diff options
Diffstat (limited to 'shells')
-rw-r--r-- | shells/scponly/Makefile | 92 | ||||
-rw-r--r-- | shells/scponly/files/patch-SECURITY | 32 | ||||
-rw-r--r-- | shells/scponly/pkg-plist | 13 |
3 files changed, 56 insertions, 81 deletions
diff --git a/shells/scponly/Makefile b/shells/scponly/Makefile index 953a4b190f5e..4b9a8a647ff4 100644 --- a/shells/scponly/Makefile +++ b/shells/scponly/Makefile @@ -5,76 +5,11 @@ # $FreeBSD$ # -# There are many knobs to tune scponly towards your specific wishes -# and preferences. -# You can activate a knob by typing something like -# "make -DKNOB" or "make KNOB=yes" instead of just "make" -# -# A description of the several possibilities is available here: -# -# -# Core funcionality: -# -# SCPONLY_DEFAULT_CHDIR=DIR -# default: undefined -# example: public_html -# define if you want to make users `cd' to this directory after authentication -# -# WITHOUT_SCPONLY_WILDCARDS -# default: undefined -# define if you want to disable wildcard processing. -# -# WITHOUT_SCPONLY_GFTP -# default: undefined -# define if you want to disable gftp compatibility. -# -# WITH_SCPONLY_CHROOT -# default: undefined -# define if you want to use chroot functionality (set UID to root). -# -# WITH_SCPONLY_RSYNC -# default: undefined -# define if you want to enable rsync compatibility. -# -# WITH_SCPONLY_SCP -# default: undefined -# define if you want to enable vanilla scp compatibility. -# -# WITH_SCPONLY_SFTP_LOGGING -# default: undefined -# define if you want to enable sftp logging compatibility. -# -# WITH_SCPONLY_SVN -# default: undefined -# define if you want to enable subversion compatibility. -# -# WITH_SCPONLY_SVNSERVE -# default: undefined -# define if you want to enable subversion compatibility with svn+ssh:// -# -# WITH_SCPONLY_UNISON -# default: undefined -# define if you want to enable unison compatibility. -# -# WITH_SCPONLY_WINSCP -# default: undefined -# define if you want to enable WinSCP compatibility. -# -# -# Additional knobs: -# -# NOPORTDOCS -# default: undefined -# This knob prevents the ports system from installing additional -# documentation. If you define this, only the manpage is going -# to be installed. - PORTNAME= scponly PORTVERSION= 4.8 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= shells security -MASTER_SITES= http://www.sublimation.org/scponly/ \ - SF/${PORTNAME}/${PORTNAME}/${PORTNAME}-${PORTVERSION} +MASTER_SITES= SF/${PORTNAME}/${PORTNAME}/${PORTNAME}-${PORTVERSION} EXTRACT_SUFX= .tgz MAINTAINER= rfarmer@predatorlabs.net @@ -82,6 +17,8 @@ COMMENT= A tiny shell that only permits scp and sftp MAN8= scponly.8 +PORTDOCS= BUILDING-JAILS.TXT INSTALL README SECURITY + GNU_CONFIGURE= yes OPTIONS= SCPONLY_WILDCARDS "wildcards processing" on \ @@ -153,14 +90,10 @@ CONFIGURE_ARGS+=--enable-unison-compat CONFIGURE_ARGS+=--enable-winscp-compat .endif -pre-everything:: - @${ECHO_MSG} "From scponly 4.2, scp & WinSCP compatibilities are not" - @${ECHO_MSG} "enabled by default. To enable those compatibilities," - @${ECHO_MSG} "define WITH_SCPONLY_SCP and/or WITH_SCPONLY_WINSCP," - @${ECHO_MSG} "respectively." - @${ECHO_MSG} "" - @${ECHO_MSG} "You can enable chroot functionality by defining WITH_SCPONLY_CHROOT." - @${ECHO_MSG} "" +post-patch: + @${ECHO_MSG} "In addition to knobs available from the OPTIONS dialog," + @${ECHO_MSG} "you may set SCPONLY_DEFAULT_CHDIR to make users 'cd' to" + @${ECHO_MSG} "this directory after authentication." post-install: @${ECHO_MSG} "Updating /etc/shells" @@ -180,14 +113,19 @@ post-install: @${ECHO_MSG} "To setup chroot cage, run the following commands:" @${ECHO_MSG} " 1) cd ${EXAMPLESDIR}/ && ${SH} setup_chroot.sh" @${ECHO_MSG} " 2) Set scponlyc_enable=\"YES\" in /etc/rc.conf" - @${ECHO_MSG} " 3) Run ${LOCALBASE}/etc/rc.d/scponly start" + @${ECHO_MSG} " 3) Run ${PREFIX}/etc/rc.d/scponly start" @${ECHO_MSG} "" .endif .if !defined(NOPORTDOCS) @${MKDIR} ${DOCSDIR} -.for i in README INSTALL TODO +.for i in ${PORTDOCS} @${INSTALL_DATA} ${WRKSRC}/$i ${DOCSDIR} .endfor + @${ECHO_MSG} "" + @${ECHO_MSG} "For information on several potential security concerns," + @${ECHO_MSG} "please read:" + @${ECHO_MSG} "${DOCSDIR}/SECURITY" + @${ECHO_MSG} "" .endif .include <bsd.port.post.mk> diff --git a/shells/scponly/files/patch-SECURITY b/shells/scponly/files/patch-SECURITY new file mode 100644 index 000000000000..89da8df8e0ce --- /dev/null +++ b/shells/scponly/files/patch-SECURITY @@ -0,0 +1,32 @@ +--- SECURITY.orig 2010-12-10 15:03:24.950162769 -0800 ++++ SECURITY 2010-12-10 15:03:31.669374009 -0800 +@@ -28,6 +28,10 @@ + + svn, svnserve, rsync, and unison + ++ Note specifically that rsync uses popt for parsing command line arguments ++ and popt explicitly checks /etc/popt and $HOME/.popt for aliases. Thus, ++ users can likely bypass argument checking for rsync. ++ + 4) Make sure that all files required for the chroot have the IMMUTABLE and + UNDELETABLE bits set. Other bits might also be prudent. See: man 1 chattr. + +@@ -39,13 +43,16 @@ + ~/.ssh, ~/.unison, ~/.subversion + + NOTE: depending on file permissions in the above, ssh, unison, and +- subversion may not work correctly. ++ subversion may not work correctly. Also note that the location of the ++ above directories is sometimes system dependent, so please check the ++ documentation specific to your system. + + 7) Make sure that every directory the users have write permissions to are + on a filesystem that is mounted NODEV, NOEXEC. Eg. Make sure that they + cannot execute files that they have permissions to upload. They should + also not need permissions to create any devices. If the user can't execute +- any files that he has access to upload, then you need not worry about the ++ any files that he has access to upload and the executable files on the ++ system are not considered harmful, then you need not worry about the + security problems referencing svn/svnserve above! + + 8) Monitor your logs! If you start to see something funny, odd, or strange in diff --git a/shells/scponly/pkg-plist b/shells/scponly/pkg-plist index 8a95a3ae36c5..cc6d791f6921 100644 --- a/shells/scponly/pkg-plist +++ b/shells/scponly/pkg-plist @@ -1,15 +1,20 @@ bin/scponly @exec echo "Updating /etc/shells"; cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak; echo %D/%F) >/etc/shells; rm -f /etc/shells.bak @unexec echo "Updating /etc/shells"; cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak) >/etc/shells; rm -f /etc/shells.bak +%%SCPONLY_CHROOT%%@exec echo "" +%%SCPONLY_CHROOT%%@exec echo "To setup chroot cage, run the following commands:" +%%SCPONLY_CHROOT%%@exec echo " 1) cd %%PREFIX%%/%%EXAMPLESDIR%%/ && /bin/sh setup_chroot.sh" +%%SCPONLY_CHROOT%%@exec echo " 2) Set scponlyc_enable=\"YES\" in /etc/rc.conf" +%%SCPONLY_CHROOT%%@exec echo " 3) Run %%PREFIX%%/etc/rc.d/scponly start" +%%PORTDOCS%%@exec echo "" +%%PORTDOCS%%@exec echo "For information on several potential security concerns," +%%PORTDOCS%%@exec echo "please read:" +%%PORTDOCS%%@exec echo "%%PREFIX%%/%%DOCSDIR%%/SECURITY" %%SCPONLY_CHROOT%%sbin/scponlyc %%SCPONLY_CHROOT%%@exec cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak; echo %D/%F) >/etc/shells; rm -f /etc/shells.bak %%SCPONLY_CHROOT%%@unexec cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak) >/etc/shells; rm -f /etc/shells.bak %%SCPONLY_CHROOT%%%%EXAMPLESDIR%%/setup_chroot.sh %%SCPONLY_CHROOT%%%%EXAMPLESDIR%%/config.h etc/scponly/debuglevel -%%PORTDOCS%%%%DOCSDIR%%/README -%%PORTDOCS%%%%DOCSDIR%%/INSTALL -%%PORTDOCS%%%%DOCSDIR%%/TODO @dirrm etc/scponly -%%PORTDOCS%%@dirrm %%DOCSDIR%% %%SCPONLY_CHROOT%%@dirrm %%EXAMPLESDIR%% |