diff --git a/RELEASENOTES.html b/RELEASENOTES.html
index d9b3926..a751215 100644
--- a/RELEASENOTES.html
+++ b/RELEASENOTES.html
@@ -2,10 +2,10 @@
- Squid 3.4.5 release notes
+ Squid 3.4.7 release notes
-Squid 3.4.5 release notes
+Squid 3.4.7 release notes
Squid Developers
@@ -57,7 +57,7 @@ for Applied Network Research and members of the Web Caching community.
-The Squid Team are pleased to announce the release of Squid-3.4.5 for testing.
+The Squid Team are pleased to announce the release of Squid-3.4.7 for testing.
This new release is available for download from
http://www.squid-cache.org/Versions/v3/3.4/ or the
mirrors.
diff --git a/squid-3.4.6.tar.bz2 b/squid-3.4.6.tar.bz2
deleted file mode 100644
index f021a92..0000000
--- a/squid-3.4.6.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:37338218562a2c85e855b4fa472848ca8f8a0408f3e04d15636acdaace3811ca
-size 3057715
diff --git a/squid-3.4.6.tar.bz2.asc b/squid-3.4.6.tar.bz2.asc
deleted file mode 100644
index f224eff..0000000
--- a/squid-3.4.6.tar.bz2.asc
+++ /dev/null
@@ -1,20 +0,0 @@
-File: squid-3.4.6.tar.bz2
-Date: Wed Jun 25 15:31:30 UTC 2014
-Size: 3057715
-MD5 : d3ca4ce0a039bbba8258d6b67d6afaa1
-SHA1: 0b8850a0bf73d85797e441e589324da8309cd738
-Key : 0xFF5CF463
- fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
- keyring = http://www.squid-cache.org/pgp.asc
- keyserver = subkeys.pgp.net
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQEcBAABAgAGBQJTqx1kAAoJELJo5wb/XPRjsjEIAOCdBy3rvR5fK5JluK2uUjkf
-+EQbglgl10SoMMxS63mswFI5ZlpyHffPhpuL9RGOSeRxjUV7S9a8I9WuG+1ox6Of
-P6VXZxnUpZNwSWht7MJL8gIUs8oafYsPPlwP9r67VxQeP8Nz42HwsYOaWhNVi72w
-TU2axLEnIg89qg9heG7jN1gFBYOSTW4arW3+1Rzefo5sNvLXjbtE1i6woLYp+9E1
-v/ZXPo/LIW7WoV8/n/kr43PMGExPg40YZXVybdKBtHjybpLzxJSPv61cKqMtzN9C
-b6RRjLNM8BuVGdi8wdEDJuwCcnIbT8Bsqi6SPYDDfkNRhh+CBp8/mA9Rdgg+QVE=
-=OMF0
------END PGP SIGNATURE-----
diff --git a/squid-3.4.9.tar.bz2 b/squid-3.4.9.tar.bz2
new file mode 100644
index 0000000..8d8525b
--- /dev/null
+++ b/squid-3.4.9.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42f2ffbfed6679e1e4ba9a29088495c088ff76cc2517d22d5fb792e2b802ce66
+size 3043750
diff --git a/squid-3.4.9.tar.bz2.asc b/squid-3.4.9.tar.bz2.asc
new file mode 100644
index 0000000..b65df61
--- /dev/null
+++ b/squid-3.4.9.tar.bz2.asc
@@ -0,0 +1,20 @@
+File: squid-3.4.9.tar.bz2
+Date: Fri Oct 31 10:20:30 UTC 2014
+Size: 3043750
+MD5 : bb8ecbee8fa9fa8659b4349a78696fe7
+SHA1: a356cadc324d91c41119f96a7d1a20330866c1ac
+Key : 0xFF5CF463
+ fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
+ keyring = http://www.squid-cache.org/pgp.asc
+ keyserver = subkeys.pgp.net
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAABAgAGBQJUU3UxAAoJELJo5wb/XPRjhKUH/0flnkcc6gTQzh7Vh/kusCFk
+pC/sfpt0mrZeZZQxAYS/wJFIym5jo8PkiKrvC2ZgOHchpVlGC3hLn2ENqbzR6VEv
+L5V7M1XGJdgC1ynjj+H9ML4PBmV1E/XfakkOgnhY+3of32DrmuCN8CFuB5iGNcdH
+xHwzXGSeyJkDUjZObourtT2h64Rc12cARz/yXgsq2YKAhf0EM8+rld5Xm40kOWsX
+Vci/kvw3RkXuhMMwrL9jzxv8z5/nrsDHbHmwXy3mw2k0G9AmzbKx8ykdoABG/MH5
+awuHT1MNFQp5IBr6LisM++2BILjb3UNiyp3lhDtXCHbTo6RCik7jUvEih57koqI=
+=BI4b
+-----END PGP SIGNATURE-----
diff --git a/squid-cert_tool_use_bash_not_ksh.patch b/squid-cert_tool_use_bash_not_ksh.patch
deleted file mode 100644
index dd8d74e..0000000
--- a/squid-cert_tool_use_bash_not_ksh.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-diff -rNU 60 ../squid-3.4.6-o/helpers/external_acl/kerberos_ldap_group/cert_tool ./helpers/external_acl/kerberos_ldap_group/cert_tool
---- ../squid-3.4.6-o/helpers/external_acl/kerberos_ldap_group/cert_tool 2014-06-25 16:41:39.000000000 +0200
-+++ ./helpers/external_acl/kerberos_ldap_group/cert_tool 2014-08-14 16:40:59.000000000 +0200
-@@ -1,61 +1,61 @@
--#!/bin/ksh
-+#!/bin/bash
- #
- # -----------------------------------------------------------------------------
- #
- # Author: Markus Moeller (markus_moeller at compuserve.com)
- #
- # Copyright (C) 2007 Markus Moeller. All rights reserved.
- #
- # This program is free software; you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
- # the Free Software Foundation; either version 2 of the License, or
- # (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program; if not, write to the Free Software
- # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
- #
- # -----------------------------------------------------------------------------
- #
- #
- # creates the following files:
- # .cert
- # secmod.db
- # key3.db
- # cert8.db
- #
- #
- if [ -z "$1" ]; then
- echo "Usage: `basename $0` ldap-server port"
- exit 0
- fi
- if [ -z "$2" ]; then
- port=636
- else
- port=$2
- fi
-
- server=$1
-
- #
- # Remove old files
- #
- rm ${server}_[0-9]*.cert 2>/dev/null
- #
- # Get certs and store in .cert file
- #
- ( openssl s_client -showcerts -connect $server:$port 2>/dev/null < ostart ) {print $0 >>"'$server'_"start".cert"};
- if ( $0 ~ /END CERTIFICATE/) { ostart=start } }'
-
- #
- # from mozilla-nss-tools
- # /usr/sfw/bin on Solaris
diff --git a/squid-compiled_without_RPM_OPT_FLAGS.patch b/squid-compiled_without_RPM_OPT_FLAGS.patch
index d7c8b08..d020e79 100644
--- a/squid-compiled_without_RPM_OPT_FLAGS.patch
+++ b/squid-compiled_without_RPM_OPT_FLAGS.patch
@@ -2,7 +2,7 @@ Index: src/Makefile.am
===================================================================
--- src/Makefile.am.orig
+++ src/Makefile.am
-@@ -981,7 +981,7 @@ cache_cf.o: cf_parser.cci
+@@ -983,7 +983,7 @@ cache_cf.o: cf_parser.cci
# cf_gen builds the configuration files.
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
@@ -15,7 +15,7 @@ Index: src/Makefile.in
===================================================================
--- src/Makefile.in.orig
+++ src/Makefile.in
-@@ -7295,7 +7295,7 @@ cache_cf.o: cf_parser.cci
+@@ -7742,7 +7742,7 @@ cache_cf.o: cf_parser.cci
# cf_gen builds the configuration files.
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
diff --git a/squid-config.patch b/squid-config.patch
index ea08e85..0454fc9 100644
--- a/squid-config.patch
+++ b/squid-config.patch
@@ -2,7 +2,7 @@ Index: src/cf.data.pre
===================================================================
--- src/cf.data.pre.orig
+++ src/cf.data.pre
-@@ -1350,6 +1350,8 @@ http_access deny manager
+@@ -1361,6 +1361,8 @@ http_access deny manager
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
@@ -11,7 +11,7 @@ Index: src/cf.data.pre
http_access allow localhost
# And finally deny all other access to this proxy
-@@ -3361,6 +3363,10 @@ DOC_START
+@@ -3414,6 +3416,10 @@ DOC_START
Instead, if you want Squid to use the entire disk drive,
subtract 20% and use that value.
@@ -22,7 +22,7 @@ Index: src/cf.data.pre
'L1' is the number of first-level subdirectories which
will be created under the 'Directory'. The default is 16.
-@@ -3494,7 +3500,7 @@ DOC_START
+@@ -3547,7 +3553,7 @@ DOC_START
NOCOMMENT_START
# Uncomment and adjust the following to add a disk cache directory.
@@ -31,7 +31,7 @@ Index: src/cf.data.pre
NOCOMMENT_END
DOC_END
-@@ -4147,7 +4153,7 @@ DOC_END
+@@ -4178,7 +4184,7 @@ DOC_END
NAME: logfile_rotate
TYPE: int
diff --git a/squid-nobuilddates.patch b/squid-nobuilddates.patch
index 816e2cb..7ed4f24 100644
--- a/squid-nobuilddates.patch
+++ b/squid-nobuilddates.patch
@@ -44,14 +44,14 @@ Index: helpers/external_acl/LM_group/ext_lm_group_acl.cc
- debug("External ACL win32 group helper build " __DATE__ ", " __TIME__
- " starting up...\n");
+ debug("External ACL win32 group helper build starting up...\n");
- if (use_global)
+ if (use_global) {
debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain);
- if (use_case_insensitive_compare)
+ }
Index: helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
===================================================================
--- helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc.orig
+++ helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
-@@ -272,7 +272,7 @@ main(int argc, char *argv[])
+@@ -274,7 +274,7 @@ main(int argc, char *argv[])
process_options(argc, argv);
@@ -64,7 +64,7 @@ Index: helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
===================================================================
--- helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc.orig
+++ helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
-@@ -609,7 +609,7 @@ main(int argc, char *argv[])
+@@ -611,7 +611,7 @@ main(int argc, char *argv[])
process_options(argc, argv);
diff --git a/squid-rpmlintrc b/squid-rpmlintrc
index 30ffcdb..bdf14cb 100644
--- a/squid-rpmlintrc
+++ b/squid-rpmlintrc
@@ -1,5 +1,5 @@
-addFilter("macro-in-comment")
addFilter("no-manual-page-for-binary")
addFilter("zero-length")
+addFilter("incorrect-fsf-address")
# Temporary solution untill it is moved into factory
setBadness('permissions-unauthorized-file', 333)
diff --git a/squid.changes b/squid.changes
index 0d9f3f7..e6fd0d4 100644
--- a/squid.changes
+++ b/squid.changes
@@ -1,3 +1,83 @@
+-------------------------------------------------------------------
+Thu Nov 27 13:16:58 UTC 2014 - lmuelle@suse.com
+
+- Changes to 3.4.9 (31 Oct 2014):
+ + Regression fix: ext_kerberos_ldap_group_acl typo in 3.4.7 update
+ + Bug 4102: sslbump cert contains only a dot character in key usage extension
+ + Bug 4093: source-maintenance.sh errors and warnings due to wrong
+ tools/options
+ + Bug 4088: memory leak in external_acl_type helper with cache=0 or ttl=0
+ + Bug 4024: Bad host/IP ::1 when using IPv4-only environment
+ + Bug 3803: ident leaks memory on failure
+ + kerberos_ldap_group/cert_tool: Remove ksh dependency;
+ obsoletes squid-cert_tool_use_bash_not_ksh.patch
+ + ... and some automated code style updates
+ + ... and some documentation updates
+- Changes to 3.4.8 (15 Sep 2014):
+ + Fix off by one in SNMP subsystem
+ + pinger: Fix various ICMP handling issues; CVE-2014-7141; CVE-2014-7142;
+ http://www.squid-cache.org/Advisories/SQUID-2014_4.txt; bnc#891268
+ obsoletes squid-icmp-DoS.patch
+
+-------------------------------------------------------------------
+Wed Nov 26 21:45:48 UTC 2014 - lmuelle@suse.com
+
+- Remove dependency on gpg-offline as signature checking is implemented in the
+ source validator.
+
+-------------------------------------------------------------------
+Wed Sep 24 11:49:04 UTC 2014 - chris@computersalat.de
+
+- fix spec and changes file
+
+-------------------------------------------------------------------
+Tue Sep 16 09:31:35 UTC 2014 - boris@steki.net
+
+- update logrotate file
+ * postrotate now defaults to 'systemd'
+
+-------------------------------------------------------------------
+Tue Sep 16 08:35:11 UTC 2014 - boris@steki.net
+
+- fix for icmp pinger DOS bnc#891268
+
+-------------------------------------------------------------------
+Mon Sep 15 11:36:51 UTC 2014 - chris@computersalat.de
+
+- some spec cleanup
+- some systemd/SysVinit fixes
+- fix sysconfig file for ! suse_version
+
+-------------------------------------------------------------------
+Thu Sep 11 15:25:01 UTC 2014 - boris@steki.net
+
+- replaced permissions handling using setuid bit with use of
+ linux capabilities (on supported systems)
+- general cleanup of .spec file and systemd handling
+
+-------------------------------------------------------------------
+Fri Sep 5 15:04:47 UTC 2014 - chris@computersalat.de
+
+- Changes to 3.4.7 (28 Aug 2014):
+ * Regression Fix: Kerberos LDAP authorizing groups with principle subdomain
+ * Bug 4080: worker hangs when client identd is not responding
+ * Bug 3966: Add KeyEncipherment when ssl-bump substitues RSA for EC
+ * HTTP/1.1: Ignore Range headers with unidentifiable byte-range values
+ * SSL-bump: Use v3 for fake certificate if we add _any_ certificate extension
+ * Enable compile-time override for MAXTCPLISTENPORTS
+ * ntlm_sspi_auth: Fix various build errors
+ * negotiate_wrapper: Fix build issues with non-portable vfork()
+ * negotiate_sspi_auth: Portability fixes for MinGW
+ * ext_lm_group_acl: Portability fixes for MinGW
+ * ... and several minor memory leaks
+- fix for bnc#894636
+ * fix postrotate for systemd
+- rebase patches
+ * squid-cert_tool_use_bash_not_ksh.patch
+ * squid-compiled_without_RPM_OPT_FLAGS.patch
+ * squid-nobuilddates.patch
+ * squid-config.patch
+
-------------------------------------------------------------------
Thu Sep 4 16:02:45 UTC 2014 - chris@computersalat.de
diff --git a/squid.logrotate b/squid.logrotate
index 657182d..04ea655 100644
--- a/squid.logrotate
+++ b/squid.logrotate
@@ -9,7 +9,7 @@
create 640 squid root
sharedscripts
postrotate
- /etc/init.d/squid reload
+ /usr/bin/systemctl reload squid.service
endscript
}
@@ -23,6 +23,6 @@
missingok
create 640 squid root
postrotate
- /etc/init.d/squid reload
+ /usr/bin/systemctl reload squid.service
endscript
}
diff --git a/squid.permissions.easy b/squid.permissions.easy
index c059e6c..275897d 100644
--- a/squid.permissions.easy
+++ b/squid.permissions.easy
@@ -1,4 +1,5 @@
/var/cache/squid/ squid:root 750
/var/log/squid/ squid:root 750
-/usr/sbin/pinger root:squid 4750
+/usr/sbin/pinger root:squid 750
+ +capabilities cap_net_raw=ep
/usr/sbin/basic_pam_auth root:shadow 2750
diff --git a/squid.permissions.paranoid b/squid.permissions.paranoid
index 15c7a04..bf26c3c 100644
--- a/squid.permissions.paranoid
+++ b/squid.permissions.paranoid
@@ -1,4 +1,5 @@
/var/cache/squid/ squid:root 750
/var/log/squid/ squid:root 750
-/usr/sbin/pinger root:root 755
+/usr/sbin/pinger root:squid 750
+ +capabilities cap_net_raw=ep
/usr/sbin/basic_pam_auth root:root 755
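Review bot: The paranoid profile now grants pinger `cap_net_raw=ep`, where the removed line (`root:root 755`) gave it no elevated privilege, so the strictest permissions level no longer strips it. This contradicts the spec's own comment, "paranoid will strip everything". The non-systemd sed in squid.spec removes the capability line again, so the paranoid profile ends up meaning different things on different builds. If the paranoid level should stay privilege-free, drop the `+capabilities cap_net_raw=ep` line from this file and keep it only in the easy and secure profiles; otherwise update the comment in the spec.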
diff --git a/squid.spec b/squid.spec
index c20ef4a..96f9986 100644
--- a/squid.spec
+++ b/squid.spec
@@ -24,12 +24,13 @@ Name: squid
Summary: A fully featured HTTP/1.0 proxy
License: GPL-2.0+
Group: Productivity/Networking/Web/Proxy
-Version: 3.4.6
+Version: 3.4.9
Release: 0
+%define majorver %(echo %version|sed -re 's/^([0-9]).*/\1/g')
+%define majminver %(echo %version|sed -re 's/^([0-9]\.[0-9]).*/\1/g')
Url: http://www.squid-cache.org/Versions/v3/3.4
-#Source0: http://www.squid-cache.org/Versions/v3/3.3/%{name}-%{version}%{snap}.tar.bz2
-Source0: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2
-Source1: %{name}-%{version}.tar.bz2.asc
+Source0: http://www.squid-cache.org/Versions/%{majorver}/%{majminver}/%{name}-%{version}.tar.bz2
+Source1: http://www.squid-cache.org/Versions/%{majorver}/%{majminver}/%{name}-%{version}.tar.bz2.asc
Source2: RELEASENOTES.html
Source3: squid.init
Source4: squid.sysconfig
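Review bot: The new `Source0` and `Source1` URLs expand to `Versions/3/3.4/`, because `majorver` evaluates to a bare `3`, while the removed line and the unchanged `Url:` tag both use `Versions/v3/3.4`. The path segment should read `Versions/v%{majorver}/%{majminver}/` on both lines, otherwise source download and signature fetch point at a location the page gives no evidence for. Both URLs are also plain `http://`, so tarball integrity rests entirely on the signature check that this commit moves out of the spec.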
@@ -65,7 +66,7 @@ Patch101: %{name}-nobuilddates.patch
Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch
# patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042)
Patch103: squid-brokenad.patch
-Patch104: %{name}-cert_tool_use_bash_not_ksh.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if 0%{?suse_version}
PreReq: %fillup_prereq
@@ -88,9 +89,6 @@ BuildRequires: expat
BuildRequires: fdupes
%endif
BuildRequires: gcc-c++
-%if 0%{?suse_version}
-BuildRequires: gpg-offline
-%endif
BuildRequires: krb5-devel
BuildRequires: libcap-devel
BuildRequires: libexpat-devel
@@ -127,7 +125,7 @@ Provides: %{name}3 = %{version}
Obsoletes: %{name}3 < %{version}
%description
-Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
+Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting there!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. Squid offers a rich set of traffic optimization options, most of which are enabled by default for simpler installation and high performance.
Squid 3.4 represents a new feature release above 3.3.
@@ -140,15 +138,8 @@ The most important of these new features are:
* Transaction Annotations
* Multicast DNS
-Most user-facing changes are reflected in squid.conf (see below).
-
- First STABLE release Date: 08 Dec 2013
-
%prep
#setup -q -n %{name}-%{version}%{snap}
-%if 0%{?suse_version}
-%gpg_verify %{S:1}
-%endif
%setup -q -n %{name}-%{version}
cp %{S:10} .
# upstream patches after RELEASE
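Review bot: With `%gpg_verify %{S:1}` removed from `%prep`, nothing in the spec fails the build when the tarball and `Source1` disagree, and no comment says where that check now happens. The changelog attributes it to the source validator, which presumably needs a keyring shipped beside the sources. None is added in this diff, so confirm one is already present. A comment above `%setup` would make the dependency visible, for example `# signature in Source1 is verified by the build service source validator, not in %%prep`.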
@@ -160,16 +151,10 @@ chmod a-x CREDITS
%patch101
%patch102
%patch103
-%patch104
%build
-#if 0%{?sles_version} == 1100
-#export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
-#export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
-#else
export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
-#endif
export LDFLAGS='-Wl,-z,relro,-z,now -pie'
%configure \
--disable-strict-error-checking \
@@ -233,26 +218,33 @@ make SAMBAPREFIX=/usr %{?_smp_mflags}
%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || :
%{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
-g %{name} -o -u 31 -r -s /bin/false 2> /dev/null || :
-install -d %{buildroot}%{_localstatedir}/{cache,log}/%{name}
-chmod 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
+
+install -d -m 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
install -d %{buildroot}%{_prefix}/sbin
+
+# make_install
make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr
+
mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default
ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible
-install -d -m 755 %{buildroot}%{_sysconfdir}/permissions.d
-install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy
-# pinger should be secure "enough" anyway paranoid will strip everything :)
-install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure
-install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
-install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
-install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
-%if 0%{?suse_version}
-install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
-%else # lets just assume other are rh based ones...
-install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
+
+# install permissions files
+cp -a %{SOURCE9} %{name}.easy
+cp -a %{SOURCE9} %{name}.secure
+cp -a %{SOURCE15} %{name}.paranoid
+%if !0%{?has_systemd}
+sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %{name}.easy
+sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %{name}.secure
+sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\1750@g' %{name}.paranoid
%endif
-ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rcsquid
-install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
+
+install -D -m 644 %{name}.easy %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy
+# pinger should be secure "enough" anyway paranoid will strip everything :)
+install -m 644 %{name}.secure %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure
+install -m 644 %{name}.paranoid %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
+
+# install logrotate file
+install -D -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
install -d -m 755 doc/scripts
install scripts/*.pl doc/scripts
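Review bot: The non-systemd fallback rewrites pinger to mode `2750` in `%{name}.easy` and `%{name}.secure` (the replacement `\12750` is group 1 followed by `2750`). That is setgid squid, not the `4750` setuid-root mode this commit removes from squid.permissions.easy. Setgid to the squid group confers no raw-socket privilege, so on those builds pinger presumably cannot open its ICMP socket while still carrying a needless setgid bit. If the intent is to fall back to the previous behaviour, the substitution should be `s@^(/usr/sbin/pinger.*)750@\14750@g`, and the `%attr(2750,root,squid)` line in the later `%files` hunk needs the same correction. Using `has_systemd` to decide whether file capabilities are available also deserves a short comment, since the two are not the same property.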
@@ -285,7 +277,22 @@ fdupes -q -n -r %{buildroot}%{_prefix}
%endif
%if 0%{?has_systemd}
-install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
+ install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
+ ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
+%else # SysVinit
+ # fix postrotate script for SysVinit
+ sed -i -re 's@/usr/bin/systemctl.*@/etc/init.d/squid reload@g' %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+ %if 0%{?suse_version}
+ install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
+ ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name}
+ %else # lets just assume other are rh based ones...
+ install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
+ %endif
+%endif
+%if 0%{?suse_version}
+ install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
+%else
+ install -D -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
%endif
%pre
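Review bot: The `rc%{name}` symlink is created for every `has_systemd` build, but the later `%files` hunk lists `%{_sbindir}/rc%{name}` only inside `%if 0%{?suse_version}`. A systemd build on a non-SUSE target would therefore leave an installed but unpackaged file. Guard the link the same way, e.g. wrap `ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}` in `%if 0%{?suse_version}` … `%endif`. The non-SUSE `%{_sysconfdir}/sysconfig/%{name}` is also listed in `%files` without `%config(noreplace)`, so local edits to it would presumably be overwritten on update.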
@@ -314,11 +321,14 @@ fi
%post
%if 0%{?suse_version} >= 1140
-%if 0%{?set_permissions:1}
- %set_permissions %name
-%else
- %run_permissions
-%endif
+ %if 0%{?set_permissions:1}
+%set_permissions %{_sbindir}/pinger
+%set_permissions %{_sbindir}/basic_pam_auth
+%set_permissions %{_localstatedir}/cache/squid/
+%set_permissions %{_localstatedir}/log/squid/
+ %else
+%run_permissions
+ %endif
%endif
# update mode?
if [ "$1" -gt "1" ]; then
@@ -329,50 +339,52 @@ if [ "$1" -gt "1" ]; then
# default group changed from nogroup to squid
%{_sbindir}/usermod -g %{name} %{name}
fi
-%if 0%{?suse_version}
-%{fillup_and_insserv -n "squid"}
-%else
-/sbin/chkconfig --add squid
-%endif
%if 0%{?has_systemd}
%service_add_post squid.service
+%else
+ %if 0%{?suse_version}
+%{fillup_and_insserv -n "squid"}
+ %else
+ /sbin/chkconfig --add squid
+ %endif
%endif
%preun
-%if 0%{?suse_version}
-%stop_on_removal squid
-%else
-if [ $1 = 0 ] ; then
- service squid stop >/dev/null 2>&1
- rm -f /var/log/squid/*
- /sbin/chkconfig --del squid
-fi
-%endif
-
%if 0%{?has_systemd}
%service_del_preun squid.service
+%else
+ %if 0%{?suse_version}
+%stop_on_removal squid
+ %else
+ if [ $1 = 0 ] ; then
+ service squid stop >/dev/null 2>&1
+ rm -f /var/log/squid/*
+ /sbin/chkconfig --del squid
+ fi
+ %endif
%endif
%postun
-
-%if 0%{?has_systemd}
-%service_del_postun squid.service
-%endif
-
%if 0%{?suse_version}
-%restart_on_update squid
-%insserv_cleanup
%verifyscript
%verify_permissions -e /usr/sbin/basic_pam_auth
%verify_permissions -e /usr/sbin/pinger
%verify_permissions -e /var/cache/squid/
%verify_permissions -e /var/log/squid/
+%endif
+%if 0%{?has_systemd}
+%service_del_postun squid.service
%else
-if [ "$1" -ge "1" ] ; then
- service squid condrestart >/dev/null 2>&1
-fi
+ %if 0%{?suse_version}
+%restart_on_update squid
+%insserv_cleanup
+ %else
+ if [ "$1" -ge "1" ] ; then
+ service squid condrestart >/dev/null 2>&1
+ fi
+ %endif
%endif
%files
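Review bot: On SUSE builds, as this hunk reads, `%verifyscript` now opens directly after `%postun` and the `%service_del_postun` / `%restart_on_update` / `%insserv_cleanup` block follows it. That leaves `%postun` empty and puts the service handling inside the verify scriptlet. It would then run on `rpm -V` rather than on upgrade or removal, so the daemon is not restarted onto updated binaries after a security update. Move `%verifyscript` and its four `%verify_permissions -e …` lines, still inside their `%if 0%{?suse_version}`, to after the final `%endif` of the `%postun` body so that section starts with `%if 0%{?has_systemd}`.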
@@ -385,6 +397,8 @@ fi
%doc %{_mandir}/man?/*
%if 0%{?has_systemd}
%{_unitdir}/%{name}.service
+%else
+%{_sysconfdir}/init.d/%{name}
%endif
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
@@ -402,7 +416,6 @@ fi
%config %{squidconfdir}/%{name}.conf.default
%config %{squidconfdir}/%{name}.conf.documented
%config %{_sysconfdir}/pam.d/%{name}
-%config %{_sysconfdir}/init.d/%{name}
%config %{_sysconfdir}/permissions.d/%{name}.easy
%config %{_sysconfdir}/permissions.d/%{name}.secure
%config %{_sysconfdir}/permissions.d/%{name}.paranoid
@@ -423,7 +436,7 @@ fi
%{_sbindir}/basic_ncsa_auth
%{_sbindir}/basic_nis_auth
%verify(not user group mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth
-#%%{_sbindir}/basic_pam_auth
+#{_sbindir}/basic_pam_auth
%{_sbindir}/basic_pop3_auth
%{_sbindir}/basic_radius_auth
%{_sbindir}/basic_sasl_auth
@@ -450,15 +463,24 @@ fi
%{_sbindir}/negotiate_wrapper_auth
%{_sbindir}/ntlm_fake_auth
%{_sbindir}/ntlm_smb_lm_auth
-%verify(not user group mode) %attr(4750,root,squid) %{_sbindir}/pinger
-%{_sbindir}/rc%{name}
+# not working %%caps(cap_net_raw=ep)
+%if 0%{?has_systemd}
+%verify(not user group mode caps) %attr(750,root,squid) %{_sbindir}/pinger
+%else
+%verify(not user group mode) %attr(2750,root,squid) %{_sbindir}/pinger
+%endif
%{_sbindir}/%{name}
%{_sbindir}/ssl_crtd
%{_sbindir}/storeid_file_rewrite
%{_sbindir}/unlinkd
%{_sbindir}/url_fake_rewrite
%{_sbindir}/url_fake_rewrite.sh
+%if 0%{?suse_version}
+%{_sbindir}/rc%{name}
%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
+%else
+%{_sysconfdir}/sysconfig/%{name}
+%endif
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/cachemgr.cgi