commit: c32aef5d13c57017978860eb65c1c4f5ce88721c
Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Sun Jun 23 17:13:53 2019 +0000
Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Sun Jun 23 17:15:16 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c32aef5d
net-im/openfire: new revision to clean up ownership handling.
The new revision (-r2) is intended to clean up some of the ownership
and group handling that led to the security issue in bug 630914. Note
that while that *particular* bug was fixed, the ebuild was still
calling "chmod" in a user-controlled directory, which is also
exploitable. The following changes hopefully eliminate all of
those problems:
* Add /opt/openfire/conf to CONFIG_PROTECT.
* Use insopts/diropts to create everything under /opt/openfire with
the correct ownership and permissions to begin with.
* Install conf/openfire.xml and conf/security.xml in src_install(),
instead of creating (and chmod'ing) them later in pkg_postinst().
* Drop pkg_postinst() entirely now that we install {openfire,security}.xml
in src_install().
Bug: https://bugs.gentoo.org/630914
Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>
Package-Manager: Portage-2.3.66, Repoman-2.3.11
net-im/openfire/openfire-4.2.3-r2.ebuild | 80 ++++++++++++++++++++++++++++++++
1 file changed, 80 insertions(+)
diff --git a/net-im/openfire/openfire-4.2.3-r2.ebuild
b/net-im/openfire/openfire-4.2.3-r2.ebuild
new file mode 100644
index 00000000000..d504e403aba
--- /dev/null
+++ b/net-im/openfire/openfire-4.2.3-r2.ebuild
@@ -0,0 +1,80 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit eutils java-pkg-2 java-ant-2 systemd
+
+MY_P=${PN}_src_${PV//./_}
+DESCRIPTION="Openfire (formerly wildfire) real time collaboration (RTC) server"
+HOMEPAGE="http://www.igniterealtime.org/projects/openfire/";
+SRC_URI="http://www.igniterealtime.org/builds/openfire/${MY_P}.tar.gz";
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="doc"
+
+RDEPEND=">=virtual/jre-1.7"
+DEPEND="net-im/jabber-base
+ ~dev-java/ant-contrib-1.0_beta2
+ >=virtual/jdk-1.7"
+
+S=${WORKDIR}/${PN}_src
+
+pkg_setup() {
+ java-pkg-2_pkg_setup
+}
+
+src_compile() {
+ # Jikes doesn't support -source 1.5
+ java-pkg_filter-compiler jikes
+
+ ANT_TASKS="ant-contrib"
+ eant -f build/build.xml openfire plugins $(use_doc)
+
+ # delete nativeAuth prebuilt libs:
+ # uses outdated unmaintained libshaj, does not support amd64
+ rm -rfv target/openfire/resources/nativeAuth || die
+}
+
+src_install() {
+ #Protect ssl key on upgrade
+ dodir /etc/env.d/
+ echo 'CONFIG_PROTECT="/opt/openfire/resources/security/"' >
"${D}"/etc/env.d/98openfire
+ echo 'CONFIG_PROTECT="/opt/openfire/conf/"' >
"${D}"/etc/env.d/98openfire
+
+ newinitd "${FILESDIR}"/openfire-initd openfire
+ newconfd "${FILESDIR}"/openfire-confd openfire
+ systemd_dounit "${FILESDIR}"/${PN}.service
+
+ diropts --owner=jabber --group=jabber
+ insopts --owner=jabber --group=jabber
+ dodir /opt/openfire
+
+ dodir /opt/openfire/logs
+ keepdir /opt/openfire/logs
+
+ dodir /opt/openfire/lib
+ insinto /opt/openfire/lib
+ doins target/openfire/lib/*
+
+ dodir /opt/openfire/plugins
+ insinto /opt/openfire/plugins
+ doins -r target/openfire/plugins/*
+
+ dodir /opt/openfire/resources
+ insinto /opt/openfire/resources
+ doins -r target/openfire/resources/*
+
+ if use doc; then
+ dohtml -r documentation/docs/*
+ fi
+ dodoc documentation/dist/*
+
+ dodir /opt/openfire/conf
+ insinto /opt/openfire/conf
+ insopts --mode=0600 --owner=jabber --group=jabber
+ newins target/openfire/conf/openfire.xml openfire.xml
+ newins target/openfire/conf/security.xml security.xml
+}
