Date: Tue, 30 Jan 2007 22:29:43 +0000 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Pav Lucistnik <pav@FreeBSD.org> Cc: freebsd-ports-bugs@FreeBSD.org Subject: Re: ports/108502: [maintainer] textproc/sphinxsearch -- run as unprivileged user Message-ID: <20070130222943.GA52351@happy-idiot-talk.infracaninophile.co.uk> In-Reply-To: <200701302047.l0UKlmtS005404@freefall.freebsd.org> References: <200701302047.l0UKlmtS005404@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jan 30, 2007 at 08:47:48PM +0000, Pav Lucistnik wrote: > Synopsis: [maintainer] textproc/sphinxsearch -- run as unprivileged user >=20 > State-Changed-From-To: open->feedback > State-Changed-By: pav > State-Changed-When: Tue Jan 30 20:40:10 UTC 2007 > State-Changed-Why:=20 > Looks great, but, would you mind selecting a fixed UID and GID, modifying= the > pkg-install script to always use them, and prepare a patch to record them= in > /usr/ports/UIDs,GIDs files? >=20 >=20 > Responsible-Changed-From-To: freebsd-ports-bugs->pav > Responsible-Changed-By: pav > Responsible-Changed-When: Tue Jan 30 20:40:10 UTC 2007 > Responsible-Changed-Why:=20 > Take >=20 > http://www.freebsd.org/cgi/query-pr.cgi?pr=3D108502 No problem. I chose uid/gid 312 because searchd default to listening on port 3312, and I changed the user/group name to _sphinx. --- /usr/ports/UIDs Sun Jan 28 05:01:59 2007 +++ UIDs Tue Jan 30 22:26:49 2007 @@ -88,6 +88,7 @@ smx:*:264:264:Sendmail X other:/nonexistent:/sbin/nologin hacluster:*:275:275:Heartbeat cluster user:/nonexistent:/sbin/nologin mrtg:*:279:279:MRTG daemon:/nonexistent:/sbin/nologin +_sphinx:*:312:312::0:0:Sphinxsearch Owner:/nonexistent:/sbin/nologin dkfilter:*:325:325:DK Filter Owner:/nonexistent:/sbin/nologin wildfire:*:340:340::0:0:Wildfire Daemon:/nonexistent:/sbin/nologin ldap:*:389:389:OpenLDAP Server:/nonexistent:/sbin/nologin --- /usr/ports/GIDs Sun Jan 28 05:01:59 2007 +++ GIDs Tue Jan 30 22:27:01 2007 @@ -77,6 +77,7 @@ smx:*:264: haclient:*:275: mrtg:*:279: +_sphinx:*:312: dkfilter:*:325: wildfire:*:340: ldap:*:389: diff -Nur /usr/ports/textproc/sphinxsearch/Makefile sphinxsearch/Makefile --- /usr/ports/textproc/sphinxsearch/Makefile Sat Dec 16 17:37:51 2006 +++ sphinxsearch/Makefile Tue Jan 30 22:16:10 2007 @@ -5,10 +5,11 @@ # $FreeBSD: ports/textproc/sphinxsearch/Makefile,v 1.2 2006/12/16 12:06:14= miwi Exp $ # # Note: the Sphinx Storage Engine MySQL plugin is not supported by -# this port at the moment. Maybe later. +# this port. You need a patched version of mysql server for that. =20 PORTNAME=3D sphinxsearch PORTVERSION=3D 0.9.7.r2 +PORTREVISION=3D 1 CATEGORIES=3D textproc databases MASTER_SITES=3D http://www.sphinxsearch.com/downloads/ DISTNAME=3D sphinx-${PORTVERSION:C@\.r([0-9]+)$@-rc\1@} @@ -20,6 +21,14 @@ PGSQL "PostgreSQL support" off \ OPTIMIZED_CFLAGS "Use compiler optimization (-O3)" off =20 +SPHINX_USR?=3D _sphinx +SPHINX_UID?=3D 312 +SPHINX_GRP?=3D _sphinx +SPHINX_GID?=3D 312 +SPHINX_DIR?=3D /var/db/${PORTNAME} +SPHINX_RUN?=3D /var/run/${PORTNAME} +SPHINX_LOG?=3D /var/log/${PORTNAME} + # Yes, the conflation of CPPFLAGS and CXXFLAGS is deliberate. No, # don't ask. =20 @@ -28,8 +37,17 @@ CONFIGURE_ENV+=3D CC=3D${CC} CPPFLAGS=3D"${CXXFLAGS}" CFGFILE=3D ${PREFIX}/etc/sphinx.conf USE_RC_SUBR=3D sphinxsearch.sh -SUB_LIST+=3D PORTNAME=3D${PORTNAME} \ - CFGFILE=3D${CFGFILE} +SUB_LIST+=3D PORTNAME=3D${PORTNAME} \ + CFGFILE=3D${CFGFILE} \ + SPHINX_USR=3D${SPHINX_USR} \ + SPHINX_UID=3D${SPHINX_UID} \ + SPHINX_GRP=3D${SPHINX_GRP} \ + SPHINX_GID=3D${SPHINX_GID} \ + SPHINX_DIR=3D${SPHINX_DIR} \ + SPHINX_RUN=3D${SPHINX_RUN} \ + SPHINX_LOG=3D${SPHINX_LOG} +SUB_FILES+=3D pkg-install pkg-deinstall + .if !defined(NOPORTDOCS) EXAMPLES=3D example.sql api/sphinxapi.php api/test.php api/test2.php DOCS=3D doc/sphinx.css doc/sphinx.html doc/sphinx.txt doc/sphinx.xml @@ -62,12 +80,15 @@ =20 post-patch: ${REINPLACE_CMD} \ - -e 's!@CONFDIR@/log/searchd.pid!/var/run/searchd.pid!' \ - -e 's!@CONFDIR@/log/query.log!/var/log/sphinx-query.log!' \ - -e 's!@CONFDIR@/log/searchd.log!/var/log/searchd.log!' \ - -e 's!@CONFDIR@!/var/db/sphinxsearch!' \ + -e "s!@CONFDIR@/log/searchd.pid!${SPHINX_RUN}/searchd.pid!" \ + -e "s!@CONFDIR@/log/query.log!${SPHINX_LOG}/sphinx-query.log!" \ + -e "s!@CONFDIR@/log/searchd.log!${SPHINX_LOG}/searchd.log!" \ + -e "s!@CONFDIR@!${SPHINX_DIR}!" \ ${WRKSRC}/sphinx.conf.in =20 +pre-install: + @${SETENV} ${SCRIPTS_ENV} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL + do-install: install-bin install-docs install-examples =20 install-bin: @@ -92,7 +113,10 @@ .endfor .endif =20 -post-install: +post-install: post-install-cfg + @${SETENV} ${SCRIPTS_ENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL + +post-install-cfg: @if [ ! -f ${CFGFILE} ]; then \ ${CP} -p ${CFGFILE}.sample ${CFGFILE} ; \ fi diff -Nur /usr/ports/textproc/sphinxsearch/files/pkg-deinstall.in sphinxsea= rch/files/pkg-deinstall.in --- /usr/ports/textproc/sphinxsearch/files/pkg-deinstall.in Thu Jan 1 01:0= 0:00 1970 +++ sphinxsearch/files/pkg-deinstall.in Sun Jan 28 23:21:02 2007 @@ -0,0 +1,32 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +sphinx_usr=3D%%SPHINX_USR%% +sphinx_grp=3D%%SPHINX_GRP%% +sphinx_dir=3D%%SPHINX_DIR%% +sphinx_name=3D%%PORTNAME%% + +case $2 in + POST-DEINSTALL) + + cat <<EOMSG + +The $sphinx_name port has been deleted. If you are not +upgrading and don't intend to use $sphinx_name any more +then you may wish to delete the $sphinx_usr account, +and the $sphinx_grp group together with the working +directory $sphinx_dir; which can be done with the +following commands: + + # pw userdel -n $sphinx_usr + # rm -rf $sphinx_dir +EOMSG + echo + ;; +esac + +# +# That's All Folks! +# diff -Nur /usr/ports/textproc/sphinxsearch/files/pkg-install.in sphinxsearc= h/files/pkg-install.in --- /usr/ports/textproc/sphinxsearch/files/pkg-install.in Thu Jan 1 01:00:= 00 1970 +++ sphinxsearch/files/pkg-install.in Tue Jan 30 22:18:31 2007 @@ -0,0 +1,123 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +PATH=3D/usr/sbin:/usr/bin:/bin ; export PATH + +sphinx_dir=3D%%SPHINX_DIR%% +sphinx_usr=3D%%SPHINX_USR%% +sphinx_uid=3D%%SPHINX_UID%% +sphinx_grp=3D%%SPHINX_GRP%% +sphinx_gid=3D%%SPHINX_GID%% +sphinx_run=3D%%SPHINX_RUN%% +sphinx_log=3D%%SPHINX_LOG%% +sphinx_name=3D%%PORTNAME%% + +sphinx_gcos=3D"Sphinxsearch Owner" +sphinx_home=3D/nonexistent +sphinx_shell=3D/sbin/nologin + +create_group() { + local user uid group gid gcos home shell + + user=3D$1 + uid=3D$2 + group=3D$3 + gid=3D$4 + gcos=3D$5 + home=3D$6 + shell=3D$7 + + if pw groupadd -n $group -g $gid ; then + echo "=3D=3D=3D> Group $group created" + else + cat <<-EOERRORMSG + *** Failed to create the $group group. + + Please add the $user user and $group group + manually with the commands: + + pw groupadd -n $group -g $gid + pw useradd -n $user -u $uid -g $group -c "$gcos" \\ + -d $home -s $shell -h - + + and retry installing this package. + EOERRORMSG + exit 1 + fi +} + + +create_user() { + local user uid group gid gcos home shell + + user=3D$1 + uid=3D$2 + group=3D$3 + gid=3D$4 + gcos=3D$5 + home=3D$6 + shell=3D$7 + + if pw useradd -n $user -u $uid -g $group -c "$gcos" -d $home \\ + -s $shell -h - ; then + echo "=3D=3D=3D> Created $user user" + else + cat <<-EOERRORMSG + *** Failed to create the $user user. + + Please add the $user user manually with the command: + + pw useradd -n $user -u $uid -g $group -c "$gcos" \\ + -d $home -s $shell -h - + + and retry installing this package. + EOERRORMSG + exit 1 + fi +} + + +case $2 in + PRE-INSTALL) + + # Create the sphinx user and group if they do not already exist + + if pw user show -n $sphinx_usr >/dev/null 2>&1 ; then + echo "=3D=3D=3D> Using pre-existing user $sphinx_usr" + else + if ! pw group show -n $sphinx_grp >/dev/null 2>&1 ; then + create_group $sphinx_usr $sphinx_uid $sphinx_grp $sphinx_gid \ + "$sphinx_gcos" $sphinx_home $sphinx_shell + fi + create_user $sphinx_usr $sphinx_uid $sphinx_grp $sphinx_gid \ + "$sphinx_gcos" $sphinx_home $sphinx_shell + fi + ;; + POST-INSTALL) + + # Create and set ownership of the Sphinx working directory + if [ -d $sphinx_dir ]; then + echo "=3D=3D> Using pre-existing directory $sphinx_dir" + else + echo "=3D=3D> Creating the Sphinx working directory: $sphinx_dir" + mkdir -m 755 $sphinx_dir || exit 1 + fi + + # Create and set ownership of the Sphinx data directory + if [ -d $sphinx_dir/data ]; then + echo "=3D=3D> Using pre-existing directory $sphinx_dir/data" + else + echo "=3D=3D> Creating the Sphinx data directory: $sphinx_dir/data" + mkdir -m 755 $sphinx_dir/data || exit 1 + fi + + echo "=3D=3D=3D> Adjusting file ownership in $sphinx_dir" + chown -R $sphinx_usr:$sphinx_grp $sphinx_dir || exit 1 + ;; +esac + +# +# That's All Folks! +# diff -Nur /usr/ports/textproc/sphinxsearch/files/pkg-install.in~ sphinxsear= ch/files/pkg-install.in~ --- /usr/ports/textproc/sphinxsearch/files/pkg-install.in~ Thu Jan 1 01:00= :00 1970 +++ sphinxsearch/files/pkg-install.in~ Tue Jan 30 22:13:46 2007 @@ -0,0 +1,123 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +PATH=3D/usr/sbin:/usr/bin:/bin ; export PATH + +sphinx_dir=3D%%SPHINX_DIR%% +sphinx_usr=3D%%SPHINX_USR%% +sphinx_uid=3D%%SPHINX_UID%% +sphinx_grp=3D%%SPHINX_GRP%% +sphinx_gid=3D%%SPHINX_GID%% +sphinx_run=3D%%SPHINX_RUN%% +sphinx_log=3D%%SPHINX_LOG%% +sphinx_name=3D%%PORTNAME%% + +sphinx_gcos=3D"Sphinxsearch Owner" +sphinx_home=3D/nonexistent +sphinx_shell=3D/sbin/nologin + +create_group() { + local user uid group gid gcos home shell + + user=3D$1 + uid=3D$2 + group=3D$3 + gid=3D$4 + gcos=3D$5 + home=3D$6 + shell=3D$7 + + if pw groupadd -n $group -g $gid ; then + echo "=3D=3D=3D> Group $group created" + else + cat <<-EOERRORMSG + *** Failed to create the $group group. + + Please add the $user user and $group group + manually with the commands: + + pw groupadd -n $group -g $gid + pw useradd -n $user -u $uid -g $group -c "$gcos" \\ + -d $home -s $shell -h - + + and retry installing this package. + EOERRORMSG + exit 1 + fi +} + + +create_user() { + local user uid group gid gcos home shell + + user=3D$1 + uid=3D$2 + group=3D$3 + gid=3D$4 + gcos=3D$5 + home=3D$6 + shell=3D$7 + + if pw useradd -n $user -u $uid -g $group -c "$gcos" -d $home \\ + -s $shell -h - ; then + echo "=3D=3D=3D> Created $user user" + else + cat <<-EOERRORMSG + *** Failed to create the $user user. + + Please add the $user user manually with the command: + + pw useradd -n $user -u $uid -g $group -c "$gcos" \\ + -d $home -s $shell -h - + + and retry installing this package. + EOERRORMSG + exit 1 + fi +} + + +case $2 in + PRE-INSTALL) + + # Create the sphinx user and group if they do not already exist + + if pw user show -n $sphinx_usr >/dev/null 2>&1 ; then + echo "=3D=3D=3D> Using pre-existing user $sphinx_usr" + else + if ! pw group show -n $sphinx_grp >/dev/null 2>&1 ; then + create_group $sphinx_usr $sphinx_uid $sphinx_grp $sphinx_gid \ + "$sphinx_gcos" $sphinx_home $sphinx_shell + fi + create_user $sphinx_usr $sphinx_uid $sphinx_grp $sphinx_gid \ + "$sphinx_gcos" $sphinx_home $sphinx_shel + fi + ;; + POST-INSTALL) + + # Create and set ownership of the Sphinx working directory + if [ -d $sphinx_dir ]; then + echo "=3D=3D> Using pre-existing directory $sphinx_dir" + else + echo "=3D=3D> Creating the Sphinx working directory: $sphinx_dir" + mkdir -m 755 $sphinx_dir || exit 1 + fi + + # Create and set ownership of the Sphinx data directory + if [ -d $sphinx_dir/data ]; then + echo "=3D=3D> Using pre-existing directory $sphinx_dir/data" + else + echo "=3D=3D> Creating the Sphinx data directory: $sphinx_dir/data" + mkdir -m 755 $sphinx_dir/data || exit 1 + fi + + echo "=3D=3D=3D> Adjusting file ownership in $sphinx_dir" + chown -R $sphinx_usr:$sphinx_grp $sphinx_dir || exit 1 + ;; +esac + +# +# That's All Folks! +# diff -Nur /usr/ports/textproc/sphinxsearch/files/sphinxsearch.sh.in sphinxs= earch/files/sphinxsearch.sh.in --- /usr/ports/textproc/sphinxsearch/files/sphinxsearch.sh.in Sat Nov 18 22= :54:07 2006 +++ sphinxsearch/files/sphinxsearch.sh.in Sun Jan 28 23:45:56 2007 @@ -15,11 +15,16 @@ # # %%PORTNAME%%_conffile=3D"%%CFGFILE%%" # -- path to config file -# %%PORTNAME%%_pidfile=3D"/var/run/searchd.pid" +# %%PORTNAME%%_pidfile=3D"%%SPHINX_RUN%%/searchd.pid" # -- location of pidfile: must match setting # in ${%%PORTNAME%%_conffile} +# %%PORTNAME%%_user=3D"%%SPHINX_USR%%" +# -- user to run searchd as +# %%PORTNAME%%_group=3D"%%SPHINX_GRP%%" +# -- group to run searchd as +# %%PORTNAME%%_logdir=3D"%%SPHINX_LOG%%" +# -- directory searchd writes logs to # - . /etc/rc.subr =20 name=3D%%PORTNAME%% @@ -27,12 +32,31 @@ =20 %%PORTNAME%%_enable=3D${%%PORTNAME%%_enable-"NO"} %%PORTNAME%%_conffile=3D${%%PORTNAME%%_conffile-"%%CFGFILE%%"} -%%PORTNAME%%_pidfile=3D${%%PORTNAME%%_pidfile-"/var/run/searchd.pid"} +%%PORTNAME%%_pidfile=3D${%%PORTNAME%%_pidfile-"%%SPHINX_RUN%%/searchd.pid"} +%%PORTNAME%%_user=3D${%%PORTNAME%%_user-"%%SPHINX_USR%%"} +%%PORTNAME%%_group=3D${%%PORTNAME%%_group-"%%SPHINX_GRP%%"} +%%PORTNAME%%_logdir=3D${%%PORTNAME%%_logdir-"%%SPHINX_LOG%%"} + +start_precmd=3D"create_dirs" =20 command=3D%%PREFIX%%/sbin/searchd pidfile=3D${%%PORTNAME%%_pidfile} required_files=3D${%%PORTNAME%%_conffile} %%PORTNAME%%_flags=3D"--config ${%%PORTNAME%%_conffile}" + +create_dirs () +{ + piddir=3D$(dirname ${%%PORTNAME%%_pidfile}) + if [ ! -d ${piddir} ]; then + mkdir -m 755 -p ${piddir} + chown -R ${%%PORTNAME%%_user}:${%%PORTNAME%%_group} ${piddir} + fi + if [ ! -d ${%%PORTNAME%%_logdir} ]; then + mkdir -m 755 -p ${%%PORTNAME%%_logdir} + chown -R ${%%PORTNAME%%_user}:${%%PORTNAME%%_group} \ + ${%%PORTNAME%%_logdir} + fi +} =20 load_rc_config ${name} run_rc_command "$1" --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070130222943.GA52351>