diff --git a/RELEASENOTES.html b/RELEASENOTES.html deleted file mode 100644 index 57b9b85..0000000 --- a/RELEASENOTES.html +++ /dev/null @@ -1,594 +0,0 @@ - - - - - Squid 3.4.4 release notes - - -

Squid 3.4.4 release notes

- -

Squid Developers

-
-This document contains the release notes for version 3.4 of Squid. -Squid is a WWW Cache application developed by the National Laboratory -for Applied Network Research and members of the Web Caching community. -
-

-

1. Notice

- - -

-

2. Major new features since Squid-3.3

- - -

-

3. Changes to squid.conf since Squid-3.3

- - -

-

4. Changes to ./configure options since Squid-3.3

- - -

-

5. Regressions since Squid-2.7

- - - -
-

1. Notice

- -

The Squid Team are pleased to announce the release of Squid-3.4.4 for testing.

-

This new release is available for download from -http://www.squid-cache.org/Versions/v3/3.4/ or the -mirrors.

-

While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.

-

We welcome feedback and bug reports. If you find a bug, please see -http://wiki.squid-cache.org/SquidFaq/BugReporting -for how to submit a report with a stack trace.

- -

1.1 Known issues -

- -

Although this release is deemed good enough for use in many setups, please note the existence of -open bugs against Squid-3.4.

- -

1.2 Changes since earlier releases of Squid-3.4 -

- -

The 3.4 change history can be -viewed here.

- - -

2. Major new features since Squid-3.3

- -

Squid 3.4 represents a new feature release above 3.3.

- -

The most important of these new features are: -

-

-

Most user-facing changes are reflected in squid.conf (see below).

- - -

2.1 Helper protocol extensions -

- -

Details at -http://wiki.squid-cache.org/Features/AddonHelpers.

- -

The Squid helper protocol used to communicate with authenticators, -URL-rewriters, Redirectors, and External ACL helpers has been updated -and extended.

- -

BH status code is now accepted from all helpers to report -internal error events separate from ERR rejection code. -Permitting Squid to perform recovery operations specific to -helper failure instead of a blanket client rejection.

- -

Arbitrary key-value pairs can be returned from any helper. -Allowing future helpers to be forward- and backward- compatible -with this and future versions of Squid.

- - -

2.2 SSL Server Certificate Validator -

- -

Details at -http://wiki.squid-cache.org/Features/SslServerCertValidator.

- -

The helper consulted after the internal OpenSSL validation, regardless of the -validation results. The helper will receive:

-

-

-

- -

If the helper decides to honor an OpenSSL error or report another validation -error(s), the helper will return:

-

-

-

- -

The returned information mimics what the internal OpenSSL-based validation code -collects now. Returned errors, if any, are fed to sslproxy_cert_error, -triggering the existing SSL error processing code.

- -

The helper invocation controlled by the sslcrtvalidator_program and -sslcrtvalidator_children configurations options which are similar to the -ssl_crtd related options.

- - -

2.3 Store-ID -

- -

Details at -http://wiki.squid-cache.org/Features/StoreID.

- -

This feature is a redesigned equivalent to the Squid-2.7 feature known as StoreURL-rewrite.

- -

Notice that this is not a direct portage of the Squid-2.7 feature so behaviour -differences do exist. Although the new feature works in similar enough ways that the old -helper scripts used for Squid-2.7 are expected to work in this and later versions of Squid.

- -

Squid traditionally uses the requested URL as an index key ID to locate objects in cache. -It is not the only key possible and the Store-ID feature exposes an API for external -helpers to provide Squid with an alternative key name for any URL.

- -

When any client request is received which requires a cache lookup the URL is passed to -a helper specified with the store_id_program directive to check for an alternative -Store ID. This allows the helper to identify URLs which refer to duplicate resources and -de-duplicate the cache content. store_id_access is provided to allow ACL-based -tuning of which traffic gets sent to the helper and reduce overheads.

- -

One subtle and noteworthy difference between Squid-2 and Squid-3 which is highlighted by -this feature is that refresh_pattern applies its regex argument against the Store -ID key and not the transaction URL. So using the Store-ID feature to alter the value -affects which refresh_pattern directive will be matched.

- -

Store-ID helpers bundled with Squid can be built with the --enable-storeid-rewrite-helpers -option which is added in this version. Currently there is a file helper -provided.

- - -

2.4 TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+ -

- -

Details at -http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf.

- -

The Packet Filter (PF) firewall in OpenBSD 4.4 and later offers traffic interception -using several very simple methods. One of which is the divert-to rule type -which acts as a simple routing diversion instead of performing NAT packet alterations.

- -

The IP Firewall (IPFW) on FreeBSD 9+ contains a port of the Linux Netfilter TPROXY feature.

- -

This version of Squid adds support for these features through the ./configure -options --enable-pf-transparent and --enable-ipfw-transparent when Squid is built on -systems with the required support. No special extras are required to enable -http_port ... tproxy configuration to work.

- -

NOTE: To resolve NAT lookup issues on recent PF firewall versions the code behind -./configure --enable-pf-transparent has been altered and is expected to -break on the version of PF firewall shipped with BSD systems such as NetBSD and FreeBSD -which do not yet support the getsockname() API. -These systems require --with-nat-devpf to enable /dev/pf support when using PF firewall.

- - -

2.5 Transaction Annotations -

- -

Previously the only annotation methods available were ICAP/eCAP HTTP header insertions -or external ACL tag= result code. Each of which had only limited possibilities -for use and little or no correlation.

- -

It is now possible to add annotations to a client transaction from several sources: -

-

- -

Annotations on the transaction can be passed to ICAP services or eCAP modules using the -adaptation_meta directive to send them as headers. -They can also be logged using the %note log format code in custom logs. With -the new helper response syntax changes this means all helper response key=value details -such as URL-rewrite or store-id changes, external ACL tag etc. are now able to be logged.

- -

Annotations which are already assigned to a transaction can be checked using an ACL test -of the new note ACL type. This can match a particular note by name and value, -of for any notes with a given name.

- -

NOTE: not all helper interfaces are yet enabled to convert key=value into annotations -and the external ACL interface does not yet send annotations to the helper.

- - -

2.6 Multicast DNS -

- -

The internal DNS component of Squid now supports multicast DNS (mDNS) resolution in -accordance with RFC 6762.

- -

The dns_multicast_local directive must be set to on to enable this -feature.

- -

The multicast DNS group IP addresses for IPv4 and IPv6 resolving are added to the set -of available DNS resolvers and used automatically for domain names ending in .local -and reverse-DNS lookups before attempting a secondary resolution on the configured -resolvers. Domains without .local are resolved using only the configured resolvers.

- -

Statistics for multicast DNS resolution can be found on the idns cache manager -report.

- -

NOTE that the external DNS helper interface is now deprecated and has been -removed from future Squid versions. Any installations still using it for local hostname -resolution need to upgrade to mDNS resolution with this Squid version.

- - -

3. Changes to squid.conf since Squid-3.3

- -

There have been changes to Squid's configuration file since Squid-3.3.

- -

Squid supports reading configuration option parameters from external -files using the syntax parameters("/path/filename"). For example: -

-    acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
-
-

- -

There have also been changes to individual directives in the config file.

-

This section gives a thorough account of those changes in three categories:

-

-

-

- - -

3.1 New tags -

- -

-

-
configuration_includes_quoted_values
-

Whether Squid supports directive parameters with spaces, quotes, and other -special characters. Surround such parameters with "double quotes" and -also set this directive on/off around the relevant squid.conf line(s) -making use of such quoting.

- -
dns_multicast_local
-

Use multicast DNS for .local domains and reverse-DNS resolution.

- -
note
-

Use ACLs to annotate a transaction with customized annotations -which can be logged in access.log

- -
spoof_client_ip
-

Access control to determine whether to disable the TPROXY spoofing on upstream traffic.

- -
sslcrtvalidator_children
-

Specifies the settings for how many SSL server certificate -validator helpers are run and when they are started.

- -
sslcrtvalidator_program
-

Specifies the location of a SSL server certificate validator helper.

- -
store_id_access
-

Whether the URL for a given request is passed to the Store-ID helper process. -Used to improve StoreID performance by quickly eliminating helper delays using ACL tests.

-

Ported equivalent to storeurl_access from 2.7

- -
store_id_bypass
-

Whether the StoreID helper may be bypassed when overloaded.

- -
store_id_children
-

Controls the number of StoreID helper processes.

-

Options startup=N, idle=N, concurrency=N -

-

- -
store_id_rewrite_program
-

A helper program to provide cache storage internal key ID value for a request.

-

Ported equivalent to storeurl_rewrite_program from 2.7

- -
-

- -

3.2 Changes to existing tags -

- -

-

-
access_log
-

Configuration syntax extended to support name=value options. -New Syntax: access_log module:place [option ...] [acl ...]

-

New option logformat= to specify the logging format name.

-

New option buffer-size= to specify how large the log buffer -for this log is to be when buffered_logs is enabled.

-

New option on-error= to specify what handling is to be done -if the logging module encounters a non-recoverable error writing logs. -With the value die (the default) Squid halts operation. -With the value drop Squid drops log lines and continue running.

- -
acl
-

New test type server_cert_fingerprint to match against -server SSL certificate fingerprint.

-

New test type note to match against transaction annotations -by name and value, or just by name.

-

New test type any-of to match if any one of a set of named ACLs.

-

New test type all-of to match against all of a set of named ACLs.

- -
auth_param
-

New result code BH to signal helper internal errors -available in all authentication schemes.

-

New key message= for error message details in all authentication schemes.

-

New result code OK and key ha1= in Digest authentication.

-

New result codes OK, ERR replace result codes AF, -and NA in NTLM and Negotiate authentication.

-

New key token= for NTLM and Negotiate authentication OK responses.

-

Details at -http://wiki.squid-cache.org/Features/AddonHelpers.

- -
external_acl_type
-

Deprecated protocol=3.0 option. No longer necessary.

-

New result code BH to signal helper internal errors

-

Details at -http://wiki.squid-cache.org/Features/AddonHelpers.

- -
http_port
-

Support IPv6 for intercept mode. Requires ip6tables support on Linux, -PF support on OpenBSD and IPFW support on FreeBSD. Squid will no longer complain -about misconfiguration if IPv6 support is missing, we now rely on the firewall -tools reporting misconfiguration when the NAT rules are created.

-

Support tproxy mode traffic on BSD systems with BINDANY support -(OpenBSD 5+, FreeBSD 9+ so far).

-

Changed build options behind intercept traffic mode handling on BSD. -see --enable-pf-transparent for more details.

- -
logformat
-

New format code %note to log a transaction annotation linked to the -transaction by ICAP, eCAP, a helper, or the note squid.conf directive.

-

New format code %>qos to log client connection TOS/DSCP value set by Squid.

-

New format code %<qos to log server connection TOS/DSCP value set by Squid.

-

New format code %>nfmark to log client connection netfilter mark set by Squid.

-

New format code %<nfmark to log server connection netfilter mark set by Squid.

- -
pipeline_prefetch
-

Updated to take a numeric count of prefetched pipeline requests instead of ON/OFF.

- -
refresh_pattern
-

NOTE: the regular expression pattern operates on the cache Store-ID value. -Which by default is identical to the requested URL, but may differ for some -objects if the Store-ID feature is in use.

- -
unlinkd_program
-

New helper response format utilizing result codes OK and BH, -to signal helper lookup results. Also, key-value response values to return -multiple values to Squid.

-

Details at -http://wiki.squid-cache.org/Features/AddonHelpers.

- -
url_rewrite_program
-

New helper response format utilizing result codes OK, ERR, -and BH to signal helper lookup results. Also, key-value response -values to return multiple values to Squid.

-

Details at -http://wiki.squid-cache.org/Features/AddonHelpers.

- -
-

- -

3.3 Removed tags -

- -

-

-
storeurl_access
-

Replaced by store_id_access.

- -
storeurl_rewrite_children
-

Replaced by store_id_children.

- -
storeurl_rewrite_concurrency
-

Replaced by store_id_children with concurrency=N option.

- -
storeurl_rewrite_program
-

Replaced by store_id_program.

- -
-

- - -

4. Changes to ./configure options since Squid-3.3

- -

There have been some changes to Squid's build configuration since Squid-3.3.

-

This section gives an account of those changes in three categories:

-

-

-

- - -

4.1 New options -

- -

-

-
--enable-storeid-rewrite-helpers
-

New option to control which Store-ID helpers are built. As with other -helper options use --disable-* to prevent any helpers building and -omit to get all helper auto-detected.

-

Currenly only a helper using file for backend is provided.

- -
--disable-arch-native
-

New option to disable use of -march=native compiler flag.

-

The new flag auto-enables CPU-specific optimizations in GCC and is -required by Clang++ v3.2 for correct 64-bit environment detection. -It does not always work well however, so this build option is provided -to remove it when necessary.

- -
--with-nat-devpf
-

New option to alter the behaviour of http_port ... intercept option -in squid.conf.

-

When this option is used Squid performs the /dev/pf lookups required to -support PF rdr-to rules. Otherwise Squid will perform perform the -getsockname() API calls to support PF divert-to rules.

-

NOTE: systems such as NetBSD and FreeBSD which do not yet support -the getsockname() API in recent PF versions require this option.

- -
-

- -

4.2 Changes to existing options -

- -

-

-
--enable-pf-transparent
-

NAT table support updated to use the getsockname() API provided by the -latest PF versions divert-to. This allows http_port -in squid.conf to support both intercept and tproxy traffic -and to silence NAT lookup failure messages on recent BSD.

-

NOTE: systems such as NetBSD and FreeBSD which do not yet support -the getsockname() API in recent PF versions require --with-nat-devpf -to re-enable /dev/pf support when using PF firewall.

- -
--disable-translation
-

Default changed to prevent translating error page templates during build. -Use --enable-translation to explicitly build and install the templates.

-

The latest pre-translated templates can be downloaded from -http://www.squid-cache.org/Versions/langpack/

- -
-

-

4.3 Removed options -

- -

-

-

There are no removed ./configure options in Squid-3.4.

- -
-

- - -

5. Regressions since Squid-2.7

- -

Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.4

- -

If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.

- -

5.1 Missing squid.conf options available in Squid-2.7 -

- -

-

-
broken_vary_encoding
-

Not yet ported from 2.6

- -
cache_dir
-

COSS storage type is lacking stability fixes from 2.6

-

COSS overwrite-percent= option not yet ported from 2.6

-

COSS max-stripe-waste= option not yet ported from 2.6

-

COSS membufs= option not yet ported from 2.6

-

COSS maxfullbufs= option not yet ported from 2.6

- -
cache_peer
-

idle= not yet ported from 2.7

-

monitorinterval= not yet ported from 2.6

-

monitorsize= not yet ported from 2.6

-

monitortimeout= not yet ported from 2.6

-

monitorurl= not yet ported from 2.6

- -
cache_vary
-

Not yet ported from 2.6

- -
collapsed_forwarding
-

Not yet ported from 2.6

- -
error_map
-

Not yet ported from 2.6

- -
external_refresh_check
-

Not yet ported from 2.7

- -
location_rewrite_access
-

Not yet ported from 2.6

- -
location_rewrite_children
-

Not yet ported from 2.6

- -
location_rewrite_concurrency
-

Not yet ported from 2.6

- -
location_rewrite_program
-

Not yet ported from 2.6

- -
refresh_pattern
-

stale-while-revalidate= not yet ported from 2.7

-

ignore-stale-while-revalidate= not yet ported from 2.7

-

negative-ttl= not yet ported from 2.7

- -
refresh_stale_hit
-

Not yet ported from 2.7

- -
update_headers
-

Not yet ported from 2.7

- -
-

- - - diff --git a/rpmlintrc b/rpmlintrc deleted file mode 100644 index 3e9ebd3..0000000 --- a/rpmlintrc +++ /dev/null @@ -1,3 +0,0 @@ -addFilter("macro-in-comment") -addFilter("no-manual-page-for-binary") -addFilter("zero-length") diff --git a/squid-3.4.10.tar.bz2 b/squid-3.4.10.tar.bz2 new file mode 100644 index 0000000..6a1503e --- /dev/null +++ b/squid-3.4.10.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5a971c4f5404113bd0264d13137cd5f326b58ef20c17beae836036668aeabc97 +size 3043193 diff --git a/squid-3.4.10.tar.bz2.asc b/squid-3.4.10.tar.bz2.asc new file mode 100644 index 0000000..2dcf177 --- /dev/null +++ b/squid-3.4.10.tar.bz2.asc @@ -0,0 +1,20 @@ +File: squid-3.4.10.tar.bz2 +Date: Tue Dec 9 17:23:33 UTC 2014 +Size: 3043193 +MD5 : 326283b0c37e7dc9b2f90dc0ecd9a8a4 +SHA1: a04ab50971e1a446fe82514fff830898661c6fad +Key : 0xFF5CF463 + fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463 + keyring = http://www.squid-cache.org/pgp.asc + keyserver = subkeys.pgp.net +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQEcBAABAgAGBQJUhzBbAAoJELJo5wb/XPRjUCIH/3hfJgMi/iKRZpedeFjQhstf +twbTxrtW1x+Er6J3pswPUIbLcYARHhsTpfYHAatleE1Ccl9b16FXSMSXobHpmrab +YR1q/N/W3QwgqH3D2a2m8eUNJTWxTeZ1xYeGzHJK7sgKfaBbt/JlYfs8nh7ekdkV +GjHzHa3IDuq5VX4Pra6riCW9NjAvUo8oaesU3ZRjV9fECbZ2XMqvrxHq7V7bGOgx +sU1gsRjlgsAZeFDiEXz+Dww2RBh46/gUwJZwO/uTYmJjPzr4hFb1PLwEVL4+auv2 +uS8lta6K9ZpIXPXaKj0zntG1Z+5X77SoLoTQMq06PpLlGpDjYMDzcs25mCyU1R0= +=Ooir +-----END PGP SIGNATURE----- diff --git a/squid-3.4.4.tar.bz2 b/squid-3.4.4.tar.bz2 deleted file mode 100644 index 1c3999e..0000000 --- a/squid-3.4.4.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d15e7cc8b1cb25b1b552d938e622819a9cbf5c5bbb517875709a6088bbd3d1e5 -size 2812380 diff --git a/squid-3.4.4.tar.bz2.asc b/squid-3.4.4.tar.bz2.asc deleted file mode 100644 index fbd8fd8..0000000 --- a/squid-3.4.4.tar.bz2.asc +++ /dev/null @@ -1,20 +0,0 @@ -File: squid-3.4.4.tar.bz2 -Date: Sun Mar 9 10:06:07 UTC 2014 -Size: 2812380 -MD5 : f9c7dd495e45042cc162d89cfbb97cc0 -SHA1: 1d5db3970d4a8bd460315d90253c5c20d96abdad -Key : 0xFF5CF463 - fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463 - keyring = http://www.squid-cache.org/pgp.asc - keyserver = subkeys.pgp.net ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQEcBAABAgAGBQJTHD43AAoJELJo5wb/XPRjD/QH/3GMK+VPmnP5QiMgr995Zp+o -ZHfQoVXO679Mq55Yv53ZSCE8xUGtqwaabm/3pP+U1URrs2kTJV+392fN43RmZ7R+ -11zvIXJD3/dGAHAKQlxELMskWNNAdQWCpXGhKaJFU0ghvqlGpq1hLx2M5DqOgJBU -DoFLFUQdKLPU8n1PwnY3SKdT3q3VxpSVbaUx+doQnsNW2Fj2NBj/kb2TQy/1UmyF -FWVpn6Gr3BMCrl4uiw1yiCdHty61Tt6BH6swjA7sQjcenMLWQjNzRzGgM4TfhlvR -czHrrJDbpNZ7Z8NBGvyAYBQmsFRxNm51yIFmpRst+PJBZuNJFW4RB9lek1hWsuk= -=zJQN ------END PGP SIGNATURE----- diff --git a/squid-compiled_without_RPM_OPT_FLAGS.patch b/squid-compiled_without_RPM_OPT_FLAGS.patch index d7c8b08..d020e79 100644 --- a/squid-compiled_without_RPM_OPT_FLAGS.patch +++ b/squid-compiled_without_RPM_OPT_FLAGS.patch @@ -2,7 +2,7 @@ Index: src/Makefile.am =================================================================== --- src/Makefile.am.orig +++ src/Makefile.am -@@ -981,7 +981,7 @@ cache_cf.o: cf_parser.cci +@@ -983,7 +983,7 @@ cache_cf.o: cf_parser.cci # cf_gen builds the configuration files. cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci @@ -15,7 +15,7 @@ Index: src/Makefile.in =================================================================== --- src/Makefile.in.orig +++ src/Makefile.in -@@ -7295,7 +7295,7 @@ cache_cf.o: cf_parser.cci +@@ -7742,7 +7742,7 @@ cache_cf.o: cf_parser.cci # cf_gen builds the configuration files. cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci diff --git a/squid-config.patch b/squid-config.patch index ea08e85..0454fc9 100644 --- a/squid-config.patch +++ b/squid-config.patch @@ -2,7 +2,7 @@ Index: src/cf.data.pre =================================================================== --- src/cf.data.pre.orig +++ src/cf.data.pre -@@ -1350,6 +1350,8 @@ http_access deny manager +@@ -1361,6 +1361,8 @@ http_access deny manager # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet @@ -11,7 +11,7 @@ Index: src/cf.data.pre http_access allow localhost # And finally deny all other access to this proxy -@@ -3361,6 +3363,10 @@ DOC_START +@@ -3414,6 +3416,10 @@ DOC_START Instead, if you want Squid to use the entire disk drive, subtract 20% and use that value. @@ -22,7 +22,7 @@ Index: src/cf.data.pre 'L1' is the number of first-level subdirectories which will be created under the 'Directory'. The default is 16. -@@ -3494,7 +3500,7 @@ DOC_START +@@ -3547,7 +3553,7 @@ DOC_START NOCOMMENT_START # Uncomment and adjust the following to add a disk cache directory. @@ -31,7 +31,7 @@ Index: src/cf.data.pre NOCOMMENT_END DOC_END -@@ -4147,7 +4153,7 @@ DOC_END +@@ -4178,7 +4184,7 @@ DOC_END NAME: logfile_rotate TYPE: int diff --git a/squid-nobuilddates.patch b/squid-nobuilddates.patch index 816e2cb..7ed4f24 100644 --- a/squid-nobuilddates.patch +++ b/squid-nobuilddates.patch @@ -44,14 +44,14 @@ Index: helpers/external_acl/LM_group/ext_lm_group_acl.cc - debug("External ACL win32 group helper build " __DATE__ ", " __TIME__ - " starting up...\n"); + debug("External ACL win32 group helper build starting up...\n"); - if (use_global) + if (use_global) { debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain); - if (use_case_insensitive_compare) + } Index: helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc =================================================================== --- helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc.orig +++ helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc -@@ -272,7 +272,7 @@ main(int argc, char *argv[]) +@@ -274,7 +274,7 @@ main(int argc, char *argv[]) process_options(argc, argv); @@ -64,7 +64,7 @@ Index: helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc =================================================================== --- helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc.orig +++ helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc -@@ -609,7 +609,7 @@ main(int argc, char *argv[]) +@@ -611,7 +611,7 @@ main(int argc, char *argv[]) process_options(argc, argv); diff --git a/squid-rpmlintrc b/squid-rpmlintrc new file mode 100644 index 0000000..1b1ec08 --- /dev/null +++ b/squid-rpmlintrc @@ -0,0 +1,5 @@ +addFilter("no-manual-page-for-binary") +addFilter("zero-length") +addFilter("incorrect-fsf-address") +# Temporary solution untill it is moved into factory +#setBadness('permissions-unauthorized-file', 333) diff --git a/squid.changes b/squid.changes index ee18588..5d99c67 100644 --- a/squid.changes +++ b/squid.changes @@ -1,3 +1,200 @@ +------------------------------------------------------------------- +Fri Jan 9 10:19:10 UTC 2015 - tchvatal@suse.com + +- Cleanup with spec-cleaner +- Version bump to 3.4.10: + * Fix bootstrap.sh dependency on SPONSORS.list + * HTTP/2: Support 421 (Misdirected Request) status code + * Alternate-Protocol is a hop-by-hop header + * Bug #4148: external_acl_type header format does not accept the new libformat syntax + * Bug #4033: Rebuild corrupted ssl_db/size file + * Bug #3902: Docs: external_acl_type cache hash key + * Bug #4145: squid_endian.h compile errors with OpenBSD 5.6 + * Fix segmentation fault in ACLUrlPathStrategy::match +- Remove support for other distros as we build for opensuse anyway + +------------------------------------------------------------------- +Fri Jan 2 16:07:38 UTC 2015 - boris@steki.net + +- remove permissions.easy and permissions.paranoid files from package + as they are not used any more + +------------------------------------------------------------------- +Tue Dec 9 12:42:48 UTC 2014 - boris@steki.net + +- remove setBadness in rpmlintrc as it should be already in Factory + permissions package handled + +------------------------------------------------------------------- +Mon Dec 8 15:28:42 UTC 2014 - meissner@suse.com + +- %verifyscript is its own section, move out of the %postun section + +------------------------------------------------------------------- +Tue Dec 2 10:27:49 UTC 2014 - dimstar@opensuse.org + +- Use URLs to paths that the source validator actually understands + and make this acceptable for Tumbleweed. + +------------------------------------------------------------------- +Thu Nov 27 21:18:35 UTC 2014 - chris@computersalat.de + +- fix for boo#894636 (squid's logrotate snippet runs init script) + * modify squid.logrotate to work on both systemd and SysVinit + +------------------------------------------------------------------- +Thu Nov 27 13:16:58 UTC 2014 - lmuelle@suse.com + +- Changes to 3.4.9 (31 Oct 2014): + + Regression fix: ext_kerberos_ldap_group_acl typo in 3.4.7 update + + Bug 4102: sslbump cert contains only a dot character in key usage extension + + Bug 4093: source-maintenance.sh errors and warnings due to wrong + tools/options + + Bug 4088: memory leak in external_acl_type helper with cache=0 or ttl=0 + + Bug 4024: Bad host/IP ::1 when using IPv4-only environment + + Bug 3803: ident leaks memory on failure + + kerberos_ldap_group/cert_tool: Remove ksh dependency; + obsoletes squid-cert_tool_use_bash_not_ksh.patch + + ... and some automated code style updates + + ... and some documentation updates +- Changes to 3.4.8 (15 Sep 2014): + + Fix off by one in SNMP subsystem + + pinger: Fix various ICMP handling issues; CVE-2014-7141; CVE-2014-7142; + http://www.squid-cache.org/Advisories/SQUID-2014_4.txt; bnc#891268 + obsoletes squid-icmp-DoS.patch + +------------------------------------------------------------------- +Wed Nov 26 21:45:48 UTC 2014 - lmuelle@suse.com + +- Remove dependency on gpg-offline as signature checking is implemented in the + source validator. + +------------------------------------------------------------------- +Wed Sep 24 11:49:04 UTC 2014 - chris@computersalat.de + +- fix spec and changes file + +------------------------------------------------------------------- +Tue Sep 16 09:31:35 UTC 2014 - boris@steki.net + +- update logrotate file + * postrotate now defaults to 'systemd' + +------------------------------------------------------------------- +Tue Sep 16 08:35:11 UTC 2014 - boris@steki.net + +- fix for icmp pinger DOS bnc#891268 + +------------------------------------------------------------------- +Mon Sep 15 11:36:51 UTC 2014 - chris@computersalat.de + +- some spec cleanup +- some systemd/SysVinit fixes +- fix sysconfig file for ! suse_version + +------------------------------------------------------------------- +Thu Sep 11 15:25:01 UTC 2014 - boris@steki.net + +- replaced permissions handling using setuid bit with use of + linux capabilities (on supported systems) +- general cleanup of .spec file and systemd handling + +------------------------------------------------------------------- +Fri Sep 5 15:04:47 UTC 2014 - chris@computersalat.de + +- Changes to 3.4.7 (28 Aug 2014): + * Regression Fix: Kerberos LDAP authorizing groups with principle subdomain + * Bug 4080: worker hangs when client identd is not responding + * Bug 3966: Add KeyEncipherment when ssl-bump substitues RSA for EC + * HTTP/1.1: Ignore Range headers with unidentifiable byte-range values + * SSL-bump: Use v3 for fake certificate if we add _any_ certificate extension + * Enable compile-time override for MAXTCPLISTENPORTS + * ntlm_sspi_auth: Fix various build errors + * negotiate_wrapper: Fix build issues with non-portable vfork() + * negotiate_sspi_auth: Portability fixes for MinGW + * ext_lm_group_acl: Portability fixes for MinGW + * ... and several minor memory leaks +- fix for bnc#894636 + * fix postrotate for systemd +- rebase patches + * squid-cert_tool_use_bash_not_ksh.patch + * squid-compiled_without_RPM_OPT_FLAGS.patch + * squid-nobuilddates.patch + * squid-config.patch + +------------------------------------------------------------------- +Thu Sep 4 16:02:45 UTC 2014 - chris@computersalat.de + +- fix for bnc#894840 + * fix logrotate file (sharedscripts) + +------------------------------------------------------------------- +Sun Aug 31 09:32:01 UTC 2014 - boris@steki.net + +- add --disable-arch-native configure param as vmware does not + emulate all instruction set and squid fails with + "Illegal instruction" more info at + http://wiki.squid-cache.org/KnowledgeBase/IllegalInstructionError + +------------------------------------------------------------------- +Thu Aug 14 16:42:17 CEST 2014 - draht@suse.de + +- squid-cert_tool_use_bash_not_ksh.patch: + /usr/sbin/cert_tool should use bash, not ksh. [bnc#891313] + +------------------------------------------------------------------- +Sun Aug 10 21:16:29 UTC 2014 - chris@computersalat.de + +- Changes to squid-3.4.6 (25 Jun 2014): + * Regression: segmentation fault logging with %tg format specifier + * Bug 4065: round-robin neighbor selection with unequal weights + * Bug 4056: assertion MemPools[type] from netdbExchangeStart() + * Bug 4050: segmentation fault in CommSelectEngine::checkEvents on helper response + * Fix segmentation fault setting up server SSL connnection + * Fix hanging Non-HTTPS connections on SSL-bump enabled port + * Fix Cache Manager actions listed more than once + * ... and many minor memory leaks + * ... and several portability build issues + * ... and some documentation updates +- Changes to squid-3.4.5 (02 May 2014): + * Regression Bug 4051: inverted test on CONNECT payload existence + * Regression Fix: order dependency between cache_dir and maximum_object_size + * Fix logformat %note display + * Resolve 'dying from an unhandled exception: c' + * Copyright: Update CONTRIBUTORS list of copyright holders +- fix deps + * libtool >= 2.4 + * older libtool needs --with-included-ltd + +------------------------------------------------------------------- +Thu Jul 31 14:01:54 UTC 2014 - dimstar@opensuse.org + +- Rename rpmlintrc to %{name}-rpmlintrc. + Follow the packaging guidelines. + +------------------------------------------------------------------- +Thu Apr 24 20:47:05 UTC 2014 - boris@steki.net + +- fix rhel/centos usermod parameter invocation order + +------------------------------------------------------------------- +Wed Apr 9 15:42:06 UTC 2014 - boris@steki.net + +- setuid handling for opensuse using permissions updated + +------------------------------------------------------------------- +Mon Apr 7 12:06:41 UTC 2014 - boris@steki.net + +- enable build for centos/rhel + - add centos/rhel init script + +------------------------------------------------------------------- +Sat Mar 29 16:47:44 UTC 2014 - chris@computersalat.de + +- add 'squid' as default group and added suid bit for /usr/sbin/pinger + # pinger needs 'root' privileges to be able to ping (cache peer) + * attr(4750,root,squid) /usr/sbin/pinger + ------------------------------------------------------------------- Fri Mar 28 18:46:44 UTC 2014 - chris@computersalat.de diff --git a/squid.init b/squid.init deleted file mode 100644 index cb400db..0000000 --- a/squid.init +++ /dev/null @@ -1,201 +0,0 @@ -#!/bin/sh -# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH -# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH -# Copyright (c) 2002 SuSE Linux AG -# -# Author: Frank Bodammer, Peter Poeml, Klaus Singvogel -# -# /etc/init.d/squid -# and its symbolic link -# /(usr/)sbin/rcsquid -# -### BEGIN INIT INFO -# Provides: squid -# Required-Start: $local_fs $remote_fs $network $time -# Should-Start: apache $named winbind -# Required-Stop: $local_fs $remote_fs $network $time -# Should-Stop: apache $named winbind -# Default-Start: 3 5 -# Default-Stop: 0 1 2 6 -# Short-Description: Squid web cache -# Description: Start the Squid web cache, providing -# HTTP, FTP and other proxy services -### END INIT INFO -# -# Note on runlevels: -# 0 - halt/poweroff 6 - reboot -# 1 - single user 2 - multiuser without network exported -# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm) - - -# Check for missing binaries (stale symlinks should not happen) -# Note: Special treatment of stop for LSB conformance -SQUID_BIN=/usr/sbin/squid -test -x $SQUID_BIN || { echo "$SQUID_BIN not installed"; - if [ "$1" = "stop" ]; then exit 0; - else exit 5; fi; } - -# Check for existence of needed config file and read it -SQUID_SYSCONFIG=/etc/sysconfig/squid -test -r $SQUID_SYSCONFIG || { echo "$SQUID_SYSCONFIG not existing"; - if [ "$1" = "stop" ]; then exit 0; - else exit 6; fi; } - -# Read config -. $SQUID_SYSCONFIG - -SQUID_PID=/var/run/squid.pid -SQUID_CONF=/etc/squid/squid.conf -SQUID_S_T=${SQUID_SHUTDOWN_TIMEOUT:="60"} -SQUID_OPTS=${SQUID_START_OPTIONS:="-sY"} -SQUID_ULIMIT=${SQUID_DEFAULT_ULIMT:="4096"} - -# determine which one is the cache_swap directory -SQUID_CACHE_DIR=$(perl -n -e \ - '/^cache_dir\s+\S+\s+(.*)\s+\d+\s+\d+\s+\d+/ && print "$1"' $SQUID_CONF) - -ulimit -n "$SQUID_ULIMIT" - -#IN: $SQUID_CACHE_DIR -setup_squid_cache_dir(){ - for adir in "$1" ; do - if [ ! -d $adir/00 ]; then # create missing cache directories - umask 027 # prevent users reading any cache data - echo -n " ($adir)" - $SQUID_BIN -z -F > /dev/null 2>&1 - fi - if [ ! -d $adir/00 ]; then - echo " - failed while creating cache_dir ! " - rc_failed - rc_status -v - rc_exit - fi - done - sleep 2 -} - -# Shell functions sourced from /etc/rc.status: -# rc_check check and set local and overall rc status -# rc_status check and set local and overall rc status -# rc_status -v be verbose in local rc status and clear it afterwards -# rc_status -v -r ditto and clear both the local and overall rc status -# rc_status -s display "skipped" and exit with status 3 -# rc_status -u display "unused" and exit with status 3 -# rc_failed set local and overall rc status to failed -# rc_failed set local and overall rc status to -# rc_reset clear both the local and overall rc status -# rc_exit exit appropriate to overall rc status -# rc_active checks whether a service is activated by symlinks -. /etc/rc.status - -# Reset status of this service -rc_reset - - -case "$1" in - start) - echo -n "Starting WWW-proxy squid " - if /sbin/checkproc $SQUID_BIN ; then - echo -n "- Warning: squid already running ! " - rc_failed - else - [ -e $SQUID_PID ] && echo -n "- Warning: $SQUID_PID exists ! " - if [ -n "$SQUID_CACHE_DIR" -a -d "$SQUID_CACHE_DIR" ]; then - setup_squid_cache_dir "$SQUID_CACHE_DIR" - fi - fi - startproc -l /var/log/squid/rcsquid.log $SQUID_BIN "$SQUID_OPTS" - - # Remember status and be verbose - rc_status -v - ;; - stop) - echo -n "Shutting down WWW-proxy squid " - if /sbin/checkproc $SQUID_BIN ; then - $SQUID_BIN -k shutdown - sleep 2 - if [ -e $SQUID_PID ] ; then - echo -n "- wait a minute or two... " - i="$SQUID_S_T" - while [ -e $SQUID_PID ] && [ $i -gt 0 ] ; do - sleep 2 - i=$[$i-1] - echo -n "." - [ $i -eq 41 ] && echo - done - fi - if /sbin/checkproc $SQUID_BIN ; then - killproc -TERM $SQUID_BIN - echo -n " Warning: squid killed !" - fi - else - echo -n "- Warning: squid not running ! " - rc_failed 7 - fi - - # Remember status and be verbose - rc_status -v - ;; - try-restart) - $0 status >/dev/null && $0 restart - - # Remember status and be quiet - rc_status - ;; - restart) - $0 stop - $0 start - - # Remember status and be quiet - rc_status - ;; - force-reload) - $0 reload - - # Remember status and be quiet - rc_status - ;; - reload) - echo -n "Reloading WWW-proxy squid " - if /sbin/checkproc $SQUID_BIN ; then - $SQUID_BIN -k rotate - sleep 2 - $SQUID_BIN -k reconfigure - rc_status - else - echo -n "- Warning: squid not running ! " - rc_failed 7 - fi - - # Remember status and be verbose - rc_status -v - ;; - status) - echo -n "Checking for WWW-proxy squid " - ## Check status with checkproc(8), if process is running - ## checkproc will return with exit status 0. - - # Return value is slightly different for the status command: - # 0 - service up and running - # 1 - service dead, but /var/run/ pid file exists - # 2 - service dead, but /var/lock/ lock file exists - # 3 - service not running (unused) - # 4 - service status unknown :-( - # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.) - - # NOTE: checkproc returns LSB compliant status values. - /sbin/checkproc $SQUID_BIN - - # Remember status and be verbose - rc_status -v - ;; - probe) - test $SQUID_CONF -nt $SQUID_PID && echo reload - ;; - *) - echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" - exit 1 - ;; -esac -rc_exit - diff --git a/squid.logrotate b/squid.logrotate index 1c32741..d432dc1 100644 --- a/squid.logrotate +++ b/squid.logrotate @@ -1,19 +1,5 @@ -/var/log/squid/cache.log { - compress - dateext - maxage 365 - rotate 99 - size=+1024k - notifempty - missingok - create 640 squid root - sharedscripts - postrotate - /etc/init.d/squid reload - endscript -} - -/var/log/squid/access.log { +/var/log/squid/access.log /var/log/squid/store.log /var/log/squid/cache.log { + su squid squid compress dateext maxage 365 @@ -24,21 +10,6 @@ create 640 squid root sharedscripts postrotate - /etc/init.d/squid reload - endscript -} - -/var/log/squid/store.log { - compress - dateext - maxage 365 - rotate 99 - size=+4096k - notifempty - missingok - create 640 squid root - sharedscripts - postrotate - /etc/init.d/squid reload + /usr/bin/systemctl -q is-active squid.service && /usr/sbin/squid -k rotate endscript } diff --git a/squid.permissions b/squid.permissions deleted file mode 100644 index 46b9acf..0000000 --- a/squid.permissions +++ /dev/null @@ -1,2 +0,0 @@ -/var/cache/squid/ squid:root 750 -/var/log/squid/ squid:root 750 diff --git a/squid.spec b/squid.spec index 3b5384b..3238f34 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ # # spec file for package squid # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,42 +17,25 @@ %define squidlibdir %{_libdir}/squid -%define squidconfdir /etc/squid -#define snap -20131225-r13064 - +%define squidconfdir %{_sysconfdir}/squid Name: squid -Summary: Squid Version 3.3 WWW Proxy Server +Version: 3.4.10 +Release: 0 +Summary: A fully featured HTTP/1.0 proxy License: GPL-2.0+ Group: Productivity/Networking/Web/Proxy -Version: 3.4.4 -Release: 0 Url: http://www.squid-cache.org/Versions/v3/3.4 -#Source0: http://www.squid-cache.org/Versions/v3/3.3/%{name}-%{version}%{snap}.tar.bz2 Source0: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2 -Source1: %{name}-%{version}.tar.bz2.asc -Source2: RELEASENOTES.html -Source3: squid.init +Source1: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2.asc Source4: squid.sysconfig Source5: pam.squid Source6: unsquid.pl Source7: %{name}.logrotate -Source9: %{name}.permissions Source10: README.kerberos Source11: %{name}.service Source13: %{name}.keyring -# -# the following patches are downloaded directly from the webserver -# don't change the names for easier identification -# -# please read every file if there is interest about what the patch changes -# or just visit: http://www.squid-cache.org/Versions/v3/3.2/changesets/ -# -# -# Upstream patch -# Patch0: - # do not show some rpmlint warnings -Source99: rpmlintrc +Source99: squid-rpmlintrc # some useful defaults for squid Patch100: %{name}-config.patch # make build compare happy - remove build dates @@ -62,79 +45,49 @@ Patch101: %{name}-nobuilddates.patch Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch # patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042) Patch103: squid-brokenad.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-build -PreReq: %fillup_prereq -PreReq: %insserv_prereq -PreReq: /usr/bin/getent -PreReq: permissions -PreReq: pwdutils -BuildRequires: db-devel -# needed by bootstrap.sh BuildRequires: cyrus-sasl-devel +BuildRequires: db-devel BuildRequires: ed BuildRequires: expat BuildRequires: fdupes BuildRequires: gcc-c++ -BuildRequires: gpg-offline BuildRequires: krb5-devel BuildRequires: libcap-devel BuildRequires: libexpat-devel -BuildRequires: libtool +BuildRequires: libtool >= 2.4 BuildRequires: openldap2-devel BuildRequires: opensp-devel BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: pkgconfig BuildRequires: sharutils -%if 0%{?suse_version} < 1220 -BuildRequires: libxml2-devel -%else -BuildRequires: pkgconfig(libxml-2.0) -%endif - -%if 0%{?suse_version} >= 1210 BuildRequires: systemd -%{?systemd_requires} -%define has_systemd 1 -%endif - +BuildRequires: pkgconfig(libxml-2.0) Requires: logrotate Requires: sed -Provides: http_proxy - -# due to package rename -# Wed Aug 15 17:40:30 UTC 2012 +Requires(post): %fillup_prereq +Requires(pre): %insserv_prereq +Requires(pre): %{_bindir}/getent +Requires(pre): permissions +Requires(pre): pwdutils Provides: %{name}3 = %{version} +Provides: http_proxy Obsoletes: %{name}3 < %{version} +BuildRoot: %{_tmppath}/%{name}-%{version}-build +%{?systemd_requires} %description -Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. - -Squid 3.4 represents a new feature release above 3.3. - -The most important of these new features are: - - * Helper protocol extensions - * SSL Server Certificate Validator - * Store-ID - * TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+ - * Transaction Annotations - * Multicast DNS - -Most user-facing changes are reflected in squid.conf (see below). - - First STABLE release Date: 08 Dec 2013 +Squid is a fully-featured HTTP/1.0 proxy which is almost a fully-featured +HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging +environment to develop web proxy and content serving applications. +Squid offers a rich set of traffic optimization options, most of which are +enabled by default for simpler installation and high performance. %prep -#setup -q -n %{name}-%{version}%{snap} -%gpg_verify %{S:1} -%setup -q -n %{name}-%{version} -cp %{S:10} . -# upstream patches after RELEASE -# -##### other patches +%setup -q +cp %{SOURCE10} . %patch100 -perl -p -i -e 's|/usr/local/bin/perl|/usr/bin/perl|' `find -name "*.pl"` +perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"` chmod a-x CREDITS %patch101 %patch102 @@ -147,15 +100,11 @@ export LDFLAGS='-Wl,-z,relro,-z,now -pie' %configure \ --disable-strict-error-checking \ --sysconfdir=%{squidconfdir} \ - --libexecdir=/usr/sbin \ - --datadir=/usr/share/squid \ - --sharedstatedir=/var/squid \ - --with-logdir=/var/log/squid \ -%if 0%{?has_systemd} + --libexecdir=%{_sbindir} \ + --datadir=%{_datadir}/squid \ + --sharedstatedir=%{_localstatedir}/squid \ + --with-logdir=%{_localstatedir}/log/squid \ --with-pidfile=/run/squid.pid \ -%else - --with-pidfile=/var/run/squid.pid \ -%endif --with-dl \ --enable-disk-io \ --enable-storeio \ @@ -186,7 +135,8 @@ export LDFLAGS='-Wl,-z,relro,-z,now -pie' --enable-x-accelerator-vary \ --with-default-user=%{name} \ --disable-ident-lookups \ - --enable-follow-x-forwarded-for + --enable-follow-x-forwarded-for \ + --disable-arch-native # overwrite the number of open filedescriptors of configure to 4096 # to be backward compatible, but numbers above should not be overwritten @@ -199,21 +149,21 @@ fi make SAMBAPREFIX=/usr %{?_smp_mflags} %install -/usr/sbin/useradd -r -o -g nogroup -u 31 -s /bin/false -c "WWW-proxy squid" \ - -d /var/cache/%{name} %{name} 2> /dev/null || : -install -d %{buildroot}%{_localstatedir}/{cache,log}/%{name} -chmod 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name} +%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || : +%{_sbindir}/useradd -c "WWW-proxy squid" -d %{_localstatedir}/cache/%{name} \ + -g %{name} -o -u 31 -r -s /bin/false 2> /dev/null || : + +install -d -m 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name} install -d %{buildroot}%{_prefix}/sbin + +# make_install make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr -mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default -ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible -install -d -m 755 %{buildroot}%{_sysconfdir}/permissions.d -install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name} -install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d -install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} -install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name} -ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rcsquid -install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} + +mv %{buildroot}{%{_sysconfdir}/%{name}/,%{_datadir}/%{name}/}mime.conf.default +ln -s %{_sysconfdir}/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible + +# install logrotate file +install -D -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} install -d -m 755 doc/scripts install scripts/*.pl doc/scripts @@ -235,75 +185,65 @@ for i in errors/*; do install -m 644 $i/* %{buildroot}%{_datadir}/%{name}/$i fi done -ln -sf /usr/share/%{name}/errors/de %{buildroot}%{squidconfdir}/errors +ln -sf %{_datadir}/%{name}/errors/de %{buildroot}%{squidconfdir}/errors + +# systemd service +install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service +ln -sf service %{buildroot}%{_sbindir}/rc%{name} +install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} # fix file duplicates -%if 0%{?suse_version} > 1030 %fdupes -s %{buildroot}%{_prefix} -%endif -%if 0%{?fedora_version} > 8 -fdupes -q -n -r %{buildroot}%{_prefix} -%endif - -%if 0%{?has_systemd} -install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service -%endif %pre +# we need this group for /usr/sbin/pinger +if [ -z "`%{_bindir}/getent group %{name} 2>/dev/null`" ]; then + %{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null +fi # we need this group for squid (ntlmauth) # read access to /var/lib/samba/winbindd_privileged if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then %{_sbindir}/groupadd -r winbind 2>/dev/null fi if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then - %{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \ - -G winbind -g nogroup -o -u 31 -r -s /bin/false \ + %{_sbindir}/useradd -c "WWW-proxy squid" -d %{_localstatedir}/cache/%{name} \ + -G winbind -g %{name} -o -u 31 -r -s /bin/false \ %{name} 2>/dev/null fi # if squid is not member of winbind, add him if [ `%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?` -ne 0 ]; then - %{_sbindir}/groupmod -A %{name} winbind 2>/dev/null + %{_sbindir}/usermod -G winbind %{name} 2>/dev/null fi - -%if 0%{?has_systemd} %service_add_pre %{name}.service -%endif %post -%if 0%{?suse_version} >= 1140 -%set_permissions %{_localstatedir}/cache/%{name} -%set_permissions %{_localstatedir}/log/%{name} -%endif +%set_permissions %{_sbindir}/pinger +%set_permissions %{_sbindir}/basic_pam_auth +%set_permissions %{_localstatedir}/cache/squid/ +%set_permissions %{_localstatedir}/log/squid/ # update mode? if [ "$1" -gt "1" ]; then if [ -e etc/%{name}.conf -a ! -L etc/%{name}.conf -a ! -e etc/%{name}/%{name}.conf ]; then - echo "moving /etc/%{name}.conf to /etc/%{name}/%{name}.conf" + echo "moving %{_sysconfdir}/%{name}.conf to %{_sysconfdir}/%{name}/%{name}.conf" mv etc/%{name}.conf etc/%{name}/%{name}.conf fi + # default group changed from nogroup to squid + %{_sbindir}/usermod -g %{name} %{name} fi -%{fillup_and_insserv -n "squid"} - -%if 0%{?has_systemd} +%fillup_only %service_add_post squid.service -%endif %preun -%stop_on_removal squid - -%if 0%{?has_systemd} %service_del_preun squid.service -%endif + +%verifyscript +%verify_permissions -e %{_sbindir}/basic_pam_auth +%verify_permissions -e %{_sbindir}/pinger +%verify_permissions -e %{_localstatedir}/cache/squid/ +%verify_permissions -e %{_localstatedir}/log/squid/ %postun - -%if 0%{?has_systemd} %service_del_postun squid.service -%endif - -%restart_on_update squid -%insserv_cleanup -%verifyscript -%verify_permissions -e /usr/sbin/pam_auth %files %defattr(-,root,root) @@ -313,11 +253,9 @@ fi %doc doc/contrib doc/scripts %doc doc/debug-sections.txt src/%{name}.conf.default %doc %{_mandir}/man?/* -%if 0%{?has_systemd} %{_unitdir}/%{name}.service -%endif -%attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/ -%attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/ +%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/ +%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/ %dir %{squidconfdir} %config(noreplace) %{squidconfdir}/cachemgr.conf %config(noreplace) %{squidconfdir}/errorpage.css @@ -332,8 +270,6 @@ fi %config %{squidconfdir}/%{name}.conf.default %config %{squidconfdir}/%{name}.conf.documented %config %{_sysconfdir}/pam.d/%{name} -%config %{_sysconfdir}/init.d/%{name} -%config %{_sysconfdir}/permissions.d/%{name} %dir %{_datadir}/%{name} %{_datadir}/%{name}/errors %{_datadir}/%{name}/icons @@ -350,8 +286,7 @@ fi %{_sbindir}/basic_msnt_multi_domain_auth %{_sbindir}/basic_ncsa_auth %{_sbindir}/basic_nis_auth -#verify(not mode) %attr(4755,root,shadow) %{_sbindir}/basic_pam_auth -%{_sbindir}/basic_pam_auth +%verify(not mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth %{_sbindir}/basic_pop3_auth %{_sbindir}/basic_radius_auth %{_sbindir}/basic_sasl_auth @@ -359,7 +294,6 @@ fi %{_sbindir}/basic_smb_auth.sh %{_sbindir}/cert_tool %{_sbindir}/cert_valid.pl -#{_sbindir}/digest_edirectory_auth %{_sbindir}/digest_file_auth %{_sbindir}/digest_ldap_auth %{_sbindir}/diskd @@ -378,14 +312,14 @@ fi %{_sbindir}/negotiate_wrapper_auth %{_sbindir}/ntlm_fake_auth %{_sbindir}/ntlm_smb_lm_auth -%{_sbindir}/pinger -%{_sbindir}/rc%{name} +%verify(not user group mode caps) %attr(750,root,squid) %{_sbindir}/pinger %{_sbindir}/%{name} %{_sbindir}/ssl_crtd %{_sbindir}/storeid_file_rewrite %{_sbindir}/unlinkd %{_sbindir}/url_fake_rewrite %{_sbindir}/url_fake_rewrite.sh +%{_sbindir}/rc%{name} %{_localstatedir}/adm/fillup-templates/sysconfig.%{name} %dir %{_libdir}/%{name} %{_libdir}/%{name}/cachemgr.cgi