Date:      Sat, 6 Apr 2013 11:22:24 -0700 (PDT)
From:      Craig Leres <leres@ee.lbl.gov>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        leres@ee.lbl.gov
Subject:   ports/177668: [PATCH] security/shibboleth2-sp: create cert on first use; other fixes
Message-ID:  <201304061822.r36IMOJ1017778@fun.ee.lbl.gov>
Resent-Message-ID: <201304061830.r36IU0or051229@freefall.freebsd.org>


>Number:         177668
>Category:       ports
>Synopsis:       [PATCH] security/shibboleth2-sp: create cert on first use; other fixes
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 06 18:30:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Craig Leres
>Release:        FreeBSD 9.1-RELEASE amd64
>Organization:
Lawrence Berkeley National Laboratory
>Environment:
System: FreeBSD fun.ee.lbl.gov 9.1-RELEASE FreeBSD 9.1-RELEASE #4 r13: Fri Feb 1 19:03:16 PST 2013 leres@fun.ee.lbl.gov:/sys/amd64/compile/LBL amd64

>Description:
	An OpenSSL certificate and private key are generated at
	build time and are stored in the package. This means that when
	shibboleth2-sp is installed from a package on another machine,
	the certificate's CN doesn't match that machine's hostname, and
	anyone with access to the package file has a copy of the
	private key.

>How-To-Repeat:
	% openssl x509 -text -in /usr/local/etc/shibboleth/sp-cert.pem | \
	    fgrep 'Subject: CN'
		Subject: CN=fun.ee.lbl.gov

>Fix:
	Create the certificate and key on first use from the rc.d
	script (just like sshd).

	Obey WWWOWN/WWWGRP when creating /var/run/shibboleth.

	Update Makefile headers.

	Remove obsolete WITH_APACHE_20 stuff.

	Add missing lib files to pkg-plist.

	Please see attached patches.

--- patch.txt begins here ---
--- Makefile.orig	2013-04-05 17:41:02.000000000 -0700
+++ Makefile	2013-04-06 10:53:44.000000000 -0700
@@ -1,13 +1,9 @@
-# New ports collection makefile for:	security/shibboleth2-sp
-# Date created:		17 Sept2008
-# Whom:			Janos Mohacsi <janos.mohacsi@bsd.hu>
-#
+# Created by: Janos Mohacsi <janos.mohacsi@bsd.hu>
 # $FreeBSD: head/security/shibboleth2-sp/Makefile 302724 2012-08-18 14:29:08Z ohauer $
-#
 
 PORTNAME=	shibboleth-sp
 PORTVERSION=	2.4.3
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security www
 MASTER_SITES=	http://www.shibboleth.net/downloads/service-provider/${PORTVERSION}/
 
@@ -27,20 +23,16 @@
 WRKSRC=		${WRKDIR}/shibboleth-${PORTVERSION}
 
 LATEST_LINK=	shibboleth2-sp
+SUB_LIST+=	SH=${SH}
+PLIST_SUB+=	WWWOWN=${WWWOWN} WWWGRP=${WWWGRP}
 
 .include <bsd.port.pre.mk>
 
 .if defined(WITH_APACHE22)
 USE_APACHE=	22
-CONFIGURE_ARGS=	--enable-apache-22 --with-apxs22=${APXS}
-PLIST_SUB+=	WITH_APACHE_22=""
-PLIST_SUB+=	WITH_APACHE_20="@comment "
+CONFIGURE_ARGS+=	--enable-apache-22 --with-apxs22=${APXS}
 .else
 IGNORE=	apache20 is no longer available
-#USE_APACHE=	20
-#CONFIGURE_ARGS=	--enable-apache-20 --with-apxs2=${APXS} --with-apr=${PREFIX}/lib/apache2/apr-config --with-apu=${PREFIX}/lib/apache2/apu-config
-PLIST_SUB+=	WITH_APACHE_22="@comment "
-PLIST_SUB+=	WITH_APACHE_20=""
 .endif
 CONFIGURE_ARGS+=	--localstatedir=/var --with-log4shib=${LOCALBASE}
 CONFIGURE_ARGS+=	--with-openssl=${OPENSSLBASE} --with-xmltooling=${LOCALBASE}
--- pkg-descr.orig	2013-04-06 10:39:48.000000000 -0700
+++ pkg-descr	2013-04-06 10:40:35.000000000 -0700
@@ -10,4 +10,4 @@
 is based on assertions received by the service provider (SP) from
 an identity provider.
 
-WWW:	http://shibboleth.internet2.edu/
+WWW: http://shibboleth.internet2.edu/
--- pkg-plist.orig	2013-04-05 04:25:11.000000000 -0700
+++ pkg-plist	2013-04-06 10:48:25.000000000 -0700
@@ -67,8 +67,6 @@
 etc/shibboleth/apache22.config
 etc/shibboleth/keygen.sh
 etc/shibboleth/upgrade.xsl
-etc/shibboleth/sp-key.pem
-etc/shibboleth/sp-cert.pem
 @unexec if cmp -s %D/etc/shibboleth/postTemplate.html.dist %D/etc/shibboleth/postTemplate.html; then rm -f %D/etc/shibboleth/postTemplate.html; fi
 etc/shibboleth/postTemplate.html.dist
 @exec if [ ! -f %D/etc/shibboleth/postTemplate.html ] ; then cp -p %D/etc/shibboleth/postTemplate.html.dist %D/etc/shibboleth/postTemplate.html; fi
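Review bot: Dropping sp-key.pem and sp-cert.pem from the plist means an upgrade from PORTREVISION 1 removes the packaged keypair when the old package is deinstalled, and the new rc.d script then generates a fresh one on the next start, so any SP metadata already registered with an IdP or federation stops validating; nothing in the port warns about that. A pkg-message entry along the lines of `If upgrading from an earlier package, back up and restore sp-key.pem/sp-cert.pem before starting shibd, or re-register the SP metadata with your IdP` would cover it. Conversely, once generated the files are unknown to the package, so deinstall leaves the private key on disk — presumably intended, mirroring sshd host keys, but worth a second line in pkg-message.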
@@ -130,16 +128,16 @@
 include/shibsp/util/SPConstants.h
 include/shibsp/util/TemplateParameters.h
 include/shibsp/version.h
-lib/libshibsp.so.5
 lib/libshibsp.so
-lib/shibboleth/adfs.so
-lib/shibboleth/adfs.la
-lib/shibboleth/adfs-lite.so
+lib/libshibsp.so.5
 lib/shibboleth/adfs-lite.la
-%%WITH_APACHE_22%%lib/shibboleth/mod_shib_22.so
-%%WITH_APACHE_22%%lib/shibboleth/mod_shib_22.la
-%%WITH_APACHE_20%%lib/shibboleth/mod_shib_20.so
-%%WITH_APACHE_20%%lib/shibboleth/mod_shib_20.la
+lib/shibboleth/adfs-lite.so
+lib/shibboleth/adfs.la
+lib/shibboleth/adfs.so
+lib/shibboleth/mod_shib_22.la
+lib/shibboleth/mod_shib_22.so
+lib/shibboleth/odbc-store.la
+lib/shibboleth/odbc-store.so
 lib/libshibsp-lite.so.5
 lib/libshibsp-lite.so
 sbin/shibd
@@ -167,7 +165,7 @@
 @exec mkdir -p %D/data
 @exec mkdir -p /var/log/shibboleth
 @exec mkdir -p /var/run/shibboleth
-@exec chown www:www /var/run/shibboleth
+@exec chown %%WWWOWN%%:%%WWWGRP%% /var/run/shibboleth
 @exec chmod -R ug=rwx,o= /var/run/shibboleth
 @unexec rm -rf /var/run/shibboleth 2>&1 >/dev/null || true
 @dirrmtry share/doc/shibboleth/api
--- files/shibboleth-sp.in.orig	2013-04-05 17:23:50.000000000 -0700
+++ files/shibboleth-sp.in	2013-04-06 10:29:03.000000000 -0700
@@ -12,8 +12,27 @@
 rcvar=shibboleth_sp_enable
 
 command=${shibboleth_sp_program:-%%PREFIX%%/sbin/shibd}
+keygen_cmd="shibboleth_sp_keygen"
+start_precmd="shibboleth_sp_precmd"
+
 pidfile="${shibboleth_sp_pidfile:-/var/run/${name}.pid}"
+confdir=%%PREFIX%%/etc/shibboleth
+certfn=sp-cert.pem
+keyfn=sp-key.pem
 command_args="-f -p ${pidfile}"
+extra_commands="keygen"
+
+shibboleth_sp_keygen()
+{
+	%%SH%% ${confdir}/keygen.sh -o ${confdir} || exit 1
+}
+
+shibboleth_sp_precmd()
+{
+	if [ ! -s ${confdir}/${keyfn} -a ! -s ${confdir}/${keyfn} ]; then
+		run_rc_command keygen
+	fi
+}
 
 load_rc_config $name
 run_rc_command "$1"
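Review bot: `certfn` is assigned but never tested: the condition in shibboleth_sp_precmd tests `${keyfn}` twice, so a directory holding only one half of the pair (stale cert without key, or key without cert) never triggers generation and shibd starts with an unusable pair. Presumably `if [ ! -s ${confdir}/${keyfn} -o ! -s ${confdir}/${certfn} ]; then` was intended (regenerate when either file is missing); keygen.sh's behaviour when one output already exists is not shown here, so check whether it needs `-f` in that case. Separately, the key is created by root at start time, and if shibd runs unprivileged (the plist chowns /var/run/shibboleth to WWWOWN, which suggests it does) sp-key.pem must be readable by that user — upstream keygen.sh takes `-u`/`-g` for exactly this, e.g. `%%SH%% ${confdir}/keygen.sh -o ${confdir} -u %%WWWOWN%% -g %%WWWGRP%% -b || exit 1` with WWWOWN/WWWGRP added to SUB_LIST. The `-b` flag is the non-interactive mode the removed install hook used and is not passed here; verify both flags against the keygen.sh this release ships.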
--- /dev/null	2013-04-06 10:56:58.000000000 -0700
+++ files/patch-configs_Makefile.am	2013-04-05 18:07:50.000000000 -0700
@@ -0,0 +1,17 @@
+--- configs/Makefile.am.orig	2013-04-05 18:06:00.000000000 -0700
++++ configs/Makefile.am	2013-04-05 18:07:26.000000000 -0700
+@@ -121,10 +121,10 @@
+ install-data-hook:
+ 	chmod +x $(DESTDIR)$(pkgsysconfdir)/keygen.sh
+ 	chmod +x $(DESTDIR)$(pkgsysconfdir)/metagen.sh
+-	if test -z "$(NOKEYGEN)"; then \
+-		cd $(DESTDIR)$(pkgsysconfdir); \
+-		sh ./keygen.sh -b ; \
+-	fi
++#	if test -z "$(NOKEYGEN)"; then \
++#		cd $(DESTDIR)$(pkgsysconfdir); \
++#		sh ./keygen.sh -b ; \
++#	fi
+ 
+ CLEANFILES = \
+ 	apache.config \
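Review bot: The install hook already guards key generation with `$(NOKEYGEN)`, so the port can skip it by setting that variable (`MAKE_ARGS+= NOKEYGEN=yes` in the port Makefile) instead of carrying a patch that comments the block out; commented-out recipe lines are dead code for the next maintainer. A patch against configs/Makefile.am only takes effect if the port regenerates configs/Makefile.in — whether it runs automake is not visible in this PR; if it doesn't, the shipped Makefile.in still runs `keygen.sh -b` at install time and the key ends up in the package after all. Passing NOKEYGEN sidesteps that, and checking that the installed stage contains no sp-key.pem would confirm it.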
--- /dev/null	2013-04-06 10:56:58.000000000 -0700
+++ files/patch-shibboleth.spec.in	2013-04-05 17:21:43.000000000 -0700
@@ -0,0 +1,13 @@
+--- shibboleth.spec.in.orig	2013-04-05 17:21:12.000000000 -0700
++++ shibboleth.spec.in	2013-04-05 17:21:21.000000000 -0700
+@@ -147,8 +147,8 @@
+ %endif
+ 
+ # Key generation
+-cd %{_sysconfdir}/%{name}
+-sh ./keygen.sh -b
++##cd %{_sysconfdir}/%{name}
++##sh ./keygen.sh -b
+ 
+ %if "%{_vendor}" == "redhat"
+ 	# This adds the proper /etc/rc*.d links for the script
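Review bot: shibboleth.spec.in is the RPM spec template and is not consulted by the FreeBSD port's configure, build or install, so this patch changes nothing in the resulting package and only enlarges the port's patch set. Unless there is a reason not visible here, dropping files/patch-shibboleth.spec.in keeps the change minimal.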
--- patch.txt ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


