Accepting request 244146 from server:proxy:Test

some permission and redhat stuff

OBS-URL: https://build.opensuse.org/request/show/244146
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=59

squid-rpmlintrc

@@ -1,3 +1,5 @@
 addFilter("macro-in-comment")
 addFilter("no-manual-page-for-binary")
 addFilter("zero-length")
+# Temporary solution untill it is moved into factory
+setBadness('permissions-unauthorized-file', 333)

squid.changes

@@ -4,6 +4,29 @@ Thu Jul 31 14:01:54 UTC 2014 - dimstar@opensuse.org
 - Rename rpmlintrc to %{name}-rpmlintrc.
   Follow the packaging guidelines.
 
+-------------------------------------------------------------------
+Thu Apr 24 20:47:05 UTC 2014 - boris@steki.net
+
+- fix rhel/centos usermod parameter invocation order
+
+-------------------------------------------------------------------
+Wed Apr  9 15:42:06 UTC 2014 - boris@steki.net
+
+- setuid handling for opensuse using permissions updated 
+
+-------------------------------------------------------------------
+Mon Apr  7 12:06:41 UTC 2014 - boris@steki.net
+
+- enable build for centos/rhel
+  - add centos/rhel init script
+
+-------------------------------------------------------------------
+Sat Mar 29 16:47:44 UTC 2014 - chris@computersalat.de
+
+- add 'squid' as default group and added suid bit for /usr/sbin/pinger
+  # pinger needs 'root' privileges to be able to ping (cache peer)
+  * attr(4750,root,squid) /usr/sbin/pinger
+
 -------------------------------------------------------------------
 Fri Mar 28 18:46:44 UTC 2014 - chris@computersalat.de
 

squid.init.rh

@@ -0,0 +1,187 @@
+#!/bin/bash
+# chkconfig: - 90 25
+# pidfile: /var/run/squid.pid
+# config: /etc/squid/squid.conf
+#
+### BEGIN INIT INFO
+# Provides: squid
+# Short-Description: starting and stopping Squid Internet Object Cache
+# Description: Squid - Internet Object Cache. Internet object caching is \
+#       a way to store requested Internet objects (i.e., data available \
+#       via the HTTP, FTP, and gopher protocols) on a system closer to the \
+#       requesting site than to the source. Web browsers can then use the \
+#       local Squid cache as a proxy HTTP server, reducing access time as \
+#       well as bandwidth consumption.
+### END INIT INFO
+
+
+PATH=/usr/bin:/sbin:/bin:/usr/sbin
+export PATH
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Source networking configuration.
+. /etc/sysconfig/network
+
+if [ -f /etc/sysconfig/squid ]; then
+	. /etc/sysconfig/squid
+fi
+
+# don't raise an error if the config file is incomplete
+# set defaults instead:
+SQUID_OPTS=${SQUID_OPTS:-""}
+SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
+SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}
+SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}
+SQUID_PIDFILE_DIR="/var/run/squid"
+SQUID_USER="squid"
+SQUID_DIR="squid"
+
+# determine the name of the squid binary
+[ -f /usr/sbin/squid ] && SQUID=squid
+
+prog="$SQUID"
+
+# determine which one is the cache_swap directory
+CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \
+	grep cache_dir | awk '{ print $3 }'`
+
+RETVAL=0
+
+probe() {
+	# Check that networking is up.
+	[ ${NETWORKING} = "no" ] && exit 1
+
+	[ `id -u` -ne 0 ] && exit 4
+
+	# check if the squid conf file is present
+	[ -f $SQUID_CONF ] || exit 6
+}
+
+start() {
+	# Check if $SQUID_PIDFILE_DIR exists and if not, lets create it and give squid permissions.
+	if [ ! -d $SQUID_PIDFILE_DIR ] ; then mkdir $SQUID_PIDFILE_DIR ; chown -R $SQUID_USER.$SQUID_DIR $SQUID_PIDFILE_DIR; fi
+	probe
+
+	parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
+	RETVAL=$?
+	if [ $RETVAL -ne 0 ]; then
+		echo -n $"Starting $prog: "
+		echo_failure
+		echo
+		echo "$parse"
+		return 1
+	fi
+	for adir in $CACHE_SWAP; do
+		if [ ! -d $adir/00 ]; then
+			echo -n "init_cache_dir $adir... "
+			$SQUID -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+		fi
+	done
+	echo -n $"Starting $prog: "
+	$SQUID $SQUID_OPTS -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+	RETVAL=$?
+	if [ $RETVAL -eq 0 ]; then
+		timeout=0;
+		while : ; do
+			[ ! -f /var/run/squid.pid ] || break
+			if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
+				RETVAL=1
+				break
+			fi
+			sleep 1 && echo -n "."
+			timeout=$((timeout+1))
+		done
+	fi
+	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID
+	[ $RETVAL -eq 0 ] && echo_success
+	[ $RETVAL -ne 0 ] && echo_failure
+	echo
+	return $RETVAL
+}
+
+stop() {
+	echo -n $"Stopping $prog: "
+	$SQUID -k check -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+	RETVAL=$?
+	if [ $RETVAL -eq 0 ] ; then
+		$SQUID -k shutdown -f $SQUID_CONF &
+		rm -f /var/lock/subsys/$SQUID
+		timeout=0
+		while : ; do
+			[ -f /var/run/squid.pid ] || break
+			if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then
+				echo
+				return 1
+			fi
+			sleep 2 && echo -n "."
+			timeout=$((timeout+2))
+		done
+		echo_success
+		echo
+	else
+		echo_failure
+		if [ ! -e /var/lock/subsys/$SQUID ]; then
+			RETVAL=0
+		fi
+		echo
+	fi
+	rm -rf $SQUID_PIDFILE_DIR/*
+	return $RETVAL
+}
+
+reload() {
+	$SQUID $SQUID_OPTS -k reconfigure -f $SQUID_CONF
+}
+
+restart() {
+	stop
+	rm -rf $SQUID_PIDFILE_DIR/*
+	start
+}
+
+condrestart() {
+	[ -e /var/lock/subsys/squid ] && restart || :
+}
+
+rhstatus() {
+	status $SQUID && $SQUID -k check -f $SQUID_CONF
+}
+
+
+case "$1" in
+start)
+	start
+	;;
+
+stop)
+	stop
+	;;
+
+reload|force-reload)
+	reload
+	;;
+
+restart)
+	restart
+	;;
+
+condrestart|try-restart)
+	condrestart
+	;;
+
+status)
+	rhstatus
+	;;
+
+probe)
+	probe
+	;;
+
+*)
+	echo $"Usage: $0 {start|stop|status|reload|force-reload|restart|try-restart|probe}"
+	exit 2
+esac
+
+exit $?

squid.permissions

@@ -1,2 +0,0 @@
-/var/cache/squid/		squid:root	750
-/var/log/squid/			squid:root	750

squid.permissions.easy

@@ -0,0 +1,4 @@
+/var/cache/squid/		squid:root	750
+/var/log/squid/			squid:root	750
+/usr/sbin/pinger		root:squid	4750
+/usr/sbin/basic_pam_auth	root:shadow	2750

squid.permissions.paranoid

@@ -0,0 +1,4 @@
+/var/cache/squid/		squid:root	750
+/var/log/squid/			squid:root	750
+/usr/sbin/pinger		root:root	755
+/usr/sbin/basic_pam_auth	root:root	755

squid.spec

@@ -36,10 +36,13 @@ Source4:        squid.sysconfig
 Source5:        pam.squid
 Source6:        unsquid.pl
 Source7:        %{name}.logrotate
-Source9:        %{name}.permissions
+Source9:        %{name}.permissions.easy
 Source10:       README.kerberos
 Source11:       %{name}.service
 Source13:       %{name}.keyring
+Source14:       squid.init.rh
+Source15:       %{name}.permissions.paranoid
+
 #
 # the following patches are downloaded directly from the webserver
 # don't change the names for easier identification
@@ -63,19 +66,30 @@ Patch102:       %{name}-compiled_without_RPM_OPT_FLAGS.patch
 # patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042)
 Patch103:       squid-brokenad.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+%if 0%{?suse_version}
 PreReq:         %fillup_prereq
 PreReq:         %insserv_prereq
 PreReq:         /usr/bin/getent
 PreReq:         permissions
 PreReq:         pwdutils
+%else
+Requires(pre): shadow-utils
+Requires(post): /sbin/chkconfig
+Requires(preun): /sbin/service /sbin/chkconfig
+Requires(postun): /sbin/service
+%endif
 BuildRequires:  db-devel
 # needed by bootstrap.sh
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  ed
 BuildRequires:  expat
+%if 0%{?suse_version} || 0%{?fedora_version} > 8
 BuildRequires:  fdupes
+%endif
 BuildRequires:  gcc-c++
+%if 0%{?suse_version}
 BuildRequires:  gpg-offline
+%endif
 BuildRequires:  krb5-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libexpat-devel
@@ -127,7 +141,9 @@ Most user-facing changes are reflected in squid.conf (see below).
 
 %prep
 #setup -q -n %{name}-%{version}%{snap}
+%if 0%{?suse_version}
 %gpg_verify %{S:1}
+%endif
 %setup -q -n %{name}-%{version}
 cp %{S:10} .
 # upstream patches after RELEASE
@@ -199,8 +215,9 @@ fi
 make SAMBAPREFIX=/usr %{?_smp_mflags}
 
 %install
-/usr/sbin/useradd -r -o -g nogroup -u 31 -s /bin/false -c "WWW-proxy squid" \
+%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || :
-	-d /var/cache/%{name} %{name} 2> /dev/null || :
+%{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
+  -g %{name} -o -u 31 -r -s /bin/false 2> /dev/null || :
 install -d %{buildroot}%{_localstatedir}/{cache,log}/%{name}
 chmod 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
 install -d %{buildroot}%{_prefix}/sbin
@@ -208,10 +225,17 @@ make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr
 mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default
 ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible
 install -d -m 755 %{buildroot}%{_sysconfdir}/permissions.d
-install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}
+install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy
+# pinger should be secure "enough" anyway paranoid will strip everything :)
+install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure
+install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
 install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
 install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+%if 0%{?suse_version}
 install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
+%else # lets just assume other are rh based ones...
+install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
+%endif
 ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rcsquid
 install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
 
@@ -250,6 +274,10 @@ install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
 %endif
 
 %pre
+# we need this group for /usr/sbin/pinger
+if [ -z "`%{_bindir}/getent group %{name} 2>/dev/null`" ]; then
+  %{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null
+fi
 # we need this group for squid (ntlmauth)
 # read access to /var/lib/samba/winbindd_privileged
 if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then
@@ -257,12 +285,12 @@ if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then
 fi
 if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then
   %{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
-    -G winbind -g nogroup -o -u 31 -r -s /bin/false \
+    -G winbind -g %{name} -o -u 31 -r -s /bin/false \
     %{name} 2>/dev/null
 fi
 # if squid is not member of winbind, add him
 if [ `%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?` -ne 0 ]; then
-  %{_sbindir}/groupmod -A %{name} winbind 2>/dev/null
+  %{_sbindir}/usermod -G winbind %{name} 2>/dev/null
 fi
 
 %if 0%{?has_systemd}
@@ -271,8 +299,11 @@ fi
 
 %post
 %if 0%{?suse_version} >= 1140
-%set_permissions %{_localstatedir}/cache/%{name}
+%if 0%{?set_permissions:1}
-%set_permissions %{_localstatedir}/log/%{name}
+    %set_permissions %name
+%else
+    %run_permissions
+%endif
 %endif
 # update mode?
 if [ "$1" -gt "1" ]; then
@@ -280,15 +311,29 @@ if [ "$1" -gt "1" ]; then
     echo "moving /etc/%{name}.conf to /etc/%{name}/%{name}.conf"
     mv etc/%{name}.conf etc/%{name}/%{name}.conf
   fi
+  # default group changed from nogroup to squid
+  %{_sbindir}/usermod -g %{name} %{name}
 fi
+%if 0%{?suse_version}
 %{fillup_and_insserv -n "squid"}
+%else
+/sbin/chkconfig --add squid
+%endif
 
 %if 0%{?has_systemd}
 %service_add_post squid.service
 %endif
 
 %preun
+%if 0%{?suse_version}
 %stop_on_removal squid
+%else
+if [ $1 = 0 ] ; then
+        service squid stop >/dev/null 2>&1
+        rm -f /var/log/squid/*
+        /sbin/chkconfig --del squid
+fi
+%endif
 
 %if 0%{?has_systemd}
 %service_del_preun squid.service
@@ -300,10 +345,20 @@ fi
 %service_del_postun squid.service
 %endif
 
+%if 0%{?suse_version}
 %restart_on_update squid
 %insserv_cleanup
 %verifyscript
-%verify_permissions -e /usr/sbin/pam_auth
+%verify_permissions -e /usr/sbin/basic_pam_auth
+%verify_permissions -e /usr/sbin/pinger
+%verify_permissions -e /var/cache/squid/
+%verify_permissions -e /var/log/squid/
+
+%else
+if [ "$1" -ge "1" ] ; then
+        service squid condrestart >/dev/null 2>&1
+fi
+%endif
 
 %files
 %defattr(-,root,root)
@@ -316,8 +371,8 @@ fi
 %if 0%{?has_systemd}
 %{_unitdir}/%{name}.service
 %endif
-%attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
+%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
-%attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
+%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
 %dir %{squidconfdir}
 %config(noreplace) %{squidconfdir}/cachemgr.conf
 %config(noreplace) %{squidconfdir}/errorpage.css
@@ -333,7 +388,9 @@ fi
 %config %{squidconfdir}/%{name}.conf.documented
 %config %{_sysconfdir}/pam.d/%{name}
 %config %{_sysconfdir}/init.d/%{name}
-%config %{_sysconfdir}/permissions.d/%{name}
+%config %{_sysconfdir}/permissions.d/%{name}.easy
+%config %{_sysconfdir}/permissions.d/%{name}.secure
+%config %{_sysconfdir}/permissions.d/%{name}.paranoid
 %dir %{_datadir}/%{name}
 %{_datadir}/%{name}/errors
 %{_datadir}/%{name}/icons
@@ -350,8 +407,8 @@ fi
 %{_sbindir}/basic_msnt_multi_domain_auth
 %{_sbindir}/basic_ncsa_auth
 %{_sbindir}/basic_nis_auth
-#verify(not mode) %attr(4755,root,shadow) %{_sbindir}/basic_pam_auth
+%verify(not user group mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth
-%{_sbindir}/basic_pam_auth
+#%%{_sbindir}/basic_pam_auth
 %{_sbindir}/basic_pop3_auth
 %{_sbindir}/basic_radius_auth
 %{_sbindir}/basic_sasl_auth
@@ -378,7 +435,7 @@ fi
 %{_sbindir}/negotiate_wrapper_auth
 %{_sbindir}/ntlm_fake_auth
 %{_sbindir}/ntlm_smb_lm_auth
-%{_sbindir}/pinger
+%verify(not user group mode) %attr(4750,root,squid) %{_sbindir}/pinger
 %{_sbindir}/rc%{name}
 %{_sbindir}/%{name}
 %{_sbindir}/ssl_crtd