diff --git a/RELEASENOTES.html b/RELEASENOTES.html index d9b3926..a751215 100644 --- a/RELEASENOTES.html +++ b/RELEASENOTES.html @@ -2,10 +2,10 @@ - Squid 3.4.5 release notes + Squid 3.4.7 release notes -

Squid 3.4.5 release notes

+

Squid 3.4.7 release notes

Squid Developers


@@ -57,7 +57,7 @@ for Applied Network Research and members of the Web Caching community.

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.4.5 for testing.

+

The Squid Team are pleased to announce the release of Squid-3.4.7 for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.4/ or the mirrors.

diff --git a/squid-3.4.6.tar.bz2 b/squid-3.4.6.tar.bz2
deleted file mode 100644
index f021a92..0000000
--- a/squid-3.4.6.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:37338218562a2c85e855b4fa472848ca8f8a0408f3e04d15636acdaace3811ca
-size 3057715
diff --git a/squid-3.4.6.tar.bz2.asc b/squid-3.4.6.tar.bz2.asc
deleted file mode 100644
index f224eff..0000000
--- a/squid-3.4.6.tar.bz2.asc
+++ /dev/null
@@ -1,20 +0,0 @@
-File: squid-3.4.6.tar.bz2
-Date: Wed Jun 25 15:31:30 UTC 2014
-Size: 3057715
-MD5 : d3ca4ce0a039bbba8258d6b67d6afaa1
-SHA1: 0b8850a0bf73d85797e441e589324da8309cd738
-Key : 0xFF5CF463
- fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
- keyring = http://www.squid-cache.org/pgp.asc
- keyserver = subkeys.pgp.net
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQEcBAABAgAGBQJTqx1kAAoJELJo5wb/XPRjsjEIAOCdBy3rvR5fK5JluK2uUjkf
-+EQbglgl10SoMMxS63mswFI5ZlpyHffPhpuL9RGOSeRxjUV7S9a8I9WuG+1ox6Of
-P6VXZxnUpZNwSWht7MJL8gIUs8oafYsPPlwP9r67VxQeP8Nz42HwsYOaWhNVi72w
-TU2axLEnIg89qg9heG7jN1gFBYOSTW4arW3+1Rzefo5sNvLXjbtE1i6woLYp+9E1
-v/ZXPo/LIW7WoV8/n/kr43PMGExPg40YZXVybdKBtHjybpLzxJSPv61cKqMtzN9C
-b6RRjLNM8BuVGdi8wdEDJuwCcnIbT8Bsqi6SPYDDfkNRhh+CBp8/mA9Rdgg+QVE=
-=OMF0
------END PGP SIGNATURE-----
diff --git a/squid-3.4.9.tar.bz2 b/squid-3.4.9.tar.bz2
new file mode 100644
index 0000000..8d8525b
--- /dev/null
+++ b/squid-3.4.9.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42f2ffbfed6679e1e4ba9a29088495c088ff76cc2517d22d5fb792e2b802ce66
+size 3043750
diff --git a/squid-3.4.9.tar.bz2.asc b/squid-3.4.9.tar.bz2.asc
new file mode 100644
index 0000000..b65df61
--- /dev/null
+++ b/squid-3.4.9.tar.bz2.asc
@@ -0,0 +1,20 @@
+File: squid-3.4.9.tar.bz2
+Date: Fri Oct 31 10:20:30 UTC 2014
+Size: 3043750
+MD5 : bb8ecbee8fa9fa8659b4349a78696fe7
+SHA1: a356cadc324d91c41119f96a7d1a20330866c1ac
+Key : 0xFF5CF463
+ fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
+ keyring = http://www.squid-cache.org/pgp.asc
+ keyserver = subkeys.pgp.net
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAABAgAGBQJUU3UxAAoJELJo5wb/XPRjhKUH/0flnkcc6gTQzh7Vh/kusCFk
+pC/sfpt0mrZeZZQxAYS/wJFIym5jo8PkiKrvC2ZgOHchpVlGC3hLn2ENqbzR6VEv
+L5V7M1XGJdgC1ynjj+H9ML4PBmV1E/XfakkOgnhY+3of32DrmuCN8CFuB5iGNcdH
+xHwzXGSeyJkDUjZObourtT2h64Rc12cARz/yXgsq2YKAhf0EM8+rld5Xm40kOWsX
+Vci/kvw3RkXuhMMwrL9jzxv8z5/nrsDHbHmwXy3mw2k0G9AmzbKx8ykdoABG/MH5
+awuHT1MNFQp5IBr6LisM++2BILjb3UNiyp3lhDtXCHbTo6RCik7jUvEih57koqI=
+=BI4b
+-----END PGP SIGNATURE-----
diff --git a/squid-cert_tool_use_bash_not_ksh.patch b/squid-cert_tool_use_bash_not_ksh.patch
deleted file mode 100644
index dd8d74e..0000000
--- a/squid-cert_tool_use_bash_not_ksh.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -diff -rNU 60 ../squid-3.4.6-o/helpers/external_acl/kerberos_ldap_group/cert_tool ./helpers/external_acl/kerberos_ldap_group/cert_tool ---- ../squid-3.4.6-o/helpers/external_acl/kerberos_ldap_group/cert_tool 2014-06-25 16:41:39.000000000 +0200 -+++ ./helpers/external_acl/kerberos_ldap_group/cert_tool 2014-08-14 16:40:59.000000000 +0200 -@@ -1,61 +1,61 @@ --#!/bin/ksh -+#!/bin/bash - # - # ----------------------------------------------------------------------------- - # - # Author: Markus Moeller (markus_moeller at compuserve.com) - # - # Copyright (C) 2007 Markus Moeller. All rights reserved. - # - # This program is free software; you can redistribute it and/or modify - # it under the terms of the GNU General Public License as published by - # the Free Software Foundation; either version 2 of the License, or - # (at your option) any later version. - # - # This program is distributed in the hope that it will be useful, - # but WITHOUT ANY WARRANTY; without even the implied warranty of - # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - # GNU General Public License for more details. - # - # You should have received a copy of the GNU General Public License - # along with this program; if not, write to the Free Software - # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. 
- # - # ----------------------------------------------------------------------------- - # - # - # creates the following files: - # .cert - # secmod.db - # key3.db - # cert8.db - # - # - if [ -z "$1" ]; then - echo "Usage: `basename $0` ldap-server port" - exit 0 - fi - if [ -z "$2" ]; then - port=636 - else - port=$2 - fi - - server=$1 - - # - # Remove old files - # - rm ${server}_[0-9]*.cert 2>/dev/null - # - # Get certs and store in .cert file - # - ( openssl s_client -showcerts -connect $server:$port 2>/dev/null < ostart ) {print $0 >>"'$server'_"start".cert"}; - if ( $0 ~ /END CERTIFICATE/) { ostart=start } }' - - # - # from mozilla-nss-tools - # /usr/sfw/bin on Solaris diff --git a/squid-compiled_without_RPM_OPT_FLAGS.patch b/squid-compiled_without_RPM_OPT_FLAGS.patch index d7c8b08..d020e79 100644 --- a/squid-compiled_without_RPM_OPT_FLAGS.patch +++ b/squid-compiled_without_RPM_OPT_FLAGS.patch @@ -2,7 +2,7 @@ Index: src/Makefile.am =================================================================== --- src/Makefile.am.orig +++ src/Makefile.am -@@ -981,7 +981,7 @@ cache_cf.o: cf_parser.cci +@@ -983,7 +983,7 @@ cache_cf.o: cf_parser.cci # cf_gen builds the configuration files. cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci @@ -15,7 +15,7 @@ Index: src/Makefile.in =================================================================== --- src/Makefile.in.orig +++ src/Makefile.in -@@ -7295,7 +7295,7 @@ cache_cf.o: cf_parser.cci +@@ -7742,7 +7742,7 @@ cache_cf.o: cf_parser.cci # cf_gen builds the configuration files. cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci diff --git a/squid-config.patch b/squid-config.patch index ea08e85..0454fc9 100644 --- a/squid-config.patch +++ b/squid-config.patch 
@@ -2,7 +2,7 @@ Index: src/cf.data.pre =================================================================== --- src/cf.data.pre.orig +++ src/cf.data.pre -@@ -1350,6 +1350,8 @@ http_access deny manager +@@ -1361,6 +1361,8 @@ http_access deny manager # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet @@ -11,7 +11,7 @@ Index: src/cf.data.pre http_access allow localhost # And finally deny all other access to this proxy -@@ -3361,6 +3363,10 @@ DOC_START +@@ -3414,6 +3416,10 @@ DOC_START Instead, if you want Squid to use the entire disk drive, subtract 20% and use that value. @@ -22,7 +22,7 @@ Index: src/cf.data.pre 'L1' is the number of first-level subdirectories which will be created under the 'Directory'. The default is 16. -@@ -3494,7 +3500,7 @@ DOC_START +@@ -3547,7 +3553,7 @@ DOC_START NOCOMMENT_START # Uncomment and adjust the following to add a disk cache directory. @@ -31,7 +31,7 @@ Index: src/cf.data.pre NOCOMMENT_END DOC_END -@@ -4147,7 +4153,7 @@ DOC_END +@@ -4178,7 +4184,7 @@ DOC_END NAME: logfile_rotate TYPE: int diff --git a/squid-nobuilddates.patch b/squid-nobuilddates.patch index 816e2cb..7ed4f24 100644 --- a/squid-nobuilddates.patch +++ b/squid-nobuilddates.patch 
@@ -44,14 +44,14 @@ Index: helpers/external_acl/LM_group/ext_lm_group_acl.cc - debug("External ACL win32 group helper build " __DATE__ ", " __TIME__ - " starting up...\n"); + debug("External ACL win32 group helper build starting up...\n"); - if (use_global) + if (use_global) { debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain); - if (use_case_insensitive_compare) + } Index: helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc =================================================================== --- helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc.orig +++ helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc -@@ -272,7 +272,7 @@ main(int argc, char *argv[]) +@@ -274,7 +274,7 @@ main(int argc, char *argv[]) process_options(argc, argv); @@ -64,7 +64,7 @@ Index: helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc =================================================================== --- helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc.orig +++ helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc -@@ -609,7 +609,7 @@ main(int argc, char *argv[]) +@@ -611,7 +611,7 @@ main(int argc, char *argv[]) process_options(argc, argv); diff --git a/squid-rpmlintrc b/squid-rpmlintrc index 30ffcdb..bdf14cb 100644 --- a/squid-rpmlintrc +++ b/squid-rpmlintrc @@ -1,5 +1,5 @@ -addFilter("macro-in-comment") addFilter("no-manual-page-for-binary") addFilter("zero-length") +addFilter("incorrect-fsf-address") # Temporary solution untill it is moved into factory setBadness('permissions-unauthorized-file', 333) diff --git a/squid.changes b/squid.changes index 0d9f3f7..e6fd0d4 100644 --- a/squid.changes +++ b/squid.changes 
@@ -1,3 +1,83 @@ +------------------------------------------------------------------- +Thu Nov 27 13:16:58 UTC 2014 - lmuelle@suse.com + +- Changes to 3.4.9 (31 Oct 2014): + + Regression fix: ext_kerberos_ldap_group_acl typo in 3.4.7 update + + Bug 4102: sslbump cert contains only a dot character in key usage extension + + Bug 4093: source-maintenance.sh errors and warnings due to wrong + tools/options + + Bug 4088: memory leak in external_acl_type helper with cache=0 or ttl=0 + + Bug 4024: Bad host/IP ::1 when using IPv4-only environment + + Bug 3803: ident leaks memory on failure + + kerberos_ldap_group/cert_tool: Remove ksh dependency; + obsoletes squid-cert_tool_use_bash_not_ksh.patch + + ... and some automated code style updates + + ... and some documentation updates +- Changes to 3.4.8 (15 Sep 2014): + + Fix off by one in SNMP subsystem + + pinger: Fix various ICMP handling issues; CVE-2014-7141; CVE-2014-7142; + http://www.squid-cache.org/Advisories/SQUID-2014_4.txt; bnc#891268 + obsoletes squid-icmp-DoS.patch + +------------------------------------------------------------------- +Wed Nov 26 21:45:48 UTC 2014 - lmuelle@suse.com + +- Remove dependency on gpg-offline as signature checking is implemented in the + source validator. + +------------------------------------------------------------------- +Wed Sep 24 11:49:04 UTC 2014 - chris@computersalat.de + +- fix spec and changes file + +------------------------------------------------------------------- +Tue Sep 16 09:31:35 UTC 2014 - boris@steki.net + +- update logrotate file + * postrotate now defaults to 'systemd' + +------------------------------------------------------------------- +Tue Sep 16 08:35:11 UTC 2014 - boris@steki.net + +- fix for icmp pinger DOS bnc#891268 + +------------------------------------------------------------------- +Mon Sep 15 11:36:51 UTC 2014 - chris@computersalat.de + +- some spec cleanup +- some systemd/SysVinit fixes +- fix sysconfig file for ! 
suse_version + +------------------------------------------------------------------- +Thu Sep 11 15:25:01 UTC 2014 - boris@steki.net + +- replaced permissions handling using setuid bit with use of + linux capabilities (on supported systems) +- general cleanup of .spec file and systemd handling + +------------------------------------------------------------------- +Fri Sep 5 15:04:47 UTC 2014 - chris@computersalat.de + +- Changes to 3.4.7 (28 Aug 2014): + * Regression Fix: Kerberos LDAP authorizing groups with principle subdomain + * Bug 4080: worker hangs when client identd is not responding + * Bug 3966: Add KeyEncipherment when ssl-bump substitues RSA for EC + * HTTP/1.1: Ignore Range headers with unidentifiable byte-range values + * SSL-bump: Use v3 for fake certificate if we add _any_ certificate extension + * Enable compile-time override for MAXTCPLISTENPORTS + * ntlm_sspi_auth: Fix various build errors + * negotiate_wrapper: Fix build issues with non-portable vfork() + * negotiate_sspi_auth: Portability fixes for MinGW + * ext_lm_group_acl: Portability fixes for MinGW + * ... and several minor memory leaks +- fix for bnc#894636 + * fix postrotate for systemd +- rebase patches + * squid-cert_tool_use_bash_not_ksh.patch + * squid-compiled_without_RPM_OPT_FLAGS.patch + * squid-nobuilddates.patch + * squid-config.patch + ------------------------------------------------------------------- Thu Sep 4 16:02:45 UTC 2014 - chris@computersalat.de diff --git a/squid.logrotate b/squid.logrotate index 657182d..04ea655 100644 --- a/squid.logrotate +++ b/squid.logrotate @@ -9,7 +9,7 @@ create 640 squid root sharedscripts postrotate - /etc/init.d/squid reload + /usr/bin/systemctl reload squid.service endscript } @@ -23,6 +23,6 @@ missingok create 640 squid root postrotate - /etc/init.d/squid reload + /usr/bin/systemctl reload squid.service endscript } diff --git a/squid.permissions.easy b/squid.permissions.easy index c059e6c..275897d 100644 --- a/squid.permissions.easy 
+++ b/squid.permissions.easy @@ -1,4 +1,5 @@ /var/cache/squid/ squid:root 750 /var/log/squid/ squid:root 750 -/usr/sbin/pinger root:squid 4750 +/usr/sbin/pinger root:squid 750 + +capabilities cap_net_raw=ep /usr/sbin/basic_pam_auth root:shadow 2750 diff --git a/squid.permissions.paranoid b/squid.permissions.paranoid index 15c7a04..bf26c3c 100644 --- a/squid.permissions.paranoid +++ b/squid.permissions.paranoid @@ -1,4 +1,5 @@ /var/cache/squid/ squid:root 750 /var/log/squid/ squid:root 750 -/usr/sbin/pinger root:root 755 +/usr/sbin/pinger root:squid 750 + +capabilities cap_net_raw=ep /usr/sbin/basic_pam_auth root:root 755 diff --git a/squid.spec b/squid.spec index c20ef4a..96f9986 100644 --- a/squid.spec +++ b/squid.spec @@ -24,12 +24,13 @@ Name: squid Summary: A fully featured HTTP/1.0 proxy License: GPL-2.0+ Group: Productivity/Networking/Web/Proxy -Version: 3.4.6 +Version: 3.4.9 Release: 0 +%define majorver %(echo %version|sed -re 's/^([0-9]).*/\1/g') +%define majminver %(echo %version|sed -re 's/^([0-9]\.[0-9]).*/\1/g') Url: http://www.squid-cache.org/Versions/v3/3.4 -#Source0: http://www.squid-cache.org/Versions/v3/3.3/%{name}-%{version}%{snap}.tar.bz2 -Source0: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2 -Source1: %{name}-%{version}.tar.bz2.asc +Source0: http://www.squid-cache.org/Versions/%{majorver}/%{majminver}/%{name}-%{version}.tar.bz2 +Source1: http://www.squid-cache.org/Versions/%{majorver}/%{majminver}/%{name}-%{version}.tar.bz2.asc Source2: RELEASENOTES.html Source3: squid.init Source4: squid.sysconfig @@ -65,7 +66,7 @@ Patch101: %{name}-nobuilddates.patch Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch # patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042) Patch103: squid-brokenad.patch -Patch104: %{name}-cert_tool_use_bash_not_ksh.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?suse_version} PreReq: %fillup_prereq 
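Review bot: The paranoid profile in `squid.permissions.paranoid` now grants pinger the same `cap_net_raw=ep` file capability as the easy profile, where the removed line gave it no privilege at all (`root:root 755`). That leaves the strictest permissions level no tighter than the default one for this binary, and it disagrees with the spec comment kept in this commit that says paranoid "will strip everything". I would keep only `/usr/sbin/pinger root:squid 750` in the paranoid file, without the `+capabilities` line, and add a comment such as `# paranoid: pinger gets no raw-socket privilege, ICMP probing is unavailable` if the format accepts comment lines.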
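Review bot: The new `Source0` and `Source1` URLs in the first squid.spec hunk expand to `.../Versions/3/3.4/...`, because `%{majorver}` is the bare digit, while the unchanged `Url:` line and the removed `Source0` both use `.../Versions/v3/3.4/`. If upstream needs the `v` prefix, neither the tarball nor its `.asc` can be fetched from the recorded location, which matters now that the changelog hands signature checking to the source validator. Suggested: `Source0: http://www.squid-cache.org/Versions/v%{majorver}/%{majminver}/%{name}-%{version}.tar.bz2`, with the same prefix on `Source1`. The two `%define` lines run `sed` at parse time and would read better with a comment like `# majorver/majminver: upstream download directory derived from Version`.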
@@ -88,9 +89,6 @@ BuildRequires: expat BuildRequires: fdupes %endif BuildRequires: gcc-c++ -%if 0%{?suse_version} -BuildRequires: gpg-offline -%endif BuildRequires: krb5-devel BuildRequires: libcap-devel BuildRequires: libexpat-devel @@ -127,7 +125,7 @@ Provides: %{name}3 = %{version} Obsoletes: %{name}3 < %{version} %description -Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. +Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting there!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. Squid offers a rich set of traffic optimization options, most of which are enabled by default for simpler installation and high performance. Squid 3.4 represents a new feature release above 3.3. @@ -140,15 +138,8 @@ The most important of these new features are: * Transaction Annotations * Multicast DNS -Most user-facing changes are reflected in squid.conf (see below). - - First STABLE release Date: 08 Dec 2013 - %prep #setup -q -n %{name}-%{version}%{snap} -%if 0%{?suse_version} -%gpg_verify %{S:1} -%endif %setup -q -n %{name}-%{version} cp %{S:10} . # upstream patches after RELEASE @@ -160,16 +151,10 @@ chmod a-x CREDITS %patch101 %patch102 %patch103 -%patch104 %build -#if 0%{?sles_version} == 1100 -#export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF" -#export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF" -#else export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF" export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF" -#endif export LDFLAGS='-Wl,-z,relro,-z,now -pie' %configure \ --disable-strict-error-checking \ 
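Review bot: With `%gpg_verify %{S:1}` removed from `%prep` in the `@@ -140,15 +138,8 @@` hunk, and `gpg-offline` dropped from BuildRequires in the `@@ -88,9 +89,6 @@` hunk, the build itself no longer fails when the tarball signature does not check out. The changelog says the source validator takes over, but as far as I know that service only verifies a signature when a keyring file is shipped among the package sources, and no keyring is added in the part of this commit visible here. Please confirm that one is present and listed in the spec, and leave a comment in `%prep` such as `# Source0 signature is checked by the source validator against the packaged keyring`.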
@@ -233,26 +218,33 @@ make SAMBAPREFIX=/usr %{?_smp_mflags} %{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || : %{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \ -g %{name} -o -u 31 -r -s /bin/false 2> /dev/null || : -install -d %{buildroot}%{_localstatedir}/{cache,log}/%{name} -chmod 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name} + +install -d -m 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name} install -d %{buildroot}%{_prefix}/sbin + +# make_install make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr + mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible -install -d -m 755 %{buildroot}%{_sysconfdir}/permissions.d -install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy -# pinger should be secure "enough" anyway paranoid will strip everything :) -install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure -install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid -install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d -install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} -%if 0%{?suse_version} -install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name} -%else # lets just assume other are rh based ones... 
-install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name} + +# install permissions files +cp -a %{SOURCE9} %{name}.easy +cp -a %{SOURCE9} %{name}.secure +cp -a %{SOURCE15} %{name}.paranoid +%if !0%{?has_systemd} +sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %{name}.easy +sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %{name}.secure +sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\1750@g' %{name}.paranoid %endif -ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rcsquid -install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} + +install -D -m 644 %{name}.easy %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy +# pinger should be secure "enough" anyway paranoid will strip everything :) +install -m 644 %{name}.secure %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure +install -m 644 %{name}.paranoid %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid + +# install logrotate file +install -D -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} install -d -m 755 doc/scripts install scripts/*.pl doc/scripts 
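Review bot: The non-systemd fallback rewrites the pinger entry to mode `2750` (the `\12750` replacement in the two `sed` lines for `.easy` and `.secure`), which is setgid squid, whereas the mode this commit removes was `4750`, setuid root. A setgid-squid bit grants no raw-socket privilege, so on those builds pinger presumably cannot open its ICMP socket while still carrying a special bit that serves no purpose; the same `2750` appears in the `%attr(2750,root,squid)` line of the `%files` hunk at the end of the commit. The choice should be explicit: either plain `750` with a comment that ICMP probing is off when file capabilities are not applied, or the previous mode with a comment explaining why. Note also that the `.paranoid` `sed` replaces `750` with `750`, so only its `/capabilities/d` part has an effect, and that `has_systemd` is used here as a stand-in for file-capability support, which is a separate property of the target system.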
@@ -285,7 +277,22 @@ fdupes -q -n -r %{buildroot}%{_prefix} %endif %if 0%{?has_systemd} -install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service + install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service + ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} +%else # SysVinit + # fix postrotate script for SysVinit + sed -i -re 's@/usr/bin/systemctl.*@/etc/init.d/squid reload@g' %{buildroot}%{_sysconfdir}/logrotate.d/%{name} + %if 0%{?suse_version} + install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name} + ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name} + %else # lets just assume other are rh based ones... + install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name} + %endif +%endif +%if 0%{?suse_version} + install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} +%else + install -D -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name} %endif %pre @@ -314,11 +321,14 @@ fi %post %if 0%{?suse_version} >= 1140 -%if 0%{?set_permissions:1} - %set_permissions %name -%else - %run_permissions -%endif + %if 0%{?set_permissions:1} +%set_permissions %{_sbindir}/pinger +%set_permissions %{_sbindir}/basic_pam_auth +%set_permissions %{_localstatedir}/cache/squid/ +%set_permissions %{_localstatedir}/log/squid/ + %else +%run_permissions + %endif %endif # update mode? if [ "$1" -gt "1" ]; then 
@@ -329,50 +339,52 @@ if [ "$1" -gt "1" ]; then # default group changed from nogroup to squid %{_sbindir}/usermod -g %{name} %{name} fi -%if 0%{?suse_version} -%{fillup_and_insserv -n "squid"} -%else -/sbin/chkconfig --add squid -%endif %if 0%{?has_systemd} %service_add_post squid.service +%else + %if 0%{?suse_version} +%{fillup_and_insserv -n "squid"} + %else + /sbin/chkconfig --add squid + %endif %endif %preun -%if 0%{?suse_version} -%stop_on_removal squid -%else -if [ $1 = 0 ] ; then - service squid stop >/dev/null 2>&1 - rm -f /var/log/squid/* - /sbin/chkconfig --del squid -fi -%endif - %if 0%{?has_systemd} %service_del_preun squid.service +%else + %if 0%{?suse_version} +%stop_on_removal squid + %else + if [ $1 = 0 ] ; then + service squid stop >/dev/null 2>&1 + rm -f /var/log/squid/* + /sbin/chkconfig --del squid + fi + %endif %endif %postun - -%if 0%{?has_systemd} -%service_del_postun squid.service -%endif - %if 0%{?suse_version} -%restart_on_update squid -%insserv_cleanup %verifyscript %verify_permissions -e /usr/sbin/basic_pam_auth %verify_permissions -e /usr/sbin/pinger %verify_permissions -e /var/cache/squid/ %verify_permissions -e /var/log/squid/ +%endif +%if 0%{?has_systemd} +%service_del_postun squid.service %else -if [ "$1" -ge "1" ] ; then - service squid condrestart >/dev/null 2>&1 -fi + %if 0%{?suse_version} +%restart_on_update squid +%insserv_cleanup + %else + if [ "$1" -ge "1" ] ; then + service squid condrestart >/dev/null 2>&1 + fi + %endif %endif %files @@ -385,6 +397,8 @@ fi %doc %{_mandir}/man?/* %if 0%{?has_systemd} %{_unitdir}/%{name}.service +%else +%{_sysconfdir}/init.d/%{name} %endif %verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/ %verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/ 
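Review bot: In the rewritten `%postun` of the `@@ -329,50 +339,52 @@` hunk, the `%if 0%{?suse_version}` block that opens `%verifyscript` now comes first, so on SUSE builds `%postun` is left empty and the `%service_del_postun squid.service`, `%restart_on_update squid` and `%insserv_cleanup` lines that follow its `%endif` become part of `%verifyscript`. As the hunk reads, service cleanup and restart-on-update would then run during package verification instead of on upgrade or removal. Placing the `%if 0%{?has_systemd}` … `%endif` block directly under `%postun` and the `%verifyscript` block after it restores the old section order. The non-SUSE `%preun` branch also keeps `rm -f /var/log/squid/*`; a comment stating that logs are deliberately deleted on removal would help whoever audits the package later.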
@@ -402,7 +416,6 @@ fi %config %{squidconfdir}/%{name}.conf.default %config %{squidconfdir}/%{name}.conf.documented %config %{_sysconfdir}/pam.d/%{name} -%config %{_sysconfdir}/init.d/%{name} %config %{_sysconfdir}/permissions.d/%{name}.easy %config %{_sysconfdir}/permissions.d/%{name}.secure %config %{_sysconfdir}/permissions.d/%{name}.paranoid @@ -423,7 +436,7 @@ fi %{_sbindir}/basic_ncsa_auth %{_sbindir}/basic_nis_auth %verify(not user group mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth -#%%{_sbindir}/basic_pam_auth +#{_sbindir}/basic_pam_auth %{_sbindir}/basic_pop3_auth %{_sbindir}/basic_radius_auth %{_sbindir}/basic_sasl_auth @@ -450,15 +463,24 @@ fi %{_sbindir}/negotiate_wrapper_auth %{_sbindir}/ntlm_fake_auth %{_sbindir}/ntlm_smb_lm_auth -%verify(not user group mode) %attr(4750,root,squid) %{_sbindir}/pinger -%{_sbindir}/rc%{name} +# not working %%caps(cap_net_raw=ep) +%if 0%{?has_systemd} +%verify(not user group mode caps) %attr(750,root,squid) %{_sbindir}/pinger +%else +%verify(not user group mode) %attr(2750,root,squid) %{_sbindir}/pinger +%endif %{_sbindir}/%{name} %{_sbindir}/ssl_crtd %{_sbindir}/storeid_file_rewrite %{_sbindir}/unlinkd %{_sbindir}/url_fake_rewrite %{_sbindir}/url_fake_rewrite.sh +%if 0%{?suse_version} +%{_sbindir}/rc%{name} %{_localstatedir}/adm/fillup-templates/sysconfig.%{name} +%else +%{_sysconfdir}/sysconfig/%{name} +%endif %dir %{_libdir}/%{name} %{_libdir}/%{name}/cachemgr.cgi