diff --git a/squid-rpmlintrc b/squid-rpmlintrc index 3e9ebd3..30ffcdb 100644 --- a/squid-rpmlintrc +++ b/squid-rpmlintrc @@ -1,3 +1,5 @@ addFilter("macro-in-comment") addFilter("no-manual-page-for-binary") addFilter("zero-length") +# Temporary solution untill it is moved into factory +setBadness('permissions-unauthorized-file', 333) diff --git a/squid.changes b/squid.changes index da55d18..58853bf 100644 --- a/squid.changes +++ b/squid.changes @@ -4,6 +4,29 @@ Thu Jul 31 14:01:54 UTC 2014 - dimstar@opensuse.org - Rename rpmlintrc to %{name}-rpmlintrc. Follow the packaging guidelines. +------------------------------------------------------------------- +Thu Apr 24 20:47:05 UTC 2014 - boris@steki.net + +- fix rhel/centos usermod parameter invocation order + +------------------------------------------------------------------- +Wed Apr 9 15:42:06 UTC 2014 - boris@steki.net + +- setuid handling for opensuse using permissions updated + +------------------------------------------------------------------- +Mon Apr 7 12:06:41 UTC 2014 - boris@steki.net + +- enable build for centos/rhel + - add centos/rhel init script + +------------------------------------------------------------------- +Sat Mar 29 16:47:44 UTC 2014 - chris@computersalat.de + +- add 'squid' as default group and added suid bit for /usr/sbin/pinger + # pinger needs 'root' privileges to be able to ping (cache peer) + * attr(4750,root,squid) /usr/sbin/pinger + ------------------------------------------------------------------- Fri Mar 28 18:46:44 UTC 2014 - chris@computersalat.de diff --git a/squid.init.rh b/squid.init.rh new file mode 100644 index 0000000..15cb5b9 --- /dev/null +++ b/squid.init.rh 
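Review bot: `setBadness('permissions-unauthorized-file', 333)` lowers the score of the rpmlint check that (on openSUSE) flags setuid/setgid entries not yet whitelisted in the distribution permissions package, which here means the pinger 4750 and basic_pam_auth 2750 entries this commit introduces, and the comment above it gives no reference that would prompt removing the exemption once the whitelist lands. A comment naming the affected files and the tracking item, e.g. `# TODO: drop once pinger/basic_pam_auth are whitelisted in the permissions package (see <tracking-id placeholder>)`, keeps the muted check visible; `untill` should read `until`.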
@@ -0,0 +1,187 @@
+#!/bin/bash
+# chkconfig: - 90 25
+# pidfile: /var/run/squid.pid
+# config: /etc/squid/squid.conf
+#
+### BEGIN INIT INFO
+# Provides: squid
+# Short-Description: starting and stopping Squid Internet Object Cache
+# Description: Squid - Internet Object Cache. Internet object caching is \
+# a way to store requested Internet objects (i.e., data available \
+# via the HTTP, FTP, and gopher protocols) on a system closer to the \
+# requesting site than to the source. Web browsers can then use the \
+# local Squid cache as a proxy HTTP server, reducing access time as \
+# well as bandwidth consumption.
+### END INIT INFO
+
+
+PATH=/usr/bin:/sbin:/bin:/usr/sbin
+export PATH
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Source networking configuration.
+. /etc/sysconfig/network
+
+if [ -f /etc/sysconfig/squid ]; then
+ . /etc/sysconfig/squid
+fi
+
+# don't raise an error if the config file is incomplete
+# set defaults instead:
+SQUID_OPTS=${SQUID_OPTS:-""}
+SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
+SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}
+SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}
+SQUID_PIDFILE_DIR="/var/run/squid"
+SQUID_USER="squid"
+SQUID_DIR="squid"
+
+# determine the name of the squid binary
+[ -f /usr/sbin/squid ] && SQUID=squid
+
+prog="$SQUID"
+
+# determine which one is the cache_swap directory
+CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \
+ grep cache_dir | awk '{ print $3 }'`
+
+RETVAL=0
+
+probe() {
+ # Check that networking is up.
+ [ ${NETWORKING} = "no" ] && exit 1
+
+ [ `id -u` -ne 0 ] && exit 4
+
+ # check if the squid conf file is present
+ [ -f $SQUID_CONF ] || exit 6
+}
+
+start() {
+ # Check if $SQUID_PIDFILE_DIR exists and if not, lets create it and give squid permissions.
+ if [ ! -d $SQUID_PIDFILE_DIR ] ; then mkdir $SQUID_PIDFILE_DIR ; chown -R $SQUID_USER.$SQUID_DIR $SQUID_PIDFILE_DIR; fi
+ probe
+
+ parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
+ RETVAL=$?
+ if [ $RETVAL -ne 0 ]; then
+ echo -n $"Starting $prog: "
+ echo_failure
+ echo
+ echo "$parse"
+ return 1
+ fi
+ for adir in $CACHE_SWAP; do
+ if [ ! -d $adir/00 ]; then
+ echo -n "init_cache_dir $adir... "
+ $SQUID -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+ fi
+ done
+ echo -n $"Starting $prog: "
+ $SQUID $SQUID_OPTS -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+ RETVAL=$?
+ if [ $RETVAL -eq 0 ]; then
+ timeout=0;
+ while : ; do
+ [ ! -f /var/run/squid.pid ] || break
+ if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
+ RETVAL=1
+ break
+ fi
+ sleep 1 && echo -n "."
+ timeout=$((timeout+1))
+ done
+ fi
+ [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID
+ [ $RETVAL -eq 0 ] && echo_success
+ [ $RETVAL -ne 0 ] && echo_failure
+ echo
+ return $RETVAL
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ $SQUID -k check -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+ RETVAL=$?
+ if [ $RETVAL -eq 0 ] ; then
+ $SQUID -k shutdown -f $SQUID_CONF &
+ rm -f /var/lock/subsys/$SQUID
+ timeout=0
+ while : ; do
+ [ -f /var/run/squid.pid ] || break
+ if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then
+ echo
+ return 1
+ fi
+ sleep 2 && echo -n "."
+ timeout=$((timeout+2))
+ done
+ echo_success
+ echo
+ else
+ echo_failure
+ if [ ! -e /var/lock/subsys/$SQUID ]; then
+ RETVAL=0
+ fi
+ echo
+ fi
+ rm -rf $SQUID_PIDFILE_DIR/*
+ return $RETVAL
+}
+
+reload() {
+ $SQUID $SQUID_OPTS -k reconfigure -f $SQUID_CONF
+}
+
+restart() {
+ stop
+ rm -rf $SQUID_PIDFILE_DIR/*
+ start
+}
+
+condrestart() {
+ [ -e /var/lock/subsys/squid ] && restart || :
+}
+
+rhstatus() {
+ status $SQUID && $SQUID -k check -f $SQUID_CONF
+}
+
+
+case "$1" in
+start)
+ start
+ ;;
+
+stop)
+ stop
+ ;;
+
+reload|force-reload)
+ reload
+ ;;
+
+restart)
+ restart
+ ;;
+
+condrestart|try-restart)
+ condrestart
+ ;;
+
+status)
+ rhstatus
+ ;;
+
+probe)
+ probe
+ ;;
+
+*)
+ echo $"Usage: $0 {start|stop|status|reload|force-reload|restart|try-restart|probe}"
+ exit 2
+esac
+
+exit $?
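Review bot: In start(), the pidfile directory is created with a bare `mkdir` (no mode, so it inherits the caller's umask) and then handed to the service user with a recursive `chown -R`, while stop() and restart() later run `rm -rf $SQUID_PIDFILE_DIR/*` as root over that now user-owned directory; a non-recursive creation with an explicit owner is the narrower form, `install -d -o "$SQUID_USER" -g "$SQUID_DIR" -- "$SQUID_PIDFILE_DIR"`. The variable named SQUID_DIR actually holds the group name used by chown, which deserves either a comment or a rename such as SQUID_GROUP. probe() also compares `[ ${NETWORKING} = "no" ]` unquoted, which becomes a test syntax error rather than a clean exit when /etc/sysconfig/network does not set NETWORKING; `[ "${NETWORKING}" = "no" ] && exit 1` fixes that. Likewise `[ -f /usr/sbin/squid ] && SQUID=squid` leaves SQUID empty when the binary is absent, so every later `$SQUID -k ...` runs a garbage command instead of failing with a clear message.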
diff --git a/squid.permissions b/squid.permissions
deleted file mode 100644
index 46b9acf..0000000
--- a/squid.permissions
+++ /dev/null
@@ -1,2 +0,0 @@
-/var/cache/squid/ squid:root 750
-/var/log/squid/ squid:root 750
diff --git a/squid.permissions.easy b/squid.permissions.easy
new file mode 100644
index 0000000..c059e6c
--- /dev/null
+++ b/squid.permissions.easy
@@ -0,0 +1,4 @@
+/var/cache/squid/ squid:root 750
+/var/log/squid/ squid:root 750
+/usr/sbin/pinger root:squid 4750
+/usr/sbin/basic_pam_auth root:shadow 2750
diff --git a/squid.permissions.paranoid b/squid.permissions.paranoid
new file mode 100644
index 0000000..15c7a04
--- /dev/null
+++ b/squid.permissions.paranoid
@@ -0,0 +1,4 @@
+/var/cache/squid/ squid:root 750
+/var/log/squid/ squid:root 750
+/usr/sbin/pinger root:root 755
+/usr/sbin/basic_pam_auth root:root 755
diff --git a/squid.spec b/squid.spec
index e1a1918..2065f74 100644
--- a/squid.spec
+++ b/squid.spec
@@ -36,10 +36,13 @@ Source4: squid.sysconfig
 Source5: pam.squid
 Source6: unsquid.pl
 Source7: %{name}.logrotate
-Source9: %{name}.permissions
+Source9: %{name}.permissions.easy
 Source10: README.kerberos
 Source11: %{name}.service
 Source13: %{name}.keyring
+Source14: squid.init.rh
+Source15: %{name}.permissions.paranoid
+
 #
 # the following patches are downloaded directly from the webserver
 # don't change the names for easier identification
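Review bot: The easy profile grants basic_pam_auth setgid shadow (2750 root:shadow) and pinger setuid root (4750 root:squid), but the file carries no comment on why either helper needs the bit or who is allowed to execute it; the changelog entry explains pinger only. A comment per entry, e.g. `# pinger: needs root to ping cache peers; executable only by group squid` and a matching one for basic_pam_auth stating why it needs group shadow, would document the intent where an auditor reads it. The paranoid variant in the next hunk drops both bits (755 root:root), which presumably disables peer pinging and PAM authentication there; that trade-off is worth a comment in that file as well.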
@@ -63,19 +66,30 @@ Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch # patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042) Patch103: squid-brokenad.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build +%if 0%{?suse_version} PreReq: %fillup_prereq PreReq: %insserv_prereq PreReq: /usr/bin/getent PreReq: permissions PreReq: pwdutils +%else +Requires(pre): shadow-utils +Requires(post): /sbin/chkconfig +Requires(preun): /sbin/service /sbin/chkconfig +Requires(postun): /sbin/service +%endif BuildRequires: db-devel # needed by bootstrap.sh BuildRequires: cyrus-sasl-devel BuildRequires: ed BuildRequires: expat +%if 0%{?suse_version} || 0%{?fedora_version} > 8 BuildRequires: fdupes +%endif BuildRequires: gcc-c++ +%if 0%{?suse_version} BuildRequires: gpg-offline +%endif BuildRequires: krb5-devel BuildRequires: libcap-devel BuildRequires: libexpat-devel @@ -127,7 +141,9 @@ Most user-facing changes are reflected in squid.conf (see below). %prep #setup -q -n %{name}-%{version}%{snap} +%if 0%{?suse_version} %gpg_verify %{S:1} +%endif %setup -q -n %{name}-%{version} cp %{S:10} . # upstream patches after RELEASE @@ -199,8 +215,9 @@ fi make SAMBAPREFIX=/usr %{?_smp_mflags} %install -/usr/sbin/useradd -r -o -g nogroup -u 31 -s /bin/false -c "WWW-proxy squid" \ - -d /var/cache/%{name} %{name} 2> /dev/null || : +%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || : +%{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \ + -g %{name} -o -u 31 -r -s /bin/false 2> /dev/null || : install -d %{buildroot}%{_localstatedir}/{cache,log}/%{name} chmod 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name} install -d %{buildroot}%{_prefix}/sbin 
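Review bot: Wrapping `%gpg_verify %{S:1}` in `%if 0%{?suse_version}` (the hunk at -127) means non-SUSE builds never check the source tarball against the shipped keyring (Source13), so the signature gate is silently skipped on exactly the RHEL/CentOS targets this commit enables. If the macro is unavailable there, an equivalent direct gpg verification against the keyring in the `%else` branch, or at minimum a comment such as `# gpg_verify is SUSE-only; tarball is NOT signature-checked on other targets`, keeps the gap explicit rather than invisible. The `%prep` section continues outside the hunk.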
@@ -208,10 +225,17 @@ make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible install -d -m 755 %{buildroot}%{_sysconfdir}/permissions.d -install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name} +install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy +# pinger should be secure "enough" anyway paranoid will strip everything :) +install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure +install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} +%if 0%{?suse_version} install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name} +%else # lets just assume other are rh based ones... +install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name} +%endif ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rcsquid install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} @@ -250,6 +274,10 @@ install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service %endif %pre +# we need this group for /usr/sbin/pinger +if [ -z "`%{_bindir}/getent group %{name} 2>/dev/null`" ]; then + %{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null +fi # we need this group for squid (ntlmauth) # read access to /var/lib/samba/winbindd_privileged if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then 
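Review bot: `%{SOURCE9}` (the easy profile) is installed as both `permissions.d/%{name}.easy` and `permissions.d/%{name}.secure`, so the secure level keeps setuid-root pinger (4750 root:squid) and setgid-shadow basic_pam_auth (2750 root:shadow) exactly as easy does, while only paranoid strips them; the comment above mentions pinger only and says nothing about the shadow-group helper. If secure is meant to equal easy, the comment should say so, e.g. `# secure is intentionally identical to easy: pinger and basic_pam_auth keep their bits; paranoid strips both`; otherwise a separate squid.permissions.secure source is needed.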
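Review bot: In the `%pre` hunk at -250, `%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null` fails silently when GID 31 is already taken on the target host, and the `useradd ... -g %{name}` that follows in the same scriptlet then has no such group to assign; a fallback without the fixed GID, `%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || %{_sbindir}/groupadd -r %{name} 2>/dev/null`, keeps installation working in that case. The `%pre` scriptlet continues outside the hunk.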
@@ -257,12 +285,12 @@ if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then fi if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then %{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \ - -G winbind -g nogroup -o -u 31 -r -s /bin/false \ + -G winbind -g %{name} -o -u 31 -r -s /bin/false \ %{name} 2>/dev/null fi # if squid is not member of winbind, add him if [ `%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?` -ne 0 ]; then - %{_sbindir}/groupmod -A %{name} winbind 2>/dev/null + %{_sbindir}/usermod -G winbind %{name} 2>/dev/null fi %if 0%{?has_systemd} @@ -271,8 +299,11 @@ fi %post %if 0%{?suse_version} >= 1140 -%set_permissions %{_localstatedir}/cache/%{name} -%set_permissions %{_localstatedir}/log/%{name} +%if 0%{?set_permissions:1} + %set_permissions %name +%else + %run_permissions +%endif %endif # update mode? if [ "$1" -gt "1" ]; then @@ -280,15 +311,29 @@ if [ "$1" -gt "1" ]; then echo "moving /etc/%{name}.conf to /etc/%{name}/%{name}.conf" mv etc/%{name}.conf etc/%{name}/%{name}.conf fi + # default group changed from nogroup to squid + %{_sbindir}/usermod -g %{name} %{name} fi +%if 0%{?suse_version} %{fillup_and_insserv -n "squid"} +%else +/sbin/chkconfig --add squid +%endif %if 0%{?has_systemd} %service_add_post squid.service %endif %preun +%if 0%{?suse_version} %stop_on_removal squid +%else +if [ $1 = 0 ] ; then + service squid stop >/dev/null 2>&1 + rm -f /var/log/squid/* + /sbin/chkconfig --del squid +fi +%endif %if 0%{?has_systemd} %service_del_preun squid.service 
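Review bot: `%{_sbindir}/usermod -G winbind %{name}` replaces the user's entire supplementary group list rather than adding to it, so any other group a site administrator granted to squid is dropped; the append form is `%{_sbindir}/usermod -a -G winbind %{name} 2>/dev/null`. The guarding `if` only fires when squid is not yet in winbind, so the loss happens on the first upgrade after this change and is easy to miss in testing. The `%pre` scriptlet begins outside the hunk.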
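Review bot: The non-SUSE `%preun` branch (hunk at -280) runs `rm -f /var/log/squid/*` on package removal, which destroys access and cache logs that administrators and incident responders expect to outlive an uninstall; the SUSE branch does not do this and the `%files` section ships the log directory as a plain 750 squid:root directory, so the two branches disagree. Dropping that line and letting rpm remove the directory only when it is empty is the conventional behaviour. `if [ $1 = 0 ] ; then` should also quote its argument, `if [ "$1" = 0 ] ; then`, matching the `"$1"` test in `%post` a few lines above.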
@@ -300,10 +345,20 @@ fi %service_del_postun squid.service %endif +%if 0%{?suse_version} %restart_on_update squid %insserv_cleanup %verifyscript -%verify_permissions -e /usr/sbin/pam_auth +%verify_permissions -e /usr/sbin/basic_pam_auth +%verify_permissions -e /usr/sbin/pinger +%verify_permissions -e /var/cache/squid/ +%verify_permissions -e /var/log/squid/ + +%else +if [ "$1" -ge "1" ] ; then + service squid condrestart >/dev/null 2>&1 +fi +%endif %files %defattr(-,root,root) @@ -316,8 +371,8 @@ fi %if 0%{?has_systemd} %{_unitdir}/%{name}.service %endif -%attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/ -%attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/ +%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/ +%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/ %dir %{squidconfdir} %config(noreplace) %{squidconfdir}/cachemgr.conf %config(noreplace) %{squidconfdir}/errorpage.css @@ -333,7 +388,9 @@ fi %config %{squidconfdir}/%{name}.conf.documented %config %{_sysconfdir}/pam.d/%{name} %config %{_sysconfdir}/init.d/%{name} -%config %{_sysconfdir}/permissions.d/%{name} +%config %{_sysconfdir}/permissions.d/%{name}.easy +%config %{_sysconfdir}/permissions.d/%{name}.secure +%config %{_sysconfdir}/permissions.d/%{name}.paranoid %dir %{_datadir}/%{name} %{_datadir}/%{name}/errors %{_datadir}/%{name}/icons @@ -350,8 +407,8 @@ fi %{_sbindir}/basic_msnt_multi_domain_auth %{_sbindir}/basic_ncsa_auth %{_sbindir}/basic_nis_auth -#verify(not mode) %attr(4755,root,shadow) %{_sbindir}/basic_pam_auth -%{_sbindir}/basic_pam_auth +%verify(not user group mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth +#%%{_sbindir}/basic_pam_auth %{_sbindir}/basic_pop3_auth %{_sbindir}/basic_radius_auth %{_sbindir}/basic_sasl_auth 
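Review bot: `%verify(not user group mode)` on the cache and log directories (hunk at -316), on basic_pam_auth (hunk at -350) and on pinger (hunk at -378) is applied unconditionally, but the `%verifyscript` that re-checks those paths via `%verify_permissions` sits inside `%if 0%{?suse_version}`; on the RHEL/CentOS targets this commit enables, `rpm -V` therefore stops reporting ownership or mode drift on a setuid-root and a setgid-shadow binary and nothing replaces that check. Emitting the `%verify(...)` prefix only under the same `%if 0%{?suse_version}` and plain `%attr(...)` lines otherwise keeps drift detection on the targets that have no permissions framework.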
@@ -378,7 +435,7 @@ fi
 %{_sbindir}/negotiate_wrapper_auth
 %{_sbindir}/ntlm_fake_auth
 %{_sbindir}/ntlm_smb_lm_auth
-%{_sbindir}/pinger
+%verify(not user group mode) %attr(4750,root,squid) %{_sbindir}/pinger
 %{_sbindir}/rc%{name}
 %{_sbindir}/%{name}
 %{_sbindir}/ssl_crtd
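Review bot: The setuid-root bit on pinger is the one privileged entry point this change adds to the file list, and its only rationale lives in the changelog; a one-line comment directly above the entry, `# pinger needs root to ping cache peers; 4750 root:squid restricts execution to the squid group`, keeps the reason next to the bit an auditor will grep for.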