commit: e3a9968929b0dbb164a56bcb18db0a5a86839a78 Author: Hank Leininger <hlein <AT> korelogic <DOT> com> AuthorDate: Sat May 25 17:44:57 2024 +0000 Commit: Joonas Niilola <juippis <AT> gentoo <DOT> org> CommitDate: Wed Jul 3 13:26:37 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3a99689
net-proxy/squid: add 6.9 Fix some gcc-14 compilation issues, add upstream memleak fix patch, init script & logrotate/cron fixes. Closes: https://bugs.gentoo.org/932742 Closes: https://bugs.gentoo.org/931123 Closes: https://bugs.gentoo.org/932744 Closes: https://bugs.gentoo.org/932750 Signed-off-by: Hank Leininger <hlein <AT> korelogic.com> Closes: https://github.com/gentoo/gentoo/pull/36815 Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org> net-proxy/squid/Manifest | 2 + net-proxy/squid/files/squid-6.9-memleak_fix.patch | 563 ++++++++++++++++++++++ net-proxy/squid/files/squid.cron-r1 | 15 + net-proxy/squid/files/squid.initd-r7 | 133 +++++ net-proxy/squid/files/squid.logrotate-r1 | 11 + net-proxy/squid/squid-6.9.ebuild | 391 +++++++++++++++ 6 files changed, 1115 insertions(+) diff --git a/net-proxy/squid/Manifest b/net-proxy/squid/Manifest index 320eecdf2f0e..e577ed2f01bb 100644 --- a/net-proxy/squid/Manifest +++ b/net-proxy/squid/Manifest @@ -2,3 +2,5 @@ DIST squid-6.6.tar.xz 2554824 BLAKE2B 7c3c96f5cd5f819f6f020fb3e63ee8d9bb26b7fb4f DIST squid-6.6.tar.xz.asc 1193 BLAKE2B c37a400c51c30de35c6fe52123389c134d05670a36b1ffae4d67e7d06981bbf94788343daf2fdeafb782d464a977ee31bc601e3b1b92b45cd40ba6a6725b9a16 SHA512 08550569759c403a1a9747d08ea7055751fbf251355691074f6d09baca76a0987c5dff36e1f01b64edd446d568c7244b14124f6f8a1b19ccfc30293eed83a297 DIST squid-6.7.tar.xz 2427468 BLAKE2B 0cd892213085326d1f4cc065778d95d74c03edaaf98b839b4422397fdcd449716b022e74adcbac636ca98e9d5c45a8f7aa156c3edc9f306fb13fc5cc21125dd6 SHA512 6221437056c600119fe9ff1ceeeaa9955cf9f21df481ad29a3515f8439a41b779d51f37b820b75641d0d4d6de54554f6f924dbd347834bf4a6ad6b5b317084a0 DIST squid-6.7.tar.xz.asc 646 BLAKE2B 6d4e6075b261f54269577fc31b28e7cb74b835c851741542c322b226d29325128cdbaadd156070e9fe6c5af5c33149c78f71b01272934a62676e08f3f75f8628 SHA512 4a1f9d123ce6b5a600d9d2dd3af95a7ce98bfe28ba42d1281ab1f3d7f220f8738a4320afb85eeba1bf9d31e722ffaccd2d89cbefcd11e6b6ea31fe237ccf9a8c +DIST squid-6.9.tar.xz 2557992 BLAKE2B cac10d3a16fe31a9becfcd0fc278413d53c52285cdca9ece897ca4e3a0e50806e186960091f9050243180996382c6b5209360d9fff249d26b20d1e529285a038 SHA512 2666551caca39fa6ca49b56b537645dd043ee0c99b805c433cf714172e6062590fd6ed942043df1a3b543f30c039f3ab701493187dc6a0a4a8311217417c366e +DIST squid-6.9.tar.xz.asc 646 BLAKE2B fafa49d40af849103d04c0f07e19e5b9007306ba0f85bcabed761b53f94015aefc65ec2035963c95fd938cb04dfdb878363fcf5150a06889b563fa48922ef289 SHA512 ccd053476e91544bf797cf38a7e57acdc1c02c1edb2804230f061d9b24abbbd2e06abbaaa0fe2b209951631c0369510f60f0b7137fe950f3ccf59e8a212bc0fa diff --git a/net-proxy/squid/files/squid-6.9-memleak_fix.patch b/net-proxy/squid/files/squid-6.9-memleak_fix.patch new file mode 100644 index 000000000000..797489ac4136 --- /dev/null +++ b/net-proxy/squid/files/squid-6.9-memleak_fix.patch @@ -0,0 +1,563 @@ +Backport of fixes in master/v7 + +https://bugs.squid-cache.org/show_bug.cgi?id=5322 +https://bugs.squid-cache.org/attachment.cgi?id=3891 +diff -aurN a/src/AclRegs.cc b/src/AclRegs.cc +--- a/src/AclRegs.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/AclRegs.cc 2024-05-02 14:39:02.842264552 +0300 +@@ -130,8 +130,8 @@ + RegisterMaker("dstdom_regex", [](TypeName name)->ACL* { return new ACLStrategised<char const *>(new ACLRegexData, new ACLDestinationDomainStrategy, name); }); + RegisterMaker("dst", [](TypeName)->ACL* { return new ACLDestinationIP; }); // XXX: Add name parameter to ctor + RegisterMaker("hier_code", [](TypeName name)->ACL* { return new ACLStrategised<hier_code>(new ACLHierCodeData, new ACLHierCodeStrategy, name); }); +- RegisterMaker("rep_header", [](TypeName name)->ACL* { return new ACLStrategised<HttpHeader*>(new ACLHTTPHeaderData, new ACLHTTPRepHeaderStrategy, name); }); +- RegisterMaker("req_header", [](TypeName name)->ACL* { return new ACLStrategised<HttpHeader*>(new ACLHTTPHeaderData, new ACLHTTPReqHeaderStrategy, name); }); ++ RegisterMaker("rep_header", [](TypeName name)->ACL* { return new ACLStrategised<const HttpHeader &>(new ACLHTTPHeaderData, new ACLHTTPRepHeaderStrategy, name); }); ++ RegisterMaker("req_header", [](TypeName name)->ACL* { return new ACLStrategised<const HttpHeader &>(new ACLHTTPHeaderData, new ACLHTTPReqHeaderStrategy, name); }); + RegisterMaker("http_status", [](TypeName name)->ACL* { return new ACLHTTPStatus(name); }); + RegisterMaker("maxconn", [](TypeName name)->ACL* { return new ACLMaxConnection(name); }); + RegisterMaker("method", [](TypeName name)->ACL* { return new ACLStrategised<HttpRequestMethod>(new ACLMethodData, new ACLMethodStrategy, name); }); +diff -aurN a/src/DelayId.cc b/src/DelayId.cc +--- a/src/DelayId.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/DelayId.cc 2024-05-02 13:14:06.529560559 +0300 +@@ -87,10 +87,7 @@ + + ACLFilledChecklist ch(DelayPools::delay_data[pool].access, r, nullptr); + clientAclChecklistFill(ch, http); +- if (!ch.reply && reply) { +- ch.reply = reply; +- HTTPMSGLOCK(reply); +- } ++ ch.updateReply(reply); + // overwrite ACLFilledChecklist acl_uses_indirect_client-based decision + #if FOLLOW_X_FORWARDED_FOR + if (Config.onoff.delay_pool_uses_indirect_client) +diff -aurN a/src/HttpHeaderTools.cc b/src/HttpHeaderTools.cc +--- a/src/HttpHeaderTools.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/HttpHeaderTools.cc 2024-05-02 13:15:05.133567028 +0300 +@@ -289,11 +289,7 @@ + + ACLFilledChecklist checklist(hm->access_list, request, nullptr); + +- checklist.al = al; +- if (al && al->reply) { +- checklist.reply = al->reply.getRaw(); +- HTTPMSGLOCK(checklist.reply); +- } ++ checklist.updateAle(al); + + // XXX: The two "It was denied" clauses below mishandle cases with no + // matching rules, violating the "If no rules within the set have matching +@@ -489,11 +485,7 @@ + { + ACLFilledChecklist checklist(nullptr, request, nullptr); + +- checklist.al = al; +- if (al && al->reply) { +- checklist.reply = al->reply.getRaw(); +- HTTPMSGLOCK(checklist.reply); +- } ++ checklist.updateAle(al); + + for (HeaderWithAclList::const_iterator hwa = headersAdd.begin(); hwa != headersAdd.end(); ++hwa) { + if (!hwa->aclList || checklist.fastCheck(hwa->aclList).allowed()) { +diff -aurN a/src/HttpReply.cc b/src/HttpReply.cc +--- a/src/HttpReply.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/HttpReply.cc 2024-05-02 13:15:39.572584896 +0300 +@@ -596,8 +596,7 @@ + + ACLFilledChecklist ch(nullptr, &request, nullptr); + // XXX: cont-cast becomes irrelevant when checklist is HttpReply::Pointer +- ch.reply = const_cast<HttpReply *>(this); +- HTTPMSGLOCK(ch.reply); ++ ch.updateReply(this); + for (AclSizeLimit *l = Config.ReplyBodySize; l; l = l -> next) { + /* if there is no ACL list or if the ACLs listed match use this size value */ + if (!l->aclList || ch.fastCheck(l->aclList).allowed()) { +diff -aurN a/src/Notes.cc b/src/Notes.cc +--- a/src/Notes.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/Notes.cc 2024-05-02 13:54:09.664336645 +0300 +@@ -70,11 +70,9 @@ + Note::match(HttpRequest *request, HttpReply *reply, const AccessLogEntry::Pointer &al, SBuf &matched) + { + ACLFilledChecklist ch(nullptr, request, nullptr); +- ch.al = al; +- ch.reply = reply; ++ ch.updateAle(al); ++ ch.updateReply(reply); + ch.syncAle(request, nullptr); +- if (reply) +- HTTPMSGLOCK(ch.reply); + + for (const auto &v: values) { + assert(v->aclList); +diff -aurN a/src/acl/ConnectionsEncrypted.cc b/src/acl/ConnectionsEncrypted.cc +--- a/src/acl/ConnectionsEncrypted.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/acl/ConnectionsEncrypted.cc 2024-05-02 14:11:23.059165031 +0300 +@@ -55,8 +55,8 @@ + + const bool safeRequest = + !(filled->request->sources & Http::Message::srcUnsafe); +- const bool safeReply = !filled->reply || +- !(filled->reply->sources & Http::Message::srcUnsafe); ++ const bool safeReply = !filled->hasReply() || ++ !(filled->reply().sources & Http::Message::srcUnsafe); + + return (safeRequest && safeReply) ? 1 : 0; + } +diff -aurN a/src/acl/FilledChecklist.cc b/src/acl/FilledChecklist.cc +--- a/src/acl/FilledChecklist.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/acl/FilledChecklist.cc 2024-05-02 14:07:41.297685699 +0300 +@@ -27,7 +27,6 @@ + ACLFilledChecklist::ACLFilledChecklist() : + dst_rdns(nullptr), + request (nullptr), +- reply (nullptr), + #if USE_AUTH + auth_user_request (nullptr), + #endif +@@ -54,8 +53,6 @@ + + HTTPMSGUNLOCK(request); + +- HTTPMSGUNLOCK(reply); +- + cbdataReferenceDone(conn_); + + debugs(28, 4, "ACLFilledChecklist destroyed " << this); +@@ -107,9 +104,9 @@ + } + } + +- if (reply && !al->reply) { ++ if (hasReply() && !al->reply) { + showDebugWarning("HttpReply object"); +- al->reply = reply; ++ al->reply = reply_; + } + + #if USE_IDENT +@@ -214,7 +211,6 @@ + ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_request, const char *ident): + dst_rdns(nullptr), + request(nullptr), +- reply(nullptr), + #if USE_AUTH + auth_user_request(nullptr), + #endif +@@ -268,3 +264,21 @@ + #endif + } + ++void ++ACLFilledChecklist::updateAle(const AccessLogEntry::Pointer &a) ++{ ++ if (!a) ++ return; ++ ++ al = a; // could have been set already (to a different value) ++ if (!request) ++ setRequest(a->request); ++ updateReply(a->reply); ++} ++ ++void ++ACLFilledChecklist::updateReply(const HttpReply::Pointer &r) ++{ ++ if (r) ++ reply_ = r; // may already be set, including to r ++} +diff -aurN a/src/acl/FilledChecklist.h b/src/acl/FilledChecklist.h +--- a/src/acl/FilledChecklist.h 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/acl/FilledChecklist.h 2024-05-02 13:45:57.773923228 +0300 +@@ -14,6 +14,8 @@ + #include "acl/forward.h" + #include "base/CbcPointer.h" + #include "error/forward.h" ++#include "HttpReply.h" ++#include "HttpRequest.h" + #include "ip/Address.h" + #if USE_AUTH + #include "auth/UserRequest.h" +@@ -42,6 +44,7 @@ + void setRequest(HttpRequest *); + /// configure rfc931 user identity for the first time + void setIdent(const char *userIdentity); ++ void updateAle(const AccessLogEntry::Pointer &); + + public: + /// The client connection manager +@@ -57,6 +60,14 @@ + + //int authenticated(); + ++ /// response added by updateReply() ++ /// \prec hasReply() ++ const HttpReply &reply() const { return *reply_; } ++ ++ /// Remembers the given response (if it is not nil) or does nothing ++ /// (otherwise). ++ void updateReply(const HttpReply::Pointer &); ++ + bool destinationDomainChecked() const; + void markDestinationDomainChecked(); + bool sourceDomainChecked() const; +@@ -64,7 +75,7 @@ + + // ACLChecklist API + bool hasRequest() const override { return request != nullptr; } +- bool hasReply() const override { return reply != nullptr; } ++ bool hasReply() const override { return reply_ != nullptr; } + bool hasAle() const override { return al != nullptr; } + void syncAle(HttpRequest *adaptedRequest, const char *logUri) const override; + void verifyAle() const override; +@@ -77,7 +88,6 @@ + char *dst_rdns; + + HttpRequest *request; +- HttpReply *reply; + + char rfc931[USER_IDENT_SZ]; + #if USE_AUTH +@@ -108,6 +118,9 @@ + private: + ConnStateData * conn_; /**< hack for ident and NTLM */ + int fd_; /**< may be available when conn_ is not */ ++ ++ HttpReply::Pointer reply_; ///< response added by updateReply() or nil ++ + bool destinationDomainChecked_; + bool sourceDomainChecked_; + /// not implemented; will cause link failures if used +diff -aurN a/src/acl/HttpHeaderData.cc b/src/acl/HttpHeaderData.cc +--- a/src/acl/HttpHeaderData.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/acl/HttpHeaderData.cc 2024-05-02 13:39:44.260625713 +0300 +@@ -36,20 +36,18 @@ + } + + bool +-ACLHTTPHeaderData::match(HttpHeader* hdr) ++ACLHTTPHeaderData::match(const HttpHeader &hdr) + { +- if (hdr == nullptr) +- return false; + + debugs(28, 3, "aclHeaderData::match: checking '" << hdrName << "'"); + + String value; + if (hdrId != Http::HdrType::BAD_HDR) { +- if (!hdr->has(hdrId)) ++ if (!hdr.has(hdrId)) + return false; +- value = hdr->getStrOrList(hdrId); ++ value = hdr.getStrOrList(hdrId); + } else { +- if (!hdr->hasNamed(hdrName, &value)) ++ if (!hdr.hasNamed(hdrName, &value)) + return false; + } + +diff -aurN a/src/acl/HttpHeaderData.h b/src/acl/HttpHeaderData.h +--- a/src/acl/HttpHeaderData.h 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/acl/HttpHeaderData.h 2024-05-02 13:40:26.326492200 +0300 +@@ -14,14 +14,14 @@ + #include "sbuf/SBuf.h" + #include "SquidString.h" + +-class ACLHTTPHeaderData : public ACLData<HttpHeader*> ++class ACLHTTPHeaderData: public ACLData<const HttpHeader &> + { + MEMPROXY_CLASS(ACLHTTPHeaderData); + + public: + ACLHTTPHeaderData(); + ~ACLHTTPHeaderData() override; +- bool match(HttpHeader* hdr) override; ++ bool match(const HttpHeader &) override; + SBufList dump() const override; + void parse() override; + bool empty() const override; +diff -aurN a/src/acl/HttpRepHeader.cc b/src/acl/HttpRepHeader.cc +--- a/src/acl/HttpRepHeader.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/acl/HttpRepHeader.cc 2024-05-02 14:22:13.208427916 +0300 +@@ -13,8 +13,9 @@ + #include "HttpReply.h" + + int +-ACLHTTPRepHeaderStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist) ++ACLHTTPRepHeaderStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist * const ch) + { +- return data->match (&checklist->reply->header); ++ const auto checklist = Filled(ch); ++ return data->match(checklist->reply().header); + } + +diff -aurN a/src/acl/HttpRepHeader.h b/src/acl/HttpRepHeader.h +--- a/src/acl/HttpRepHeader.h 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/acl/HttpRepHeader.h 2024-05-02 14:26:12.634833092 +0300 +@@ -14,7 +14,7 @@ + #include "HttpHeader.h" + + /// \ingroup ACLAPI +-class ACLHTTPRepHeaderStrategy : public ACLStrategy<HttpHeader*> ++class ACLHTTPRepHeaderStrategy : public ACLStrategy<const HttpHeader &> + { + + public: +diff -aurN a/src/acl/HttpReqHeader.cc b/src/acl/HttpReqHeader.cc +--- a/src/acl/HttpReqHeader.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/acl/HttpReqHeader.cc 2024-05-02 14:22:47.381726897 +0300 +@@ -13,8 +13,9 @@ + #include "HttpRequest.h" + + int +-ACLHTTPReqHeaderStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist) ++ACLHTTPReqHeaderStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist * const ch) + { +- return data->match (&checklist->request->header); ++ const auto checklist = Filled(ch); ++ return data->match (checklist->request->header); + } + +diff -aurN a/src/acl/HttpReqHeader.h b/src/acl/HttpReqHeader.h +--- a/src/acl/HttpReqHeader.h 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/acl/HttpReqHeader.h 2024-05-02 14:26:59.730191970 +0300 +@@ -13,7 +13,7 @@ + #include "HttpHeader.h" + + /// \ingroup ACLAPI +-class ACLHTTPReqHeaderStrategy : public ACLStrategy<HttpHeader*> ++class ACLHTTPReqHeaderStrategy : public ACLStrategy<const HttpHeader &> + { + + public: +diff -aurN a/src/acl/HttpStatus.cc b/src/acl/HttpStatus.cc +--- a/src/acl/HttpStatus.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/acl/HttpStatus.cc 2024-05-02 13:48:12.200714068 +0300 +@@ -116,7 +116,7 @@ + int + ACLHTTPStatus::match(ACLChecklist *checklist) + { +- return aclMatchHTTPStatus(&data, Filled(checklist)->reply->sline.status()); ++ return aclMatchHTTPStatus(&data, Filled(checklist)->reply().sline.status()); + } + + int +diff -aurN a/src/acl/ReplyHeaderStrategy.h b/src/acl/ReplyHeaderStrategy.h +--- a/src/acl/ReplyHeaderStrategy.h 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/acl/ReplyHeaderStrategy.h 2024-05-02 13:48:40.981219348 +0300 +@@ -28,7 +28,7 @@ + int + ACLReplyHeaderStrategy<header>::match (ACLData<char const *> * &data, ACLFilledChecklist *checklist) + { +- char const *theHeader = checklist->reply->header.getStr(header); ++ char const *theHeader = checklist->reply().header.getStr(header); + + if (nullptr == theHeader) + return 0; +diff -aurN a/src/acl/ReplyMimeType.h b/src/acl/ReplyMimeType.h +--- a/src/acl/ReplyMimeType.h 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/acl/ReplyMimeType.h 2024-05-02 13:51:50.684699376 +0300 +@@ -19,7 +19,8 @@ + inline int + ACLReplyHeaderStrategy<Http::HdrType::CONTENT_TYPE>::match(ACLData<char const *> * &data, ACLFilledChecklist *checklist) + { +- char const *theHeader = checklist->reply->header.getStr(Http::HdrType::CONTENT_TYPE); ++ char const *theHeader = checklist->reply().header.getStr(Http::HdrType::CONTENT_TYPE); ++ + + if (nullptr == theHeader) + theHeader = ""; +diff -aurN a/src/adaptation/AccessCheck.cc b/src/adaptation/AccessCheck.cc +--- a/src/adaptation/AccessCheck.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/adaptation/AccessCheck.cc 2024-05-02 13:56:05.309606789 +0300 +@@ -131,9 +131,8 @@ + /* BUG 2526: what to do when r->acl is empty?? */ + // XXX: we do not have access to conn->rfc931 here. + acl_checklist = new ACLFilledChecklist(r->acl, filter.request, dash_str); +- if ((acl_checklist->reply = filter.reply)) +- HTTPMSGLOCK(acl_checklist->reply); +- acl_checklist->al = filter.al; ++ acl_checklist->updateAle(filter.al); ++ acl_checklist->updateReply(filter.reply); + acl_checklist->syncAle(filter.request, nullptr); + acl_checklist->nonBlockingCheck(AccessCheckCallbackWrapper, this); + return; +diff -aurN a/src/adaptation/icap/Launcher.cc b/src/adaptation/icap/Launcher.cc +--- a/src/adaptation/icap/Launcher.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/adaptation/icap/Launcher.cc 2024-05-02 13:25:41.483439412 +0300 +@@ -142,8 +142,7 @@ + + ACLFilledChecklist *cl = + new ACLFilledChecklist(TheConfig.repeat, info.icapRequest, dash_str); +- cl->reply = info.icapReply; +- HTTPMSGLOCK(cl->reply); ++ cl->updateReply(info.icapReply); + + bool result = cl->fastCheck().allowed(); + delete cl; +diff -aurN a/src/adaptation/icap/icap_log.cc b/src/adaptation/icap/icap_log.cc +--- a/src/adaptation/icap/icap_log.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/adaptation/icap/icap_log.cc 2024-05-02 13:26:09.810655898 +0300 +@@ -61,10 +61,7 @@ + { + if (IcapLogfileStatus == LOG_ENABLE) { + ACLFilledChecklist checklist(nullptr, al->adapted_request, nullptr); +- if (al->reply) { +- checklist.reply = al->reply.getRaw(); +- HTTPMSGLOCK(checklist.reply); +- } ++ checklist.updateAle(al); + accessLogLogTo(Config.Log.icaplogs, al, &checklist); + } + } +diff -aurN a/src/auth/UserRequest.cc b/src/auth/UserRequest.cc +--- a/src/auth/UserRequest.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/auth/UserRequest.cc 2024-05-02 13:26:56.382746257 +0300 +@@ -466,8 +466,7 @@ + { + if (!Auth::TheConfig.schemeLists.empty() && Auth::TheConfig.schemeAccess) { + ACLFilledChecklist ch(nullptr, request, nullptr); +- ch.reply = rep; +- HTTPMSGLOCK(ch.reply); ++ ch.updateReply(rep); + const auto answer = ch.fastCheck(Auth::TheConfig.schemeAccess); + if (answer.allowed()) + return Auth::TheConfig.schemeLists.at(answer.kind).authConfigs; +diff -aurN a/src/client_side.cc b/src/client_side.cc +--- a/src/client_side.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/client_side.cc 2024-05-02 13:32:24.247196027 +0300 +@@ -446,31 +446,19 @@ + } + // The al->notes and request->notes must point to the same object. + al->syncNotes(request); +- } +- +- ACLFilledChecklist checklist(nullptr, request, nullptr); +- if (al->reply) { +- checklist.reply = al->reply.getRaw(); +- HTTPMSGLOCK(checklist.reply); +- } +- +- if (request) { + HTTPMSGUNLOCK(al->adapted_request); + al->adapted_request = request; + HTTPMSGLOCK(al->adapted_request); + } ++ ACLFilledChecklist checklist(nullptr, request, nullptr); ++ checklist.updateAle(al); + // no need checklist.syncAle(): already synced +- checklist.al = al; + accessLogLog(al, &checklist); + + bool updatePerformanceCounters = true; + if (Config.accessList.stats_collection) { + ACLFilledChecklist statsCheck(Config.accessList.stats_collection, request, nullptr); +- statsCheck.al = al; +- if (al->reply) { +- statsCheck.reply = al->reply.getRaw(); +- HTTPMSGLOCK(statsCheck.reply); +- } ++ statsCheck.updateAle(al); + updatePerformanceCounters = statsCheck.fastCheck().allowed(); + } + +@@ -3546,12 +3534,8 @@ + checklist.setRequest(http->request); + + if (!checklist.al && http->al) { +- checklist.al = http->al; ++ checklist.updateAle(http->al); + checklist.syncAle(http->request, http->log_uri); +- if (!checklist.reply && http->al->reply) { +- checklist.reply = http->al->reply.getRaw(); +- HTTPMSGLOCK(checklist.reply); +- } + } + + if (const auto conn = http->getConn()) +diff -aurN a/src/client_side_reply.cc b/src/client_side_reply.cc +--- a/src/client_side_reply.cc 2024-05-02 14:48:58.863528254 +0300 ++++ b/src/client_side_reply.cc 2024-05-02 13:33:55.668212735 +0300 +@@ -843,11 +843,9 @@ + if (http->flags.internal) + return false; // internal content "hits" cannot be blocked + +- const auto &rep = http->storeEntry()->mem().freshestReply(); + { + std::unique_ptr<ACLFilledChecklist> chl(clientAclChecklistCreate(Config.accessList.sendHit, http)); +- chl->reply = const_cast<HttpReply*>(&rep); // ACLChecklist API bug +- HTTPMSGLOCK(chl->reply); ++ chl->updateReply(&http->storeEntry()->mem().freshestReply()); + return !chl->fastCheck().allowed(); // when in doubt, block + } + } +@@ -1850,8 +1848,7 @@ + /** Process http_reply_access lists */ + ACLFilledChecklist *replyChecklist = + clientAclChecklistCreate(Config.accessList.reply, http); +- replyChecklist->reply = reply; +- HTTPMSGLOCK(replyChecklist->reply); ++ replyChecklist->updateReply(reply); + replyChecklist->nonBlockingCheck(ProcessReplyAccessResult, this); + } + +diff -aurN a/src/clients/Client.cc b/src/clients/Client.cc +--- a/src/clients/Client.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/clients/Client.cc 2024-05-02 13:56:57.931087748 +0300 +@@ -555,9 +555,8 @@ + // This relatively expensive check is not in StoreEntry::checkCachable: + // That method lacks HttpRequest and may be called too many times. + ACLFilledChecklist ch(acl, originalRequest().getRaw()); +- ch.reply = const_cast<HttpReply*>(&entry->mem().freshestReply()); // ACLFilledChecklist API bug +- HTTPMSGLOCK(ch.reply); +- ch.al = fwd->al; ++ ch.updateAle(fwd->al); ++ ch.updateReply(&entry->mem().freshestReply()); + if (!ch.fastCheck().allowed()) { // when in doubt, block + debugs(20, 3, "store_miss prohibits caching"); + return true; +diff -aurN a/src/http/Stream.cc b/src/http/Stream.cc +--- a/src/http/Stream.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/http/Stream.cc 2024-05-02 13:35:57.062950806 +0300 +@@ -294,8 +294,7 @@ + for (const auto &pool: MessageDelayPools::Instance()->pools) { + if (pool->access) { + std::unique_ptr<ACLFilledChecklist> chl(clientAclChecklistCreate(pool->access, http)); +- chl->reply = rep; +- HTTPMSGLOCK(chl->reply); ++ chl->updateReply(rep); + const auto answer = chl->fastCheck(); + if (answer.allowed()) { + writeQuotaHandler = pool->createBucket(); +diff -aurN a/src/http.cc b/src/http.cc +--- a/src/http.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/http.cc 2024-05-02 13:35:29.522323694 +0300 +@@ -773,10 +773,9 @@ + // check whether the 1xx response forwarding is allowed by squid.conf + if (Config.accessList.reply) { + ACLFilledChecklist ch(Config.accessList.reply, originalRequest().getRaw()); +- ch.al = fwd->al; +- ch.reply = reply; ++ ch.updateAle(fwd->al); ++ ch.updateReply(reply); + ch.syncAle(originalRequest().getRaw(), nullptr); +- HTTPMSGLOCK(ch.reply); + if (!ch.fastCheck().allowed()) // TODO: support slow lookups? + return drop1xx("http_reply_access blocked it"); + } +diff -aurN a/src/neighbors.cc b/src/neighbors.cc +--- a/src/neighbors.cc 2024-04-08 08:02:07.000000000 +0300 ++++ b/src/neighbors.cc 2024-05-02 13:36:27.203322463 +0300 +@@ -170,11 +170,7 @@ + return true; + + ACLFilledChecklist checklist(p->access, request, nullptr); +- checklist.al = ps->al; +- if (ps->al && ps->al->reply) { +- checklist.reply = ps->al->reply.getRaw(); +- HTTPMSGLOCK(checklist.reply); +- } ++ checklist.updateAle(ps->al); + checklist.syncAle(request, nullptr); + return checklist.fastCheck().allowed(); + } diff --git a/net-proxy/squid/files/squid.cron-r1 b/net-proxy/squid/files/squid.cron-r1 new file mode 100644 index 000000000000..f0fa84ed2cb3 --- /dev/null +++ b/net-proxy/squid/files/squid.cron-r1 @@ -0,0 +1,15 @@ +#!/bin/sh + +# OpenRC init script supports multiple Squid instances, and exposes 'rotate'. +if command -v rc-service >/dev/null; then + SQUID_SERVICES=$(rc-status | awk '/ *squid.* started /{print $1}') + for SQUID_SERVICE in $SQUID_SERVICES ; do + rc-service "${SQUID_SERVICE}" rotate + done + +# Systemd unit file supports only a single default squid instance, +# and no 'rotate' support, so call squid directly. +elif command -v systemctl >/dev/null; then + SQUID_ACTIVE=$(systemctl --type=service --state=active | awk '/^ *squid\.service / {print $1}') + [ -n "${SQUID_ACTIVE}" ] && squid -k rotate +fi diff --git a/net-proxy/squid/files/squid.initd-r7 b/net-proxy/squid/files/squid.initd-r7 new file mode 100644 index 000000000000..7215b774736d --- /dev/null +++ b/net-proxy/squid/files/squid.initd-r7 @@ -0,0 +1,133 @@ +#!/sbin/openrc-run +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +SQUID_SVCNAME=$( echo "${RC_SVCNAME}" | tr -cd '[a-zA-Z0-9]' ) + +extra_started_commands="reload rotate" + +depend() { + use dns net +} + +_getconfig() { + # Make PIDFILE, CHROOTDIR, and CACHE_SWAP visible to other functions + local CONFFILES="/etc/squid/${RC_SVCNAME}.conf /etc/squid/${RC_SVCNAME}.include /etc/squid/${RC_SVCNAME}.include.*" + if [ ! -f /etc/squid/${RC_SVCNAME}.conf ]; then + eerror "You need to create /etc/squid/${RC_SVCNAME}.conf first." + eerror "The main configuration file and all included file names should have the following format:" + eerror "${CONFFILES}" + eerror "An example can be found in /etc/squid/squid.conf.default" + return 1 + fi + PIDFILE=$(cat ${CONFFILES} 2>/dev/null 3>/dev/null | awk '/^[ \t]*pid_filename[ \t]+/ { print $2 }') + CHROOTDIR=$(cat ${CONFFILES} 2>/dev/null 3>/dev/null | awk '/^[ \t]*chroot[ \t]+/ { print $2 }') + if [ -n "${CHROOTDIR}" ] && [ -n "${PIDFILE}" ]; then + CHROOTDIR="${CHROOTDIR%/}" + PIDFILE="${CHROOTDIR}${PIDFILE}" + fi + [ -z ${PIDFILE} ] && PIDFILE=/run/squid.pid + if [ "${CHROOTDIR}/run/${RC_SVCNAME}.pid" != ${PIDFILE} ]; then + eerror "/etc/squid/${RC_SVCNAME}.conf must set pid_filename to" + eerror " /run/${RC_SVCNAME}.pid" + if [ -n "${CHROOTDIR}" ]; then + eerror "with chrootdir ${CHROOTDIR} set." + fi + eerror "CAUTION: http_port, cache_dir and *_log parameters must be different than" + eerror " in any other instance of squid." + eerror "Make sure the main configuration file and all included file names have the following format:" + eerror "${CONFFILES}" + return 1 + fi + CACHE_SWAP=$(cat ${CONFFILES} 2>/dev/null 3>/dev/null | awk '/^[ \t]*cache_dir[ \t]+/ { if ( $2 == "rock" ) printf "%s/rock ", $3; else if ( $2 == "coss" ) printf "%s/stripe ", $3; else printf "%s/00 ", $3; }') + [ -z "$CACHE_SWAP" ] && CACHE_SWAP="/var/cache/squid/00" + + return 0 +} + +checkconfig() { + _getconfig || return 1 + local x + for x in $CACHE_SWAP ; do + if [ ! -e $x ] ; then + ebegin "Initializing cache directory ${x%/*}" + local ORIG_UMASK=$(umask) + umask 027 + + if ! (mkdir -p ${x%/*} && chown squid ${x%/*}) ; then + eend 1 + return 1 + fi + + local INIT_CACHE_RESPONSE="$(/usr/sbin/squid -z -N -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME} 2>&1)" + if [ $? != 0 ] || echo "$INIT_CACHE_RESPONSE" | grep -q "erminated abnormally" ; then + umask $ORIG_UMASK + eend 1 + echo "$INIT_CACHE_RESPONSE" + return 1 + fi + + umask $ORIG_UMASK + eend 0 + break + fi + done + + return 0 +} + +start() { + checkconfig || return 1 + checkpath -d -q -m 0750 -o squid:squid /run/${RC_SVCNAME} + + # see https://wiki.squid-cache.org/MultipleInstances + ebegin "Starting ${RC_SVCNAME} (service name ${SQUID_SVCNAME}) with KRB5_KTNAME=\"${SQUID_KEYTAB}\" /usr/sbin/squid ${SQUID_OPTS} -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}" + KRB5_KTNAME="${SQUID_KEYTAB}" /usr/sbin/squid ${SQUID_OPTS} -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME} + eend $? && sleep 1 +} + +stop() { + _getconfig || return 1 + ebegin "Stopping ${RC_SVCNAME} with /usr/sbin/squid -k shutdown -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}" + if /usr/sbin/squid -k shutdown -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME} ; then + if [ "x${SQUID_FAST_SHUTDOWN}" = "xyes" ]; then + einfo "Attempting fast shutdown." + /usr/sbin/squid -k shutdown -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME} + fi + # Now we have to wait until squid has _really_ stopped. + sleep 1 + if [ -f ${PIDFILE} ] ; then + einfon "Waiting for squid to shutdown ." + cnt=0 + while [ -f ${PIDFILE} ] ; do + cnt=$(expr $cnt + 1) + if [ $cnt -gt 90 ] ; then + # Waited 180 seconds now. Fail. + echo + eend 1 "Failed." + break + fi + sleep 2 + printf "." + done + echo + fi + else + eerror "Squid shutdown failed, probably service is already down." + fi + eend 0 +} + +reload() { + checkconfig || return 1 + ebegin "Reloading ${RC_SVCNAME} with /usr/sbin/squid -k reconfigure -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}" + /usr/sbin/squid -k reconfigure -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME} + eend $? +} + +rotate() { + service_started ${RC_SVCNAME} || return 1 + ebegin "Rotating ${RC_SVCNAME} logs with /usr/sbin/squid -k rotate -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}" + /usr/sbin/squid -k rotate -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME} + eend $? +} diff --git a/net-proxy/squid/files/squid.logrotate-r1 b/net-proxy/squid/files/squid.logrotate-r1 new file mode 100644 index 000000000000..03cbca9b5f4a --- /dev/null +++ b/net-proxy/squid/files/squid.logrotate-r1 @@ -0,0 +1,11 @@ +/var/log/squid/*.log { + copytruncate + compress + notifempty + missingok + sharedscripts + postrotate + squid -k rotate 2>/dev/null + endscript +} + diff --git a/net-proxy/squid/squid-6.9.ebuild b/net-proxy/squid/squid-6.9.ebuild new file mode 100644 index 000000000000..7f6845704afe --- /dev/null +++ b/net-proxy/squid/squid-6.9.ebuild @@ -0,0 +1,391 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/squid.gpg +inherit autotools flag-o-matic linux-info pam systemd toolchain-funcs verify-sig + +DESCRIPTION="Full-featured web proxy cache" +HOMEPAGE="https://www.squid-cache.org/"; + +MY_PV_MAJOR=$(ver_cut 1) +# Upstream patch ID for the most recent bug-fixed update to the formal release. +#r=-20181117-r0022167 +r= +if [[ -z ${r} ]]; then + SRC_URI=" + http://static.squid-cache.org/Versions/v${MY_PV_MAJOR}/${P}.tar.xz + verify-sig? ( http://static.squid-cache.org/Versions/v${MY_PV_MAJOR}/${P}.tar.xz.asc ) + " +else + SRC_URI="http://static.squid-cache.org/Versions/v${MY_PV_MAJOR}/${P}${r}.tar.bz2"; + S="${S}${r}" +fi + +LICENSE="GPL-2+" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" +IUSE="caps gnutls pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test ecap" +IUSE+=" esi ssl-crtd mysql postgres sqlite systemd perl qos tproxy +htcp valgrind +wccp +wccpv2" +RESTRICT="!test? ( test )" +REQUIRED_USE="tproxy? ( caps ) qos? ( caps ) ssl-crtd? ( ssl )" + +DEPEND=" + acct-group/squid + acct-user/squid + dev-libs/libltdl + sys-libs/tdb + virtual/libcrypt:= + caps? ( >=sys-libs/libcap-2.16 ) + ecap? ( net-libs/libecap:1 ) + esi? ( + dev-libs/expat + dev-libs/libxml2 + ) + ldap? ( net-nds/openldap:= ) + gnutls? ( >=net-libs/gnutls-3.1.5:= ) + logrotate? ( app-admin/logrotate ) + nis? ( + net-libs/libtirpc:= + net-libs/libnsl:= + ) + kerberos? ( virtual/krb5 ) + pam? ( sys-libs/pam ) + qos? ( net-libs/libnetfilter_conntrack ) + ssl? ( + dev-libs/nettle:= + !gnutls? ( + dev-libs/openssl:= + ) + ) + sasl? ( dev-libs/cyrus-sasl ) + systemd? ( sys-apps/systemd:= ) +" +RDEPEND=" + ${DEPEND} + mysql? ( dev-perl/DBD-mysql ) + postgres? ( dev-perl/DBD-Pg ) + perl? ( dev-lang/perl ) + samba? ( net-fs/samba ) + selinux? ( sec-policy/selinux-squid ) + sqlite? ( dev-perl/DBD-SQLite ) +" +DEPEND+=" valgrind? ( dev-debug/valgrind )" +BDEPEND=" + dev-lang/perl + ecap? ( virtual/pkgconfig ) + test? ( dev-util/cppunit ) + verify-sig? ( sec-keys/openpgp-keys-squid ) +" + +PATCHES=( + "${FILESDIR}"/${PN}-6.2-gentoo.patch + "${FILESDIR}"/${PN}-4.17-use-system-libltdl.patch + "${FILESDIR}"/${PN}-6.9-memleak_fix.patch +) + +pkg_pretend() { + if use tproxy; then + local CONFIG_CHECK="~NF_CONNTRACK ~NETFILTER_XT_MATCH_SOCKET ~NETFILTER_XT_TARGET_TPROXY" + linux-info_pkg_setup + fi +} + +src_prepare() { + default + + # Fixup various paths + sed -i -e 's:/usr/local/squid/etc:/etc/squid:' \ + INSTALL QUICKSTART \ + scripts/fileno-to-pathname.pl \ + scripts/check_cache.pl \ + tools/cachemgr.cgi.8 \ + tools/purge/conffile.hh \ + tools/purge/purge.1 || die + sed -i -e 's:/usr/local/squid/sbin:/usr/sbin:' \ + INSTALL QUICKSTART || die + sed -i -e 's:/usr/local/squid/var/cache:/var/cache/squid:' \ + QUICKSTART || die + sed -i -e 's:/usr/local/squid/var/logs:/var/log/squid:' \ + QUICKSTART \ + src/log/access_log.cc || die + sed -i -e 's:/usr/local/squid/logs:/var/log/squid:' \ + src/log/access_log.cc || die + sed -i -e 's:/usr/local/squid/libexec:/usr/libexec/squid:' \ + src/acl/external/unix_group/ext_unix_group_acl.8 \ + src/acl/external/session/ext_session_acl.8 || die + sed -i -e 's:/usr/local/squid/cache:/var/cache/squid:' \ + scripts/check_cache.pl || die + # /var/run/squid to /run/squid + sed -i -e 's:$(localstatedir)::' \ + src/ipc/Makefile.am || die + sed -i 's:/var/run/:/run/:g' tools/systemd/squid.service || die + + sed -i -e 's:_LTDL_SETUP:LTDL_INIT([installable]):' \ + libltdl/configure.ac || die + + eautoreconf +} + +src_configure() { + local myeconfargs=( + --cache-file="${S}"/config.cache + + --datadir=/usr/share/squid + --libexecdir=/usr/libexec/squid + --localstatedir=/var + --sysconfdir=/etc/squid + --with-default-user=squid + --with-logdir=/var/log/squid + --with-pidfile=/run/squid.pid + + --enable-build-info="Gentoo ${PF} (r: ${r:-NONE})" + --enable-log-daemon-helpers + --enable-url-rewrite-helpers + --enable-cache-digests + --enable-delay-pools + --enable-disk-io + --enable-eui + --enable-icmp + --enable-ipv6 + --enable-follow-x-forwarded-for + --enable-removal-policies="lru,heap" + --disable-strict-error-checking + --disable-arch-native + + --with-large-files + --with-build-environment=default + + --with-tdb + + --without-included-ltdl + --with-ltdl-include="${ESYSROOT}"/usr/include + --with-ltdl-lib="${ESYSROOT}"/usr/$(get_libdir) + + $(use_with caps cap) + $(use_enable snmp) + $(use_with ssl openssl) + $(use_with ssl nettle) + $(use_with gnutls) + $(use_with ldap) + $(use_enable ssl-crtd) + $(use_with systemd) + $(use_with test cppunit) + $(use_enable ecap) + $(use_enable esi) + $(use_enable esi expat) + $(use_enable esi xml2) + $(use_enable htcp) + $(use_with valgrind valgrind-debug) + $(use_enable wccp) + $(use_enable wccpv2) + ) + + # Basic modules + local basic_modules=( + NCSA + POP3 + getpwnam + + $(usev samba 'SMB') + $(usev ldap 'SMB_LM LDAP') + $(usev pam 'PAM') + $(usev sasl 'SASL') + $(usev nis 'NIS') + $(usev radius 'RADIUS') + ) + + use nis && append-cppflags "-I${ESYSROOT}/usr/include/tirpc" + + if use mysql || use postgres || use sqlite; then + basic_modules+=( DB ) + fi + + # Digests + local digest_modules=( + file + + $(usev ldap 'LDAP eDirectory') + ) + + # Kerberos + local negotiate_modules=( none ) + + myeconfargs+=( --without-mit-krb5 --without-heimdal-krb5 ) + + if use kerberos; then + # We intentionally overwrite negotiate_modules here to lose + # the 'none'. + negotiate_modules=( kerberos wrapper ) + + if has_version app-crypt/heimdal; then + myeconfargs+=( + --without-mit-krb5 + --with-heimdal-krb5 + ) + else + myeconfargs+=( + --with-mit-krb5 + --without-heimdal-krb5 + ) + fi + fi + + # NTLM modules + local ntlm_modules=( none ) + + if use samba ; then + # We intentionally overwrite ntlm_modules here to lose + # the 'none'. + ntlm_modules=( SMB_LM ) + fi + + # External helpers + local ext_helpers=( + file_userip + session + unix_group + delayer + time_quota + + $(usev samba 'wbinfo_group') + $(usev ldap 'LDAP_group eDirectory_userip') + ) + + use ldap && use kerberos && ext_helpers+=( kerberos_ldap_group ) + if use mysql || use postgres || use sqlite; then + ext_helpers+=( SQL_session ) + fi + + # Storage modules + local storeio_modules=( + aufs + diskd + rock + ufs + ) + + # + local transparent + if use kernel_linux; then + myeconfargs+=( + --enable-linux-netfilter + $(usev qos '--enable-zph-qos --with-netfilter-conntrack') + ) + fi + + tc-export_build_env BUILD_CXX + export BUILDCXX="${BUILD_CXX}" + export BUILDCXXFLAGS="${BUILD_CXXFLAGS}" + tc-export CC AR + + # Should be able to drop this workaround with newer versions. + # https://bugs.squid-cache.org/show_bug.cgi?id=4224 + tc-is-cross-compiler && export squid_cv_gnu_atomics=no + + # Bug #719662 + append-atomic-flags + + print_options_without_comma() { + # IFS as ',' will cut off any trailing commas + ( + IFS=',' + options=( $(printf "%s," "${@}") ) + echo "${options[*]}" + ) + } + + myeconfargs+=( + --enable-storeio=$(print_options_without_comma "${storeio_modules[@]}") + --enable-auth-basic=$(print_options_without_comma "${basic_modules[@]}") + --enable-auth-digest=$(print_options_without_comma "${digest_modules[@]}") + --enable-auth-ntlm=$(print_options_without_comma "${ntlm_modules[@]}") + --enable-auth-negotiate=$(print_options_without_comma "${negotiate_modules[@]}") + --enable-external-acl-helpers=$(print_options_without_comma "${ext_helpers[@]}") + ) + + econf "${myeconfargs[@]}" +} + +src_install() { + default + + systemd_dounit tools/systemd/squid.service + + # Need suid root for looking into /etc/shadow + fowners root:squid /usr/libexec/squid/basic_ncsa_auth + fperms 4750 /usr/libexec/squid/basic_ncsa_auth + + if use pam; then + fowners root:squid /usr/libexec/squid/basic_pam_auth + fperms 4750 /usr/libexec/squid/basic_pam_auth + fi + + # Pinger needs suid as well + fowners root:squid /usr/libexec/squid/pinger + fperms 4750 /usr/libexec/squid/pinger + + # These scripts depend on perl + if ! use perl; then + local perl_scripts=( + basic_pop3_auth ext_delayer_acl helper-mux + log_db_daemon security_fake_certverify + storeid_file_rewrite url_lfs_rewrite + ) + + local script + for script in "${perl_scripts[@]}"; do + rm "${ED}"/usr/libexec/squid/${script} || die + done + fi + + # Cleanup + rm -r "${D}"/run "${D}"/var/cache || die + + dodoc CONTRIBUTORS CREDITS ChangeLog INSTALL QUICKSTART README SPONSORS doc/*.txt + newdoc src/auth/negotiate/kerberos/README README.kerberos + newdoc src/auth/basic/RADIUS/README README.RADIUS + newdoc src/acl/external/kerberos_ldap_group/README README.kerberos_ldap_group + dodoc RELEASENOTES.html + + if use pam; then + newpamd "${FILESDIR}"/squid.pam squid + fi + + newconfd "${FILESDIR}"/squid.confd-r2 squid + newinitd "${FILESDIR}"/squid.initd-r7 squid + + if use logrotate ; then + insinto /etc/logrotate.d + newins "${FILESDIR}"/squid.logrotate-r1 squid + else + exeinto /etc/cron.weekly + newexe "${FILESDIR}"/squid.cron-r1 squid.cron + fi + + diropts -m0750 -o squid -g squid + keepdir /var/log/squid /etc/ssl/squid /var/lib/squid + + # Hack for bug #834503 (see also bug #664940) + # Please keep this for a few years until it's no longer plausible + # someone is upgrading from < squid 5.7. + mv "${ED}"/usr/share/squid/errors{,.new} || die +} + +pkg_preinst() { + # Remove file in EROOT that the directory collides with. + rm -rf "${EROOT}"/usr/share/squid/errors || die + + # Following the collision protection check, reverse + # src_install's rename in ED. + mv "${ED}"/usr/share/squid/errors{.new,} || die +} + +pkg_postinst() { + elog "A good starting point to debug Squid issues is to use 'squidclient mgr:' commands such as 'squidclient mgr:info'." + + if [[ ${#r} -gt 0 ]]; then + elog "You are using a release with the official ${r} patch! Make sure you mention that, or send the output of 'squidclient mgr:info' when asking for support." + fi +}
