On Sun, Feb 05, 2023 at 04:58:58PM -0500, A Tammy wrote: > > On 2/5/23 06:05, Michael wrote: > > Ping. > > > > On Fri, Jan 20, 2023 at 11:26:12AM +0100, Michael wrote: > >> Ping. > >> > >> On Fri, Jan 13, 2023 at 11:42:33AM +0100, Michael wrote: > >>> Ping. > >>> > >>> On Fri, Jan 06, 2023 at 02:40:35PM +0100, Michael wrote: > >>>> On Fri, Jan 06, 2023 at 01:22:23PM +0000, Stuart Henderson wrote: > >>>>> On 2023/01/06 14:02, Michael wrote: > >>>>>> Hi ports@, > >>>>>> > >>>>>> a few people have asked me off list to enable IDENT support for > >>>>>> ngircd. > >>>>>> As this is not something everybody will need I added a FLAVOR "ident" > >>>>>> for this. > >>>>> Seems that ident support is disabled by default and you need to enable > >>>>> it > >>>>> in config; if that's the case then I would recommend just building with > >>>>> it enabled anyway, it's not a big dependency, and adding flavours means > >>>>> extra work when testing updates. > >>>>> > >>>>> (If that's not the case, then please add a note to pkg/DESCR describing > >>>>> the flavour). > >>>>> [...] > >>>> Hi Sturart, > >>>> > >>>> Thanks for the feedback. > >>>> > >>>> From ngircd.conf(5): > >>>> > >>>> Ident (boolean) > >>>> If ngIRCd is compiled with IDENT support this can be used to > >>>> disable IDENT lookups at run time. Users identified using IDENT > >>>> are registered without the "~" character prepended to their user > >>>> name. Default: yes. > >>>> > >>>> So ident is enabled by default if compiled in. Updated patch below. > > To re-iterate what Stuart said about enabling ident by default, in > general we would want to add flavors if (a) the dependencies are really > heavy (like mysql vs postgresql) or (b) adding this flavor increases the > attack surface (like adding a new authentication module). > I am not a huge/current user of ngircd so I am unable to comment on the > usefulness of this feature but it does not seem like a security risk. Am > I correct in this assumption? If so just enable it by default. > > Aisha
Hi Aisha, libident is ancient and has not been updated for years (decades?). It still does its job but I personally would not want to have it enabled by default (which would be the case if compiled in) in my ngircd installation. It also should not be relevant for most ngircd users but IDENT support is still in use with IRC in general and as I said, people have asked me off list about it more than once. So given those two choices I would still go with the security reason to have it as an extra flavor. > > >>>> > >>>> Index: Makefile > >>>> =================================================================== > >>>> RCS file: /cvs/ports/net/ngircd/Makefile,v > >>>> retrieving revision 1.23 > >>>> diff -u -p -r1.23 Makefile > >>>> --- Makefile 8 Nov 2022 11:16:58 -0000 1.23 > >>>> +++ Makefile 6 Jan 2023 13:37:33 -0000 > >>>> @@ -1,7 +1,7 @@ > >>>> COMMENT = lightweight irc server > >>>> > >>>> DISTNAME = ngircd-26.1 > >>>> -REVISION = 0 > >>>> +REVISION = 1 > >>>> > >>>> CATEGORIES = net > >>>> > >>>> @@ -15,8 +15,11 @@ PERMIT_PACKAGE = Yes > >>>> # use pledge() > >>>> WANTLIB = c crypto iconv ssl z > >>>> > >>>> +FLAVORS = ident > >>>> +FLAVOR ?= > >>>> + > >>>> MASTER_SITES = https://ngircd.barton.de/pub/ngircd/ \ > >>>> - https://ngircd.mirror.3rz.org/pub/ngircd/ \ > >>>> + https://ngircd.mirror.3rz.de/pub/ngircd/ \ > >>>> https://ngircd.sourceforge.io/pub/ngircd/ > >>>> > >>>> LIB_DEPENDS = converters/libiconv > >>>> @@ -29,5 +32,11 @@ CONFIGURE_STYLE = gnu > >>>> CONFIGURE_ARGS += --with-iconv=${LOCALBASE} \ > >>>> --with-openssl \ > >>>> --enable-ipv6 > >>>> + > >>>> +.if ${FLAVOR:Mident} > >>>> +LIB_DEPENDS += security/libident > >>>> +WANTLIB += ident > >>>> +CONFIGURE_ARGS += --with-ident=${LOCALBASE} > >>>> +.endif > >>>> > >>>> .include <bsd.port.mk> > >>>> Index: patches/patch-doc_Makefile_in > >>>> =================================================================== > >>>> RCS file: /cvs/ports/net/ngircd/patches/patch-doc_Makefile_in,v > >>>> retrieving revision 1.7 > >>>> diff -u -p -r1.7 patch-doc_Makefile_in > >>>> --- patches/patch-doc_Makefile_in 11 Mar 2022 19:46:30 -0000 > >>>> 1.7 > >>>> +++ patches/patch-doc_Makefile_in 6 Jan 2023 13:37:33 -0000 > >>>> @@ -1,7 +1,7 @@ > >>>> Index: doc/Makefile.in > >>>> --- doc/Makefile.in.orig > >>>> +++ doc/Makefile.in > >>>> -@@ -648,16 +648,13 @@ maintainer-clean-local: > >>>> +@@ -617,16 +617,13 @@ maintainer-clean-local: > >>>> all: $(generated_docs) > >>>> > >>>> install-data-hook: $(static_docs) $(toplevel_docs) $(generated_docs) > >>>> Index: patches/patch-src_ngircd_ngircd_c > >>>> =================================================================== > >>>> RCS file: /cvs/ports/net/ngircd/patches/patch-src_ngircd_ngircd_c,v > >>>> retrieving revision 1.7 > >>>> diff -u -p -r1.7 patch-src_ngircd_ngircd_c > >>>> --- patches/patch-src_ngircd_ngircd_c 11 Mar 2022 19:46:30 -0000 > >>>> 1.7 > >>>> +++ patches/patch-src_ngircd_ngircd_c 6 Jan 2023 13:37:33 -0000 > >>>> @@ -1,7 +1,15 @@ > >>>> Index: src/ngircd/ngircd.c > >>>> --- src/ngircd/ngircd.c.orig > >>>> +++ src/ngircd/ngircd.c > >>>> -@@ -261,6 +261,16 @@ main(int argc, const char *argv[]) > >>>> +@@ -30,6 +30,7 @@ > >>>> + #include <fcntl.h> > >>>> + #include <pwd.h> > >>>> + #include <grp.h> > >>>> ++#include <err.h> > >>>> + > >>>> + #if defined(DEBUG) && defined(HAVE_MTRACE) > >>>> + #include <mcheck.h> > >>>> +@@ -261,6 +262,16 @@ main(int argc, const char *argv[]) > >>>> exit(1); > >>>> } > >>>> > >>>> @@ -18,7 +26,7 @@ Index: src/ngircd/ngircd.c > >>>> if (!io_library_init(CONNECTION_POOL)) { > >>>> Log(LOG_ALERT, > >>>> "Fatal: Could not initialize IO routines: > >>>> %s", > >>>> -@@ -563,7 +573,7 @@ Setup_FDStreams(int fd) > >>>> +@@ -563,7 +574,7 @@ Setup_FDStreams(int fd) > >>>> #if !defined(SINGLE_USER_OS) > >>>> > >>>> /** > >>>> @@ -27,7 +35,7 @@ Index: src/ngircd/ngircd.c > >>>> * > >>>> * @param uid User ID > >>>> * @param gid Group ID > >>>> -@@ -587,7 +597,7 @@ NGIRCd_getNobodyID(uid_t *uid, gid_t *gid ) > >>>> +@@ -587,7 +598,7 @@ NGIRCd_getNobodyID(uid_t *uid, gid_t *gid ) > >>>> } > >>>> #endif > >>>> > >>>> @@ -36,7 +44,7 @@ Index: src/ngircd/ngircd.c > >>>> if (!pwd) > >>>> return false; > >>>> > >>>> -@@ -703,11 +713,11 @@ NGIRCd_Init(bool NGIRCd_NoDaemon) > >>>> +@@ -703,11 +714,11 @@ NGIRCd_Init(bool NGIRCd_NoDaemon) > >>>> if (Conf_UID == 0) { > >>>> pwd = getpwuid(0); > >>>> Log(LOG_INFO, > >>>> Index: patches/patch-src_ngircd_proc_c > >>>> =================================================================== > >>>> RCS file: /cvs/ports/net/ngircd/patches/patch-src_ngircd_proc_c,v > >>>> retrieving revision 1.2 > >>>> diff -u -p -r1.2 patch-src_ngircd_proc_c > >>>> --- patches/patch-src_ngircd_proc_c 11 Mar 2022 19:46:30 -0000 > >>>> 1.2 > >>>> +++ patches/patch-src_ngircd_proc_c 6 Jan 2023 13:37:33 -0000 > >>>> @@ -1,7 +1,15 @@ > >>>> Index: src/ngircd/proc.c > >>>> --- src/ngircd/proc.c.orig > >>>> +++ src/ngircd/proc.c > >>>> -@@ -76,6 +76,9 @@ Proc_Fork(PROC_STAT *proc, int *pipefds, void (*cbfunc > >>>> +@@ -24,6 +24,7 @@ > >>>> + #include <sys/types.h> > >>>> + #include <unistd.h> > >>>> + #include <time.h> > >>>> ++#include <err.h> > >>>> + > >>>> + #include "log.h" > >>>> + #include "io.h" > >>>> +@@ -76,6 +77,9 @@ Proc_Fork(PROC_STAT *proc, int *pipefds, void (*cbfunc > >>>> return -1; > >>>> case 0: > >>>> /* New child process: */ > >>>> Index: pkg/DESCR > >>>> =================================================================== > >>>> RCS file: /cvs/ports/net/ngircd/pkg/DESCR,v > >>>> retrieving revision 1.1.1.1 > >>>> diff -u -p -r1.1.1.1 DESCR > >>>> --- pkg/DESCR 29 Sep 2012 12:32:01 -0000 1.1.1.1 > >>>> +++ pkg/DESCR 6 Jan 2023 13:37:33 -0000 > >>>> @@ -3,3 +3,6 @@ server for small or private networks, de > >>>> Public License (GPL). It is simple to configure, can cope with > >>>> dynamic IP addresses, and supports IPv6 as well as SSL. It is written > >>>> from scratch and not based on the original IRCd. > >>>> + > >>>> +Flavors: > >>>> +ident - Enable IDENT support. > >>>> >
