commit: dc104f3fb51e6aba53f999c03ad23534bccf2f79 Author: Glenn Strauss <gstrauss <AT> gluelogic <DOT> com> AuthorDate: Fri Apr 4 07:15:13 2025 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Mon Apr 7 00:25:14 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc104f3f
www-servers/lighttpd: add 1.4.79 Signed-off-by: Glenn Strauss <gstrauss <AT> gluelogic.com> Closes: https://github.com/gentoo/gentoo/pull/41455 Signed-off-by: Sam James <sam <AT> gentoo.org> www-servers/lighttpd/Manifest | 2 + www-servers/lighttpd/files/lighttpd.service-r3 | 84 ++++++++++++++++++++++ ...lighttpd-9999.ebuild => lighttpd-1.4.79.ebuild} | 2 +- www-servers/lighttpd/lighttpd-9999.ebuild | 2 +- 4 files changed, 88 insertions(+), 2 deletions(-)
diff --git a/www-servers/lighttpd/Manifest b/www-servers/lighttpd/Manifest
index 45951ca01580..20efaf15ff25 100644
--- a/www-servers/lighttpd/Manifest
+++ b/www-servers/lighttpd/Manifest
@@ -2,3 +2,5 @@ DIST lighttpd-1.4.77.tar.xz 857872 BLAKE2B 52775633d494d502b76ec200efefadb99996d
 DIST lighttpd-1.4.77.tar.xz.asc 833 BLAKE2B 5d3bdccd5788fce50d908eb028760290bd8033d27c0f15f414d2c5fe7d07b31ecd05aa2028d3a6b37ebdaaf2aafebb37c685834af6c502b80de185740c52de3a SHA512 5068f871244929054cc63c0381ec99f43cea573bd1d303ce3ad8a46df09e4358a96679fcb0a689d49ee2ab0228f11a95270b4e8418b7d69b7cddce425f1b14b1
 DIST lighttpd-1.4.78.tar.xz 863668 BLAKE2B 7465cc1794a5cf1167635615126e458c6708c58aaf87fc3bab9c54a140973193227f1dc0071ee618d3e6087d220de40883196f8d3c0a8e998036b3bb47e51d01 SHA512 40559e676da38b7b4742d7140ab1afe6b69a10ececc5ab1e18c1ea0e4b1c3f13f8058e8e005cbad3df8c008b6b80511afbd0bde9c8094848f3db4d5a29961181
 DIST lighttpd-1.4.78.tar.xz.asc 833 BLAKE2B 6341885ffda6712aa3eef07842a0534d9a4e80f0b55c98711f977fdc726d5193f17b0f5d6615fa2d8748b895a12484264cf98e3cac4a7b805e7eafa5459a3efd SHA512 09569a4ebff206cfa2ad5439e5fa6876ed10ea555c8cc990bcf83dffc2723febfdcbdd26ede09eb616fdc6c6a94b53d23842567af6901ec66dfcbb287374a7c5
+DIST lighttpd-1.4.79.tar.xz 865428 BLAKE2B 99a30d778b8df794695ed8ae6a016e0cec7c0a428ac247a87087f683e9a10a7a957d7e637a5710ea3df7793b046f7f0a659013d680c34c434a607885bd5f9997 SHA512 e0f1bb2cfca5e81001ea30d13f088425dfc7acbec924ecddf438eb6326ab3158a61c6c4aaee0b68a90666d1cb987ce94b1f6a48afd92485cc995db5b58265f83
+DIST lighttpd-1.4.79.tar.xz.asc 833 BLAKE2B a05351e88f73134b90fe85056d3dfa4861d34915980d2fb095327b26ec15d090db576208837a232b2faf9b929874ef86a9370859b078f87d7ec228f71db08a46 SHA512 d57546d57652ab27a5972c2a6977f175a0f9062dcfcdfaa6f4ec952d07d0780d5a98d6d94eaab086e9c5577a3e960371459d1f3cd8631b881d0a6164a6471326
diff --git a/www-servers/lighttpd/files/lighttpd.service-r3 b/www-servers/lighttpd/files/lighttpd.service-r3
new file mode 100644
index 000000000000..288d08e00729
--- /dev/null
+++ b/www-servers/lighttpd/files/lighttpd.service-r3
@@ -0,0 +1,84 @@
+[Unit]
+Description=Lighttpd Daemon
+After=syslog.target network-online.target
+Documentation=man:lighttpd https://wiki.lighttpd.net
+
+# optional: systemd socket activation for lighttpd
+# Requires lighttpd.conf: server.systemd-socket-activation = "enable"
+# Requires installation, configuration, enabling of systemd lighttpd*.socket
+# https://git.lighttpd.net/lighttpd/lighttpd1.4/src/branch/master/doc/systemd/
+#Requires=lighttpd-http-ipv4.socket lighttpd-http-ipv6.socket lighttpd-https-ipv4.socket lighttpd-https-ipv6.socket
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=simple
+PIDFile=/run/lighttpd.pid
+ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
+ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
+ExecReload=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
+ExecReload=/bin/kill -USR1 $MAINPID
+Restart=on-failure
+
+# increase num files soft limit; 1024 harkens back to select() limit
+# (lighttpd.conf must still be configured with `server.max-fds`; default 4096)
+LimitNOFILE=32768:524288
+
+#
+# system capabilities hardening
+#
+
+# (comment all out if running lighttpd as root to manage system, e.g. via LuCI)
+
+# Recommended configuration: have systemd start lighttpd as unprivileged user.
+# Note: starting lighttpd as unprivileged user requires TLS certificates to be
+# readable by the unprivileged user and will fail for existing configurations
+# where that is not currently the case. For that scenario and for similar
+# compatibility reasons, this is not yet enabled by default.
+#User=lighttpd
+#Group=lighttpd
+
+# Allow unprivileged lighttpd to bind,listen to ports < 1024 (i.e. 80 and 443).
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# Recommended configuration: strictly limit capabilities
+# Limit capabilities, including for children and privileged processes, e.g. root
+# CAP_NET_BIND_SERVICE allows bind() to ports < 1024 (i.e. 80 and 443).
+# CAP_SETGID, CAP_SETUID, and CAP_SYS_CHROOT are self explanatory.
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
+# If not starting lighttpd as root, minimal capability to bind to ports < 1024:
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Using systemd socket activation, even CAP_NET_BIND_SERVICE is not necessary
+# and could be removed from AmbientCapabilities and CapabilityBoundingSet.
+# Requires lighttpd*.socket 'Requires' in [Unit] section at top of this file.
+
+# Note: PrivateTmp=yes
+# could break backends if named socket from independent daemon is located
+# in /tmp; must relocate lighttpd.conf socket paths to e.g. /run/lighttpd
+# Note: ProtectHome=read-only
+# could break CGI scripts or WebDAV writing to home paths
+# Note: RestrictSUIDSGID=yes
+# could break CGI scripts or WebDAV setting suid/sgid permission bit on files
+
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=full
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
diff --git a/www-servers/lighttpd/lighttpd-9999.ebuild b/www-servers/lighttpd/lighttpd-1.4.79.ebuild
similarity index 98%
copy from www-servers/lighttpd/lighttpd-9999.ebuild
copy to www-servers/lighttpd/lighttpd-1.4.79.ebuild
index ad6023182db3..acf2800b1887 100644
--- a/www-servers/lighttpd/lighttpd-9999.ebuild
+++ b/www-servers/lighttpd/lighttpd-1.4.79.ebuild
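Review bot: In the `[Service]` section of lighttpd.service-r3, `User=`/`Group=` and both `CapabilityBoundingSet=` lines are commented out, so as installed the daemon is started as root with an unrestricted capability bounding set and any drop to an unprivileged account depends on lighttpd.conf. The systemd.exec documentation notes that mount-namespace protections such as `ProtectSystem=`, `ProtectHome=` and `PrivateTmp=` can be undone by a process that keeps CAP_SYS_ADMIN, so the hardening block is weaker than it reads until the bounding set is limited. Consider shipping `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT` enabled, which the unit's own comment gives as the set for a root-started lighttpd; this would need testing against existing setups, for example ones where root reads key or log files it does not own. Two smaller points in the same file: `After=network-online.target` has no matching `Wants=network-online.target`, and `PIDFile=/run/lighttpd.pid` is set although systemd documents `PIDFile=` for `Type=forking` and this unit uses `Type=simple` with `-D`.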
@@ -196,7 +196,7 @@ src_install() { fowners lighttpd:lighttpd /var/l{ib,og}/lighttpd fperms 0750 /var/l{ib,og}/lighttpd - systemd_newunit "${FILESDIR}"/${PN}.service-r2 ${PN}.service + systemd_newunit "${FILESDIR}"/${PN}.service-r3 ${PN}.service newtmpfiles "${FILESDIR}"/${PN}.tmpfiles.conf ${PN}.conf } diff --git a/www-servers/lighttpd/lighttpd-9999.ebuild b/www-servers/lighttpd/lighttpd-9999.ebuild index ad6023182db3..acf2800b1887 100644 --- a/www-servers/lighttpd/lighttpd-9999.ebuild +++ b/www-servers/lighttpd/lighttpd-9999.ebuild @@ -196,7 +196,7 @@ src_install() { fowners lighttpd:lighttpd /var/l{ib,og}/lighttpd fperms 0750 /var/l{ib,og}/lighttpd - systemd_newunit "${FILESDIR}"/${PN}.service-r2 ${PN}.service + systemd_newunit "${FILESDIR}"/${PN}.service-r3 ${PN}.service newtmpfiles "${FILESDIR}"/${PN}.tmpfiles.conf ${PN}.conf }
