Diffstat (limited to 'shells')
-rw-r--r--shells/scponly/Makefile92
-rw-r--r--shells/scponly/files/patch-SECURITY32
-rw-r--r--shells/scponly/pkg-plist13
3 files changed, 56 insertions, 81 deletions
diff --git a/shells/scponly/Makefile b/shells/scponly/Makefile
index 953a4b190f5e..4b9a8a647ff4 100644
--- a/shells/scponly/Makefile
+++ b/shells/scponly/Makefile
@@ -5,76 +5,11 @@
# $FreeBSD$
#
-# There are many knobs to tune scponly towards your specific wishes
-# and preferences.
-# You can activate a knob by typing something like
-# "make -DKNOB" or "make KNOB=yes" instead of just "make"
-#
-# A description of the several possibilities is available here:
-#
-#
-# Core funcionality:
-#
-# SCPONLY_DEFAULT_CHDIR=DIR
-# default: undefined
-# example: public_html
-# define if you want to make users `cd' to this directory after authentication
-#
-# WITHOUT_SCPONLY_WILDCARDS
-# default: undefined
-# define if you want to disable wildcard processing.
-#
-# WITHOUT_SCPONLY_GFTP
-# default: undefined
-# define if you want to disable gftp compatibility.
-#
-# WITH_SCPONLY_CHROOT
-# default: undefined
-# define if you want to use chroot functionality (set UID to root).
-#
-# WITH_SCPONLY_RSYNC
-# default: undefined
-# define if you want to enable rsync compatibility.
-#
-# WITH_SCPONLY_SCP
-# default: undefined
-# define if you want to enable vanilla scp compatibility.
-#
-# WITH_SCPONLY_SFTP_LOGGING
-# default: undefined
-# define if you want to enable sftp logging compatibility.
-#
-# WITH_SCPONLY_SVN
-# default: undefined
-# define if you want to enable subversion compatibility.
-#
-# WITH_SCPONLY_SVNSERVE
-# default: undefined
-# define if you want to enable subversion compatibility with svn+ssh://
-#
-# WITH_SCPONLY_UNISON
-# default: undefined
-# define if you want to enable unison compatibility.
-#
-# WITH_SCPONLY_WINSCP
-# default: undefined
-# define if you want to enable WinSCP compatibility.
-#
-#
-# Additional knobs:
-#
-# NOPORTDOCS
-# default: undefined
-# This knob prevents the ports system from installing additional
-# documentation. If you define this, only the manpage is going
-# to be installed.
-
PORTNAME= scponly
PORTVERSION= 4.8
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= shells security
-MASTER_SITES= http://www.sublimation.org/scponly/ \
- SF/${PORTNAME}/${PORTNAME}/${PORTNAME}-${PORTVERSION}
+MASTER_SITES= SF/${PORTNAME}/${PORTNAME}/${PORTNAME}-${PORTVERSION}
EXTRACT_SUFX= .tgz
MAINTAINER= rfarmer@predatorlabs.net
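Review bot: The removed knob documentation carried the one security-relevant caveat, that the chroot knob installs a helper running as root (`# define if you want to use chroot functionality (set UID to root).`), and nothing in the new text restores it. The OPTIONS descriptions are outside this hunk, but the post-patch message added in the third hunk would be a natural place for it, e.g. `@${ECHO_MSG} "Note: the SCPONLY_CHROOT option installs scponlyc set-UID root; see SECURITY."`. SCPONLY_DEFAULT_CHDIR is the only knob the new message keeps, so the other names are presumably covered by the OPTIONS dialog defined further down. The dropped sublimation.org MASTER_SITE and the PORTREVISION bump need no action.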
@@ -82,6 +17,8 @@ COMMENT= A tiny shell that only permits scp and sftp
MAN8= scponly.8
+PORTDOCS= BUILDING-JAILS.TXT INSTALL README SECURITY
+
GNU_CONFIGURE= yes
OPTIONS= SCPONLY_WILDCARDS "wildcards processing" on \
@@ -153,14 +90,10 @@ CONFIGURE_ARGS+=--enable-unison-compat
CONFIGURE_ARGS+=--enable-winscp-compat
.endif
-pre-everything::
- @${ECHO_MSG} "From scponly 4.2, scp & WinSCP compatibilities are not"
- @${ECHO_MSG} "enabled by default. To enable those compatibilities,"
- @${ECHO_MSG} "define WITH_SCPONLY_SCP and/or WITH_SCPONLY_WINSCP,"
- @${ECHO_MSG} "respectively."
- @${ECHO_MSG} ""
- @${ECHO_MSG} "You can enable chroot functionality by defining WITH_SCPONLY_CHROOT."
- @${ECHO_MSG} ""
+post-patch:
+ @${ECHO_MSG} "In addition to knobs available from the OPTIONS dialog,"
+ @${ECHO_MSG} "you may set SCPONLY_DEFAULT_CHDIR to make users 'cd' to"
+ @${ECHO_MSG} "this directory after authentication."
post-install:
@${ECHO_MSG} "Updating /etc/shells"
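Review bot: Printing the SCPONLY_DEFAULT_CHDIR hint from `post-patch:` means the user sees it only once fetch, extract and patch have already run, so acting on it requires interrupting and restarting the build, whereas the replaced `pre-everything::` hook fired before any work. If the intent is to keep the hint out of the OPTIONS flow, `pre-configure:` would at least place it next to the step the knob presumably influences (CONFIGURE_ARGS is set outside this hunk). Also note the old hook was double-colon and the new one is single-colon, so a later genuine post-patch step in this file has to be merged into this target rather than added as a second rule.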
@@ -180,14 +113,19 @@ post-install:
@${ECHO_MSG} "To setup chroot cage, run the following commands:"
@${ECHO_MSG} " 1) cd ${EXAMPLESDIR}/ && ${SH} setup_chroot.sh"
@${ECHO_MSG} " 2) Set scponlyc_enable=\"YES\" in /etc/rc.conf"
- @${ECHO_MSG} " 3) Run ${LOCALBASE}/etc/rc.d/scponly start"
+ @${ECHO_MSG} " 3) Run ${PREFIX}/etc/rc.d/scponly start"
@${ECHO_MSG} ""
.endif
.if !defined(NOPORTDOCS)
@${MKDIR} ${DOCSDIR}
-.for i in README INSTALL TODO
+.for i in ${PORTDOCS}
@${INSTALL_DATA} ${WRKSRC}/$i ${DOCSDIR}
.endfor
+ @${ECHO_MSG} ""
+ @${ECHO_MSG} "For information on several potential security concerns,"
+ @${ECHO_MSG} "please read:"
+ @${ECHO_MSG} "${DOCSDIR}/SECURITY"
+ @${ECHO_MSG} ""
.endif
.include <bsd.port.post.mk>
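Review bot: The pointer to SECURITY added at the end of post-install is printed only inside `.if !defined(NOPORTDOCS)`, so a user building with NOPORTDOCS gets no hint that the rsync/svn/chroot setups carry the concerns that file describes, although those concerns apply whether or not the docs are installed. Consider printing the note unconditionally and naming the upstream file, e.g. `@${ECHO_MSG} "Please read the SECURITY file shipped with scponly (installed as ${DOCSDIR}/SECURITY unless NOPORTDOCS is set)."`, placed after the `.endif`. The `%%PORTDOCS%%@exec echo` lines in pkg-plist have the same gap. The `${LOCALBASE}` to `${PREFIX}` change in the rc.d path is correct for a script the port itself installs.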
diff --git a/shells/scponly/files/patch-SECURITY b/shells/scponly/files/patch-SECURITY
new file mode 100644
index 000000000000..89da8df8e0ce
--- /dev/null
+++ b/shells/scponly/files/patch-SECURITY
@@ -0,0 +1,32 @@
+--- SECURITY.orig 2010-12-10 15:03:24.950162769 -0800
++++ SECURITY 2010-12-10 15:03:31.669374009 -0800
+@@ -28,6 +28,10 @@
+
+ svn, svnserve, rsync, and unison
+
++ Note specifically that rsync uses popt for parsing command line arguments
++ and popt explicitly checks /etc/popt and $HOME/.popt for aliases. Thus,
++ users can likely bypass argument checking for rsync.
++
+ 4) Make sure that all files required for the chroot have the IMMUTABLE and
+ UNDELETABLE bits set. Other bits might also be prudent. See: man 1 chattr.
+
+@@ -39,13 +43,16 @@
+ ~/.ssh, ~/.unison, ~/.subversion
+
+ NOTE: depending on file permissions in the above, ssh, unison, and
+- subversion may not work correctly.
++ subversion may not work correctly. Also note that the location of the
++ above directories is sometimes system dependent, so please check the
++ documentation specific to your system.
+
+ 7) Make sure that every directory the users have write permissions to are
+ on a filesystem that is mounted NODEV, NOEXEC. Eg. Make sure that they
+ cannot execute files that they have permissions to upload. They should
+ also not need permissions to create any devices. If the user can't execute
+- any files that he has access to upload, then you need not worry about the
++ any files that he has access to upload and the executable files on the
++ system are not considered harmful, then you need not worry about the
+ security problems referencing svn/svnserve above!
+
+ 8) Monitor your logs! If you start to see something funny, odd, or strange in
diff --git a/shells/scponly/pkg-plist b/shells/scponly/pkg-plist
index 8a95a3ae36c5..cc6d791f6921 100644
--- a/shells/scponly/pkg-plist
+++ b/shells/scponly/pkg-plist
@@ -1,15 +1,20 @@
bin/scponly
@exec echo "Updating /etc/shells"; cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak; echo %D/%F) >/etc/shells; rm -f /etc/shells.bak
@unexec echo "Updating /etc/shells"; cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak) >/etc/shells; rm -f /etc/shells.bak
+%%SCPONLY_CHROOT%%@exec echo ""
+%%SCPONLY_CHROOT%%@exec echo "To setup chroot cage, run the following commands:"
+%%SCPONLY_CHROOT%%@exec echo " 1) cd %%PREFIX%%/%%EXAMPLESDIR%%/ && /bin/sh setup_chroot.sh"
+%%SCPONLY_CHROOT%%@exec echo " 2) Set scponlyc_enable=\"YES\" in /etc/rc.conf"
+%%SCPONLY_CHROOT%%@exec echo " 3) Run %%PREFIX%%/etc/rc.d/scponly start"
+%%PORTDOCS%%@exec echo ""
+%%PORTDOCS%%@exec echo "For information on several potential security concerns,"
+%%PORTDOCS%%@exec echo "please read:"
+%%PORTDOCS%%@exec echo "%%PREFIX%%/%%DOCSDIR%%/SECURITY"
%%SCPONLY_CHROOT%%sbin/scponlyc
%%SCPONLY_CHROOT%%@exec cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak; echo %D/%F) >/etc/shells; rm -f /etc/shells.bak
%%SCPONLY_CHROOT%%@unexec cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak) >/etc/shells; rm -f /etc/shells.bak
%%SCPONLY_CHROOT%%%%EXAMPLESDIR%%/setup_chroot.sh
%%SCPONLY_CHROOT%%%%EXAMPLESDIR%%/config.h
etc/scponly/debuglevel
-%%PORTDOCS%%%%DOCSDIR%%/README
-%%PORTDOCS%%%%DOCSDIR%%/INSTALL
-%%PORTDOCS%%%%DOCSDIR%%/TODO
@dirrm etc/scponly
-%%PORTDOCS%%@dirrm %%DOCSDIR%%
%%SCPONLY_CHROOT%%@dirrm %%EXAMPLESDIR%%
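Review bot: The nine new `@exec echo` lines duplicate the post-install messages in the Makefile, and the two copies have already drifted (`${SH}` there versus `/bin/sh` here), so future edits to the chroot or SECURITY instructions must be made in two places. The ports framework's `pkg-message` file is shown both when the port is installed and when the package is added, and with `SUB_FILES` it can carry the same `%%PREFIX%%`/`%%DOCSDIR%%` substitutions, which would let both the `@${ECHO_MSG}` block and these `@exec echo` lines collapse into one text. The removal of the three `%%DOCSDIR%%` entries and of `@dirrm %%DOCSDIR%%` looks consistent with the new PORTDOCS assignment, which presumably lets the framework generate those plist entries itself.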