author | Tom William Payne <twp@gentoo.org> | 2006-01-25 19:37:10 +0000 |
---|---|---|
committer | Tom William Payne <twp@gentoo.org> | 2006-01-25 19:37:10 +0000 |
commit | 190bf5403b66134ce60d8e36e75573a2039fbfee (patch) | |
tree | 1a03ec220860980102e249a085538bb751903668 /www-apache | |
parent | New upstream release: MonetDB 4.10.0 "Earth" (diff) | |
Improved default security and webapp support. Thanks webapp and apache herds.
(Portage version: 2.1_pre3-r1)
Diffstat (limited to 'www-apache')
-rw-r--r-- | www-apache/anyterm/ChangeLog | 10 | ||||
-rw-r--r-- | www-apache/anyterm/Manifest | 11 | ||||
-rw-r--r-- | www-apache/anyterm/anyterm-1.1.8-r1.ebuild | 116 | ||||
-rw-r--r-- | www-apache/anyterm/anyterm-1.1.8-r2.ebuild | 105 | ||||
-rw-r--r-- | www-apache/anyterm/files/50_anyterm.conf | 8 | ||||
-rw-r--r-- | www-apache/anyterm/files/anyterm-1.1.8-browser-gentoo.patch | 71 | ||||
-rw-r--r-- | www-apache/anyterm/files/anyterm-1.1.8-postinst-en.txt | 59 | ||||
-rw-r--r-- | www-apache/anyterm/files/digest-anyterm-1.1.8-r2 (renamed from www-apache/anyterm/files/digest-anyterm-1.1.8-r1) | 0 |
8 files changed, 232 insertions, 148 deletions
diff --git a/www-apache/anyterm/ChangeLog b/www-apache/anyterm/ChangeLog index 16b887a53ff0..dfb6a46d299f 100644 --- a/www-apache/anyterm/ChangeLog +++ b/www-apache/anyterm/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for www-apache/anyterm # Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/www-apache/anyterm/ChangeLog,v 1.2 2006/01/24 00:03:28 twp Exp $ +# $Header: /var/cvsroot/gentoo-x86/www-apache/anyterm/ChangeLog,v 1.3 2006/01/25 19:37:10 twp Exp $ + +*anyterm-1.1.8-r2 (25 Jan 2006) + + 25 Jan 2006; Tom Payne <twp@gentoo.org> + +files/anyterm-1.1.8-postinst-en.txt, files/50_anyterm.conf, + files/anyterm-1.1.8-browser-gentoo.patch, -anyterm-1.1.8-r1.ebuild, + +anyterm-1.1.8-r2.ebuild: + Improved default security and webapp support. Thanks webapp and apache herds. *anyterm-1.1.8-r1 (24 Jan 2006) diff --git a/www-apache/anyterm/Manifest b/www-apache/anyterm/Manifest index 698767d4f009..7e921a1d5019 100644 --- a/www-apache/anyterm/Manifest +++ b/www-apache/anyterm/Manifest 
@@ -1,9 +1,10 @@ -MD5 9e300f2c25878e05c66b33279c4c47a6 ChangeLog 782 -MD5 e38f2535fa61685394b86a8661d75fad anyterm-1.1.8-r1.ebuild 3178 -MD5 a14a3081dd3f5b6827bae63d13585320 files/50_anyterm.conf 199 +MD5 9dfed76c6f17c87f91527e39595aee31 ChangeLog 1099 +MD5 5e0da5e85b6a6e0c7b9a72eec3412bed anyterm-1.1.8-r2.ebuild 2843 +MD5 5d4c363d94576d82610a3b238da8b1e4 files/50_anyterm.conf 245 MD5 5a58f6af7f808560b821511c1e00261c files/anyterm-1.1.8-apachemod-Makefile.patch 891 -MD5 16d2edd9a6fe24882d8e5135400cac30 files/anyterm-1.1.8-browser-gentoo.patch 1249 +MD5 c9e7d1d08a12c4eccbff1002a3d5295f files/anyterm-1.1.8-browser-gentoo.patch 2086 MD5 edfc9bd9803d9fd760243cef69b00575 files/anyterm-1.1.8-common-extern.patch 655 MD5 a6069c73dec076f0f2c69ea2cb4b55b8 files/anyterm-1.1.8-libpbe-no-pg_config.patch 432 -MD5 1fafa77a32bc461f15aae771d3d2ea70 files/digest-anyterm-1.1.8-r1 62 +MD5 b3ff11277b2fe4d9712d2bf8ded7a6e0 files/anyterm-1.1.8-postinst-en.txt 1976 +MD5 1fafa77a32bc461f15aae771d3d2ea70 files/digest-anyterm-1.1.8-r2 62 MD5 d992d28bec4a3bfd72b441145091a58e metadata.xml 244 diff --git a/www-apache/anyterm/anyterm-1.1.8-r1.ebuild b/www-apache/anyterm/anyterm-1.1.8-r1.ebuild deleted file mode 100644 index f7c523f39cec..000000000000 --- a/www-apache/anyterm/anyterm-1.1.8-r1.ebuild +++ /dev/null 
@@ -1,116 +0,0 @@ -# Copyright 1999-2006 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/www-apache/anyterm/anyterm-1.1.8-r1.ebuild,v 1.1 2006/01/24 00:03:28 twp Exp $ - -inherit apache-module eutils toolchain-funcs webapp - -DESCRIPTION="A terminal anywhere" -HOMEPAGE="http://anyterm.org/" -SRC_URI="http://anyterm.org/download/${P}.tbz2" - -LICENSE="GPL-2" -KEYWORDS="~x86" -IUSE="pam ssl" -DEPEND=" - dev-libs/boost - >=dev-libs/rote-0.2.8 - >=sys-devel/gcc-3 - virtual/ssh - pam? ( net-www/mod_auth_pam ) - " -RDEPEND="${DEPEND}" - -APACHE2_MOD_CONF="50_${PN}" -APACHE2_MOD_DEFINE="ANYTERM" -useq ssl && APACHE2_MOD_DEFINE="${APACHE2_MOD_DEFINE} -D SSL" -useq pam && APACHE2_MOD_DEFINE="${APACHE2_MOD_DEFINE} -D AUTH_PAM" -APACHE2_MOD_FILE="${S}/apachemod/.libs/anyterm.so" -DOCFILES="CHANGELOG README" - -need_apache2 - -src_unpack() { - unpack ${A} - cp ${FILESDIR}/${APACHE2_MOD_CONF}.conf ${S} || die - epatch ${FILESDIR}/${P}-apachemod-Makefile.patch - epatch ${FILESDIR}/${P}-common-extern.patch - epatch ${FILESDIR}/${P}-browser-gentoo.patch - - # The bundled libpbe causes lots of problems because it links to various - # assorted packages, without any checks. These packages may or not be - # installed. Here we disable all packages which are not required. - epatch ${FILESDIR}/${P}-libpbe-no-pg_config.patch - for f in Database Recoder jpegsize; do - rm ${S}/libpbe/src/${f}.{cc,hh} - done -} - -src_compile() { - ( cd apachemod && emake CC=$(tc-getCC) CXX=$(tc-getCXX) ) || die -} - -src_install() { - apache-module_src_install - - webapp_src_preinst - cp browser/* browser/.htaccess ${D}/${MY_HTDOCSDIR} - webapp_src_install -} - -pkg_postinst() { - webapp_pkg_postinst - - apache-module_pkg_postinst - - if ! built_with_use 'net-www/apache' ssl || ! use pam; then - - if ! built_with_use 'net-www/apache' ssl; then - eerror "net-www/apache is missing SSL support." - fi - - if ! 
use pam; then - eerror "PAM support disabled." - fi - - eerror - eerror "For security reasons, the default Gentoo anyterm installation" - eerror "requires SSL and PAM. You will need to edit anyterm's" - eerror ".htaccess to suit your configuration." - eerror - eerror "For more information see:" - eerror "\thttp://anyterm.org/security.html" - eerror - - sleep 5 - - else - - eerror - eerror "The default Gentoo installation of Anyterm uses SSL and PAM for" - eerror "security. However, you will have to disable logging yourself," - eerror "otherwise anyone who can read your log files (EVERYBODY by" - eerror "default!) can observe all the characters you send, including" - eerror "passwords!" - eerror - eerror "To do this, add" - eerror "\tenv=!DONTLOG" - eerror "to the CustomLog directive in" - eerror "\t/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf" - eerror - eerror "If you are using a custom SSL virtual host configuration" - eerror "(i.e. you don't use -D SSL_DEFAULT_VHOST) then you will need" - eerror "to modify CustomLog directives elsewhere." - eerror - eerror "For more information see:" - eerror "\thttp://anyterm.org/security.html" - eerror - - einfo - einfo "Anyterm is now installed at:" - einfo "\thttps://localhost/anyterm/anyterm.html" - einfo - - sleep 5 - - fi -} diff --git a/www-apache/anyterm/anyterm-1.1.8-r2.ebuild b/www-apache/anyterm/anyterm-1.1.8-r2.ebuild new file mode 100644 index 000000000000..121d9f7bdbd2 --- /dev/null +++ b/www-apache/anyterm/anyterm-1.1.8-r2.ebuild 
@@ -0,0 +1,105 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apache/anyterm/anyterm-1.1.8-r2.ebuild,v 1.1 2006/01/25 19:37:10 twp Exp $
+
+inherit apache-module eutils toolchain-funcs webapp
+
+DESCRIPTION="A terminal anywhere"
+HOMEPAGE="http://anyterm.org/"
+SRC_URI="http://anyterm.org/download/${P}.tbz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~x86"
+IUSE="pam ssl opera"
+DEPEND="
+ dev-libs/boost
+ >=dev-libs/rote-0.2.8
+ >=sys-devel/gcc-3
+ virtual/ssh
+ pam? ( net-www/mod_auth_pam )
+ "
+RDEPEND="${DEPEND}"
+
+APACHE2_MOD_CONF="50_${PN}"
+APACHE2_MOD_DEFINE="ANYTERM"
+useq ssl && APACHE2_MOD_DEFINE="${APACHE2_MOD_DEFINE} -D SSL"
+useq pam && APACHE2_MOD_DEFINE="${APACHE2_MOD_DEFINE} -D AUTH_PAM"
+APACHE2_MOD_FILE="${S}/apachemod/.libs/anyterm.so"
+DOCFILES="CHANGELOG README"
+
+WEBAPP_MANUAL_SLOT="yes"
+
+need_apache2
+
+pkg_setup() {
+ webapp_pkg_setup
+
+ apache-module_pkg_setup
+
+ use ssl && ! built_with_use net-www/apache ssl && \
+ eerror "Build net-www/apache with USE=ssl."
+ use pam && ! built_with_use net-www/mod_auth_pam apache2 && \
+ eerror "Build net-www/mod_auth_pam with USE=apache2."
+}
+
+src_unpack() {
+ unpack ${A}
+
+ epatch ${FILESDIR}/${P}-apachemod-Makefile.patch
+ epatch ${FILESDIR}/${P}-common-extern.patch
+ epatch ${FILESDIR}/${P}-browser-gentoo.patch
+
+ # The bundled libpbe causes lots of problems because it links to various
+ # assorted packages, without any checks. These packages may or not be
+ # installed. Here we disable all packages which are not required.
+ epatch ${FILESDIR}/${P}-libpbe-no-pg_config.patch
+ for f in Database Recoder jpegsize; do
+ rm ${S}/libpbe/src/${f}.{cc,hh}
+ done
+}
+
+src_compile() {
+ ( cd apachemod && emake CC=$(tc-getCC) CXX=$(tc-getCXX) ) || die
+
+ # Modify browser files to reflect USE flags.
+ for flag in ssl pam opera; do
+ if use ${flag}; then
+ sed -i -e "s/^#USE=${flag}#//" browser/{*,.htaccess}
+ sed -i -e "/^#USE=-${flag}#/D" browser/{*,.htaccess}
+ else
+ sed -i -e "s/^#USE=-${flag}#//" browser/{*,.htaccess}
+ sed -i -e "/^#USE=${flag}#/D" browser/{*,.htaccess}
+ fi
+ done
+}
+
+src_install() {
+ apache-module_src_install
+
+ webapp_src_preinst
+ cp browser/{*,.htaccess} ${D}/${MY_HTDOCSDIR}
+ webapp_postinst_txt en ${FILESDIR}/${P}-postinst-en.txt
+ webapp_src_install
+}
+
+pkg_postinst() {
+ webapp_pkg_postinst
+
+ apache-module_pkg_postinst
+
+ if ! use ssl; then
+ ewarn "USE=-ssl: Anyterm without SSL is very insecure!"
+ fi
+ if ! use pam; then
+ ewarn "USE=-pam: You will have to add your own authentication"
+ ewarn " mechanism."
+ fi
+ if use opera; then
+ ewarn "USE=opera: Be sure to disable some logging in your apache"
+ ewarn " configuration files!"
+ fi
+ if ! use ssl || ! use pam || use opera; then
+ ewarn "For more information see http://anyterm.org/security.html"
+ fi
+}
diff --git a/www-apache/anyterm/files/50_anyterm.conf b/www-apache/anyterm/files/50_anyterm.conf
index f84d7d89be55..24e04ce564ef 100644
--- a/www-apache/anyterm/files/50_anyterm.conf
+++ b/www-apache/anyterm/files/50_anyterm.conf
@@ -2,7 +2,9 @@
 <IfModule !anyterm.c>
 LoadModule anyterm modules/anyterm.so
 </IfModule>
- <Directory "/var/www/localhost/htdocs/anyterm/">
- AllowOverride All
- </Directory>
+ <IfDefine DEFAULT_VHOST>
+ <Directory "/var/www/localhost/htdocs/anyterm">
+ AllowOverride All
+ </Directory>
+ </IfDefine>
 </IfDefine>
diff --git a/www-apache/anyterm/files/anyterm-1.1.8-browser-gentoo.patch b/www-apache/anyterm/files/anyterm-1.1.8-browser-gentoo.patch
index b6f201f6bf05..d2f203d8ce71 100644
--- a/www-apache/anyterm/files/anyterm-1.1.8-browser-gentoo.patch
+++ b/www-apache/anyterm/files/anyterm-1.1.8-browser-gentoo.patch
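Review bot: The `sed` calls in `src_compile` and the `cp` in `src_install` are unchecked, and for `browser/.htaccess` the marker scheme fails open: a line such as `#USE=ssl#SSLRequireSSL` that is left unprocessed is an Apache comment, so the SSL and authentication directives vanish without any error. Each call should abort on failure, e.g. `sed -i -e "s/^#USE=${flag}#//" browser/{*,.htaccess} || die "sed failed"` and `cp browser/{*,.htaccess} "${D}/${MY_HTDOCSDIR}" || die "cp failed"`. A final `grep -q '^#USE=' browser/.htaccess && die "unprocessed USE markers"` after the loop would catch leftover markers. In `pkg_setup` the two `built_with_use` checks only call `eerror` and let the build continue; `die` would stop an install whose requested protection cannot take effect.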
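Review bot: The transport and authentication requirements for the web terminal are still delivered only through the `.htaccess` that `AllowOverride All` switches on, and this `<Directory>` block now applies only when `DEFAULT_VHOST` is defined. `All` also permits every other override class from files in that directory. The directives visible in the patched `.htaccess` (`SSLRequireSSL`, the `Auth*`/`Require` lines, `SetHandler`, `SetEnv`) would presumably fit under `AllowOverride AuthConfig FileInfo`, provided `anyterm_command` is accepted there, which this page does not show. A comment above the block, such as `# Access control for anyterm lives in its .htaccess; keep AllowOverride in sync with it`, would document the dependency for vhost setups that must copy the block.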
@@ -1,46 +1,71 @@ +diff -Naur anyterm-1.1.8/browser/anyterm.js anyterm/browser/anyterm.js +--- anyterm-1.1.8/browser/anyterm.js 2005-11-24 19:54:15.000000000 +0100 ++++ anyterm/browser/anyterm.js 2006-01-25 16:52:46.000000000 +0100 +@@ -26,16 +26,21 @@ + var open=false; + var session; + +-//var post_method="POST"; +-var post_method="GET"; ++#USE=opera#//var post_method="POST"; ++#USE=opera#var post_method="GET"; ++#USE=-opera#var post_method="POST"; ++#USE=-opera#//var post_method="GET"; + + // Random sequence numbers are needed to prevent Opera from caching + // replies + + var is_opera = navigator.userAgent.toLowerCase().indexOf("opera") != -1; +-if (is_opera) { +- post_method="GET"; +-} ++#USE=opera#if (is_opera) { ++#USE=opera# post_method="GET"; ++#USE=opera#} ++#USE=-opera#//if (is_opera) { ++#USE=-opera#// post_method="GET"; ++#USE=-opera#//} + + var seqnum_val=Math.round(Math.random()*100000); + function cachebust() { diff -Naur anyterm-1.1.8/browser/.htaccess anyterm/browser/.htaccess --- anyterm-1.1.8/browser/.htaccess 2005-09-05 00:49:44.000000000 +0200 -+++ anyterm/browser/.htaccess 2006-01-23 22:36:42.000000000 +0100 -@@ -7,6 +7,11 @@ ++++ anyterm/browser/.htaccess 2006-01-25 17:03:29.000000000 +0100 +@@ -6,6 +6,8 @@ + # will be ignored if the anyterm module has not been loaded. <IfModule anyterm> ++#USE=ssl#<IfModule mod_ssl.c> ++#USE=pam#<IfModule mod_auth_pam.c> -+# twp: To force Anyterm installations to be as secure as possible "out-of-the- -+# twp: box", we also require that both mod_ssl and mod_auth_pam are present. -+<IfModule mod_ssl.c> -+<IfModule mod_auth_pam.c> -+ # Use an anyterm_command directive to specify the command to run # inside the terminal: - # -@@ -24,6 +29,18 @@ +@@ -24,6 +26,16 @@ # Example: # anyterm_command '/path/to/anygetty --remotehost "Anyterm: %h" --autologin=%u' +# twp: Use ssh to avoid problems with Gentoo's /bin/login. +anyterm_command '/usr/bin/ssh %u@localhost' + -+# twp: Only provide Anyterm over SSL connections. 
-+SSLRequireSSL -+ -+# twp: Require a valid user using mod_auth_pam. -+AuthPAM_Enabled on -+AuthType Basic -+AuthName "Anyterm" -+Require valid-user -+ ++#USE=ssl#SSLRequireSSL ++#USE=ssl# ++#USE=pam#AuthPAM_Enabled on ++#USE=pam#AuthType Basic ++#USE=pam#AuthName "Anyterm" ++#USE=pam#Require valid-user ++#USE=pam# <Files anyterm-module> SetHandler anyterm -@@ -34,7 +51,10 @@ +@@ -34,7 +46,10 @@ # CustomLog /path/to/logfile combined env=!DONTLOG # See the Apache documentation for details. Note "=!" not "!=" ! - # SetEnv DONTLOG -+ SetEnv DONTLOG ++#USE=opera# SetEnv DONTLOG ++#USE=-opera# # SetEnv DONTLOG </Files> ++#USE=pam#</IfModule> ++#USE=ssl#</IfModule> </IfModule> -+</IfModule> -+ -+</IfModule> diff --git a/www-apache/anyterm/files/anyterm-1.1.8-postinst-en.txt b/www-apache/anyterm/files/anyterm-1.1.8-postinst-en.txt new file mode 100644 index 000000000000..f96f0dcef3e9 --- /dev/null +++ b/www-apache/anyterm/files/anyterm-1.1.8-postinst-en.txt 
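Review bot: The `#USE=pam#` lines in the `.htaccess` part of this patch are independent of the `#USE=ssl#` lines, so USE="pam -ssl" yields `AuthType Basic` backed by PAM without `SSLRequireSSL`. That sends system account passwords, only base64-encoded, over plain HTTP on every request. The previous revision nested both `<IfModule>` wrappers unconditionally; the ebuild could keep that coupling by refusing the combination, e.g. `use pam && ! use ssl && die "USE=pam requires USE=ssl"`. Separately, `anyterm_command '/usr/bin/ssh %u@localhost'` stays unconditional, and with USE=-pam there is presumably no authenticated user for `%u` to expand to; that is worth confirming against the anyterm documentation.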
@@ -0,0 +1,59 @@
+DEFAULT GENTOO INSTALLATION
+
+The default Gentoo installation is designed to work and be as secure as
+possible out-of-the box as long as you have USE="ssl pam -opera".
+
+
+USE FLAGS
+
++ssl forces anyterm to only run over secure (HTTPS) connections.
+-ssl disables secure connections, all data will pass over the network in
+ plain text, including passwords!
++pam enables PAM authentication, so anyone with an account on your computer
+ can use anyterm without any further configuration.
+-pam means that you will have to configure your own authentication
+ mechanism.
++opera Enables a workaround for a bug in the Opera browser, but you will have
+ to modify apache's logging behaviour to prevent snooping by local
+ users.
+-opera Disables the Opera bug workaround.
+
+
+INSTALLATION INSTRUCTIONS
+
+1. Add the following flags to APACHE2_OPTS in /etc/init.d/apache2:
+ -D ANYTERM
+ -D SSL # if USE=ssl
+ -D SSL_DEFAULT_VHOST # if USE="ssl -vhosts"
+ -D AUTH_PAM # if USE=pam
+
+2. If you have USE=vhosts then you need to add the following directives to
+ each virtual host's configuration file:
+ <Directory "${MY_INSTALLDIR}">
+ AllowOverride All
+ </Directory>
+
+3. If you have USE=opera then you should disable logging of some requests. In
+ each apache configuration file add env=!DONTLOG to each CustomLog
+ directive. For example:
+ USE="ssl -vhosts":
+ Edit /etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:
+ CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" \
+ env=!DONTLOG
+ USE="-ssl -vhosts":
+ Edit /etc/apache2/httpd.conf:
+ CustomLog logs/access_log common env=!DONTLOG
+
+4. Restart apache2:
+ /etc/init.d/apache2 restart
+
+5. Browse to:
+ https://${VHOST_HOSTNAME}${VHOST_APPDIR}/${PN}.html # if USE=ssl
+ http://${VHOST_HOSTNAME}${VHOST_APPDIR}/${PN}.html # if USE=-ssl
+
+
+MORE INFORMATION
+
+http://anyterm.org/
+http://anyterm.org/security.html
diff --git a/www-apache/anyterm/files/digest-anyterm-1.1.8-r1 b/www-apache/anyterm/files/digest-anyterm-1.1.8-r2 index 5aa11d832d47..5aa11d832d47 100644 --- a/www-apache/anyterm/files/digest-anyterm-1.1.8-r1 +++ b/www-apache/anyterm/files/digest-anyterm-1.1.8-r2 |