commit: 0cfdb10442be996e94f64bfaca9ba08317ac0e39 |
Author: Hank Leininger <hlein <AT> korelogic <DOT> com> |
AuthorDate: Tue Feb 18 19:51:48 2020 +0000 |
Commit: Ulrich Müller <ulm <AT> gentoo <DOT> org> |
CommitDate: Wed Feb 19 20:25:35 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0cfdb104 |
|
net-misc/scponly: GLEP-81, fix sftp-server path, add maintainer |
|
Redone to address feedback in https://github.com/gentoo/gentoo/pull/14286 |
|
scponly's sftp support has been broken since profile 17.1's move |
from /usr/lib/ to /usr/lib64/; this includes the fix for that. |
|
Also moved scponly's creation of a chroot user behind a |
USE=chroot flag, as it's entirely usable if you are setting up |
your own chroots and do not need it to create one. |
|
Added myself as proxy maintainer. |
|
Signed-off-by: Hank Leininger <hlein <AT> korelogic.com> |
Closes: https://bugs.gentoo.org/701368 |
Package-Manager: Portage-2.3.84, Repoman-2.3.20 |
Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org> |
|
.../files/scponly-4.8-sftp-server-path.patch | 42 ++++ |
net-misc/scponly/metadata.xml | 10 +- |
net-misc/scponly/scponly-4.8-r7.ebuild | 245 +++++++++++++++++++++ |
3 files changed, 296 insertions(+), 1 deletion(-) |
|
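diff --git a/net-misc/scponly/files/scponly-4.8-sftp-server-path.patch b/net-misc/scponly/files/scponly-4.8-sftp-server-path.patch
new file mode 100644
index 00000000000..c191de87751
--- /dev/null
+++ b/net-misc/scponly/files/scponly-4.8-sftp-server-path.patch
@@ -0,0 +1,42 @@
+diff -urNp scponly-4.8-orig/configure scponly-4.8-dwok/configure
+--- scponly-4.8-orig/configure 2019-11-26 16:34:19.028544577 +0100
++++ scponly-4.8-dwok/configure 2019-11-26 16:33:24.571763528 +0100
+@@ -3244,7 +3244,7 @@ else
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+-as_dummy="`echo "$PATH:/usr/lib:/usr/lib64:/usr/libexec:/usr/libexec/openssh:/usr/lib/ssh:/usr/lib64/ssh:/usr/local/libexec:/usr/lib/misc:/usr/lib/openssh" | sed -e 's/:/ /'`"
++as_dummy="`echo "$PATH:/usr/lib:/usr/lib64:/usr/lib64/misc:/usr/libexec:/usr/libexec/openssh:/usr/lib/ssh:/usr/lib64/ssh:/usr/local/libexec:/usr/lib/misc:/usr/lib/openssh" | sed -e 's/:/ /'`"
+ for as_dir in $as_dummy
+ do
+ IFS=$as_save_IFS
+@@ -4240,7 +4240,7 @@ else
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+-as_dummy="`echo "$PATH:/usr/lib:/usr/lib/ssh:/usr/libexec/openssh:/usr/libexec:/usr/local/libexec" | sed -e 's/:/ /'`"
++as_dummy="`echo "$PATH:/usr/lib:/usr/lib64:/usr/lib64/misc:/usr/lib/ssh:/usr/libexec/openssh:/usr/libexec:/usr/local/libexec" | sed -e 's/:/ /'`"
+ for as_dir in $as_dummy
+ do
+ IFS=$as_save_IFS
+diff -urNp scponly-4.8-orig/configure.in scponly-4.8-dwok/configure.in
+--- scponly-4.8-orig/configure.in 2019-11-26 16:34:19.028544577 +0100
++++ scponly-4.8-dwok/configure.in 2019-11-26 16:33:28.491819749 +0100
+@@ -231,7 +231,7 @@ AC_ARG_ENABLE([quota-compat],
+
+ if test "x$scponly_scp_compat" != "x"; then
+ AC_MSG_NOTICE([enabling core WinSCP and Vanilla SCP binaries...])
+- SCPONLY_PATH_PROG_DEFINE([PROG_SFTP_SERVER], [sftp-server],[/usr/lib:/usr/lib64:/usr/libexec:/usr/libexec/openssh:/usr/lib/ssh:/usr/lib64/ssh:/usr/local/libexec:/usr/lib/misc:/usr/lib/openssh])
++ SCPONLY_PATH_PROG_DEFINE([PROG_SFTP_SERVER], [sftp-server],[/usr/lib:/usr/lib64:/usr/lib64/misc:/usr/libexec:/usr/libexec/openssh:/usr/lib/ssh:/usr/lib64/ssh:/usr/local/libexec:/usr/lib/misc:/usr/lib/openssh])
+ SCPONLY_PATH_PROG_DEFINE([PROG_LS], [ls], [/bin:/usr/bin:/sbin:/usr/sbin])
+ SCPONLY_PATH_PROG_DEFINE([PROG_SCP], [scp], [/bin:/usr/bin:/sbin:/usr/sbin])
+ SCPONLY_PATH_PROG_DEFINE([PROG_RM], [rm], [/bin:/usr/bin:/sbin:/usr/sbin])
+@@ -297,7 +297,7 @@ if test "x$scponly_sftp_compat" != "x";
+ if test "x$scponly_explicit_sftpserver_path" = "x"; then
+ dnl Informed guess:
+ SCPONLY_PATH_PROG_DEFINE([PROG_SFTP_SERVER], [sftp-server],
+- [/usr/lib:/usr/lib/ssh:/usr/libexec/openssh:/usr/libexec:/usr/local/libexec])
++ [/usr/lib:/usr/lib64:/usr/lib64/misc:/usr/lib/ssh:/usr/libexec/openssh:/usr/libexec:/usr/local/libexec])
+ dnl Debian uses /usr/lib
+ dnl Red Hat uses /usr/libexec/openssh
+ dnl Many a *BSD uses $PATH itself (which is implicit + checked 1st)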
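Review bot: The sftp-only search list (the second `as_dummy` line in configure and the "Informed guess" list in configure.in) gains `/usr/lib64/misc` but still has no `/usr/lib/misc`, while the scp-compat list carries both. On a profile whose libdir is `lib` (the ebuild keywords ~x86) that fallback search would not find `/usr/lib/misc/sftp-server`. This is masked only because the ebuild passes `--with-sftp-server` explicitly, which presumably sets `scponly_explicit_sftpserver_path` and skips the branch. Adding `/usr/lib/misc` to that list in both files would keep the two lists consistent; the enclosing configure blocks start and end outside these hunks.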
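diff --git a/net-misc/scponly/metadata.xml b/net-misc/scponly/metadata.xml
index cc5fae365f3..38864027ac1 100644
--- a/net-misc/scponly/metadata.xml
+++ b/net-misc/scponly/metadata.xml
@@ -1,7 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
- <!-- maintainer-needed -->
+ <maintainer type="person">
+ <email>hlein@×××××××××.com</email>
+ <name>Hank Leininger</name>
+ </maintainer>
+ <maintainer type="project">
+ <email>proxy-maint@g.o</email>
+ <name>Proxy Maintainers</name>
+ </maintainer>
 <longdescription lang="en">
 scponly is an alternative 'shell' (of sorts) for system administrators
 who would like to provide access to remote users to both read and write
@@ -10,6 +17,7 @@
 ssh suite of applications.
 </longdescription>
 <use>
+ <flag name="chroot">Enables adding and configuring an 'scponlyc' chrooted user</flag>
 <flag name="rsync">Enables rsync compatibility with potential security risks</flag>
 <flag name="unison">Enables Unison compatibility with potential security risks</flag>
 <flag name="subversion">Enables Subversion compatibility with potential security risks</flag>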
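diff --git a/net-misc/scponly/scponly-4.8-r7.ebuild b/net-misc/scponly/scponly-4.8-r7.ebuild
new file mode 100644
index 00000000000..8128ad5d15a
--- /dev/null
+++ b/net-misc/scponly/scponly-4.8-r7.ebuild
@@ -0,0 +1,245 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit multilib readme.gentoo-r1 toolchain-funcs
+
+DESCRIPTION="A tiny pseudoshell which only permits scp and sftp"
+HOMEPAGE="https://github.com/scponly/scponly"
+SRC_URI="mirror://sourceforge/scponly/${P}.tgz"
+
+LICENSE="BSD-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+IUSE="chroot +sftp scp winscp gftp rsync unison subversion wildcards quota passwd logging"
+REQUIRED_USE="
+ || ( sftp scp winscp rsync unison subversion )
+"
+
+RDEPEND="
+ sys-apps/sed
+ net-misc/openssh
+ chroot? ( acct-user/scponly acct-group/scponly )
+ quota? ( sys-fs/quota )
+ rsync? ( net-misc/rsync )
+ subversion? ( dev-vcs/subversion )
+ unison? ( net-misc/unison:= )
+"
+DEPEND="${RDEPEND}"
+
+PATCHES=(
+ "${FILESDIR}/${P}-rsync.patch"
+ "${FILESDIR}/${P}-gcc4.4.0.patch"
+ "${FILESDIR}/${P}-sftp-server-path.patch"
+)
+
+src_configure() {
+ CFLAGS="${CFLAGS} ${LDFLAGS}" econf \
+ --with-sftp-server="/usr/$(get_libdir)/misc/sftp-server" \
+ --disable-restrictive-names \
+ $(use_enable chroot chrooted-binary) \
+ $(use_enable chroot chrooted-checkdir) \
+ $(use_enable winscp winscp-compat) \
+ $(use_enable gftp gftp-compat) \
+ $(use_enable scp scp-compat) \
+ $(use_enable sftp sftp) \
+ $(use_enable quota quota-compat) \
+ $(use_enable passwd passwd-compat) \
+ $(use_enable rsync rsync-compat) \
+ $(use_enable unison unison-compat) \
+ $(use_enable subversion svn-compat) \
+ $(use_enable subversion svnserv-compat) \
+ $(use_enable logging sftp-logging-compat) \
+ $(use_enable wildcards wildcards)
+}
+
+src_compile() {
+ emake CC=$(tc-getCC)
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ dodoc AUTHOR BUILDING-JAILS.TXT CHANGELOG CONTRIB README SECURITY TODO
+
+ if use chroot ; then
+ local DOC_CONTENTS="You might want to run\n
+ emerge --config =${CATEGORY}/${PF}\n
+ \nto setup the chroot. Otherwise you will have to setup chroot
+ manually. Please read the docs in /usr/share/doc/${PF} for more
+ informations, also the SECURITY file."
+ ( docinto chroot; dodoc setup_chroot.sh config.h )
+ # don't compress setup-script, so it is usable if necessary
+ docompress -x /usr/share/doc/${PF}/chroot
+ readme.gentoo_create_doc
+ fi
+}
+
+pkg_config() {
+ if ! use chroot ; then
+ einfo "USE=chroot not enabled, nothing to configure."
+ return
+ fi
+
+ myuser="scponly"
+ myhome="/var/chroot/${myuser}"
+ mysubdir="/pub"
+
+ # pkg_postinst is based on ${S}/setup_chroot.sh.
+
+ einfo "Collecting binaries and libraries..."
+
+ # Binaries launched in sftp compat mode
+ if has_version "=${CATEGORY}/${PF}[sftp]" ; then
+ BINARIES="/usr/$(get_libdir)/misc/sftp-server"
+ fi
+
+ # Binaries launched by vanilla- and WinSCP modes
+ if has_version "=${CATEGORY}/${PF}[scp]" || \
+ has_version "=${CATEGORY}/${PF}[winscp]" ; then
+ BINARIES="${BINARIES} /usr/bin/scp /bin/ls /bin/rm /bin/ln /bin/mv"
+ BINARIES="${BINARIES} /bin/chmod /bin/chown /bin/chgrp /bin/mkdir /bin/rmdir"
+ fi
+
+ # Binaries launched in WinSCP compatibility mode
+ if has_version "=${CATEGORY}/${PF}[winscp]" ; then
+ BINARIES="${BINARIES} /bin/pwd /bin/groups /usr/bin/id /bin/echo"
+ fi
+
+ # Rsync compatability mode
+ if has_version "=${CATEGORY}/${PF}[rsync]" ; then
+ BINARIES="${BINARIES} /usr/bin/rsync"
+ fi
+
+ # Unison compatability mode
+ if has_version "=${CATEGORY}/${PF}[unison]" ; then
+ BINARIES="${BINARIES} /usr/bin/unison"
+ fi
+
+ # subversion cli/svnserv compatibility
+ if has_version "=${CATEGORY}/${PF}[subversion]" ; then
+ BINARIES="${BINARIES} /usr/bin/svn /usr/bin/svnserve"
+ fi
+
+ # passwd compatibility
+ if has_version "=${CATEGORY}/${PF}[passwd]" ; then
+ BINARIES="${BINARIES} /usr/bin/passwd"
+ fi
+
+ # quota compatibility
+ if has_version "=${CATEGORY}/${PF}[quota]" ; then
+ BINARIES="${BINARIES} /usr/bin/quota"
+ fi
+
+ # build lib dependencies
+ LIB_LIST=$(ldd ${BINARIES} | sed -n 's:.* => \(/[^ ]\+\).*:\1:p' | sort -u)
+
+ # search and add ld*.so
+ for LIB in /$(get_libdir)/ld.so /libexec/ld-elf.so /libexec/ld-elf.so.1 \
+ /usr/libexec/ld.so /$(get_libdir)/ld-linux*.so.2 /usr/libexec/ld-elf.so.1; do
+ [ -f "${LIB}" ] && LIB_LIST="${LIB_LIST} ${LIB}"
+ done
+
+ # search and add libnss_*.so
+ for LIB in /$(get_libdir)/libnss_{compat,files}*.so.*; do
+ [ -f "${LIB}" ] && LIB_LIST="${LIB_LIST} ${LIB}"
+ done
+
+ # create base dirs
+ if [ ! -d "${myhome}" ]; then
+ die "Home '${myhome}' should have been created by acct-user but does not exist."
+ else
+ einfo "Setting owner for ${myhome}"
+ chown 0:0 "${myhome}"
+ fi
+
+ if [ ! -d "${myhome}/etc" ]; then
+ einfo "Creating ${myhome}/etc"
+ install -o0 -g0 -m0755 -d "${myhome}/etc"
+ fi
+
+ if [ ! -d "${myhome}/$(get_libdir)" ]; then
+ einfo "Creating ${myhome}/$(get_libdir)"
+ install -o0 -g0 -m0755 -d "${myhome}/$(get_libdir)"
+ fi
+
+ if [ ! -e "${myhome}/lib" ]; then
+ einfo "Creating ${myhome}/lib"
+ ln -snf $(get_libdir) "${myhome}/lib"
+ fi
+
+ if [ ! -d "${myhome}/usr/$(get_libdir)" ]; then
+ einfo "Creating ${myhome}/usr/$(get_libdir)"
+ install -o0 -g0 -m0755 -d "${myhome}/usr/$(get_libdir)"
+ fi
+
+ if [ ! -e "${myhome}/usr/lib" ]; then
+ einfo "Creating ${myhome}/usr/lib"
+ ln -snf $(get_libdir) "${myhome}/usr/lib"
+ fi
+
+ if [ ! -d "${myhome}${mysubdir}" ]; then
+ einfo "Creating ${myhome}${mysubdir} directory for uploading files"
+ install -o${myuser} -g${myuser} -m0755 -d "${myhome}${mysubdir}"
+ fi
+
+ # create /dev/null (Bug 135505)
+ if [ ! -e "${myhome}/dev/null" ]; then
+ install -o0 -g0 -m0755 -d "${myhome}/dev"
+ mknod -m0777 "${myhome}/dev/null" c 1 3
+ fi
+
+ # install binaries
+ for BIN in ${BINARIES}; do
+ einfo "Install ${BIN}"
+ install -o0 -g0 -m0755 -d "${myhome}$(dirname ${BIN})"
+ if [ "${BIN}" = "/usr/bin/passwd" ]; then # needs suid
+ install -p -o0 -g0 -m04711 "${BIN}" "${myhome}/${BIN}"
+ else
+ install -p -o0 -g0 -m0755 "${BIN}" "${myhome}/${BIN}"
+ fi
+ done
+
+ # install libs
+ for LIB in ${LIB_LIST}; do
+ einfo "Install ${LIB}"
+ install -o0 -g0 -m0755 -d "${myhome}$(dirname ${LIB})"
+ install -p -o0 -g0 -m0755 "${LIB}" "${myhome}/${LIB}"
+ done
+
+ # create ld.so.conf
+ einfo "Creating /etc/ld.so.conf"
+ for LIB in ${LIB_LIST}; do
+ dirname ${LIB}
+ done | sort -u | while read DIR; do
+ if ! grep 2>/dev/null -q "^${DIR}$" "${myhome}/etc/ld.so.conf"; then
+ echo "${DIR}" >> "${myhome}/etc/ld.so.conf"
+ fi
+ done
+ ldconfig -r "${myhome}"
+
+ # update shells
+ einfo "Updating /etc/shells"
+ grep 2>/dev/null -q "^/usr/bin/scponly$" /etc/shells \
+ || echo "/usr/bin/scponly" >> /etc/shells
+
+ grep 2>/dev/null -q "^/usr/sbin/scponlyc$" /etc/shells \
+ || echo "/usr/sbin/scponlyc" >> /etc/shells
+
+ # create /etc/passwd
+ if [ ! -e "${myhome}/etc/passwd" ]; then
+ (
+ echo "root:x:0:0:root:/:/bin/sh"
+ sed -n "s|^\(${myuser}:[^:]*:[^:]*:[^:]*:[^:]*:\).*|\1${mysubdir}:/bin/sh|p" /etc/passwd
+ ) > "${myhome}/etc/passwd"
+ fi
+
+ # create /etc/group
+ if [ ! -e "${myhome}/etc/group" ]; then
+ (
+ echo "root:x:0:"
+ sed -n "s|^\(${myuser}:[^:]*:[^:]*:\).*|\1|p" /etc/group
+ ) > "${myhome}/etc/group"
+ fi
+}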
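Review bot: The external commands that build the jail in pkg_config (`chown`, `install`, `mknod`, `ln`, `ldconfig`, and the redirects that write `etc/passwd` and `etc/group`) have no `|| die`, so a failure leaves a partly populated chroot whose ownership and modes were never applied while the function still returns success; only ebuild helpers die on their own, so each should end like `chown 0:0 "${myhome}" || die`. The device node is created with execute bits it does not need; `mknod -m0666 "${myhome}/dev/null" c 1 3 || die` matches the usual mode for /dev/null. The binaries and libraries, including the setuid copy of `/usr/bin/passwd`, are copied into the jail, so they stay at the copied version until pkg_config is run again; DOC_CONTENTS should tell the admin to re-run `emerge --config` after openssh, glibc or any other copied package is updated. `BINARIES`, `LIB_LIST`, `myuser`, `myhome` and `mysubdir` should be declared `local`, because `BINARIES` is appended to before it is necessarily assigned and would otherwise pick up a value from the environment.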