Accepting request 244146 from server:proxy:Test

some permission and redhat stuff

OBS-URL: https://build.opensuse.org/request/show/244146
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=59
Christian Wittmer 2014-08-10 17:56:45 +00:00 committed by Git OBS Bridge
parent f645c10624
commit 5a2a646e40
7 changed files with 292 additions and 17 deletions


@ -1,3 +1,5 @@
addFilter("macro-in-comment")
addFilter("no-manual-page-for-binary")
addFilter("zero-length")
# Temporary solution untill it is moved into factory
setBadness('permissions-unauthorized-file', 333)


@ -4,6 +4,29 @@ Thu Jul 31 14:01:54 UTC 2014 - dimstar@opensuse.org
- Rename rpmlintrc to %{name}-rpmlintrc.
Follow the packaging guidelines.
-------------------------------------------------------------------
Thu Apr 24 20:47:05 UTC 2014 - boris@steki.net
- fix rhel/centos usermod parameter invocation order
-------------------------------------------------------------------
Wed Apr 9 15:42:06 UTC 2014 - boris@steki.net
- setuid handling for opensuse using permissions updated
-------------------------------------------------------------------
Mon Apr 7 12:06:41 UTC 2014 - boris@steki.net
- enable build for centos/rhel
- add centos/rhel init script
-------------------------------------------------------------------
Sat Mar 29 16:47:44 UTC 2014 - chris@computersalat.de
- add 'squid' as default group and added suid bit for /usr/sbin/pinger
# pinger needs 'root' privileges to be able to ping (cache peer)
* attr(4750,root,squid) /usr/sbin/pinger
-------------------------------------------------------------------
Fri Mar 28 18:46:44 UTC 2014 - chris@computersalat.de

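--- a/squid.init.rh
+++ b/squid.init.rh
@@ -0,0 +1,187 @@
+#!/bin/bash
+# chkconfig: - 90 25
+# pidfile: /var/run/squid.pid
+# config: /etc/squid/squid.conf
+#
+### BEGIN INIT INFO
+# Provides: squid
+# Short-Description: starting and stopping Squid Internet Object Cache
+# Description: Squid - Internet Object Cache. Internet object caching is \
+# a way to store requested Internet objects (i.e., data available \
+# via the HTTP, FTP, and gopher protocols) on a system closer to the \
+# requesting site than to the source. Web browsers can then use the \
+# local Squid cache as a proxy HTTP server, reducing access time as \
+# well as bandwidth consumption.
+### END INIT INFO
+PATH=/usr/bin:/sbin:/bin:/usr/sbin
+export PATH
+# Source function library.
+. /etc/rc.d/init.d/functions
+# Source networking configuration.
+. /etc/sysconfig/network
+if [ -f /etc/sysconfig/squid ]; then
+. /etc/sysconfig/squid
+fi
+# don't raise an error if the config file is incomplete
+# set defaults instead:
+SQUID_OPTS=${SQUID_OPTS:-""}
+SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
+SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}
+SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}
+SQUID_PIDFILE_DIR="/var/run/squid"
+SQUID_USER="squid"
+SQUID_DIR="squid"
+# determine the name of the squid binary
+[ -f /usr/sbin/squid ] && SQUID=squid
+prog="$SQUID"
+# determine which one is the cache_swap directory
+CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \
+grep cache_dir | awk '{ print $3 }'`
+RETVAL=0
+probe() {
+# Check that networking is up.
+[ ${NETWORKING} = "no" ] && exit 1
+[ `id -u` -ne 0 ] && exit 4
+# check if the squid conf file is present
+[ -f $SQUID_CONF ] || exit 6
+}
+start() {
+# Check if $SQUID_PIDFILE_DIR exists and if not, lets create it and give squid permissions.
+if [ ! -d $SQUID_PIDFILE_DIR ] ; then mkdir $SQUID_PIDFILE_DIR ; chown -R $SQUID_USER.$SQUID_DIR $SQUID_PIDFILE_DIR; fi
+probe
+parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
+RETVAL=$?
+if [ $RETVAL -ne 0 ]; then
+echo -n $"Starting $prog: "
+echo_failure
+echo
+echo "$parse"
+return 1
+fi
+for adir in $CACHE_SWAP; do
+if [ ! -d $adir/00 ]; then
+echo -n "init_cache_dir $adir... "
+$SQUID -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+fi
+done
+echo -n $"Starting $prog: "
+$SQUID $SQUID_OPTS -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+RETVAL=$?
+if [ $RETVAL -eq 0 ]; then
+timeout=0;
+while : ; do
+[ ! -f /var/run/squid.pid ] || break
+if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
+RETVAL=1
+break
+fi
+sleep 1 && echo -n "."
+timeout=$((timeout+1))
+done
+fi
+[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID
+[ $RETVAL -eq 0 ] && echo_success
+[ $RETVAL -ne 0 ] && echo_failure
+echo
+return $RETVAL
+}
+stop() {
+echo -n $"Stopping $prog: "
+$SQUID -k check -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+RETVAL=$?
+if [ $RETVAL -eq 0 ] ; then
+$SQUID -k shutdown -f $SQUID_CONF &
+rm -f /var/lock/subsys/$SQUID
+timeout=0
+while : ; do
+[ -f /var/run/squid.pid ] || break
+if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then
+echo
+return 1
+fi
+sleep 2 && echo -n "."
+timeout=$((timeout+2))
+done
+echo_success
+echo
+else
+echo_failure
+if [ ! -e /var/lock/subsys/$SQUID ]; then
+RETVAL=0
+fi
+echo
+fi
+rm -rf $SQUID_PIDFILE_DIR/*
+return $RETVAL
+}
+reload() {
+$SQUID $SQUID_OPTS -k reconfigure -f $SQUID_CONF
+}
+restart() {
+stop
+rm -rf $SQUID_PIDFILE_DIR/*
+start
+}
+condrestart() {
+[ -e /var/lock/subsys/squid ] && restart || :
+}
+rhstatus() {
+status $SQUID && $SQUID -k check -f $SQUID_CONF
+}
+case "$1" in
+start)
+start
+;;
+stop)
+stop
+;;
+reload|force-reload)
+reload
+;;
+restart)
+restart
+;;
+condrestart|try-restart)
+condrestart
+;;
+status)
+rhstatus
+;;
+probe)
+probe
+;;
+*)
+echo $"Usage: $0 {start|stop|status|reload|force-reload|restart|try-restart|probe}"
+exit 2
+esac
+exit $?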
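Review bot: `start()` and `stop()` run as root and append to `/var/log/squid/squid.out`, but the permissions files in this same commit make `/var/log/squid/` owned by the squid account (`squid:root 750`), so an unprivileged user controls what that path resolves to when root opens it. A link placed there by the service account would redirect the root-owned append to another file. I would write this output to a location only root can modify, for example `>> /var/log/squid.out 2>&1` on the three `$SQUID ... >> /var/log/squid/squid.out` lines, or add a comment explaining why the squid-owned directory is considered acceptable here.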


@ -1,2 +0,0 @@
/var/cache/squid/ squid:root 750
/var/log/squid/ squid:root 750

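--- a/squid.permissions.easy
+++ b/squid.permissions.easy
@@ -0,0 +1,4 @@
+/var/cache/squid/ squid:root 750
+/var/log/squid/ squid:root 750
+/usr/sbin/pinger root:squid 4750
+/usr/sbin/basic_pam_auth root:shadow 2750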
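Review bot: `/usr/sbin/basic_pam_auth root:shadow 2750` grants execute only to root and members of `shadow`, while the `%pre` scriptlet on this page puts the squid account only in groups `squid` and `winbind`. If squid launches this helper under its own account, the exec would presumably be refused. `pinger` avoids this because its group is `squid`. The same mode is repeated in the spec's `%files` entry `%attr(2750,root,shadow) %{_sbindir}/basic_pam_auth`. Please confirm the helper is still runnable after install; if it is not, the entry needs either the other-execute bit (`root:shadow 2755`) or a group the squid account belongs to, with a comment in this file recording which was chosen and why.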


@ -0,0 +1,4 @@
/var/cache/squid/ squid:root 750
/var/log/squid/ squid:root 750
/usr/sbin/pinger root:root 755
/usr/sbin/basic_pam_auth root:root 755


@ -36,10 +36,13 @@ Source4: squid.sysconfig
Source5: pam.squid
Source6: unsquid.pl
Source7: %{name}.logrotate
Source9: %{name}.permissions
Source9: %{name}.permissions.easy
Source10: README.kerberos
Source11: %{name}.service
Source13: %{name}.keyring
Source14: squid.init.rh
Source15: %{name}.permissions.paranoid
#
# the following patches are downloaded directly from the webserver
# don't change the names for easier identification
@ -63,19 +66,30 @@ Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch
# patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042)
Patch103: squid-brokenad.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if 0%{?suse_version}
PreReq: %fillup_prereq
PreReq: %insserv_prereq
PreReq: /usr/bin/getent
PreReq: permissions
PreReq: pwdutils
%else
Requires(pre): shadow-utils
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/service /sbin/chkconfig
Requires(postun): /sbin/service
%endif
BuildRequires: db-devel
# needed by bootstrap.sh
BuildRequires: cyrus-sasl-devel
BuildRequires: ed
BuildRequires: expat
%if 0%{?suse_version} || 0%{?fedora_version} > 8
BuildRequires: fdupes
%endif
BuildRequires: gcc-c++
%if 0%{?suse_version}
BuildRequires: gpg-offline
%endif
BuildRequires: krb5-devel
BuildRequires: libcap-devel
BuildRequires: libexpat-devel
@ -127,7 +141,9 @@ Most user-facing changes are reflected in squid.conf (see below).
%prep
#setup -q -n %{name}-%{version}%{snap}
%if 0%{?suse_version}
%gpg_verify %{S:1}
%endif
%setup -q -n %{name}-%{version}
cp %{S:10} .
# upstream patches after RELEASE
@ -199,8 +215,9 @@ fi
make SAMBAPREFIX=/usr %{?_smp_mflags}
%install
/usr/sbin/useradd -r -o -g nogroup -u 31 -s /bin/false -c "WWW-proxy squid" \
-d /var/cache/%{name} %{name} 2> /dev/null || :
%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || :
%{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
-g %{name} -o -u 31 -r -s /bin/false 2> /dev/null || :
install -d %{buildroot}%{_localstatedir}/{cache,log}/%{name}
chmod 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
install -d %{buildroot}%{_prefix}/sbin
@ -208,10 +225,17 @@ make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr
mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default
ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible
install -d -m 755 %{buildroot}%{_sysconfdir}/permissions.d
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy
# pinger should be secure "enough" anyway paranoid will strip everything :)
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%if 0%{?suse_version}
install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
%else # lets just assume other are rh based ones...
install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
%endif
ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rcsquid
install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
@ -250,6 +274,10 @@ install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
%endif
%pre
# we need this group for /usr/sbin/pinger
if [ -z "`%{_bindir}/getent group %{name} 2>/dev/null`" ]; then
%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null
fi
# we need this group for squid (ntlmauth)
# read access to /var/lib/samba/winbindd_privileged
if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then
@ -257,12 +285,12 @@ if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then
fi
if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then
%{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
-G winbind -g nogroup -o -u 31 -r -s /bin/false \
-G winbind -g %{name} -o -u 31 -r -s /bin/false \
%{name} 2>/dev/null
fi
# if squid is not member of winbind, add him
if [ `%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?` -ne 0 ]; then
%{_sbindir}/groupmod -A %{name} winbind 2>/dev/null
%{_sbindir}/usermod -G winbind %{name} 2>/dev/null
fi
%if 0%{?has_systemd}
@ -271,8 +299,11 @@ fi
%post
%if 0%{?suse_version} >= 1140
%set_permissions %{_localstatedir}/cache/%{name}
%set_permissions %{_localstatedir}/log/%{name}
%if 0%{?set_permissions:1}
%set_permissions %name
%else
%run_permissions
%endif
%endif
# update mode?
if [ "$1" -gt "1" ]; then
@ -280,15 +311,29 @@ if [ "$1" -gt "1" ]; then
echo "moving /etc/%{name}.conf to /etc/%{name}/%{name}.conf"
mv etc/%{name}.conf etc/%{name}/%{name}.conf
fi
# default group changed from nogroup to squid
%{_sbindir}/usermod -g %{name} %{name}
fi
%if 0%{?suse_version}
%{fillup_and_insserv -n "squid"}
%else
/sbin/chkconfig --add squid
%endif
%if 0%{?has_systemd}
%service_add_post squid.service
%endif
%preun
%if 0%{?suse_version}
%stop_on_removal squid
%else
if [ $1 = 0 ] ; then
service squid stop >/dev/null 2>&1
rm -f /var/log/squid/*
/sbin/chkconfig --del squid
fi
%endif
%if 0%{?has_systemd}
%service_del_preun squid.service
@ -300,10 +345,20 @@ fi
%service_del_postun squid.service
%endif
%if 0%{?suse_version}
%restart_on_update squid
%insserv_cleanup
%verifyscript
%verify_permissions -e /usr/sbin/pam_auth
%verify_permissions -e /usr/sbin/basic_pam_auth
%verify_permissions -e /usr/sbin/pinger
%verify_permissions -e /var/cache/squid/
%verify_permissions -e /var/log/squid/
%else
if [ "$1" -ge "1" ] ; then
service squid condrestart >/dev/null 2>&1
fi
%endif
%files
%defattr(-,root,root)
@ -316,8 +371,8 @@ fi
%if 0%{?has_systemd}
%{_unitdir}/%{name}.service
%endif
%attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
%attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
%dir %{squidconfdir}
%config(noreplace) %{squidconfdir}/cachemgr.conf
%config(noreplace) %{squidconfdir}/errorpage.css
@ -333,7 +388,9 @@ fi
%config %{squidconfdir}/%{name}.conf.documented
%config %{_sysconfdir}/pam.d/%{name}
%config %{_sysconfdir}/init.d/%{name}
%config %{_sysconfdir}/permissions.d/%{name}
%config %{_sysconfdir}/permissions.d/%{name}.easy
%config %{_sysconfdir}/permissions.d/%{name}.secure
%config %{_sysconfdir}/permissions.d/%{name}.paranoid
%dir %{_datadir}/%{name}
%{_datadir}/%{name}/errors
%{_datadir}/%{name}/icons
@ -350,8 +407,8 @@ fi
%{_sbindir}/basic_msnt_multi_domain_auth
%{_sbindir}/basic_ncsa_auth
%{_sbindir}/basic_nis_auth
#verify(not mode) %attr(4755,root,shadow) %{_sbindir}/basic_pam_auth
%{_sbindir}/basic_pam_auth
%verify(not user group mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth
#%%{_sbindir}/basic_pam_auth
%{_sbindir}/basic_pop3_auth
%{_sbindir}/basic_radius_auth
%{_sbindir}/basic_sasl_auth
@ -378,7 +435,7 @@ fi
%{_sbindir}/negotiate_wrapper_auth
%{_sbindir}/ntlm_fake_auth
%{_sbindir}/ntlm_smb_lm_auth
%{_sbindir}/pinger
%verify(not user group mode) %attr(4750,root,squid) %{_sbindir}/pinger
%{_sbindir}/rc%{name}
%{_sbindir}/%{name}
%{_sbindir}/ssl_crtd
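Review bot: In `%pre`, `usermod -G winbind %{name}` sets the account's supplementary groups to exactly `winbind`, so when it runs on an existing account it drops squid from any other supplementary group an administrator had added. The `groupmod -A %{name} winbind` line printed just before it (apparently the line being replaced) only added the membership. Where the target's `usermod` supports append mode, I would write `%{_sbindir}/usermod -a -G winbind %{name} 2>/dev/null`. Because stderr is discarded, a failure here is silent, so a one-line comment stating that the step is best-effort would also help.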