From c32aef5d13c57017978860eb65c1c4f5ce88721c Mon Sep 17 00:00:00 2001 From: Michael Orlitzky Date: Sun, 23 Jun 2019 13:13:53 -0400 Subject: net-im/openfire: new revision to clean up ownership handling. The new revision (-r2) is intended to clean up some of the ownership and group handling that led to the security issue in bug 630914. Note that while that *particular* bug was fixed, the ebuild was still calling "chmod" in a user-controlled directory, which is also exploitable. The following changes hopefully eliminate all of those problems: * Add /opt/openfire/conf to CONFIG_PROTECT. * Use insopts/diropts to create everything under /opt/openfire with the correct ownership and permissions to begin with. * Install conf/openfire.xml and conf/security.xml in src_install(), instead of creating (and chmod'ing) them later in pkg_postinst(). * Drop pkg_postinst() entirely now that we install {openfire,security}.xml in src_install(). Bug: https://bugs.gentoo.org/630914 Signed-off-by: Michael Orlitzky Package-Manager: Portage-2.3.66, Repoman-2.3.11 --- net-im/openfire/openfire-4.2.3-r2.ebuild | 80 ++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 net-im/openfire/openfire-4.2.3-r2.ebuild (limited to 'net-im') diff --git a/net-im/openfire/openfire-4.2.3-r2.ebuild b/net-im/openfire/openfire-4.2.3-r2.ebuild new file mode 100644 index 000000000000..d504e403abae --- /dev/null +++ b/net-im/openfire/openfire-4.2.3-r2.ebuild @@ -0,0 +1,80 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +inherit eutils java-pkg-2 java-ant-2 systemd + +MY_P=${PN}_src_${PV//./_} +DESCRIPTION="Openfire (formerly wildfire) real time collaboration (RTC) server" +HOMEPAGE="http://www.igniterealtime.org/projects/openfire/" +SRC_URI="http://www.igniterealtime.org/builds/openfire/${MY_P}.tar.gz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~x86" +IUSE="doc" + +RDEPEND=">=virtual/jre-1.7" +DEPEND="net-im/jabber-base + ~dev-java/ant-contrib-1.0_beta2 + >=virtual/jdk-1.7" + +S=${WORKDIR}/${PN}_src + +pkg_setup() { + java-pkg-2_pkg_setup +} + +src_compile() { + # Jikes doesn't support -source 1.5 + java-pkg_filter-compiler jikes + + ANT_TASKS="ant-contrib" + eant -f build/build.xml openfire plugins $(use_doc) + + # delete nativeAuth prebuilt libs: + # uses outdated unmaintained libshaj, does not support amd64 + rm -rfv target/openfire/resources/nativeAuth || die +} + +src_install() { + #Protect ssl key on upgrade + dodir /etc/env.d/ + echo 'CONFIG_PROTECT="/opt/openfire/resources/security/"' > "${D}"/etc/env.d/98openfire + echo 'CONFIG_PROTECT="/opt/openfire/conf/"' > "${D}"/etc/env.d/98openfire + + newinitd "${FILESDIR}"/openfire-initd openfire + newconfd "${FILESDIR}"/openfire-confd openfire + systemd_dounit "${FILESDIR}"/${PN}.service + + diropts --owner=jabber --group=jabber + insopts --owner=jabber --group=jabber + dodir /opt/openfire + + dodir /opt/openfire/logs + keepdir /opt/openfire/logs + + dodir /opt/openfire/lib + insinto /opt/openfire/lib + doins target/openfire/lib/* + + dodir /opt/openfire/plugins + insinto /opt/openfire/plugins + doins -r target/openfire/plugins/* + + dodir /opt/openfire/resources + insinto /opt/openfire/resources + doins -r target/openfire/resources/* + + if use doc; then + dohtml -r documentation/docs/* + fi + dodoc documentation/dist/* + + dodir /opt/openfire/conf + insinto /opt/openfire/conf + insopts --mode=0600 --owner=jabber --group=jabber + newins target/openfire/conf/openfire.xml openfire.xml + newins target/openfire/conf/security.xml security.xml +} -- cgit v1.2.3-65-gdbad