3 files changed, 56 insertions, 81 deletions

diff --git a/shells/scponly/Makefile b/shells/scponly/Makefile
index 953a4b190f5e..4b9a8a647ff4 100644
--- a/shells/scponly/Makefile
+++ b/shells/scponly/Makefile
@@ -5,76 +5,11 @@
 # $FreeBSD$
 #
 
-# There are many knobs to tune scponly towards your specific wishes
-# and preferences.
-# You can activate a knob by typing something like
-# "make -DKNOB" or "make KNOB=yes" instead of just "make"
-#
-# A description of the several possibilities is available here:
-#
-#
-# Core funcionality:
-#
-# SCPONLY_DEFAULT_CHDIR=DIR
-# default: undefined
-# example: public_html
-# define if you want to make users `cd' to this directory after authentication
-#
-# WITHOUT_SCPONLY_WILDCARDS
-# default: undefined
-# define if you want to disable wildcard processing.
-#
-# WITHOUT_SCPONLY_GFTP
-# default: undefined
-# define if you want to disable gftp compatibility.
-#
-# WITH_SCPONLY_CHROOT
-# default: undefined
-# define if you want to use chroot functionality (set UID to root).
-#
-# WITH_SCPONLY_RSYNC
-# default: undefined
-# define if you want to enable rsync compatibility.
-#
-# WITH_SCPONLY_SCP
-# default: undefined
-# define if you want to enable vanilla scp compatibility.
-#
-# WITH_SCPONLY_SFTP_LOGGING
-# default: undefined
-# define if you want to enable sftp logging compatibility.
-#
-# WITH_SCPONLY_SVN
-# default: undefined
-# define if you want to enable subversion compatibility.
-#
-# WITH_SCPONLY_SVNSERVE
-# default: undefined
-# define if you want to enable subversion compatibility with svn+ssh://
-#
-# WITH_SCPONLY_UNISON
-# default: undefined
-# define if you want to enable unison compatibility.
-#
-# WITH_SCPONLY_WINSCP
-# default: undefined
-# define if you want to enable WinSCP compatibility.
-#
-#
-# Additional knobs:
-#
-# NOPORTDOCS
-# default: undefined
-# This knob prevents the ports system from installing additional
-# documentation. If you define this, only the manpage is going
-# to be installed.
-
 PORTNAME=	scponly
 PORTVERSION=	4.8
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	shells security
-MASTER_SITES=	http://www.sublimation.org/scponly/ \
-		SF/${PORTNAME}/${PORTNAME}/${PORTNAME}-${PORTVERSION}
+MASTER_SITES=	SF/${PORTNAME}/${PORTNAME}/${PORTNAME}-${PORTVERSION}
 EXTRACT_SUFX=	.tgz
 
 MAINTAINER=	rfarmer@predatorlabs.net
@@ -82,6 +17,8 @@ COMMENT=	A tiny shell that only permits scp and sftp
 
 MAN8=		scponly.8
 
+PORTDOCS=	BUILDING-JAILS.TXT INSTALL README SECURITY
+
 GNU_CONFIGURE=	yes
 
 OPTIONS=	SCPONLY_WILDCARDS "wildcards processing" on \
@@ -153,14 +90,10 @@ CONFIGURE_ARGS+=--enable-unison-compat
 CONFIGURE_ARGS+=--enable-winscp-compat
 .endif
 
-pre-everything::
-	@${ECHO_MSG} "From scponly 4.2, scp & WinSCP compatibilities are not"
-	@${ECHO_MSG} "enabled by default.  To enable those compatibilities,"
-	@${ECHO_MSG} "define WITH_SCPONLY_SCP and/or WITH_SCPONLY_WINSCP,"
-	@${ECHO_MSG} "respectively."
-	@${ECHO_MSG} ""
-	@${ECHO_MSG} "You can enable chroot functionality by defining WITH_SCPONLY_CHROOT."
-	@${ECHO_MSG} ""
+post-patch:
+	@${ECHO_MSG} "In addition to knobs available from the OPTIONS dialog,"
+	@${ECHO_MSG} "you may set SCPONLY_DEFAULT_CHDIR to make users 'cd' to"
+	@${ECHO_MSG} "this directory after authentication."
 
 post-install:
 	@${ECHO_MSG} "Updating /etc/shells"
@@ -180,14 +113,19 @@ post-install:
 	@${ECHO_MSG} "To setup chroot cage, run the following commands:"
 	@${ECHO_MSG} "  1) cd ${EXAMPLESDIR}/ && ${SH} setup_chroot.sh"
 	@${ECHO_MSG} "  2) Set scponlyc_enable=\"YES\" in /etc/rc.conf"
-	@${ECHO_MSG} "  3) Run ${LOCALBASE}/etc/rc.d/scponly start"
+	@${ECHO_MSG} "  3) Run ${PREFIX}/etc/rc.d/scponly start"
 	@${ECHO_MSG} ""
 .endif
 .if !defined(NOPORTDOCS)
 	@${MKDIR} ${DOCSDIR}
-.for i in README INSTALL TODO
+.for i in ${PORTDOCS}
 	@${INSTALL_DATA} ${WRKSRC}/$i ${DOCSDIR}
 .endfor
+	@${ECHO_MSG} ""
+	@${ECHO_MSG} "For information on several potential security concerns,"
+	@${ECHO_MSG} "please read:"
+	@${ECHO_MSG} "${DOCSDIR}/SECURITY"
+	@${ECHO_MSG} ""
 .endif
 
 .include <bsd.port.post.mk>
diff --git a/shells/scponly/files/patch-SECURITY b/shells/scponly/files/patch-SECURITY
new file mode 100644
index 000000000000..89da8df8e0ce
--- /dev/null
+++ b/shells/scponly/files/patch-SECURITY
@@ -0,0 +1,32 @@
+--- SECURITY.orig	2010-12-10 15:03:24.950162769 -0800
++++ SECURITY	2010-12-10 15:03:31.669374009 -0800
+@@ -28,6 +28,10 @@
+ 
+ 	  svn, svnserve, rsync, and unison
+ 
++	  Note specifically that rsync uses popt for parsing command line arguments
++	  and popt explicitly checks /etc/popt and $HOME/.popt for aliases. Thus,
++	  users can likely bypass argument checking for rsync.
++
+ 4) Make sure that all files required for the chroot have the IMMUTABLE and
+    UNDELETABLE bits set.  Other bits might also be prudent. See: man 1 chattr.
+ 
+@@ -39,13 +43,16 @@
+    ~/.ssh, ~/.unison, ~/.subversion
+ 
+    NOTE: depending on file permissions in the above, ssh, unison, and
+-   subversion may not work correctly.
++   subversion may not work correctly.  Also note that the location of the
++   above directories is sometimes system dependent, so please check the
++   documentation specific to your system.
+ 
+ 7) Make sure that every directory the users have write permissions to are
+    on a filesystem that is mounted NODEV, NOEXEC.  Eg. Make sure that they
+    cannot execute files that they have permissions to upload.  They should
+    also not need permissions to create any devices.  If the user can't execute
+-   any files that he has access to upload, then you need not worry about the
++   any files that he has access to upload and the executable files on the
++   system are not considered harmful, then you need not worry about the
+    security problems referencing svn/svnserve above!
+ 
+ 8) Monitor your logs!  If you start to see something funny, odd, or strange in
diff --git a/shells/scponly/pkg-plist b/shells/scponly/pkg-plist
index 8a95a3ae36c5..cc6d791f6921 100644
--- a/shells/scponly/pkg-plist
+++ b/shells/scponly/pkg-plist
@@ -1,15 +1,20 @@
 bin/scponly
 @exec echo "Updating /etc/shells"; cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak; echo %D/%F) >/etc/shells; rm -f /etc/shells.bak
 @unexec echo "Updating /etc/shells"; cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak) >/etc/shells; rm -f /etc/shells.bak
+%%SCPONLY_CHROOT%%@exec echo ""
+%%SCPONLY_CHROOT%%@exec echo "To setup chroot cage, run the following commands:"
+%%SCPONLY_CHROOT%%@exec echo "  1) cd %%PREFIX%%/%%EXAMPLESDIR%%/ && /bin/sh setup_chroot.sh"
+%%SCPONLY_CHROOT%%@exec echo "  2) Set scponlyc_enable=\"YES\" in /etc/rc.conf"
+%%SCPONLY_CHROOT%%@exec echo "  3) Run %%PREFIX%%/etc/rc.d/scponly start"
+%%PORTDOCS%%@exec echo ""
+%%PORTDOCS%%@exec echo "For information on several potential security concerns,"
+%%PORTDOCS%%@exec echo "please read:"
+%%PORTDOCS%%@exec echo "%%PREFIX%%/%%DOCSDIR%%/SECURITY"
 %%SCPONLY_CHROOT%%sbin/scponlyc
 %%SCPONLY_CHROOT%%@exec cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak; echo %D/%F) >/etc/shells; rm -f /etc/shells.bak
 %%SCPONLY_CHROOT%%@unexec cp /etc/shells /etc/shells.bak; (grep -v %D/%F /etc/shells.bak) >/etc/shells; rm -f /etc/shells.bak
 %%SCPONLY_CHROOT%%%%EXAMPLESDIR%%/setup_chroot.sh
 %%SCPONLY_CHROOT%%%%EXAMPLESDIR%%/config.h
 etc/scponly/debuglevel
-%%PORTDOCS%%%%DOCSDIR%%/README
-%%PORTDOCS%%%%DOCSDIR%%/INSTALL
-%%PORTDOCS%%%%DOCSDIR%%/TODO
 @dirrm etc/scponly
-%%PORTDOCS%%@dirrm %%DOCSDIR%%
 %%SCPONLY_CHROOT%%@dirrm %%EXAMPLESDIR%%