- Update documentation.

- Sanitize install script.
- Bump PORTREVISION.

Submitted by:		MAINTAINER

10 files changed, 294 insertions, 111 deletions

diff --git a/security/sfs/Makefile b/security/sfs/Makefile
index 6912dd4a81a5..79bc65b8ed78 100644
--- a/security/sfs/Makefile
+++ b/security/sfs/Makefile
@@ -1,5 +1,5 @@
 # Ports collection makefile for:	sfs
-# Date created:				Thu Jul  4 2002
+# Date created:				2002-07-11
 # Whom:					Michael Handler <handler@grendel.net>
 #					Matthew Dodd <winter@jurai.net>
 #
@@ -8,7 +8,7 @@
 
 PORTNAME=	sfs
 PORTVERSION=	0.6
-PORTREVISION=	0
+PORTREVISION=	1
 CATEGORIES=	security net
 MASTER_SITES=	http://www.fs.net/sfs/new-york.lcs.mit.edu:85xq6pznt4mgfvj4mb23x6b8adak55ue/pub/sfswww/dist/
 
@@ -65,8 +65,9 @@ post-install:
 	${MKDIR} ${PREFIX}/etc/sfs
 	${INSTALL_DATA} ${FILESDIR}/etc-sfsrwsd_config.sample ${PREFIX}/etc/sfs/sfsrwsd_config.sample
 	${MKDIR} ${PREFIX}/share/doc/sfs
-	${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/sfs/
-	${INSTALL_DATA} ${FILESDIR}/share-doc-README.config ${PREFIX}/share/doc/sfs/README.config
+	${INSTALL_DATA} ${FILESDIR}/share-doc-WELCOME ${PREFIX}/share/doc/sfs/WELCOME
+	${INSTALL_DATA} ${FILESDIR}/share-doc-README ${PREFIX}/share/doc/sfs/README
+	${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/sfs/README.packageblurb
 	PKG_PREFIX=${PREFIX} ${SH} pkg-install ${PKGNAME} POST-INSTALL
 
 .include <bsd.port.post.mk>
diff --git a/security/sfs/files/etc-sfsrwsd_config.sample b/security/sfs/files/etc-sfsrwsd_config.sample
index d60f032a305d..25845949cb34 100644
--- a/security/sfs/files/etc-sfsrwsd_config.sample
+++ b/security/sfs/files/etc-sfsrwsd_config.sample
@@ -1,25 +1,8 @@
-# To set up your own SFS server, copy this file (sfsrwsd_config.sample)
-# to sfsrwsd_config, and add any necessary lines. For most installations,
-# you only need to add Export lines for any directories you want to
-# export; the hostname should be picked up automatically from your
-# system unless you're doing something complex, and the keyfile path is
-# already set correctly from the port.
+# To configure sfsrwsd (part of the SFS server subsystem), copy this file
+# (sfsrwsd_config.sample) to sfsrwsd_config and edit as necessary.
 #
-# N.B.: any directories exported in an Export statement must also be
-# exported to localhost via NFS, and must follow all NFS export rules,
-# i.e. no symlinks in the exported directory pathname, the exported
-# path must be absolute to the physical mount point. If you want to
-# export /usr/ports via SFS, and /usr/ports is really a symlink to
-# /vol/h0/ports, you have to use:
-#
-#    Export /vol/h0/ports /ports
-#
-# not:
-#
-#    Export /usr/ports /ports
-#
-# And then /vol/h0/ports must be added to /etc/export, rather than
-# /usr/ports.
+# Normally, it should not be necessary for you to specify Hostname
+# or Keyfile options, only Export statements.
 #
 # Configuration reference:
 #
@@ -39,7 +22,7 @@
 # to an export directive gives anonymous users read-only access to
 # the file system (under user ID -2 and group ID -2). Appending W
 # gives anonymous users both read and write access. See Quick server
-# setup, for an example of the Export directive.  There is almost no
+# setup, for an example of the Export directive. There is almost no
 # reason to use the W flag. The R flag lets anyone on the Internet
 # issue NFS calls to your kernel as user -2. SFS filters these calls;
 # it makes sure that they operate on files covered by the export
diff --git a/security/sfs/files/share-doc-README b/security/sfs/files/share-doc-README
new file mode 100644
index 000000000000..0feff27b0f75
--- /dev/null
+++ b/security/sfs/files/share-doc-README
@@ -0,0 +1,195 @@
+*** Notes on SFS configuration:
+
+SFS is a complex system to configure, and cannot be adequately
+described in these limited files. It is strongly suggested that you
+read the SFS documentation on <URL://www.fs.net/> before configuring
+any of the various programs. A limited roadmap is provided for
+reference here, but that is no substitute for a reading of the full
+documentation. GNU info documentation ("info sfs") and manual pages
+are installed as well.
+
+The various programs in the SFS package are configured via files
+in two directories: /usr/local/share/sfs/ (henceforth "share/sfs")
+and /usr/local/etc/sfs (henceforth "etc/sfs"). The port installs
+various configuration files into share/sfs directly from the
+compilation of the SFS package. These files should never be edited
+directly; they can be overridden by the creation of new files in
+etc/sfs, as detailed below.
+
+*** IMPORTANT SECURITY NOTE:
+
+SFS operates by interfacing with NFS processes on localhost
+(127.0.0.1). While every effort is taken to insure security, NFS
+is a large subsystem with a long history of security problems.
+Utilizing SFS thus may expose you to NFS-related problems and
+attacks. It is strongly suggested that you read and ponder the
+security considerations section of the SFS documentation before
+setting up an SFS client or server. Additionally, it is STRONGLY
+suggested that you set up a software firewall on any SFS client or
+server machine to block unauthorized traffic to NFS-related programs
+from other machines to the non-localhost IP addresses of your
+machine. Discussions of how best to do this are outside the scope
+of this document; consult your local guru, users group, mailing
+list, or search engine.
+
+*** Starting the SFS daemons (client and server):
+
+There are sample startup files for sfscd and sfssd in /usr/local/etc/rc.d,
+under the name sfscd.sh.sample and sfssd.sh.sample respectively.
+These startup files are not enabled by default. Copy the files to
+sfscd.sh or sfssd.sh to enable sfscd or sfssd (respectively) on
+system boot.
+
+sfscd and sfssd also run nicely under Daniel Bernstein's daemontools
+package (/usr/ports/sysutils/daemontools or
+<URL:http://cr.yp.to/daemontools.html>); the -d flag makes the main
+process stay in the foreground, and sends logs to stderr for easy
+processing by multilog.
+
+*** Setting up an SFS client
+
+1) Set up sfscd to start on boot, via /usr/local/etc/rc.d/sfscd.sh or
+   some other method of your preference.
+
+2) Put the following line into /etc/rc.conf:
+
+nfs_client_enable="YES"
+
+3) Set up a firewall to prevent NFS traffic from outside the machine from
+   contacting your NFS processes.
+
+4) Reboot. You should now have a working SFS client, which you can test
+   via the following command:
+
+$ cat /sfs/sfs.fs.net:eu4cvv6wcnzscer98yn4qjpjnn9iv6pi/CONGRATULATIONS
+You have set up a working SFS client.
+
+*** Setting up an SFS server
+
+(You do not need to set up an SFS host key on the server machine;
+the port installation does this for you in
+/usr/local/etc/sfs/sfs_host_key.)
+
+1) Set up sfssd to start on boot, via /usr/local/etc/rc.d/sfssd.sh or
+   some other method of your preference.
+
+2) Put the following lines into /etc/rc.conf:
+
+mountd_flags=""
+nfs_reserved_port_only="YES"
+nfs_server_enable="YES"
+portmap_enable="YES"
+
+   If the following line occurs in /etc/rc.conf, remove it:
+
+weak_mountd_authentication="YES"
+
+3) Set up a firewall to prevent NFS traffic from outside the machine from
+   contacting your NFS processes.
+
+4) Create a suitable /usr/local/etc/sfs/sfsrwsd_config file, e.g.:
+
+Export /root/sfsroot / R
+Export /usr/src /src R
+Export /usr/ports /ports R
+Export /local/baz /local/baz
+
+5) Add any local filesystems that are being exported to /etc/exports, and
+   export them to localhost, e.g.:
+
+/root/sfsroot 127.0.0.1
+/usr/src /usr/ports 127.0.0.1
+/local/baz 127.0.0.1
+
+   NOTA BENE: any directories exported via SFS must follow all NFS
+   export rules, i.e. no symlinks in the exported directory pathname,
+   the exported path must be absolute to the physical mount point. If
+   you want to export /usr/ports via SFS, and /usr/ports is really a
+   symlink to /vol/h0/ports, you have to use:
+
+Export /vol/h0/ports /ports
+
+   not:
+
+Export /usr/ports /ports
+
+   Similarly, /etc/exports must reference /vol/h0/ports rather than
+   /usr/ports.
+
+6) Make an empty directory structure mirroring your SFS namespace, e.g.:
+
+# mkdir /root/sfsroot
+# mkdir /root/sfsroot/src
+# mkdir /root/sfsroot/ports
+# mkdir /root/sfsroot/local
+# mkdir /root/sfsroot/local/baz
+
+7) Reboot. You should now have a working SFS server. sfssd will emit a
+   message into /var/log/messages like the following:
+
+sfsrwsd: serving <hostname>:<SFS key>
+
+   From a DIFFERENT machine with an SFS client already installed
+   and running, attempt to access /sfs/<hostname>:<SFS key>. Note
+   that the SFS client machine will have to be able to connect to
+   TCP port 4 on the SFS server machine. Note also that you must
+   test your SFS server from a separate SFS client machine to avoid
+   deadlock issues; see the SFS documentation for more details.
+
+   If your server setup has been successful, the client machine
+   should be able to see src, ports, and local/baz in the root
+   directory of the SFS mount.
+
+8) Consider using your machine's firewall to restrict who has access
+   to your SFS server by restricting access to TCP port 4.
+
+Advanced SFS server configurations, such as user authentication,
+is outside the scope of this document. Read the full SFS documentation
+for details.
+
+*** SFS configuration files:
+
+[ The following section is taken nearly verbatim from
+<URL:http://www.fs.net/sfs/new-york.lcs.mit.edu:85xq6pznt4mgfvj4mb23x6b8adak55ue/pub/sfswww/sfs.html#SFS%20configuration>. ]
+
+SFS comprises a number of programs, many of which have configuration
+files. All programs look for configuration files in two directories--first
+/usr/local/etc/sfs, then, if they don't find the file there, in
+/usr/local/share/sfs.
+
+This port installs reasonable defaults in /usr/local/share/sfs
+for all configuration files except sfsrwsd_config. On particular
+hosts where you wish to change the default behavior, you can override
+the default configuration file by creating a new file of the same
+name in /usr/local/etc/sfs.
+
+The sfs_config file contains system-wide configuration parameters
+for most of the programs comprising SFS. Note that
+/usr/local/share/sfs/sfs_config is always parsed, even if
+/usr/local/etc/sfs/sfs_config exists. Options in
+/usr/local/etc/sfs/sfs_config simply override the defaults in
+/usr/local/share/sfs/sfs_config. For the other configuration files,
+a file in /usr/local/etc/sfs/ entirely overrides the version in
+/usr/local/share/sfs/.
+
+If you are running a server, you will need to create an sfsrwsd_config
+file to tell SFS what directories to export, and possibly an
+sfsauthd_config if you wish to share the database of user public
+keys across several file servers.
+
+The sfssd_config file contains information about which protocols
+and services to route to which daemons on an SFS server, including
+support for backwards compatibility across several versions of SFS.
+You probably don't need to change this file.
+
+sfs_srp_params contains some cryptographic parameters for retrieving
+keys securely over the network with a passphrase (as with the sfskey
+add usr@server command).
+
+sfscd_config contains information about extensions to the SFS
+protocol and which kinds of file servers to route to which daemons.
+You almost certainly should not touch this file unless you are
+developing new versions of the SFS software.
+
+Note that configuration command names are case-insensitive in all
+configuration files (though the arguments are not).
diff --git a/security/sfs/files/share-doc-README.config b/security/sfs/files/share-doc-README.config
deleted file mode 100644
index 4114ccde6bb8..000000000000
--- a/security/sfs/files/share-doc-README.config
+++ /dev/null
@@ -1,64 +0,0 @@
-Notes on SFS configuration:
-
-SFS is a complex system to configure, and cannot be adequately
-described in these limited files. It is strongly suggested that you
-read the SFS documentation on <URL://www.fs.net/> before configuring
-any of the various programs. A limited roadmap is provided for
-reference here, but that is no substitute for a reading of the full
-documentation. Also see /usr/local/share/sfs/doc/README and the
-manual page for sfsrwsd_config(5).
-
-The various programs in the SFS package are configured via files
-in two directories: /usr/local/share/sfs/ (henceforth "share/sfs")
-and /usr/local/etc/sfs (henceforth "etc/sfs"). The port installs
-various configuration files into share/sfs directly from the
-compilation of the SFS package. These files should never be edited
-directly; they can be overridden by the creation of new files in
-etc/sfs, as detailed below.
-
-[ The following section is taken nearly verbatim from
-<URL:http://www.fs.net/sfs/new-york.lcs.mit.edu:85xq6pznt4mgfvj4mb23x6b8adak55ue/pub/sfswww/sfs.html#SFS%20configuration>. ]
-
-SFS configuration files:
-
-SFS comprises a number of programs, many of which have configuration
-files. All programs look for configuration files in two directories--first
-/usr/local/etc/sfs, then, if they don't find the file there, in
-/usr/local/share/sfs.
-
-This port installs reasonable defaults in /usr/local/share/sfs
-for all configuration files except sfsrwsd_config. On particular
-hosts where you wish to change the default behavior, you can override
-the default configuration file by creating a new file of the same
-name in /usr/local/etc/sfs.
-
-The sfs_config file contains system-wide configuration parameters
-for most of the programs comprising SFS. Note that
-/usr/local/share/sfs/sfs_config is always parsed, even if
-/usr/local/etc/sfs/sfs_config exists. Options in
-/usr/local/etc/sfs/sfs_config simply override the defaults in
-/usr/local/share/sfs/sfs_config. For the other configuration files,
-a file in /usr/local/etc/sfs/ entirely overrides the version in
-/usr/local/share/sfs/.
-
-If you are running a server, you will need to create an sfsrwsd_config
-file to tell SFS what directories to export, and possibly an
-sfsauthd_config if you wish to share the database of user public
-keys across several file servers.
-
-The sfssd_config file contains information about which protocols
-and services to route to which daemons on an SFS server, including
-support for backwards compatibility across several versions of SFS.
-You probably don't need to change this file.
-
-sfs_srp_params contains some cryptographic parameters for retrieving
-keys securely over the network with a passphrase (as with the sfskey
-add usr@server command).
-
-sfscd_config contains information about extensions to the SFS
-protocol and which kinds of file servers to route to which daemons.
-You almost certainly should not touch this file unless you are
-developing new versions of the SFS software.
-
-Note that configuration command names are case-insensitive in all
-configuration files (though the arguments are not).
diff --git a/security/sfs/files/share-doc-WELCOME b/security/sfs/files/share-doc-WELCOME
new file mode 100644
index 000000000000..dda96686d6bb
--- /dev/null
+++ b/security/sfs/files/share-doc-WELCOME
@@ -0,0 +1,23 @@
+SFS is now installed. To test your installation, try this (as root):
+
+# /usr/local/sbin/sfscd
+# cat /sfs/sfs.fs.net:eu4cvv6wcnzscer98yn4qjpjnn9iv6pi/CONGRATULATIONS
+
+If it worked, you will see:
+
+You have set up a working SFS client.
+
+Afterwards, kill sfscd:
+
+# kill -TERM `cat /var/run/sfscd.pid`
+
+SFS is a complex and potentially security-affecting set of programs,
+and if you wish to do more with it, e.g. setting up an SFS server
+of your own, it is strongly recommended that you read the documentation
+fully before proceeding. Start with the documentation link on
+<URL:http://www.fs.net>, and see any supplemental documentation in
+/usr/local/share/doc/sfs/.
+
+There are sample startup files for sfscd and sfssd in /usr/local/etc/rc.d,
+under the name sfscd.sh.sample and sfssd.sh.sample respectively.
+These startup files are not enabled by default.
diff --git a/security/sfs/pkg-comment b/security/sfs/pkg-comment
index 2c8b2b9c5f06..4215eff0beef 100644
--- a/security/sfs/pkg-comment
+++ b/security/sfs/pkg-comment
@@ -1 +1 @@
-A secure global network file system. (Self-certifying File System)
+Self-Certifying File System: A secure global network file system.
diff --git a/security/sfs/pkg-deinstall b/security/sfs/pkg-deinstall
index cf61b7097f18..0f4324c2ca45 100644
--- a/security/sfs/pkg-deinstall
+++ b/security/sfs/pkg-deinstall
@@ -1,19 +1,24 @@
 #!/bin/sh
 
+if [ -n "${PACKAGE_BUILDING}" ]; then
+	exit 0
+fi
+
 if [ "$2" != "POST-DEINSTALL" ]; then
 	exit 0
 fi
 
 USER=sfs
 GROUP=sfs
+PW=/usr/sbin/pw
 
 SFSDIR=/var/spool/sfs
 
-if pw groupshow "${GROUP}" >/dev/null 2>&1; then
+if ${PW} groupshow "${GROUP}" >/dev/null 2>&1; then
 	echo "If you're done with SFS permanently, delete the sfs group manually: pw groupdel ${GROUP}" | fmt
 fi
 
-if pw usershow "${USER}" >/dev/null 2>&1; then
+if ${PW} usershow "${USER}" >/dev/null 2>&1; then
 	echo
 	echo "If you're done with SFS permanently, delete the sfs user manually: pw userdel ${USER}" | fmt
 fi
diff --git a/security/sfs/pkg-descr b/security/sfs/pkg-descr
index 90f77a967a0d..931d73043207 100644
--- a/security/sfs/pkg-descr
+++ b/security/sfs/pkg-descr
@@ -1,12 +1,18 @@
 WWW: http://www.fs.net/
 
-SFS (Self-certifying File System) is a secure, global network file
-system. SFS names file systems by public keys. Every remote file
-server is mounted on a self-certifying pathname--a directory of the
-form /sfs/LOCATION:HOSTID, where LOCATION is a DNS hostname and
-HOSTID is a cryptographic hash of a public key. This naming scheme
-allows for completely decentralized control--anyone can create a
-file server, and any user can access any file server from any client.
+SFS (Self-Certifying File System) is a secure, global file system
+with completely decentralized control. SFS lets you access your
+files from anywhere and share them with anyone, anywhere. Anyone
+can set up an SFS server, and any user can access any server from
+any client. SFS lets you share files across administrative realms
+without involving administrators or certification authorities.
+
+SFS names file systems by public keys. Every remote file server is
+mounted on a self-certifying pathname -- a directory of the form
+/sfs/LOCATION:HOSTID, where LOCATION is a DNS hostname and HOSTID
+is a cryptographic hash of a public key. This naming scheme allows
+for completely decentralized control -- anyone can create a file
+server, and any user can access any file server from any client.
 Various key management schemes can be built on top of SFS using
 symbolic links to map human-readable names to self-certifying
 pathnames.
diff --git a/security/sfs/pkg-install b/security/sfs/pkg-install
index 468cdef3e4cc..631e08839f20 100644
--- a/security/sfs/pkg-install
+++ b/security/sfs/pkg-install
@@ -1,5 +1,9 @@
 #!/bin/sh
 
+if [ -n "${PACKAGE_BUILDING}" ]; then
+	exit 0
+fi
+
 if [ "$2" != "POST-INSTALL" ]; then
 	exit 0
 fi
@@ -8,23 +12,36 @@ KEYFILE="$PKG_PREFIX/etc/sfs/sfs_host_key"
 
 USER=sfs
 GROUP=sfs
+UID=71
+GID=71
+PW=/usr/sbin/pw
 
 SFSDIR=/var/spool/sfs
 
 echo -n "Checking for group '$GROUP'... "
 
-if ! pw groupshow $GROUP >/dev/null 2>&1; then
-	echo "doesn't exist, adding."
-	pw groupadd $GROUP -g 71
+if ! ${PW} groupshow $GROUP >/dev/null 2>&1; then
+	echo -n "doesn't exist, adding... "
+	if ${PW} groupadd $GROUP -g ${GID}; then
+		echo "success."
+	else
+		echo "FAILED!"
+		exit 1
+	fi
 else
 	echo "exists."
 fi
 
 echo -n "Checking for user '$USER'... "
 
-if ! pw usershow $USER >/dev/null 2>&1; then
-	echo "doesn't exist, adding."
-	pw useradd $USER -u 71 -c 'Self-Certifying File System' -d /nonexistent -g $GROUP -s /sbin/nologin -h -
+if ! ${PW} usershow $USER >/dev/null 2>&1; then
+	echo -n "doesn't exist, adding... "
+	if ${PW} useradd $USER -u ${UID} -c 'Self-Certifying File System' -d /nonexistent -g $GROUP -s /sbin/nologin -h -; then
+		echo "success."
+	else
+		echo "FAILED!"
+		exit 1
+	fi
 else
 	echo "exists."
 fi
@@ -34,12 +51,24 @@ echo -n "Checking for SFS directory ($SFSDIR)... "
 if [ -d "$SFSDIR" ]; then
 	echo "already exists."
 else
-	echo "creating."
-	mkdir $SFSDIR
+	echo -n "creating... "
+	if mkdir $SFSDIR; then
+		echo "success."
+	else
+		echo "FAILED!"
+		exit 1
+	fi
+fi
+
+if ! chmod 750 $SFSDIR; then
+	echo "chmod 750 $SFSDIR FAILED!"
+	exit 1
 fi
 
-chmod 750 $SFSDIR
-chown $USER:$GROUP $SFSDIR
+if ! chown $USER:$GROUP $SFSDIR; then
+	echo "chown $USER:$GROUP $SFSDIR FAILED!"
+	exit 1
+fi
 
 echo -n "Checking for SFS host key ($KEYFILE)... "
 
@@ -57,3 +86,7 @@ else
 	kill -TERM `cat /var/run/sfscd.pid`
 	echo "done."
 fi
+
+cat $PKG_PREFIX/share/doc/sfs/WELCOME
+
+exit 0
diff --git a/security/sfs/pkg-plist b/security/sfs/pkg-plist
index 7ef59ff7a53e..e054bbaf0a7f 100644
--- a/security/sfs/pkg-plist
+++ b/security/sfs/pkg-plist
@@ -162,8 +162,9 @@ lib/sfs-0.6/xfer
 sbin/funmount
 sbin/sfscd
 sbin/sfssd
+share/doc/sfs/WELCOME
 share/doc/sfs/README
-share/doc/sfs/README.config
+share/doc/sfs/README.packageblurb
 @dirrm share/doc/sfs
 share/sfs/sfs_config
 share/sfs/sfs_srp_parms