author | Michael Orlitzky <mjo@gentoo.org> | 2017-05-13 20:17:43 -0400 |
---|---|---|
committer | Michael Orlitzky <mjo@gentoo.org> | 2017-05-14 09:45:17 -0400 |
commit | bdd24a8411337b6308e001e3e3016930c8e55007 (patch) | |
tree | fdfc41d271d46f4d432a6079112b5b7f83bfc9fd | |
parent | media-gfx/openscad: Add emacs mode, thanks Emery Hemingway for the ebuild (bu... (diff) | |
www-apache/mod_security: new revision with updated default configuration.
I've made a few small changes to the configuration file that we
install by default. First, I've added two settings, SecTmpDir and
SecUploadDir, which serve a similar purpose to the existing
SecDataDir. All of those need to be located somewhere safe, and the
upstream defaults point to /tmp (which is not safe). It is therefore
necessary that we override them, and point them to a location that is
created and made private in the ebuild. We now use
/var/lib/modsecurity/{data,tmp,upload}
and I've made them mode 0750 by default (owned by apache:apache).
I've also removed two settings that used to be present. Our default
configuration is extremely close to the upstream defaults, and sets
almost nothing in 79_mod_security.conf explicitly. The presence of
SecHttpBlKey was therefore rather strange, since it was disabled by
default and contained nothing Gentoo-specific. I've removed it for
consistency (it is documented upstream for people who want it).
The other setting that I've removed is SecGeoLookupDb. This one could
at least be justified for containing a Gentoo-specific path. However,
the path doesn't work out-of-the-box; it requires you to (manually, or
via cron) update your GeoIP database at least once before using it. At
that point, you know the location of the database, and can point
mod_security to it yourself. Taking that into consideration, it again
makes more sense to omit the setting for consistency and defer to the
upstream documentation and defaults.
Package-Manager: Portage-2.3.3, Repoman-2.3.1
 www-apache/mod_security/files/79_mod_security.conf | 20
 www-apache/mod_security/mod_security-2.9.1-r1.ebuild (renamed from www-apache/mod_security/mod_security-2.9.1.ebuild) | 7
 2 files changed, 20 insertions, 7 deletions
diff --git a/www-apache/mod_security/files/79_mod_security.conf b/www-apache/mod_security/files/79_mod_security.conf index bd88e88a9771..8c7e128571ed 100644 --- a/www-apache/mod_security/files/79_mod_security.conf +++ b/www-apache/mod_security/files/79_mod_security.conf @@ -1,11 +1,19 @@ <IfDefine SECURITY> LoadModule security2_module modules/mod_security2.so - SecDataDir /var/lib/modsecurity - # Enable looking up geolocation data from MaxMind's GeoIP database - # SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat + # These paths are Gentoo-specific, created by the ebuild. + SecDataDir /var/lib/modsecurity/data + SecTmpDir /var/lib/modsecurity/tmp + SecUploadDir /var/lib/modsecurity/upload - # Define here your http:BL API key if any - # see http://www.projecthoneypot.org/httpbl_api.php - #SecHttpBlKey xxxxxxxx + # A copy of upstream's modsecurity.conf-recommended is installed + # along with the documentation for mod_security. It contains many + # recommended settings that you should evaluate for your system. + # The full documentation for the available settings can be found + # in the mod_security reference manual, at + # + # https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual + # + # and in particular in the "Configuration Directives" setting. + # </IfDefine> diff --git a/www-apache/mod_security/mod_security-2.9.1.ebuild b/www-apache/mod_security/mod_security-2.9.1-r1.ebuild index c444dd2ecf3c..6dc8bf354d1c 100644 --- a/www-apache/mod_security/mod_security-2.9.1.ebuild +++ b/www-apache/mod_security/mod_security-2.9.1-r1.ebuild @@ -90,7 +90,12 @@ src_install() { # Bug 605496. keepdir /var/lib/modsecurity fowners apache:apache /var/lib/modsecurity - fperms 0770 /var/lib/modsecurity + fperms 0750 /var/lib/modsecurity + for dir in data tmp upload; do + keepdir "/var/lib/modsecurity/${dir}" + fowners apache:apache "/var/lib/modsecurity/${dir}" + fperms 0750 "/var/lib/modsecurity/${dir}" + done } pkg_postinst() { |
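Review bot: in the 79_mod_security.conf hunk, the last line of the new comment block says "in particular in the "Configuration Directives" setting", but that names a chapter of the reference manual, not a directive, so it should read "section". The same comment would also be the natural place to state that the three directories are created by the ebuild as apache:apache with mode 0750 and that SecTmpDir and SecUploadDir must stay writable by the Apache worker user and readable by nobody else, since the hunk replaces the /tmp defaults precisely to get those guarantees but the installed file never says so.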
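Review bot: in the ebuild hunk, the new `for dir in data tmp upload; do` loop has nothing tying the subdirectory names to the SecDataDir, SecTmpDir and SecUploadDir paths set in 79_mod_security.conf, so a later edit to either file can silently diverge; a one-line comment above the loop naming the config file (the existing "# Bug 605496." comment only covers the top-level keepdir) would fix that. Separately, SecDataDir moves from /var/lib/modsecurity to /var/lib/modsecurity/data, so persistent collection files from earlier installs stay behind in the parent directory; pkg_postinst() (whose body is outside this hunk) is the place for an elog telling upgrading users to move or remove them.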