Accepting request 263262 from server:proxy:Test

update to 3.4.9, fix for bnc#891268 (CVE-2014-7141, CVE-2014-7142)

OBS-URL: https://build.opensuse.org/request/show/263262
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=61
This commit is contained in:
Christian Wittmer 2014-11-27 20:53:15 +00:00 committed by Git OBS Bridge
parent c1113da01b
commit c3f10526dc
15 changed files with 217 additions and 179 deletions

View File

@ -2,10 +2,10 @@
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
<TITLE>Squid 3.4.5 release notes</TITLE>
<TITLE>Squid 3.4.7 release notes</TITLE>
</HEAD>
<BODY>
<H1>Squid 3.4.5 release notes</H1>
<H1>Squid 3.4.7 release notes</H1>
<H2>Squid Developers</H2>
<HR>
@ -57,7 +57,7 @@ for Applied Network Research and members of the Web Caching community.</EM>
<HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
<P>The Squid Team are pleased to announce the release of Squid-3.4.5 for testing.</P>
<P>The Squid Team are pleased to announce the release of Squid-3.4.7 for testing.</P>
<P>This new release is available for download from
<A HREF="http://www.squid-cache.org/Versions/v3/3.4/">http://www.squid-cache.org/Versions/v3/3.4/</A> or the
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:37338218562a2c85e855b4fa472848ca8f8a0408f3e04d15636acdaace3811ca
size 3057715

View File

@ -1,20 +0,0 @@
File: squid-3.4.6.tar.bz2
Date: Wed Jun 25 15:31:30 UTC 2014
Size: 3057715
MD5 : d3ca4ce0a039bbba8258d6b67d6afaa1
SHA1: 0b8850a0bf73d85797e441e589324da8309cd738
Key : 0xFF5CF463 <squid3@treenet.co.nz>
fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
keyring = http://www.squid-cache.org/pgp.asc
keyserver = subkeys.pgp.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJTqx1kAAoJELJo5wb/XPRjsjEIAOCdBy3rvR5fK5JluK2uUjkf
+EQbglgl10SoMMxS63mswFI5ZlpyHffPhpuL9RGOSeRxjUV7S9a8I9WuG+1ox6Of
P6VXZxnUpZNwSWht7MJL8gIUs8oafYsPPlwP9r67VxQeP8Nz42HwsYOaWhNVi72w
TU2axLEnIg89qg9heG7jN1gFBYOSTW4arW3+1Rzefo5sNvLXjbtE1i6woLYp+9E1
v/ZXPo/LIW7WoV8/n/kr43PMGExPg40YZXVybdKBtHjybpLzxJSPv61cKqMtzN9C
b6RRjLNM8BuVGdi8wdEDJuwCcnIbT8Bsqi6SPYDDfkNRhh+CBp8/mA9Rdgg+QVE=
=OMF0
-----END PGP SIGNATURE-----

3
squid-3.4.9.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:42f2ffbfed6679e1e4ba9a29088495c088ff76cc2517d22d5fb792e2b802ce66
size 3043750

20
squid-3.4.9.tar.bz2.asc Normal file
View File

@ -0,0 +1,20 @@
File: squid-3.4.9.tar.bz2
Date: Fri Oct 31 10:20:30 UTC 2014
Size: 3043750
MD5 : bb8ecbee8fa9fa8659b4349a78696fe7
SHA1: a356cadc324d91c41119f96a7d1a20330866c1ac
Key : 0xFF5CF463 <squid3@treenet.co.nz>
fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
keyring = http://www.squid-cache.org/pgp.asc
keyserver = subkeys.pgp.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJUU3UxAAoJELJo5wb/XPRjhKUH/0flnkcc6gTQzh7Vh/kusCFk
pC/sfpt0mrZeZZQxAYS/wJFIym5jo8PkiKrvC2ZgOHchpVlGC3hLn2ENqbzR6VEv
L5V7M1XGJdgC1ynjj+H9ML4PBmV1E/XfakkOgnhY+3of32DrmuCN8CFuB5iGNcdH
xHwzXGSeyJkDUjZObourtT2h64Rc12cARz/yXgsq2YKAhf0EM8+rld5Xm40kOWsX
Vci/kvw3RkXuhMMwrL9jzxv8z5/nrsDHbHmwXy3mw2k0G9AmzbKx8ykdoABG/MH5
awuHT1MNFQp5IBr6LisM++2BILjb3UNiyp3lhDtXCHbTo6RCik7jUvEih57koqI=
=BI4b
-----END PGP SIGNATURE-----

View File

@ -1,66 +0,0 @@
diff -rNU 60 ../squid-3.4.6-o/helpers/external_acl/kerberos_ldap_group/cert_tool ./helpers/external_acl/kerberos_ldap_group/cert_tool
--- ../squid-3.4.6-o/helpers/external_acl/kerberos_ldap_group/cert_tool 2014-06-25 16:41:39.000000000 +0200
+++ ./helpers/external_acl/kerberos_ldap_group/cert_tool 2014-08-14 16:40:59.000000000 +0200
@@ -1,61 +1,61 @@
-#!/bin/ksh
+#!/bin/bash
#
# -----------------------------------------------------------------------------
#
# Author: Markus Moeller (markus_moeller at compuserve.com)
#
# Copyright (C) 2007 Markus Moeller. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
#
# -----------------------------------------------------------------------------
#
#
# creates the following files:
# <server>.cert
# secmod.db
# key3.db
# cert8.db
#
#
if [ -z "$1" ]; then
echo "Usage: `basename $0` ldap-server port"
exit 0
fi
if [ -z "$2" ]; then
port=636
else
port=$2
fi
server=$1
#
# Remove old files
#
rm ${server}_[0-9]*.cert 2>/dev/null
#
# Get certs and store in .cert file
#
( openssl s_client -showcerts -connect $server:$port 2>/dev/null <<!
QUIT
!
) | awk 'BEGIN{start=0;ostart=0}{if ( $0 ~ /BEGIN CERTIFICATE/ ) { start=start+1 };
if ( start > ostart ) {print $0 >>"'$server'_"start".cert"};
if ( $0 ~ /END CERTIFICATE/) { ostart=start } }'
#
# from mozilla-nss-tools
# /usr/sfw/bin on Solaris

View File

@ -2,7 +2,7 @@ Index: src/Makefile.am
===================================================================
--- src/Makefile.am.orig
+++ src/Makefile.am
@@ -981,7 +981,7 @@ cache_cf.o: cf_parser.cci
@@ -983,7 +983,7 @@ cache_cf.o: cf_parser.cci
# cf_gen builds the configuration files.
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
@ -15,7 +15,7 @@ Index: src/Makefile.in
===================================================================
--- src/Makefile.in.orig
+++ src/Makefile.in
@@ -7295,7 +7295,7 @@ cache_cf.o: cf_parser.cci
@@ -7742,7 +7742,7 @@ cache_cf.o: cf_parser.cci
# cf_gen builds the configuration files.
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci

View File

@ -2,7 +2,7 @@ Index: src/cf.data.pre
===================================================================
--- src/cf.data.pre.orig
+++ src/cf.data.pre
@@ -1350,6 +1350,8 @@ http_access deny manager
@@ -1361,6 +1361,8 @@ http_access deny manager
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
@ -11,7 +11,7 @@ Index: src/cf.data.pre
http_access allow localhost
# And finally deny all other access to this proxy
@@ -3361,6 +3363,10 @@ DOC_START
@@ -3414,6 +3416,10 @@ DOC_START
Instead, if you want Squid to use the entire disk drive,
subtract 20% and use that value.
@ -22,7 +22,7 @@ Index: src/cf.data.pre
'L1' is the number of first-level subdirectories which
will be created under the 'Directory'. The default is 16.
@@ -3494,7 +3500,7 @@ DOC_START
@@ -3547,7 +3553,7 @@ DOC_START
NOCOMMENT_START
# Uncomment and adjust the following to add a disk cache directory.
@ -31,7 +31,7 @@ Index: src/cf.data.pre
NOCOMMENT_END
DOC_END
@@ -4147,7 +4153,7 @@ DOC_END
@@ -4178,7 +4184,7 @@ DOC_END
NAME: logfile_rotate
TYPE: int

View File

@ -44,14 +44,14 @@ Index: helpers/external_acl/LM_group/ext_lm_group_acl.cc
- debug("External ACL win32 group helper build " __DATE__ ", " __TIME__
- " starting up...\n");
+ debug("External ACL win32 group helper build starting up...\n");
if (use_global)
if (use_global) {
debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain);
if (use_case_insensitive_compare)
}
Index: helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
===================================================================
--- helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc.orig
+++ helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
@@ -272,7 +272,7 @@ main(int argc, char *argv[])
@@ -274,7 +274,7 @@ main(int argc, char *argv[])
process_options(argc, argv);
@ -64,7 +64,7 @@ Index: helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
===================================================================
--- helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc.orig
+++ helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
@@ -609,7 +609,7 @@ main(int argc, char *argv[])
@@ -611,7 +611,7 @@ main(int argc, char *argv[])
process_options(argc, argv);

View File

@ -1,5 +1,5 @@
addFilter("macro-in-comment")
addFilter("no-manual-page-for-binary")
addFilter("zero-length")
addFilter("incorrect-fsf-address")
# Temporary solution untill it is moved into factory
setBadness('permissions-unauthorized-file', 333)

View File

@ -1,3 +1,83 @@
-------------------------------------------------------------------
Thu Nov 27 13:16:58 UTC 2014 - lmuelle@suse.com
- Changes to 3.4.9 (31 Oct 2014):
+ Regression fix: ext_kerberos_ldap_group_acl typo in 3.4.7 update
+ Bug 4102: sslbump cert contains only a dot character in key usage extension
+ Bug 4093: source-maintenance.sh errors and warnings due to wrong
tools/options
+ Bug 4088: memory leak in external_acl_type helper with cache=0 or ttl=0
+ Bug 4024: Bad host/IP ::1 when using IPv4-only environment
+ Bug 3803: ident leaks memory on failure
+ kerberos_ldap_group/cert_tool: Remove ksh dependency;
obsoletes squid-cert_tool_use_bash_not_ksh.patch
+ ... and some automated code style updates
+ ... and some documentation updates
- Changes to 3.4.8 (15 Sep 2014):
+ Fix off by one in SNMP subsystem
+ pinger: Fix various ICMP handling issues; CVE-2014-7141; CVE-2014-7142;
http://www.squid-cache.org/Advisories/SQUID-2014_4.txt; bnc#891268
obsoletes squid-icmp-DoS.patch
-------------------------------------------------------------------
Wed Nov 26 21:45:48 UTC 2014 - lmuelle@suse.com
- Remove dependency on gpg-offline as signature checking is implemented in the
source validator.
-------------------------------------------------------------------
Wed Sep 24 11:49:04 UTC 2014 - chris@computersalat.de
- fix spec and changes file
-------------------------------------------------------------------
Tue Sep 16 09:31:35 UTC 2014 - boris@steki.net
- update logrotate file
* postrotate now defaults to 'systemd'
-------------------------------------------------------------------
Tue Sep 16 08:35:11 UTC 2014 - boris@steki.net
- fix for icmp pinger DOS bnc#891268
-------------------------------------------------------------------
Mon Sep 15 11:36:51 UTC 2014 - chris@computersalat.de
- some spec cleanup
- some systemd/SysVinit fixes
- fix sysconfig file for ! suse_version
-------------------------------------------------------------------
Thu Sep 11 15:25:01 UTC 2014 - boris@steki.net
- replaced permissions handling using setuid bit with use of
linux capabilities (on supported systems)
- general cleanup of .spec file and systemd handling
-------------------------------------------------------------------
Fri Sep 5 15:04:47 UTC 2014 - chris@computersalat.de
- Changes to 3.4.7 (28 Aug 2014):
* Regression Fix: Kerberos LDAP authorizing groups with principle subdomain
* Bug 4080: worker hangs when client identd is not responding
* Bug 3966: Add KeyEncipherment when ssl-bump substitues RSA for EC
* HTTP/1.1: Ignore Range headers with unidentifiable byte-range values
* SSL-bump: Use v3 for fake certificate if we add _any_ certificate extension
* Enable compile-time override for MAXTCPLISTENPORTS
* ntlm_sspi_auth: Fix various build errors
* negotiate_wrapper: Fix build issues with non-portable vfork()
* negotiate_sspi_auth: Portability fixes for MinGW
* ext_lm_group_acl: Portability fixes for MinGW
* ... and several minor memory leaks
- fix for bnc#894636
* fix postrotate for systemd
- rebase patches
* squid-cert_tool_use_bash_not_ksh.patch
* squid-compiled_without_RPM_OPT_FLAGS.patch
* squid-nobuilddates.patch
* squid-config.patch
-------------------------------------------------------------------
Thu Sep 4 16:02:45 UTC 2014 - chris@computersalat.de

View File

@ -9,7 +9,7 @@
create 640 squid root
sharedscripts
postrotate
/etc/init.d/squid reload
/usr/bin/systemctl reload squid.service
endscript
}
@ -23,6 +23,6 @@
missingok
create 640 squid root
postrotate
/etc/init.d/squid reload
/usr/bin/systemctl reload squid.service
endscript
}

View File

@ -1,4 +1,5 @@
/var/cache/squid/ squid:root 750
/var/log/squid/ squid:root 750
/usr/sbin/pinger root:squid 4750
/usr/sbin/pinger root:squid 750
+capabilities cap_net_raw=ep
/usr/sbin/basic_pam_auth root:shadow 2750

View File

@ -1,4 +1,5 @@
/var/cache/squid/ squid:root 750
/var/log/squid/ squid:root 750
/usr/sbin/pinger root:root 755
/usr/sbin/pinger root:squid 750
+capabilities cap_net_raw=ep
/usr/sbin/basic_pam_auth root:root 755

View File

@ -24,12 +24,13 @@ Name: squid
Summary: A fully featured HTTP/1.0 proxy
License: GPL-2.0+
Group: Productivity/Networking/Web/Proxy
Version: 3.4.6
Version: 3.4.9
Release: 0
%define majorver %(echo %version|sed -re 's/^([0-9]).*/\1/g')
%define majminver %(echo %version|sed -re 's/^([0-9]\.[0-9]).*/\1/g')
Url: http://www.squid-cache.org/Versions/v3/3.4
#Source0: http://www.squid-cache.org/Versions/v3/3.3/%{name}-%{version}%{snap}.tar.bz2
Source0: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2
Source1: %{name}-%{version}.tar.bz2.asc
Source0: http://www.squid-cache.org/Versions/%{majorver}/%{majminver}/%{name}-%{version}.tar.bz2
Source1: http://www.squid-cache.org/Versions/%{majorver}/%{majminver}/%{name}-%{version}.tar.bz2.asc
Source2: RELEASENOTES.html
Source3: squid.init
Source4: squid.sysconfig
@ -65,7 +66,7 @@ Patch101: %{name}-nobuilddates.patch
Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch
# patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042)
Patch103: squid-brokenad.patch
Patch104: %{name}-cert_tool_use_bash_not_ksh.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if 0%{?suse_version}
PreReq: %fillup_prereq
@ -88,9 +89,6 @@ BuildRequires: expat
BuildRequires: fdupes
%endif
BuildRequires: gcc-c++
%if 0%{?suse_version}
BuildRequires: gpg-offline
%endif
BuildRequires: krb5-devel
BuildRequires: libcap-devel
BuildRequires: libexpat-devel
@ -127,7 +125,7 @@ Provides: %{name}3 = %{version}
Obsoletes: %{name}3 < %{version}
%description
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting there!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. Squid offers a rich set of traffic optimization options, most of which are enabled by default for simpler installation and high performance.
Squid 3.4 represents a new feature release above 3.3.
@ -140,15 +138,8 @@ The most important of these new features are:
* Transaction Annotations
* Multicast DNS
Most user-facing changes are reflected in squid.conf (see below).
First STABLE release Date: 08 Dec 2013
%prep
#setup -q -n %{name}-%{version}%{snap}
%if 0%{?suse_version}
%gpg_verify %{S:1}
%endif
%setup -q -n %{name}-%{version}
cp %{S:10} .
# upstream patches after RELEASE
@ -160,16 +151,10 @@ chmod a-x CREDITS
%patch101
%patch102
%patch103
%patch104
%build
#if 0%{?sles_version} == 1100
#export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
#export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
#else
export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
#endif
export LDFLAGS='-Wl,-z,relro,-z,now -pie'
%configure \
--disable-strict-error-checking \
@ -233,26 +218,33 @@ make SAMBAPREFIX=/usr %{?_smp_mflags}
%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || :
%{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
-g %{name} -o -u 31 -r -s /bin/false 2> /dev/null || :
install -d %{buildroot}%{_localstatedir}/{cache,log}/%{name}
chmod 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
install -d -m 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
install -d %{buildroot}%{_prefix}/sbin
# make_install
make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr
mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default
ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible
install -d -m 755 %{buildroot}%{_sysconfdir}/permissions.d
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy
# pinger should be secure "enough" anyway paranoid will strip everything :)
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%if 0%{?suse_version}
install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
%else # lets just assume other are rh based ones...
install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
# install permissions files
cp -a %{SOURCE9} %{name}.easy
cp -a %{SOURCE9} %{name}.secure
cp -a %{SOURCE15} %{name}.paranoid
%if !0%{?has_systemd}
sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %{name}.easy
sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %{name}.secure
sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\1750@g' %{name}.paranoid
%endif
ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rcsquid
install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
install -D -m 644 %{name}.easy %{buildroot}%{_sysconfdir}/permissions.d/%{name}.easy
# pinger should be secure "enough" anyway paranoid will strip everything :)
install -m 644 %{name}.secure %{buildroot}%{_sysconfdir}/permissions.d/%{name}.secure
install -m 644 %{name}.paranoid %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
# install logrotate file
install -D -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
install -d -m 755 doc/scripts
install scripts/*.pl doc/scripts
@ -285,7 +277,22 @@ fdupes -q -n -r %{buildroot}%{_prefix}
%endif
%if 0%{?has_systemd}
install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
%else # SysVinit
# fix postrotate script for SysVinit
sed -i -re 's@/usr/bin/systemctl.*@/etc/init.d/squid reload@g' %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%if 0%{?suse_version}
install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name}
%else # lets just assume other are rh based ones...
install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
%endif
%endif
%if 0%{?suse_version}
install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
%else
install -D -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
%endif
%pre
@ -314,11 +321,14 @@ fi
%post
%if 0%{?suse_version} >= 1140
%if 0%{?set_permissions:1}
%set_permissions %name
%else
%run_permissions
%endif
%if 0%{?set_permissions:1}
%set_permissions %{_sbindir}/pinger
%set_permissions %{_sbindir}/basic_pam_auth
%set_permissions %{_localstatedir}/cache/squid/
%set_permissions %{_localstatedir}/log/squid/
%else
%run_permissions
%endif
%endif
# update mode?
if [ "$1" -gt "1" ]; then
@ -329,50 +339,52 @@ if [ "$1" -gt "1" ]; then
# default group changed from nogroup to squid
%{_sbindir}/usermod -g %{name} %{name}
fi
%if 0%{?suse_version}
%{fillup_and_insserv -n "squid"}
%else
/sbin/chkconfig --add squid
%endif
%if 0%{?has_systemd}
%service_add_post squid.service
%else
%if 0%{?suse_version}
%{fillup_and_insserv -n "squid"}
%else
/sbin/chkconfig --add squid
%endif
%endif
%preun
%if 0%{?suse_version}
%stop_on_removal squid
%if 0%{?has_systemd}
%service_del_preun squid.service
%else
if [ $1 = 0 ] ; then
%if 0%{?suse_version}
%stop_on_removal squid
%else
if [ $1 = 0 ] ; then
service squid stop >/dev/null 2>&1
rm -f /var/log/squid/*
/sbin/chkconfig --del squid
fi
%endif
%if 0%{?has_systemd}
%service_del_preun squid.service
fi
%endif
%endif
%postun
%if 0%{?has_systemd}
%service_del_postun squid.service
%endif
%if 0%{?suse_version}
%restart_on_update squid
%insserv_cleanup
%verifyscript
%verify_permissions -e /usr/sbin/basic_pam_auth
%verify_permissions -e /usr/sbin/pinger
%verify_permissions -e /var/cache/squid/
%verify_permissions -e /var/log/squid/
%endif
%if 0%{?has_systemd}
%service_del_postun squid.service
%else
if [ "$1" -ge "1" ] ; then
%if 0%{?suse_version}
%restart_on_update squid
%insserv_cleanup
%else
if [ "$1" -ge "1" ] ; then
service squid condrestart >/dev/null 2>&1
fi
fi
%endif
%endif
%files
@ -385,6 +397,8 @@ fi
%doc %{_mandir}/man?/*
%if 0%{?has_systemd}
%{_unitdir}/%{name}.service
%else
%{_sysconfdir}/init.d/%{name}
%endif
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
@ -402,7 +416,6 @@ fi
%config %{squidconfdir}/%{name}.conf.default
%config %{squidconfdir}/%{name}.conf.documented
%config %{_sysconfdir}/pam.d/%{name}
%config %{_sysconfdir}/init.d/%{name}
%config %{_sysconfdir}/permissions.d/%{name}.easy
%config %{_sysconfdir}/permissions.d/%{name}.secure
%config %{_sysconfdir}/permissions.d/%{name}.paranoid
@ -423,7 +436,7 @@ fi
%{_sbindir}/basic_ncsa_auth
%{_sbindir}/basic_nis_auth
%verify(not user group mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth
#%%{_sbindir}/basic_pam_auth
#{_sbindir}/basic_pam_auth
%{_sbindir}/basic_pop3_auth
%{_sbindir}/basic_radius_auth
%{_sbindir}/basic_sasl_auth
@ -450,15 +463,24 @@ fi
%{_sbindir}/negotiate_wrapper_auth
%{_sbindir}/ntlm_fake_auth
%{_sbindir}/ntlm_smb_lm_auth
%verify(not user group mode) %attr(4750,root,squid) %{_sbindir}/pinger
%{_sbindir}/rc%{name}
# not working %%caps(cap_net_raw=ep)
%if 0%{?has_systemd}
%verify(not user group mode caps) %attr(750,root,squid) %{_sbindir}/pinger
%else
%verify(not user group mode) %attr(2750,root,squid) %{_sbindir}/pinger
%endif
%{_sbindir}/%{name}
%{_sbindir}/ssl_crtd
%{_sbindir}/storeid_file_rewrite
%{_sbindir}/unlinkd
%{_sbindir}/url_fake_rewrite
%{_sbindir}/url_fake_rewrite.sh
%if 0%{?suse_version}
%{_sbindir}/rc%{name}
%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
%else
%{_sysconfdir}/sysconfig/%{name}
%endif
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/cachemgr.cgi