Sigh... Some day, I'll learn how to do patches correctly. See new diff (I had forgotten to "cvs add" some of the patches/* files). The already submitted tar file is correct though.
Andreas

On Thu, Dec 06, 2018 at 03:20:10PM +0100, Andreas Kusalananda Kähäri wrote:
> On Wed, Dec 05, 2018 at 12:05:07AM +0000, Stuart Henderson wrote:
> > On 2018/12/05 00:21, Andreas Kusalananda Kähäri wrote:
> > > Attached is a port of sshguard-2.2.0 which appears to work, sort of. It
> > > does not start at boot when started from pkg_scripts. It *does* start
> > > reliably when started manually with "rcctl start sshguard" and it shuts
> > > down reliably both at system shutdown and manually (and in-between, it
> > > runs well).
> > >
> > > Any help with possible diagnoses of the startup problem would be
> > > helpful. I haven't found any other port that starts a shell script as a
> > > daemon, but I have only looked for "/bin/sh" in the rc scripts for that.
> > >
> > > The "stop" action in the rc script is a bit unorthodox:
> > >
> > > kill -- "-$( ps -o pgid= -p "$( pgrep -o -T "${daemon_rtable}" -fx
> > > "${pexp}" )" )"
> > >
> > > ... and that's to send a TERM signal to all the processes in the
> > > relevant process group (sshguard consists of a total of seven separate
> > > processes). The main script does do something similar to this ("kill 0"
> > > in a trap), but this may require bash to work (and even then it doesn't
> > > seem to work reliably).
> > >
> > > I have attached a diff for the port as well as a tar archive of it.
> >
> > It may be worth removing from pkg_scripts and running from rc.local
> > to see if it fails there. If so then run from there under ktrace e.g.
> > "ktrace -f /tmp/ktrace.out -i /usr/sbin/rcctl start sshguard" and
> > see if anything can be gleaned from running kdump on that file.
>
> Yes, it's getting hupped. I have now patched out the installing of the
> signal handler for HUP in one of the helper programs, and I'm ignoring
> the same signal in the main script. The daemon now survives the boot.
> Termination has also been improved (see end).
>
> >
> > A couple of porting notes,
>
> I appreciate these. Thanks!
They are all incorporated. > > > > > > +CONFIGURE_STYLE=simple > > > +CONFIGURE_ARGS= --sysconfdir="${SYSCONFDIR}" \ > > > + --mandir="${TRUEPREFIX}/man" > > > > This has crept back in, it should stay at CONFIGURE_STYLE=gnu and > > remove the manual setting of --sysconfdir= and --mandir. > > > > > +share/examples/sshguard/ > > > +share/examples/sshguard/sshguard.conf.sample > > > +share/examples/sshguard/whitelistfile.example > > > Index: pkg/README > > > =================================================================== > > > RCS file: /extra/cvs/ports/security/sshguard/pkg/README,v > > > retrieving revision 1.3 > > > diff -u -p -r1.3 README > > > --- pkg/README 4 Sep 2018 12:46:21 -0000 1.3 > > > +++ pkg/README 4 Dec 2018 21:10:55 -0000 
> > > @@ -4,7 +4,13 @@ $OpenBSD: README,v 1.3 2018/09/04 12:46: > > > | Running ${PKGSTEM} on OpenBSD > > > +----------------------------------------------------------------------- > > > > > > -To use sshguard with pf(4), add the following to /etc/pf.conf: > > > +Copy the example configuration file: > > > + > > > + cp ${PREFIX}/share/examples/sshguard/sshguard.conf.sample \ > > > + ${SYSCONFDIR}/sshguard.conf > > > > Should use @sample in PLIST instead of telling people to do that by > > hand, e.g. > > > > share/examples/sshguard/ > > share/examples/sshguard/sshguard.conf.sample > > @sample ${SYSCONFDIR}/sshguard.conf > > > > Simpler, and helps pkg_delete -c. > > > > > + > > > +pexp="/bin/sh $pexp" > > > + > > > +rc_stop () { > > > + # Need to send TERM to all processes in the process group not just > > > + # to the ones matching "$pexp". The main sshguard shell script does > > > + # set up a trap for doing this, but it relies on running under bash. > > > + kill -- "-$( ps -o pgid= -p "$( pgrep -o -T "${daemon_rtable}" -fx > > > "${pexp}" )" )" > > > +} > > > > > > rc_bg=YES > > > rc_reload=NO > > > > <insert see-no-evil-monkey emoji here> ;) > > It was evil and have now been removed. I noticed that this way of doing > it would probably have killed the kernel relinking that happens after > boot, had anyone manually stopped the sshguard daemon with "rcctl stop > sshguard" early enough. This is not the way to do it. > > Instead, I do what I believe the sshguard-devs intended people to do, > which is to kill the "sshg-blocker" process instead. This leads to the > rest of the group of processes terminating, except for a "tail" process > (but this will exit as soon as it discovers that there is nobody > reading from the pipe it's writing to). > > This leads me to believe that the diff attached is an actual working > port of sshguard-2.2.0. A tar archive of the port is also attached, as > before. 
>
> I'm happy to be maintainer of this port if nobody else feels that they
> should be.
>
> Regards,
> Andreas
>
> -- 
> Andreas Kusalananda Kähäri,
> National Bioinformatics Infrastructure Sweden (NBIS),
> Uppsala University, Sweden.

-- 
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.
Index: Makefile =================================================================== RCS file: /extra/cvs/ports/security/sshguard/Makefile,v retrieving revision 1.13 diff -u -p -r1.13 Makefile --- Makefile 4 Sep 2018 12:46:21 -0000 1.13 +++ Makefile 6 Dec 2018 14:12:27 -0000 @@ -2,22 +2,31 @@ COMMENT= protect against brute force attacks on sshd and others -DISTNAME= sshguard-1.5 -REVISION= 6 +DISTNAME= sshguard-2.2.0 CATEGORIES= security +HOMEPAGE= https://www.sshguard.net/ + +MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=sshguard/} + +MAINTAINER= Andreas Kusalananda Kahari <andreas.kah...@abc.se> + # BSD PERMIT_PACKAGE_CDROM= Yes WANTLIB+= c pthread -HOMEPAGE= https://www.sshguard.net/ -MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=sshguard/} -EXTRACT_SUFX= .tar.bz2 - CONFIGURE_STYLE=gnu -CONFIGURE_ARGS= --with-firewall=pf NO_TEST= Yes + +post-patch: + ${SUBST_CMD} ${WRKSRC}/doc/sshguard.8 \ + ${WRKSRC}/examples/sshguard.conf.sample + +post-install: + ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/sshguard + ${INSTALL_DATA} ${WRKSRC}/examples/*.{example,sample} \ + ${PREFIX}/share/examples/sshguard .include <bsd.port.mk> Index: distinfo =================================================================== RCS file: /extra/cvs/ports/security/sshguard/distinfo,v retrieving revision 1.3 diff -u -p -r1.3 distinfo --- distinfo 27 Jan 2014 15:49:15 -0000 1.3 +++ distinfo 4 Dec 2018 10:29:38 -0000 @@ -1,2 +1,2 @@ -SHA256 (sshguard-1.5.tar.bz2) = tTf4dlRV/fhCT4fUvWleW2dbiOXRZIZUUhN5Rwk+fhk= -SIZE (sshguard-1.5.tar.bz2) = 303767 +SHA256 (sshguard-2.2.0.tar.gz) = Kv8H/ubsM+T/1UEZFrdRiZd68dd7htrF84NN06o2VsI= +SIZE (sshguard-2.2.0.tar.gz) = 737612 Index: patches/patch-configure =================================================================== RCS file: patches/patch-configure diff -N patches/patch-configure --- patches/patch-configure 24 Jun 2018 10:54:19 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,13 +0,0 @@ -$OpenBSD: patch-configure,v 1.1 2018/06/24 10:54:19 kn Exp $ - -Index: configure ---- configure.orig -+++ configure -@@ -5949,7 +5949,6 @@ then - STD99_CFLAGS="-xc99" - else - # other compiler (assume gcc-compatibile :( ) -- OPTIMIZER_CFLAGS="-O2" - WARNING_CFLAGS="-Wall" - STD99_CFLAGS="-std=c99" - fi Index: patches/patch-doc_sshguard_8 =================================================================== RCS file: patches/patch-doc_sshguard_8 diff -N patches/patch-doc_sshguard_8 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-doc_sshguard_8 4 Dec 2018 21:52:04 -0000 @@ -0,0 +1,16 @@ +$OpenBSD$ + +Index: doc/sshguard.8 +--- doc/sshguard.8.orig ++++ doc/sshguard.8 +@@ -119,8 +119,8 @@ Set to enable verbose output from sshg\-blocker. + .SH FILES + .INDENT 0.0 + .TP +-.B %PREFIX%/etc/sshguard.conf +-See sample configuration file. ++.B ${SYSCONFDIR}/sshguard.conf ++See sample configuration file in ${PREFIX}/share/examples/sshguard/sshguard.conf.sample + .UNINDENT + .SH WHITELISTING + .sp Index: patches/patch-examples_sshguard_conf_sample =================================================================== RCS file: patches/patch-examples_sshguard_conf_sample diff -N patches/patch-examples_sshguard_conf_sample --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-examples_sshguard_conf_sample 4 Dec 2018 16:14:34 -0000 
@@ -0,0 +1,17 @@ +$OpenBSD$ + +Index: examples/sshguard.conf.sample +--- examples/sshguard.conf.sample.orig ++++ examples/sshguard.conf.sample +@@ -7,9 +7,11 @@ + #### REQUIRED CONFIGURATION #### + # Full path to backend executable (required, no default) + #BACKEND="/usr/local/libexec/sshg-fw-iptables" ++BACKEND="${TRUEPREFIX}/libexec/sshg-fw-pf" + + # Space-separated list of log files to monitor. (optional, no default) + #FILES="/var/log/auth.log /var/log/authlog /var/log/maillog" ++FILES=/var/log/authlog + + # Shell command that provides logs on standard output. (optional, no default) + # Example 1: ssh and sendmail from systemd journal: Index: patches/patch-src_blocker_blocker_c =================================================================== RCS file: patches/patch-src_blocker_blocker_c diff -N patches/patch-src_blocker_blocker_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_blocker_blocker_c 6 Dec 2018 10:37:47 -0000 @@ -0,0 +1,15 @@ +$OpenBSD$ + +Index: src/blocker/blocker.c +--- src/blocker/blocker.c.orig ++++ src/blocker/blocker.c +@@ -139,7 +139,8 @@ int main(int argc, char *argv[]) { + + /* termination signals */ + signal(SIGTERM, sigfin_handler); +- signal(SIGHUP, sigfin_handler); ++ /* Don't install handler for HUP */ ++ /* signal(SIGHUP, sigfin_handler); */ + signal(SIGINT, sigfin_handler); + atexit(finishup); + Index: patches/patch-src_fwalls_command_c =================================================================== RCS file: patches/patch-src_fwalls_command_c diff -N patches/patch-src_fwalls_command_c --- patches/patch-src_fwalls_command_c 9 Sep 2011 20:13:28 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,15 +0,0 @@ -$OpenBSD: patch-src_fwalls_command_c,v 1.1 2011/09/09 20:13:28 naddy Exp $ - -Allow building with gcc3. - ---- src/fwalls/command.c.orig Fri Sep 9 22:07:56 2011 -+++ src/fwalls/command.c Fri Sep 9 22:08:12 2011 -@@ -59,7 +59,7 @@ int fw_block(const char *restrict addr, int addrkind, - return (run_command(COMMAND_BLOCK, addr, addrkind, service) == 0 ? FWALL_OK : FWALL_ERR); - } - --int fw_block_list(const char *restrict addresses[], int addrkind, const int service_codes[]) { -+int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]) { - /* block each address individually */ - int i; - Index: patches/patch-src_sshguard_fw_h =================================================================== RCS file: patches/patch-src_sshguard_fw_h diff -N patches/patch-src_sshguard_fw_h --- patches/patch-src_sshguard_fw_h 9 Sep 2011 20:13:28 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,15 +0,0 @@ -$OpenBSD: patch-src_sshguard_fw_h,v 1.1 2011/09/09 20:13:28 naddy Exp $ - -Allow building with gcc3. - ---- src/sshguard_fw.h.orig Fri Sep 9 22:07:03 2011 -+++ src/sshguard_fw.h Fri Sep 9 22:07:20 2011 -@@ -85,7 +85,7 @@ int fw_block(const char *restrict addr, int addrkind, - * - * @return FWALL_OK or FWALL_ERR - */ --int fw_block_list(const char *restrict addresses[], int addrkind, const int service_codes[]); -+int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]); - - - /** Index: patches/patch-src_sshguard_in =================================================================== RCS file: patches/patch-src_sshguard_in diff -N patches/patch-src_sshguard_in --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_sshguard_in 6 Dec 2018 10:35:54 -0000 
@@ -0,0 +1,15 @@ +$OpenBSD$ + +Index: src/sshguard.in +--- src/sshguard.in.orig ++++ src/sshguard.in +@@ -5,6 +5,9 @@ + # entire process group (subshell) on exit/interrupts. + trap "trap - TERM && kill 0" INT TERM EXIT + ++# Ignore HUP ++trap "" HUP ++ + libexec="@libexecdir@" + version="@sshguardversion@" + Index: patches/patch-src_sshguard_logsuck_c =================================================================== RCS file: patches/patch-src_sshguard_logsuck_c diff -N patches/patch-src_sshguard_logsuck_c --- patches/patch-src_sshguard_logsuck_c 7 Mar 2011 17:44:16 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,12 +0,0 @@ -$OpenBSD: patch-src_sshguard_logsuck_c,v 1.2 2011/03/07 17:44:16 rpointel Exp $ ---- src/sshguard_logsuck.c.orig Wed Feb 9 13:01:47 2011 -+++ src/sshguard_logsuck.c Sat Mar 5 19:27:53 2011 -@@ -242,7 +242,7 @@ int logsuck_getline(char *restrict buf, size_t buflen, - if (ret > 0) { - if (kevs[0].filter == EVFILT_READ) { - /* got data on this one. Read from it */ -- sshguard_log(LOG_DEBUG, "Searching for fd %lu in list.", kevs[0].ident); -+ sshguard_log(LOG_DEBUG, "Searching for fd %u in list.", kevs[0].ident); - readentry = list_seek(& sources_list, & kevs[0].ident); - assert(readentry != NULL); - assert(readentry->active); Index: patches/patch-src_sshguard_procauth_c =================================================================== RCS file: patches/patch-src_sshguard_procauth_c diff -N patches/patch-src_sshguard_procauth_c --- patches/patch-src_sshguard_procauth_c 7 Sep 2010 12:23:43 -0000 1.1.1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,12 +0,0 @@ -$OpenBSD: patch-src_sshguard_procauth_c,v 1.1.1.1 2010/09/07 12:23:43 millert Exp $ ---- src/sshguard_procauth.c.orig Mon Aug 9 02:44:15 2010 -+++ src/sshguard_procauth.c Mon Aug 30 13:05:40 2010 -@@ -192,7 +192,7 @@ static int procauth_ischildof(pid_t child, pid_t paren - dup2(ps2me[1], 1); - - sshguard_log(LOG_DEBUG, "Running 'ps axo pid,ppid'."); -- execlp("ps", "ps", "axo", "pid,ppid", NULL); -+ execlp("ps", "ps", "axo", "pid,ppid", (char *)0); - - sshguard_log(LOG_ERR, "Unable to run 'ps axo pid,ppid': %s.", strerror(errno)); - exit(-1); Index: pkg/PLIST =================================================================== RCS file: /extra/cvs/ports/security/sshguard/pkg/PLIST,v retrieving revision 1.5 diff -u -p -r1.5 PLIST --- pkg/PLIST 4 Sep 2018 12:46:21 -0000 1.5 +++ pkg/PLIST 5 Dec 2018 08:15:56 -0000 @@ -1,6 +1,23 @@ @comment $OpenBSD: PLIST,v 1.5 2018/09/04 12:46:21 espie Exp $ @pkgpath security/sshguard,tcpd +@rcscript ${RCDIR}/sshguard +@bin libexec/sshg-blocker +libexec/sshg-fw-firewalld +@bin libexec/sshg-fw-hosts +libexec/sshg-fw-ipfilter +libexec/sshg-fw-ipfw +libexec/sshg-fw-ipset +libexec/sshg-fw-iptables +libexec/sshg-fw-nft-sets +libexec/sshg-fw-null +libexec/sshg-fw-pf +libexec/sshg-logtail +@bin libexec/sshg-parser +@man man/man7/sshguard-setup.7 @man man/man8/sshguard.8 -@bin sbin/sshguard +sbin/sshguard share/doc/pkg-readmes/${PKGSTEM} -@rcscript ${RCDIR}/sshguard +share/examples/sshguard/ +share/examples/sshguard/sshguard.conf.sample +@sample ${SYSCONFDIR}/sshguard.conf +share/examples/sshguard/whitelistfile.example Index: pkg/README =================================================================== RCS file: /extra/cvs/ports/security/sshguard/pkg/README,v retrieving revision 1.3 diff -u -p -r1.3 README --- pkg/README 4 Sep 2018 12:46:21 -0000 1.3 +++ pkg/README 5 Dec 2018 08:16:29 -0000 
@@ -4,7 +4,8 @@ $OpenBSD: README,v 1.3 2018/09/04 12:46: | Running ${PKGSTEM} on OpenBSD +----------------------------------------------------------------------- -To use sshguard with pf(4), add the following to /etc/pf.conf: +To use ${PKGSTEM} with pf(4), add something similar to the following to +${SYSCONFDIR}/pf.conf: table <sshguard> persist Index: pkg/sshguard.rc =================================================================== RCS file: /extra/cvs/ports/security/sshguard/pkg/sshguard.rc,v retrieving revision 1.4 diff -u -p -r1.4 sshguard.rc --- pkg/sshguard.rc 11 Jan 2018 19:27:09 -0000 1.4 +++ pkg/sshguard.rc 6 Dec 2018 11:44:46 -0000 @@ -3,9 +3,10 @@ # $OpenBSD: sshguard.rc,v 1.4 2018/01/11 19:27:09 rpe Exp $ daemon="${TRUEPREFIX}/sbin/sshguard" -daemon_flags="-l /var/log/authlog" . /etc/rc.d/rc.subr + +pexp="${TRUEPREFIX}/libexec/sshg-blocker .*" rc_bg=YES rc_reload=NO
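
Review bot: In the Makefile hunk, the post-install glob "${WRKSRC}/examples/*.{example,sample}" depends on brace expansion, which POSIX sh does not specify, so the install step works only if the shell that make(1) runs supports it. Listing the two patterns explicitly (examples/*.example examples/*.sample) removes that dependency.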
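
Review bot: In patches/patch-src_blocker_blocker_c, commenting out "signal(SIGHUP, sigfin_handler);" leaves sshg-blocker with whatever SIGHUP disposition it inherits instead of one it chooses. Started from the patched sshguard script that disposition is "ignored", but started any other way the default action terminates the process without running the finishup() registered through atexit(). If the intent is to survive hangups, "signal(SIGHUP, SIG_IGN);" says so in the code, and the commented-out call can then be deleted rather than kept.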
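
Review bot: In patches/patch-src_sshguard_in, the comment "# Ignore HUP" restates the trap line without giving the reason. The ignore is inherited by every process the script starts afterwards, so it changes behaviour for the whole set of helpers and not only for the shell; a one-line reason (the daemon was being hung up when started from pkg_scripts at boot) would tell whoever next updates the port why the line has to stay.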
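
Review bot: In pkg/sshguard.rc, pexp now matches "${TRUEPREFIX}/libexec/sshg-blocker .*" while daemon is still sbin/sshguard, and nothing in the script says why the two differ. A short comment that sshguard is a shell wrapper and that stopping sshg-blocker is what brings the remaining processes down would document it. The pattern also requires a space after the path, so it matches only if sshg-blocker is always started with at least one argument; that is worth confirming.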
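
The SIGHUP behaviour that the blocker.c and sshguard.in changes rely on, as an added example that is not part of the original message, the port or sshguard itself: a signal ignored by the wrapper shell stays ignored in the programs it execs, while a caught signal is reset to the default action on exec. The function name survives_hup is hypothetical, and sleep stands in for a helper such as sshg-blocker.

```shell
#!/bin/sh
# Added illustration; sleep(1) is a stand-in for a helper such as sshg-blocker.

# survives_hup MODE  ->  prints "survived" or "killed"
#   default : the wrapper leaves SIGHUP alone
#   handler : the wrapper installs a SIGHUP handler (trap ':' HUP)
#   ignore  : the wrapper ignores SIGHUP (trap "" HUP), as the patched
#             src/sshguard.in does
survives_hup() {
    mode=$1
    (
        case $mode in
            handler) trap ':' HUP ;;   # caught: reset to default by exec
            ignore)  trap "" HUP ;;    # ignored: inherited across exec
        esac
        exec sleep 5                   # the "helper" replaces the subshell
    ) >/dev/null 2>&1 &
    pid=$!

    sleep 1                                  # let the subshell reach exec
    kill -HUP "$pid" 2>/dev/null || true     # the hangup seen at boot
    sleep 1
    kill -TERM "$pid" 2>/dev/null || true    # clean up a survivor

    status=0
    wait "$pid" || status=$?
    case $status in
        129) echo killed ;;      # 128 + SIGHUP (1): the hangup ended it
        143) echo survived ;;    # 128 + SIGTERM (15): HUP had no effect
        *)   echo "unexpected:$status" ;;
    esac
}

# Usage: survives_hup default; survives_hup handler; survives_hup ignore
```

Only the ignore case survives, which is why the helper needs no handler of its own once the wrapper script ignores the signal before starting it.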