diff options
author | Matthew N. Dodd <mdodd@FreeBSD.org> | 2002-07-12 02:52:31 +0000 |
---|---|---|
committer | Matthew N. Dodd <mdodd@FreeBSD.org> | 2002-07-12 02:52:31 +0000 |
commit | 02f34c6f5f2e9a778ae3cede9acdb17244ffc856 (patch) | |
tree | 059af0a71d3a82118d8d6cce05ea88588da813e6 /security/sfs | |
parent | e53dffd9cce4e1b53384cc02739ef690ce5cd9c8 (diff) |
A secure global network file system. SFS names FSs by public keys
PR: ports/40455
Submitted by: Michael Handler <handler@grendel.net>
Notes
Notes:
svn path=/head/; revision=62840
Diffstat (limited to 'security/sfs')
-rw-r--r-- | security/sfs/Makefile | 72 | ||||
-rw-r--r-- | security/sfs/distinfo | 1 | ||||
-rw-r--r-- | security/sfs/files/etc-sfsrwsd_config.sample | 51 | ||||
-rw-r--r-- | security/sfs/files/patch-async_malloc.C | 18 | ||||
-rw-r--r-- | security/sfs/files/sfscd.sh | 17 | ||||
-rw-r--r-- | security/sfs/files/sfssd.sh | 17 | ||||
-rw-r--r-- | security/sfs/files/share-doc-README.config | 64 | ||||
-rw-r--r-- | security/sfs/pkg-comment | 1 | ||||
-rw-r--r-- | security/sfs/pkg-deinstall | 29 | ||||
-rw-r--r-- | security/sfs/pkg-descr | 12 | ||||
-rw-r--r-- | security/sfs/pkg-install | 59 | ||||
-rw-r--r-- | security/sfs/pkg-plist | 173 |
12 files changed, 514 insertions, 0 deletions
diff --git a/security/sfs/Makefile b/security/sfs/Makefile new file mode 100644 index 000000000000..6912dd4a81a5 --- /dev/null +++ b/security/sfs/Makefile @@ -0,0 +1,72 @@ +# Ports collection makefile for: sfs +# Date created: Thu Jul 4 2002 +# Whom: Michael Handler <handler@grendel.net> +# Matthew Dodd <winter@jurai.net> +# +# $FreeBSD$ +# + +PORTNAME= sfs +PORTVERSION= 0.6 +PORTREVISION= 0 +CATEGORIES= security net +MASTER_SITES= http://www.fs.net/sfs/new-york.lcs.mit.edu:85xq6pznt4mgfvj4mb23x6b8adak55ue/pub/sfswww/dist/ + +MAINTAINER= handler@grendel.net + +.include <bsd.port.pre.mk> + +USE_GMAKE= yes +USE_OPENSSL= yes + +GNU_CONFIGURE= yes +CONFIGURE_ARGS+=--with-sfsuser=sfs \ + --with-sfsgroup=sfs \ + --with-sfsdir=/var/spool/sfs \ + --with-etcdir=${PREFIX}/etc/sfs \ + --with-openssl=${OPENSSLBASE} \ + --disable-uvfs + +.if ${OSVERSION} > 500000 +LIB_DEPENDS+= gmp.5:${PORTSDIR}/math/libgmp4 +CONFIGURE_ARGS+=--with-gmp=${PREFIX} +.else +CONFIGURE_ARGS+=--with-gmp=/usr +.endif + +MAN1= \ + rex.1 \ + sfsagent.1 \ + sfskey.1 \ + ssu.1 + +MAN5= \ + sfs_config.5 \ + sfs_users.5 \ + sfscd_config.5 \ + sfssd_config.5 \ + sfs_srp_params.5 \ + sfsauthd_config.5 \ + sfsrwsd_config.5 + +MAN8= \ + sfsauthd.8 \ + sfscd.8 \ + sfsrwsd.8 \ + sfssd.8 + +post-extract: + @${SED} -e "s=%%PREFIX%%=${PREFIX}=g" ${FILESDIR}/sfscd.sh > ${WRKSRC}/sfscd.sh + @${SED} -e "s=%%PREFIX%%=${PREFIX}=g" ${FILESDIR}/sfssd.sh > ${WRKSRC}/sfssd.sh + +post-install: + ${INSTALL_SCRIPT} ${WRKSRC}/sfscd.sh ${PREFIX}/etc/rc.d/sfscd.sh.sample + ${INSTALL_SCRIPT} ${WRKSRC}/sfssd.sh ${PREFIX}/etc/rc.d/sfssd.sh.sample + ${MKDIR} ${PREFIX}/etc/sfs + ${INSTALL_DATA} ${FILESDIR}/etc-sfsrwsd_config.sample ${PREFIX}/etc/sfs/sfsrwsd_config.sample + ${MKDIR} ${PREFIX}/share/doc/sfs + ${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/sfs/ + ${INSTALL_DATA} ${FILESDIR}/share-doc-README.config ${PREFIX}/share/doc/sfs/README.config + PKG_PREFIX=${PREFIX} ${SH} pkg-install ${PKGNAME} POST-INSTALL + +.include <bsd.port.post.mk> diff --git a/security/sfs/distinfo b/security/sfs/distinfo new file mode 100644 index 000000000000..fac07dc65541 --- /dev/null +++ b/security/sfs/distinfo @@ -0,0 +1 @@ +MD5 (sfs-0.6.tar.gz) = 0965e874ba18568655e1a7a3f273dc19 diff --git a/security/sfs/files/etc-sfsrwsd_config.sample b/security/sfs/files/etc-sfsrwsd_config.sample new file mode 100644 index 000000000000..d60f032a305d --- /dev/null +++ b/security/sfs/files/etc-sfsrwsd_config.sample @@ -0,0 +1,51 @@ +# To set up your own SFS server, copy this file (sfsrwsd_config.sample) +# to sfsrwsd_config, and add any necessary lines. For most installations, +# you only need to add Export lines for any directories you want to +# export; the hostname should be picked up automatically from your +# system unless you're doing something complex, and the keyfile path is +# already set correctly from the port. +# +# N.B.: any directories exported in an Export statement must also be +# exported to localhost via NFS, and must follow all NFS export rules, +# i.e. no symlinks in the exported directory pathname, the exported +# path must be absolute to the physical mount point. If you want to +# export /usr/ports via SFS, and /usr/ports is really a symlink to +# /vol/h0/ports, you have to use: +# +# Export /vol/h0/ports /ports +# +# not: +# +# Export /usr/ports /ports +# +# And then /vol/h0/ports must be added to /etc/export, rather than +# /usr/ports. +# +# Configuration reference: +# +# Hostname name +# Set the Location part of the server's self-certifying pathname. The +# default is the current host's fully-qualified hostname. +# +# Keyfile path +# Tells sfsrwsd to look for its private key in file path. The default +# is sfs_host_key. SFS looks for file names that do not start with / +# in /etc/sfs, or whatever directory you specified if you used the +# --with-etcdir option to configure (see configure). +# +# Export local-directory sfs-name [R|W] +# Tells sfsrwsd to export local-directory, giving it the name sfs-name +# with respect to the server's self-certifying pathname. Appending R +# to an export directive gives anonymous users read-only access to +# the file system (under user ID -2 and group ID -2). Appending W +# gives anonymous users both read and write access. See Quick server +# setup, for an example of the Export directive. There is almost no +# reason to use the W flag. The R flag lets anyone on the Internet +# issue NFS calls to your kernel as user -2. SFS filters these calls; +# it makes sure that they operate on files covered by the export +# directive, and it blocks any calls that would modify the file system. +# This approach is safe given a perfect NFS3 implementation. If, +# however, there are bugs in your NFS code, attackers may exploit +# them if you have the R option--probably just crashing your server +# but possibly doing worse + diff --git a/security/sfs/files/patch-async_malloc.C b/security/sfs/files/patch-async_malloc.C new file mode 100644 index 000000000000..e3322c7feffc --- /dev/null +++ b/security/sfs/files/patch-async_malloc.C @@ -0,0 +1,18 @@ +--- async/malloc.C.orig Thu Jul 11 21:33:30 2002 ++++ async/malloc.C Thu Jul 11 21:32:22 2002 +@@ -136,13 +136,13 @@ + + + void +-operator delete (void *ptr) ++operator delete (void *ptr) throw () + { + xfree (ptr); + } + + void +-operator delete[] (void *ptr) ++operator delete[] (void *ptr) throw () + { + xfree (ptr); + } diff --git a/security/sfs/files/sfscd.sh b/security/sfs/files/sfscd.sh new file mode 100644 index 000000000000..a3c977efbcdb --- /dev/null +++ b/security/sfs/files/sfscd.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +PIDFILE=/var/run/sfscd.pid + +case "$1" in +start) + [ -x %%PREFIX%%/sbin/sfscd ] && %%PREFIX%%/sbin/sfscd && echo -n ' sfscd' + ;; +stop) + [ -r $PIDFILE ] && kill -TERM `cat $PIDFILE` && echo -n ' sfscd' + ;; +*) + echo "Usage: `basename $0` {start|stop}" >&2 + ;; +esac + +exit 0 diff --git a/security/sfs/files/sfssd.sh b/security/sfs/files/sfssd.sh new file mode 100644 index 000000000000..c288a91919ae --- /dev/null +++ b/security/sfs/files/sfssd.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +PIDFILE=/var/run/sfssd.pid + +case "$1" in +start) + [ -x %%PREFIX%%/sbin/sfssd ] && %%PREFIX%%/sbin/sfssd && echo -n ' sfssd' + ;; +stop) + [ -r $PIDFILE ] && kill -TERM `cat $PIDFILE` && echo -n ' sfssd' + ;; +*) + echo "Usage: `basename $0` {start|stop}" >&2 + ;; +esac + +exit 0 diff --git a/security/sfs/files/share-doc-README.config b/security/sfs/files/share-doc-README.config new file mode 100644 index 000000000000..4114ccde6bb8 --- /dev/null +++ b/security/sfs/files/share-doc-README.config @@ -0,0 +1,64 @@ +Notes on SFS configuration: + +SFS is a complex system to configure, and cannot be adequately +described in these limited files. It is strongly suggested that you +read the SFS documentation on <URL://www.fs.net/> before configuring +any of the various programs. A limited roadmap is provided for +reference here, but that is no substitute for a reading of the full +documentation. Also see /usr/local/share/sfs/doc/README and the +manual page for sfsrwsd_config(5). + +The various programs in the SFS package are configured via files +in two directories: /usr/local/share/sfs/ (henceforth "share/sfs") +and /usr/local/etc/sfs (henceforth "etc/sfs"). The port installs +various configuration files into share/sfs directly from the +compilation of the SFS package. These files should never be edited +directly; they can be overridden by the creation of new files in +etc/sfs, as detailed below. + +[ The following section is taken nearly verbatim from +<URL:http://www.fs.net/sfs/new-york.lcs.mit.edu:85xq6pznt4mgfvj4mb23x6b8adak55ue/pub/sfswww/sfs.html#SFS%20configuration>. ] + +SFS configuration files: + +SFS comprises a number of programs, many of which have configuration +files. All programs look for configuration files in two directories--first +/usr/local/etc/sfs, then, if they don't find the file there, in +/usr/local/share/sfs. + +This port installs reasonable defaults in /usr/local/share/sfs +for all configuration files except sfsrwsd_config. On particular +hosts where you wish to change the default behavior, you can override +the default configuration file by creating a new file of the same +name in /usr/local/etc/sfs. + +The sfs_config file contains system-wide configuration parameters +for most of the programs comprising SFS. Note that +/usr/local/share/sfs/sfs_config is always parsed, even if +/usr/local/etc/sfs/sfs_config exists. Options in +/usr/local/etc/sfs/sfs_config simply override the defaults in +/usr/local/share/sfs/sfs_config. For the other configuration files, +a file in /usr/local/etc/sfs/ entirely overrides the version in +/usr/local/share/sfs/. + +If you are running a server, you will need to create an sfsrwsd_config +file to tell SFS what directories to export, and possibly an +sfsauthd_config if you wish to share the database of user public +keys across several file servers. + +The sfssd_config file contains information about which protocols +and services to route to which daemons on an SFS server, including +support for backwards compatibility across several versions of SFS. +You probably don't need to change this file. + +sfs_srp_params contains some cryptographic parameters for retrieving +keys securely over the network with a passphrase (as with the sfskey +add usr@server command). + +sfscd_config contains information about extensions to the SFS +protocol and which kinds of file servers to route to which daemons. +You almost certainly should not touch this file unless you are +developing new versions of the SFS software. + +Note that configuration command names are case-insensitive in all +configuration files (though the arguments are not). diff --git a/security/sfs/pkg-comment b/security/sfs/pkg-comment new file mode 100644 index 000000000000..2c8b2b9c5f06 --- /dev/null +++ b/security/sfs/pkg-comment @@ -0,0 +1 @@ +A secure global network file system. (Self-certifying File System) diff --git a/security/sfs/pkg-deinstall b/security/sfs/pkg-deinstall new file mode 100644 index 000000000000..cf61b7097f18 --- /dev/null +++ b/security/sfs/pkg-deinstall @@ -0,0 +1,29 @@ +#!/bin/sh + +if [ "$2" != "POST-DEINSTALL" ]; then + exit 0 +fi + +USER=sfs +GROUP=sfs + +SFSDIR=/var/spool/sfs + +if pw groupshow "${GROUP}" >/dev/null 2>&1; then + echo "If you're done with SFS permanently, delete the sfs group manually: pw groupdel ${GROUP}" | fmt +fi + +if pw usershow "${USER}" >/dev/null 2>&1; then + echo + echo "If you're done with SFS permanently, delete the sfs user manually: pw userdel ${USER}" | fmt +fi + +if [ -d "$PKG_PREFIX/etc/sfs" ] && ! rmdir $PKG_PREFIX/etc/sfs 2>/dev/null; then + echo + echo "You may wish to investigate the contents of $PKG_PREFIX/etc/sfs and delete the directory if you're done with SFS permanently." | fmt +fi + +if [ -d "$SFSDIR" ] && ! rmdir $SFSDIR 2>/dev/null; then + echo + echo "You may wish to investigate the contents of $SFSDIR and delete the directory if you're done with SFS permanently." | fmt +fi diff --git a/security/sfs/pkg-descr b/security/sfs/pkg-descr new file mode 100644 index 000000000000..90f77a967a0d --- /dev/null +++ b/security/sfs/pkg-descr @@ -0,0 +1,12 @@ +WWW: http://www.fs.net/ + +SFS (Self-certifying File System) is a secure, global network file +system. SFS names file systems by public keys. Every remote file +server is mounted on a self-certifying pathname--a directory of the +form /sfs/LOCATION:HOSTID, where LOCATION is a DNS hostname and +HOSTID is a cryptographic hash of a public key. This naming scheme +allows for completely decentralized control--anyone can create a +file server, and any user can access any file server from any client. +Various key management schemes can be built on top of SFS using +symbolic links to map human-readable names to self-certifying +pathnames. diff --git a/security/sfs/pkg-install b/security/sfs/pkg-install new file mode 100644 index 000000000000..468cdef3e4cc --- /dev/null +++ b/security/sfs/pkg-install @@ -0,0 +1,59 @@ +#!/bin/sh + +if [ "$2" != "POST-INSTALL" ]; then + exit 0 +fi + +KEYFILE="$PKG_PREFIX/etc/sfs/sfs_host_key" + +USER=sfs +GROUP=sfs + +SFSDIR=/var/spool/sfs + +echo -n "Checking for group '$GROUP'... " + +if ! pw groupshow $GROUP >/dev/null 2>&1; then + echo "doesn't exist, adding." + pw groupadd $GROUP -g 71 +else + echo "exists." +fi + +echo -n "Checking for user '$USER'... " + +if ! pw usershow $USER >/dev/null 2>&1; then + echo "doesn't exist, adding." + pw useradd $USER -u 71 -c 'Self-Certifying File System' -d /nonexistent -g $GROUP -s /sbin/nologin -h - +else + echo "exists." +fi + +echo -n "Checking for SFS directory ($SFSDIR)... " + +if [ -d "$SFSDIR" ]; then + echo "already exists." +else + echo "creating." + mkdir $SFSDIR +fi + +chmod 750 $SFSDIR +chown $USER:$GROUP $SFSDIR + +echo -n "Checking for SFS host key ($KEYFILE)... " + +if [ -f "$KEYFILE" ]; then + echo "already exists, not generating." +else + echo "doesn't exist, generating." + echo "Starting sfscd for entropy services." + $PKG_PREFIX/sbin/sfscd + echo -n "Sleeping ten seconds to give sfscd time to start up... " + sleep 10 + echo "done." + $PKG_PREFIX/bin/sfskey gen -KP -n `uname -n` $KEYFILE + echo -n "Key generation done, killing sfscd... " + kill -TERM `cat /var/run/sfscd.pid` + echo "done." +fi diff --git a/security/sfs/pkg-plist b/security/sfs/pkg-plist new file mode 100644 index 000000000000..7ef59ff7a53e --- /dev/null +++ b/security/sfs/pkg-plist @@ -0,0 +1,173 @@ +bin/dirsearch +bin/newaid +bin/rex +bin/rpcc +bin/sfsagent +bin/sfskey +bin/ssu +@unexec if [ -f %D/etc/rc.d/sfscd.sh ]; then cmp -s %D/etc/rc.d/sfscd.sh.sample %D/etc/rc.d/sfscd.sh && rm -f %D/etc/rc.d/sfscd.sh || echo "${PKG_PREFIX}/etc/rc.d/sfscd.sh is different than distribution sample, leaving for manual cleanup." | fmt; fi +etc/rc.d/sfscd.sh.sample +@unexec if [ -f %D/etc/rc.d/sfssd.sh ]; then cmp -s %D/etc/rc.d/sfssd.sh.sample %D/etc/rc.d/sfssd.sh && rm -f %D/etc/rc.d/sfssd.sh || echo "${PKG_PREFIX}/etc/rc.d/sfssd.sh is different than distribution sample, leaving for manual cleanup." | fmt; fi +etc/rc.d/sfssd.sh.sample +etc/sfs/sfsrwsd_config.sample +include/sfs +include/sfs-0.6/aclnt.h +include/sfs-0.6/aes.h +include/sfs-0.6/afsnode.h +include/sfs-0.6/agentconn.h +include/sfs-0.6/agentmisc.h +include/sfs-0.6/aiod.h +include/sfs-0.6/aiod_prot.h +include/sfs-0.6/aios.h +include/sfs-0.6/amisc.h +include/sfs-0.6/arc4.h +include/sfs-0.6/arena.h +include/sfs-0.6/arpc.h +include/sfs-0.6/array.h +include/sfs-0.6/asrv.h +include/sfs-0.6/async.h +include/sfs-0.6/autoconf.h +include/sfs-0.6/axprt.h +include/sfs-0.6/axprt_crypt.h +include/sfs-0.6/backoff.h +include/sfs-0.6/bbuddy.h +include/sfs-0.6/bench.h +include/sfs-0.6/bigint.h +include/sfs-0.6/bitvec.h +include/sfs-0.6/blowfish.h +include/sfs-0.6/callback.h +include/sfs-0.6/cbuf.h +include/sfs-0.6/crypt.h +include/sfs-0.6/crypt_prot.h +include/sfs-0.6/crypt_prot.x +include/sfs-0.6/crypthash.h +include/sfs-0.6/dns.h +include/sfs-0.6/dnsparse.h +include/sfs-0.6/err.h +include/sfs-0.6/esign.h +include/sfs-0.6/fdlim.h +include/sfs-0.6/getfh3.h +include/sfs-0.6/hashcash.h +include/sfs-0.6/ihash.h +include/sfs-0.6/init.h +include/sfs-0.6/itree.h +include/sfs-0.6/keyfunc.h +include/sfs-0.6/list.h +include/sfs-0.6/modalg.h +include/sfs-0.6/mount_prot.h +include/sfs-0.6/mount_prot.x +include/sfs-0.6/msb.h +include/sfs-0.6/nfs3_ext.x +include/sfs-0.6/nfs3_nonnul.h +include/sfs-0.6/nfs3_prot.h +include/sfs-0.6/nfs3_prot.x +include/sfs-0.6/nfs3close_prot.h +include/sfs-0.6/nfs3close_prot.x +include/sfs-0.6/nfs3exp_prot.h +include/sfs-0.6/nfs3exp_prot.x +include/sfs-0.6/nfs_prot.h +include/sfs-0.6/nfs_prot.x +include/sfs-0.6/nfsmounter.h +include/sfs-0.6/nfsmounter.x +include/sfs-0.6/nfsserv.h +include/sfs-0.6/nfstrans.h +include/sfs-0.6/opnew.h +include/sfs-0.6/parseopt.h +include/sfs-0.6/password.h +include/sfs-0.6/pcre.h +include/sfs-0.6/pmap_prot.h +include/sfs-0.6/pmap_prot.x +include/sfs-0.6/prime.h +include/sfs-0.6/prng.h +include/sfs-0.6/qhash.h +include/sfs-0.6/rabin.h +include/sfs-0.6/refcnt.h +include/sfs-0.6/rex.h +include/sfs-0.6/rex_prot.h +include/sfs-0.6/rex_prot.x +include/sfs-0.6/rpctypes.h +include/sfs-0.6/rwfd.h +include/sfs-0.6/rxx.h +include/sfs-0.6/seqno.h +include/sfs-0.6/serial.h +include/sfs-0.6/sfs-internal.h +include/sfs-0.6/sfs_prot.h +include/sfs-0.6/sfs_prot.x +include/sfs-0.6/sfsagent.h +include/sfs-0.6/sfsagent.x +include/sfs-0.6/sfsauth_prot.h +include/sfs-0.6/sfsauth_prot.x +include/sfs-0.6/sfscd_prot.h +include/sfs-0.6/sfscd_prot.x +include/sfs-0.6/sfsclient.h +include/sfs-0.6/sfsconnect.h +include/sfs-0.6/sfskeymisc.h +include/sfs-0.6/sfsmisc.h +include/sfs-0.6/sfsro_prot.h +include/sfs-0.6/sfsro_prot.x +include/sfs-0.6/sfsserv.h +include/sfs-0.6/sfstty.h +include/sfs-0.6/sha1.h +include/sfs-0.6/srp.h +include/sfs-0.6/stllike.h +include/sfs-0.6/str.h +include/sfs-0.6/suio++.h +include/sfs-0.6/sysconf.h +include/sfs-0.6/tiger.h +include/sfs-0.6/union.h +include/sfs-0.6/uvfstrans.h +include/sfs-0.6/vatmpl.h +include/sfs-0.6/vec.h +include/sfs-0.6/wmstr.h +include/sfs-0.6/xdr_suio.h +include/sfs-0.6/xdrmisc.h +include/sfs-0.6/xhinfo.h +include/sfs.h +@dirrm include/sfs-0.6 +@unexec install-info --delete %D/info/sfs.info %D/info/dir +info/sfs.info +info/sfs.info-1 +info/sfs.info-2 +@exec install-info %D/info/sfs.info %D/info/dir +lib/libsfs.a +lib/sfs +lib/sfs-0.6/aiod +lib/sfs-0.6/connect +lib/sfs-0.6/libarpc.a +lib/sfs-0.6/libarpc.la +lib/sfs-0.6/libasync.a +lib/sfs-0.6/libasync.la +lib/sfs-0.6/libsfscrypt.a +lib/sfs-0.6/libsfscrypt.la +lib/sfs-0.6/libsfsmisc.a +lib/sfs-0.6/libsfsmisc.la +lib/sfs-0.6/libsvc.a +lib/sfs-0.6/libsvc.la +lib/sfs-0.6/listen +lib/sfs-0.6/mallock.o +lib/sfs-0.6/moduled +lib/sfs-0.6/newaid +lib/sfs-0.6/nfsmounter +lib/sfs-0.6/pathinfo +lib/sfs-0.6/proxy +lib/sfs-0.6/ptyd +lib/sfs-0.6/rexd +lib/sfs-0.6/sfsauthd +lib/sfs-0.6/sfsrwcd +lib/sfs-0.6/sfsrwsd +lib/sfs-0.6/suidconnect +lib/sfs-0.6/ttyd +lib/sfs-0.6/xfer +@dirrm lib/sfs-0.6 +sbin/funmount +sbin/sfscd +sbin/sfssd +share/doc/sfs/README +share/doc/sfs/README.config +@dirrm share/doc/sfs +share/sfs/sfs_config +share/sfs/sfs_srp_parms +share/sfs/sfsauthd_config +share/sfs/sfscd_config +share/sfs/sfssd_config +@dirrm share/sfs |