From 2867e8fae79a8167c8b718adfb5f1449c3b7eb6a Mon Sep 17 00:00:00 2001
From: Sergey Matveychuk
Date: Tue, 17 Aug 2004 05:29:01 +0000
Subject: * Uses WWWOWN and WWWGRP. * Changes tweaks to CGIWRAP_ALLOWFILE and CGIWRAP_DENYFILE. * Add optional ability to build without some features. * Adds CGIWRAP_DEBUG, which adds support for the cgiwrapd/nph-cgiwrapd binaries. * Proper/secure permissions on the binaries. * Another cosmetic changes. * Pass maintainership to submitter. PR: ports/70106 Submitted by: Jeremy Chadwick
---
www/cgiwrap/Makefile | 109 +++++++++++++++++++++++++++++++++---------------
www/cgiwrap/pkg-descr | 3 --
www/cgiwrap/pkg-message | 12 ++----
www/cgiwrap/pkg-plist | 4 +-
4 files changed, 82 insertions(+), 46 deletions(-)
(limited to 'www')
diff --git a/www/cgiwrap/Makefile b/www/cgiwrap/Makefile
index 4c3444ec7f7c..0e89401eb7ab 100644
--- a/www/cgiwrap/Makefile
+++ b/www/cgiwrap/Makefile
@@ -7,56 +7,99 @@ PORTNAME= cgiwrap PORTVERSION= 3.9 +PORTREVISION= 1 CATEGORIES= www security MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} -MAINTAINER= jre@vineyard.net +MAINTAINER= freebsd@jdc.parodius.com COMMENT= Securely execute ~user CGI scripts GNU_CONFIGURE= yes -CONFIGURE_ARGS= --with-httpd-user=${HTTPDUSER} \ +CONFIGURE_ARGS= --with-httpd-user=${WWWOWN} \ + --with-install-group=${WWWGRP} \ --with-install-dir=${MAINCGIDIR} \ - --with-install-group=${BINGRP} \ - --with-cgi-dir=${CGIDIR} \ - --with-allow-file=${ALLOWFILE} \ - --with-deny-file=${DENYFILE} \ - ${WITHOUTCHECK} + --with-cgi-dir=${CGIWRAP_CGIDIR} \ + --with-local-contact=${CGIWRAP_CONTACT} \ + --with-allow-file=${CGIWRAP_ALLOWFILE} \ + --with-deny-file=${CGIWRAP_DENYFILE} -### +# # Set this to the directory (relative to each user's home) where CGI -# scripts will be found. (Another common value is "www/cgi-bin".) -### -CGIDIR?= public_html/cgi-bin -### -# The default security settings are very tight; enable one or more -# of these to loosen them. Run "configure -help" for information on -# these and other options. -### -#WITHOUTCHECK?= --without-check-owner --without-check-setuid \ -# --without-check-group --without-check-setgid \ -# --without-check-group-writable \ -# --without-check-world-writable -### -# Use these options for Apache: -### +# scripts will be found. Common alternate values are "www/cgi-bin" +# (a.k.a. ~user/www/cgi-bin) and "cgi-bin" (a.k.a. ~user/cgi-bin) +# +CGIWRAP_CGIDIR?= public_html/cgi-bin + +# +# MAINCGIDIR is the directory the cgiwrap binaries get installed to. +# MAINCGIDIR?= ${PREFIX}/www/cgi-bin -HTTPDUSER?= www -### + +# # The allow and deny files control access to cgiwrap. +# +CGIWRAP_ALLOWFILE?= ${PREFIX}/etc/${PORTNAME}.allow +CGIWRAP_DENYFILE?= ${PREFIX}/etc/${PORTNAME}.deny + +# +# Set the contact Email address. 
+# +CGIWRAP_CONTACT?= webmaster@dummy-host.example.com + +# +# Define CGIWRAP_LOGGING and specify where you want the logfile. +# +.if defined(CGIWRAP_LOGGING) +CONFIGURE_ARGS+= --with-logging-file=${CGIWRAP_LOGGING} +.endif + +# +# Some users enjoy being able to debug their own CGI scripts, since +# the standard "Internal server error" response doesn't help much. +# Administrators may find this useful as well. See the cgiwrap +# documentation for details on how to use this. +# +.if defined(CGIWRAP_DEBUG) +PLIST_SUB+= CGIWRAPDFLAG= +.else +PLIST_SUB+= CGIWRAPDFLAG="@comment " +.endif + +# +# A slew of --without-* configure flags exist for cgiwrap. You +# should refer to the cgiwrap documentation for details regarding +# what these do, and when (if) they're necessary. +# ### -ALLOWFILE?= ${PREFIX}/etc/${PORTNAME}.allow -DENYFILE?= ${PREFIX}/etc/${PORTNAME}.deny +.if defined(CGIWRAP_WITHOUT_CHECK_OWNER) +CONFIGURE_ARGS+= --without-check-owner +.endif +.if defined(CGIWRAP_WITHOUT_CHECK_GROUP) +CONFIGURE_ARGS+= --without-check-group +.endif +.if defined(CGIWRAP_WITHOUT_CHECK_SETUID) +CONFIGURE_ARGS+= --without-check-setuid +.endif +.if defined(CGIWRAP_WITHOUT_CHECK_SETGID) +CONFIGURE_ARGS+= --without-check-setgid +.endif +.if defined(CGIWRAP_WITHOUT_CHECK_GROUP_WRITABLE) +CONFIGURE_ARGS+= --without-check-group-writable +.endif +.if defined(CGIWRAP_WITHOUT_CHECK_WORLD_WRITABLE) +CONFIGURE_ARGS+= --without-check-world-writable +.endif pre-install: @${MKDIR} ${MAINCGIDIR} post-install: - ${STRIP_CMD} ${MAINCGIDIR}/cgiwrap - ${RM} ${MAINCGIDIR}/cgiwrapd ${MAINCGIDIR}/nph-cgiwrapd - ${CP} ${MAINCGIDIR}/cgiwrap ${MAINCGIDIR}/cgiwrapd - ${LN} ${MAINCGIDIR}/cgiwrapd ${MAINCGIDIR}/nph-cgiwrapd - ${CHMOD} 644 ${MAINCGIDIR}/cgiwrapd + @${STRIP_CMD} ${MAINCGIDIR}/cgiwrap + @${CHMOD} 4550 ${MAINCGIDIR}/cgiwrap +.if !defined(CGIWRAP_WITH_DEBUG) + @${RM} ${MAINCGIDIR}/cgiwrapd ${MAINCGIDIR}/nph-cgiwrapd +.endif .if !defined(NOPORTDOCS) @${MKDIR} ${DOCSDIR} .for file in 
accesscontrol.html afs.html changes.html chroot.html \ @@ -68,6 +111,6 @@ post-install: .endfor @${ECHO} "Documentation installed in ${DOCSDIR}" .endif - @${CAT} ${PKGMESSAGE} + @${CAT} ${PKGMESSAGE} | ${SED} -e's#%%PREFIX%%#${PREFIX}#g' .include diff --git a/www/cgiwrap/pkg-descr b/www/cgiwrap/pkg-descr index 4d6e2c28101c..239b326a78c8 100644 --- a/www/cgiwrap/pkg-descr +++ b/www/cgiwrap/pkg-descr @@ -9,6 +9,3 @@ and Communications servers, and probably any other Unix based web server software that supports CGI. WWW: http://cgiwrap.sourceforge.net/ - -- Pete -petef@databits.net diff --git a/www/cgiwrap/pkg-message b/www/cgiwrap/pkg-message index cc9557fe7320..b1d9d6e0c10c 100644 --- a/www/cgiwrap/pkg-message +++ b/www/cgiwrap/pkg-message @@ -6,14 +6,10 @@ a depend. If you are unsure of which webserver to use, it is recommended to try the Apache web server package. The cgiwrap scripts have been installed in: - ${PREFIX}/www/cgi-bin + %%PREFIX%%/www/cgi-bin ...the default location for Apache's cgi-bin directory. -The cgiwrapd and nph-cgiwrapd scripts are disabled by default, as they -may give away sensitive information about the CGI environment. To -enable them, you must chmod 4755 ${PREFIX}/www/cgi-bin/cgiwrapd - -Access control enabled, you must create either -${PREFIX}/etc/cgiwrap.allow or ${PREFIX}/etc/cgiwrap.deny before -cgiwrap will function. +If cgiwrap's allow/deny control is enabled, you must create either +%%PREFIX%%/etc/cgiwrap.allow and/or %%PREFIX%%/etc/cgiwrap.deny +before cgiwrap will function. ----------------------------------------------------------------- diff --git a/www/cgiwrap/pkg-plist b/www/cgiwrap/pkg-plist index 08221bfbc6e2..5ceb10ea2903 100644 --- a/www/cgiwrap/pkg-plist +++ b/www/cgiwrap/pkg-plist 
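Review bot: The debug knob is spelled two ways in this hunk: `PLIST_SUB` is keyed on `CGIWRAP_DEBUG`, but the post-install cleanup tests `.if !defined(CGIWRAP_WITH_DEBUG)`. Building with `CGIWRAP_DEBUG` set lists cgiwrapd/nph-cgiwrapd in the plist (the `%%CGIWRAPDFLAG%%` lines in the pkg-plist hunk) and then deletes them, while setting only `CGIWRAP_WITH_DEBUG` leaves both debug binaries in `${MAINCGIDIR}` unregistered, so they would survive deinstall. The guard should read `.if !defined(CGIWRAP_DEBUG)`. When the debug binaries are kept, only `cgiwrap` gets `${CHMOD} 4550`; presumably cgiwrapd keeps whatever mode the upstream install step gave it, so an `.else` branch with `@${CHMOD} 4550 ${MAINCGIDIR}/cgiwrapd` would match the commit's stated goal of secure permissions, which is worth confirming against the upstream install target, not visible here. The post-install target continues past the end of this hunk.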
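Review bot: The `%%PREFIX%%` substitution on the `${CAT} ${PKGMESSAGE} | ${SED}` line only changes what is printed during post-install; the pkg-message file itself still carries the literal placeholder. Anything else that displays that file (presumably a binary package install) would show `%%PREFIX%%/etc/cgiwrap.allow` rather than the real path of the access-control files the administrator has to create. Consider generating a substituted copy of the message and pointing `PKGMESSAGE` at it. In any case the pipe can be dropped: `@${SED} -e 's#%%PREFIX%%#${PREFIX}#g' ${PKGMESSAGE}`. The post-install target begins in the previous hunk.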
@@ -18,8 +18,8 @@
 %%PORTDOCS%%%%DOCSDIR%%/tricks.html
 %%PORTDOCS%%%%DOCSDIR%%/y2k.html
 www/cgi-bin/cgiwrap
-www/cgi-bin/cgiwrapd
+%%CGIWRAPDFLAG%%www/cgi-bin/cgiwrapd
 www/cgi-bin/nph-cgiwrap
-www/cgi-bin/nph-cgiwrapd
+%%CGIWRAPDFLAG%%www/cgi-bin/nph-cgiwrapd
 @unexec rmdir %D/www/cgi-bin 2>/dev/null || true
 %%PORTDOCS%%@dirrm %%DOCSDIR%%
-- 
cgit v1.2.3