+ } -+ -+ /* Generate a filter that will return the entry with a matching UID */ -+ sprintf(filter,"(%s=%s)", ldap_uidattr,userid); -+ -+ /* Just return country...This doesn't actually matter, since we will -+ * not read the attributes and values, only the DN -+ */ -+ attrs[0] = "c"; -+ attrs[1] = NULL; -+ -+ /* Perform the search... */ -+ if (ldap_search_s(ld,ldap_basedn,LDAP_SCOPE_SUBTREE,filter,attrs,1,&result) != LDAP_SUCCESS ) -+ { -+ ldap_unbind(ld); -+ return SASL_BADAUTH; -+ } -+ -+ /* If the entry count is not equal to one, either the UID was not unique or -+ * there was no match -+ */ -+ if ((count = ldap_count_entries(ld,result)) != 1) -+ { -+ ldap_msgfree(result); -+ ldap_unbind(ld); -+ if ((count > 1) && (reply)) { *reply = "Detected duplicate entries for user"; } -+ return SASL_BADAUTH; -+ } -+ -+ /* Get the first entry */ -+ if ((entry = ldap_first_entry(ld,result)) == NULL) -+ { -+ ldap_msgfree(result); -+ ldap_unbind(ld); -+ return SASL_BADAUTH; ++ if (reply) { *reply = "cannot connect to LDAP server"; } ++ return SASL_FAIL; + } + -+ /* Get the DN of the entry */ -+ if ((dn = ldap_get_dn(ld,entry)) == NULL) -+ { -+ ldap_msgfree(entry); -+ ldap_unbind(ld); -+ return SASL_BADAUTH; ++ if ( (dn = (char *)malloc(strlen(ldap_uidattr) ++ +strlen(userid)+strlen(ldap_basedn)+3)) == NULL ) { ++ if (reply) { *reply = "cannnot allocate memory for ldap dn"; } ++ return SASL_FAIL; + } ++ /* Generate a dn that we will try and login with */ ++ sprintf(dn,"%s=%s,%s", ldap_uidattr,userid,ldap_basedn); + -+ /* Now bind as the DN with 
the password supplied earlier... -+ * Successful bind means the password was correct, otherwise the -+ * password is invalid. ++ /* ++ * Just try and bind with the dn we have been given ++ * In most cases the basedn is correct. ++ * If this is not so I have a version or that too ++ * Simon@surf.org.uk + */ -+ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) -+ { -+ free(dn); -+ ldap_msgfree(entry); -+ ldap_unbind(ld); -+ return SASL_BADAUTH; ++ if (ldap_simple_bind_s(ld,dn,(char *)password) != LDAP_SUCCESS) { ++ free(dn); ++ ldap_unbind(ld); ++ return SASL_BADAUTH; + } + + free(dn); -+ ldap_msgfree(entry); + ldap_unbind(ld); + return SASL_OK; +} @@ -342,7 +306,7 @@ struct sasl_verify_password_s _sasl_verify_password[] = { { "sasldb", &sasldb_verify_password }, #ifdef HAVE_KRB -@@ -921,6 +1201,12 @@ +@@ -921,6 +1165,12 @@ #endif #ifdef HAVE_PWCHECK { "pwcheck", &pwcheck_verify_password }, diff -ruN cyrus-sasl.orig/pkg-deinstall cyrus-sasl/pkg-deinstall --- cyrus-sasl.orig/pkg-deinstall Wed Dec 31 18:00:00 1969 +++ cyrus-sasl/pkg-deinstall Tue Oct 31 21:19:54 2000 
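Review bot: `userid` is copied into the bind DN by `sprintf(dn,"%s=%s,%s", ldap_uidattr,userid,ldap_basedn)` with no check on its characters, so a value containing DN metacharacters produces a DN outside the intended `uidattr=user,basedn` shape, and the removed search step no longer confirms that exactly one entry matches. Reject such input before the connection is opened, for example `if (strpbrk(userid, ",+\"\\<>;=") != NULL) return SASL_BADPARAM;`. The malloc-failure branch also returns without releasing the connection opened just above; add `ldap_unbind(ld);` before its `return SASL_FAIL;`. The reply string in that branch is misspelled ("cannnot"). The function starts in the previous hunk.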
@@ -0,0 +1,39 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Created by: hetzels@westbend.net + +#set -vx + +PKG_BATCH=${BATCH:=NO} + +PKG_PREFIX=${PKG_PREFIX:=/usr/local} + +# delete sasldb database + +delete_sasldb() { + [ -f %D/etc/sasldb.db -a ! -s %D/etc/sasldb.db ] && rm %D/etc/sasldb.db +} + +# This should really be uninstalled by Sendmail + +sendmail_conf() { + if [ -f ${PKG_PREFIX}/lib/sasl/Sendmail.conf ]; then + echo "pwcheck_method: pwcheck" > ${PKG_PREFIX}/lib/sasl/Sendmail.conf.tmp + if cmp -s ${PKG_PREFIX}/lib/sasl/Sendmail.conf ${PKG_PREFIX}/lib/sasl/Sendmail.conf.tmp; then + rm -f ${PKG_PREFIX}/lib/sasl/Sendmail.conf + fi + rm -f ${PKG_PREFIX}/lib/sasl/Sendmail.conf.tmp + fi +} + +case $2 in + DEINSTALL) + delete_sasldb + sendmail_conf + ;; + POST-DEINSTALL) + ;; + +esac diff -ruN cyrus-sasl.orig/pkg-install cyrus-sasl/pkg-install --- cyrus-sasl.orig/pkg-install Mon Sep 18 21:59:28 2000 +++ cyrus-sasl/pkg-install Tue Oct 31 21:44:31 2000 @@ -3,7 +3,7 @@ # $FreeBSD: ports/security/cyrus-sasl/pkg-install,v 1.2 2000/09/19 02:59:28 ade Exp $ # # Created by: stb@FreeBSD.org for the cyrus imap server -# Added to the cyrus-sasl port by hetzel@westbend.net +# Added to the cyrus-sasl port by hetzels@westbend.net #set -vx diff -ruN cyrus-sasl.orig/pkg-plist cyrus-sasl/pkg-plist --- cyrus-sasl.orig/pkg-plist Mon Sep 18 21:59:28 2000 +++ cyrus-sasl/pkg-plist Tue Oct 31 21:33:45 2000 @@ -1,7 +1,5 @@ -@unexec %D/etc/rc.d/pwcheck.sh stop ; echo "pwcheck stopped." +@unexec [ -r /var/run/pwcheck.pid ] && %D/etc/rc.d/pwcheck.sh stop && echo " stopped." etc/rc.d/pwcheck.sh -@comment remove ../etc/sasldb.db only if it exists and has a zero size. -@unexec [ -f %D/etc/sasldb.db -a ! -s %D/etc/sasldb.db ] && rm %D/etc/sasldb.db include/sasl/hmac-md5.h include/sasl/md5.h include/sasl/md5global.h 
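Review bot: `delete_sasldb` in the new pkg-deinstall script uses `%D`, which is a pkg-plist substitution and is not expanded inside a shell script, so the test looks for a literal `%D/etc/sasldb.db` and the empty database is never removed. The pkg-plist hunk in this same patch deletes the `@unexec` line that used to do that job, so nothing removes the file any more. Use the variable the script already sets: `[ -f ${PKG_PREFIX}/etc/sasldb.db -a ! -s ${PKG_PREFIX}/etc/sasldb.db ] && rm ${PKG_PREFIX}/etc/sasldb.db`. Quoting the selector as `case "$2" in` would also keep the script from failing on an empty or missing second argument.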
@@ -33,10 +31,6 @@ lib/sasl/libplain.a lib/sasl/libplain.so lib/sasl/libplain.so.1 -@comment Sendmail.conf should be installed/uninstalled by Sendmail 8.11. -@comment We install it here because Sendmail 8.11 is in the base system. -@unexec echo "pwcheck_method: pwcheck" > %B/Sendmail.conf.tmp -@unexec if cmp -s %B/Sendmail.conf %B/Sendmail.conf.tmp; then rm -f %B/Sendmail.conf %B/Sendmail.conf.tmp; else rm -f %B/Sendmail.conf.tmp fi sbin/sasldblistusers sbin/saslpasswd sbin/pwcheck @@ -62,11 +56,11 @@ %%NOPORTDOCS%%@dirrm share/doc/SASL/html %%NOPORTDOCS%%@dirrm share/doc/SASL @dirrm lib/sasl -@mode u=rwx,go= +@mode u=rwx,g=rw,o= @cwd /var @exec mkdir pwcheck @exec chown cyrus:cyrus pwcheck -@exec chmod go= pwcheck +@exec chmod o= pwcheck @comment This file gets created by the pwcheck program @unexec rm -f /var/pwcheck/pwcheck @dirrm pwcheck diff -ruN cyrus-sasl.orig/scripts/configure.sasl cyrus-sasl/scripts/configure.sasl --- cyrus-sasl.orig/scripts/configure.sasl Mon Oct 23 21:03:09 2000 +++ cyrus-sasl/scripts/configure.sasl Tue Oct 31 19:34:51 2000 @@ -20,12 +20,12 @@ fi else - if [ "x${ENABLE_DB3}" = "xYES" -o -f ${PREFIX}/lib/libdb3.so ] ; then + if [ "x${ENABLE_DB3}" = "xYES" -o -f ${PREFIX}/lib/libdb3.so.1 ] ; then SET_DB3="ON" else SET_DB3="OFF" fi - if [ "x${ENABLE_MYSQL}" = "xYES" -o -f ${PREFIX}/lib/libmysqlclient.so ] ; then + if [ "x${ENABLE_MYSQL}" = "xYES" -o -f ${PREFIX}/lib/mysql/libmysqlclient.so ] ; then SET_MYSQL="ON" else SET_MYSQL="OFF" 
@@ -71,10 +71,7 @@ while [ "$1" ]; do case $1 in \"DB3\") - #Can't use LIB_DEPENDS - no libdb3.so.1 in db3 port - #echo "LIB_DEPENDS+= db3.1:\${PORTSDIR}/databases/db3" - echo "BUILD_DEPENDS+= \${LOCALBASE}/lib/libdb3.1.so:\${PORTSDIR}/databases/db3" - echo "RUN_DEPENDS+= \${LOCALBASE}/lib/libdb3.1.so:\${PORTSDIR}/databases/db3" + echo "LIB_DEPENDS+= db3.1:\${PORTSDIR}/databases/db3" echo "CONFIGURE_ARGS+=--with-dblib=berkeley" ;; \"MySQL\") >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
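Review bot: The new `LIB_DEPENDS+= db3.1:...` line relies on the db3 port installing `libdb3.so.1`, which the comment removed in this same hunk says it does not. Nothing visible in the patch shows that the db3 port changed, so this should be confirmed against the current databases/db3 package list before commit. The first configure.sasl hunk makes the same assumption in its `-f ${PREFIX}/lib/libdb3.so.1` test. A one-line comment above the `echo` recording which db3 port revision introduced the versioned library would explain why the BUILD_DEPENDS/RUN_DEPENDS workaround was dropped. The enclosing `case` statement continues outside the hunk.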