On Fri, Nov 15, 2013 at 4:27 PM, David Coppa <dco...@openbsd.org> wrote: > > Hi! > > An update/cleanup for security/dante. > > I've also added the required user and rc script for the daemon part > (sockd), and sampled the config files socks.conf and sockd.conf. > > patches/patch-sockd_auth_password_c is not needed anymore. > Authentication works just fine without patching (tested on my > laptop). > > Comments? OKs?
Ping...
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/dante/Makefile,v
> retrieving revision 1.40
> diff -u -p -u -p -r1.40 Makefile
> --- Makefile 31 Oct 2013 21:12:12 -0000 1.40
> +++ Makefile 15 Nov 2013 15:13:15 -0000
> @@ -2,12 +2,11 @@
>
> COMMENT= SOCKS client and server
>
> -DISTNAME= dante-1.1.19
> -REVISION= 1
> +DISTNAME= dante-1.3.2
> CATEGORIES= security
>
> -SHARED_LIBS= dsocks 1.1 \
> - socks 1.1
> +SHARED_LIBS= dsocks 1.2 \
> + socks 1.2
> MODGNU_SHARED_LIBS=dsocks '-all-dynamic' \
> socks ''
>
> @@ -17,6 +16,7 @@ HOMEPAGE= http://www.inet.no/dante/
>
> MAINTAINER= Jakob Schlyter <ja...@openbsd.org>
>
> +# BSD/CMU
> PERMIT_PACKAGE_CDROM= Yes
>
> WANTLIB += c wrap
> @@ -24,15 +24,21 @@ WANTLIB += c wrap
> CONFIGURE_STYLE= gnu
> CONFIGURE_ARGS+= ${CONFIGURE_SHARED}
> CONFIGURE_ARGS+= --enable-static
> +CONFIGURE_ARGS+= --without-ldap \
> + --without-pam \
> + --without-sasl \
> + --without-upnp
>
> MODGNU_CONFIG_GUESS_DIRS+= ${WRKSRC}
>
> +pre-configure:
> + ${SUBST_CMD} ${WRKSRC}/bin/socksify.in
> +
> post-install:
> ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/dante
> ${INSTALL_DATA} ${WRKSRC}/doc/README.* ${PREFIX}/share/doc/dante
> ${INSTALL_DATA} ${WRKSRC}/doc/SOCKS4.* ${PREFIX}/share/doc/dante
> ${INSTALL_DATA} ${WRKSRC}/doc/rfc* ${PREFIX}/share/doc/dante
> - ${INSTALL_DATA} ${WRKSRC}/doc/faq.ps ${PREFIX}/share/doc/dante
> ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/dante
> ${INSTALL_DATA} ${WRKSRC}/example/*.conf
> ${PREFIX}/share/examples/dante
>
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/security/dante/distinfo,v
> retrieving revision 1.11
> diff -u -p -u -p -r1.11 distinfo
> --- distinfo 31 Oct 2013 21:12:12 -0000 1.11
> +++ distinfo 15 Nov 2013 15:13:15 -0000
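Review bot: In the first Makefile hunk, `SHARED_LIBS` gets only a minor bump (`dsocks 1.2`, `socks 1.2`) for an upstream jump from dante-1.1.19 to dante-1.3.2, and nothing in the patch shows that the exported symbols of the two releases were compared. If any function was removed or changed its signature, the major has to go up instead, e.g. `SHARED_LIBS= dsocks 2.0 \` and `socks 2.0`. This matters more than usual here, because bin/socksify.in (patched further down) builds a preload path from libdsocks, so a stale consumer would fail inside otherwise unrelated programs.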
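Review bot: With `--without-ldap`, `--without-pam` and `--without-sasl` in the third Makefile hunk, username authentication is left to the system-password check, and this same patch deletes patches/patch-sockd_auth_password_c, whose comment says that on OpenBSD `pw->pw_passwd` resets to stars once the euid is no longer 0. The 1.3.2 version of sockd/auth_password.c is not part of this diff, so whether upstream now keeps the privileged euid until after the `crypt()` comparison cannot be confirmed from here. The "tested on my laptop" run should cover the case that matters: sockd started from the new rc script with `user.privileged: root` and `user.unprivileged: _sockd` set, a wrong password rejected and a correct one accepted. I would record the dependency next to the new arguments, e.g. `# system passwords only; presumably needs user.privileged: root to read the hashes`.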
> @@ -1,2 +1,2 @@
> -SHA256 (dante-1.1.19.tar.gz) = tJ8JNigqFMQaA81wFY0aEeavNWShjUszN/KR+22uCTY=
> -SIZE (dante-1.1.19.tar.gz) = 895713
> +SHA256 (dante-1.3.2.tar.gz) = a3NvMuxYuJnCTPFL4CSRoGMad444UxQ3DV3qS69ILvs=
> +SIZE (dante-1.3.2.tar.gz) = 949049
> Index: patches/patch-bin_socksify_in
> ===================================================================
> RCS file: /cvs/ports/security/dante/patches/patch-bin_socksify_in,v
> retrieving revision 1.1
> diff -u -p -u -p -r1.1 patch-bin_socksify_in
> --- patches/patch-bin_socksify_in 21 May 2005 06:51:55 -0000 1.1
> +++ patches/patch-bin_socksify_in 15 Nov 2013 15:13:15 -0000
> @@ -1,12 +1,12 @@
> $OpenBSD: patch-bin_socksify_in,v 1.1 2005/05/21 06:51:55 jakob Exp $
> ---- bin/socksify.in.orig Mon Jan 24 02:24:18 2005
> -+++ bin/socksify.in Fri May 20 19:26:06 2005
> -@@ -52,7 +52,7 @@ SOCKSIFY_PRELOAD_LIBS="@SOCKSIFY_PRELOAD
> - LIBDIR="@LIBRARY_PREFIX@"
> +--- bin/socksify.in.orig Thu Nov 14 12:14:14 2013
> ++++ bin/socksify.in Thu Nov 14 12:15:53 2013
> +@@ -66,7 +66,7 @@ else
> + fi
>
> - #XXX shared library name should be generated too (possibly including
> version)
> --LIBRARY="${SOCKS_LIBRARY-${LIBDIR}/libdsocks.@SOLIB_POSTFIX@}"
> -+LIBRARY="${SOCKS_LIBRARY-${LIBDIR}/libdsocks.@SOLIB_POSTFIX@.1.0}"
> + #dlib/Makefile.am libtool flags should produce a predictable library name
> +-LIBRARY="${SOCKS_LIBRARY:-${FULLPATH}libdsocks.@SOLIB_POSTFIX@}"
> ++LIBRARY="${SOCKS_LIBRARY:-${FULLPATH}libdsocks.@SOLIB_POSTFIX@.${LIBdsocks_VERSION}}"
>
> - PRELOAD_SEPERATOR="@PRELOAD_SEPERATOR@"
> - PRELOAD_POSTFIX="@PRELOAD_POSTFIX@"
> + if test x"$FULLPATH" != x -a ! -s "$LIBRARY" -o \
> + x"$FULLPATH" = x -a ! -s "$SOCKS_LIBDIR/$LIBRARY"; then
> Index: patches/patch-example_sockd-basic_conf
> ===================================================================
> RCS file: patches/patch-example_sockd-basic_conf
> diff -N patches/patch-example_sockd-basic_conf
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-example_sockd-basic_conf 15 Nov 2013 15:13:15 -0000
> @@ -0,0 +1,14 @@
> +$OpenBSD$
> +--- example/sockd-basic.conf.orig Tue Aug 4 19:22:21 2009
> ++++ example/sockd-basic.conf Thu Nov 14 13:58:04 2013
> +@@ -4,8 +4,8 @@
> + #external: fxp1
> + #method: username none
> + #user.privileged: root
> +-#user.unprivileged: sockd
> +-#logoutput: stderr
> ++#user.unprivileged: _sockd
> ++#logoutput: syslog/user
> +
> + ## client access rules
> +
> Index: patches/patch-example_sockd_conf
> ===================================================================
> RCS file: patches/patch-example_sockd_conf
> diff -N patches/patch-example_sockd_conf
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-example_sockd_conf 15 Nov 2013 15:13:15 -0000
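Review bot: Both lines changed in example/sockd-basic.conf stay commented out (`#user.unprivileged: _sockd`, `#logoutput: syslog/user`), as does `#user.privileged: root` in the context, so the new `_sockd` account is not actually used by this file. The PLIST hunk of this patch puts `@sample ${SYSCONFDIR}/sockd.conf` right after sockd-basic.conf, which, if @sample binds to the preceding entry as usual, makes this file the installed default, and pkg/sockd.rc sets no `daemon_user`, so the daemon is presumably started as root. Unless sockd's built-in default already drops to an unprivileged uid, which this diff does not show, I would ship the sampled file with `user.privileged: root` and `user.unprivileged: _sockd` uncommented. The second hunk of patches/patch-example_sockd_conf leaves the same two directives commented as well.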
> @@ -0,0 +1,28 @@
> +$OpenBSD$
> +--- example/sockd.conf.orig Wed May 18 13:27:32 2011
> ++++ example/sockd.conf Thu Nov 14 13:58:29 2013
> +@@ -40,7 +40,7 @@
> +
> + # the server will log both via syslog, to stdout and to /var/log/sockd.log
> + #logoutput: syslog stdout /var/log/sockd.log
> +-logoutput: stderr
> ++logoutput: syslog/user
> +
> + # The server will bind to the address 10.1.1.1, port 1080 and will only
> + # accept connections going to that address.
> +@@ -76,11 +76,11 @@ logoutput: stderr
> + #
> +
> + # when doing something that can require privilege, it will use the
> +-# userid "sockd".
> +-#user.privileged: sockd
> ++# userid "root".
> ++#user.privileged: root
> +
> +-# when running as usual, it will use the unprivileged userid of "sockd".
> +-#user.unprivileged: sockd
> ++# when running as usual, it will use the unprivileged userid of "_sockd".
> ++#user.unprivileged: _sockd
> +
> + # If you compiled with libwrap support, what userid should it use
> + # when executing your libwrap commands? "libwrap".
> Index: patches/patch-sockd_auth_password_c
> ===================================================================
> RCS file: patches/patch-sockd_auth_password_c
> diff -N patches/patch-sockd_auth_password_c
> --- patches/patch-sockd_auth_password_c 18 Sep 2007 22:15:11 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,44 +0,0 @@
> -$OpenBSD: patch-sockd_auth_password_c,v 1.1 2007/09/18 22:15:11 jakob Exp $
> ---- sockd/auth_password.c.orig Wed Jun 8 08:34:54 2005
> -+++ sockd/auth_password.c Tue Sep 18 17:27:00 2007
> -@@ -57,29 +57,33 @@ passwordcheck(name, clearpassword, emsg,
> - struct passwd *pw;
> - char *salt, *password;
> - uid_t euid;
> -+ int retval = -1; /* default return value */
> -
> - socks_seteuid(&euid, sockscf.uid.privileged);
> - pw = socks_getpwnam(name);
> -- socks_reseteuid(sockscf.uid.privileged, euid);
> -
> - if (pw == NULL) {
> - snprintfn(emsg, emsglen, "system username/password failed");
> -- return -1;
> -+ retval = -1;
> - }
> -
> -- if (clearpassword != NULL) {
> -+ else if (clearpassword != NULL) {
> - salt = pw->pw_passwd;
> - password = pw->pw_passwd;
> -
> - if (strcmp(crypt(clearpassword, salt), password) == 0)
> -- return 0;
> -+ retval = 0;
> - else {
> - snprintfn(emsg, emsglen, "system password
> userauthentication failed");
> -- return -1;
> -+ retval = -1;
> - }
> - }
> - else
> -- return 0;
> -+ retval = 0;
> -
> -- return -1;
> -+ /* reset after checking pw because on OpenBSD pw->pw_passwd
> -+ resets to stars after euid is no longer 0 */
> -+ socks_reseteuid(sockscf.uid.privileged, euid);
> -+
> -+ return retval;
> - }
> Index: pkg/PFRAG.shared
> ===================================================================
> RCS file: pkg/PFRAG.shared
> diff -N pkg/PFRAG.shared
> --- pkg/PFRAG.shared 28 Jan 2006 15:59:06 -0000 1.13
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,4 +0,0 @@
> -@comment $OpenBSD: PFRAG.shared,v 1.13 2006/01/28 15:59:06 sturm Exp $
> -@conflict dsocks-*
> -@lib lib/libdsocks.so.${LIBdsocks_VERSION}
> -@lib lib/libsocks.so.${LIBsocks_VERSION}
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/security/dante/pkg/PLIST,v
> retrieving revision 1.14
> diff -u -p -u -p -r1.14 PLIST
> --- pkg/PLIST 21 Jan 2006 11:14:44 -0000 1.14
> +++ pkg/PLIST 15 Nov 2013 15:13:15 -0000
> @@ -1,28 +1,35 @@
> @comment $OpenBSD: PLIST,v 1.14 2006/01/21 11:14:44 jakob Exp $
> +@conflict dsocks-*
> @conflict socks5-*
> +@newgroup _sockd:727
> +@newuser _sockd:727:_sockd:daemon:sockd daemon:/nonexistent:/sbin/nologin
> bin/socksify
> include/socks.h
> -lib/libdsocks.a
> lib/libdsocks.la
> +@lib lib/libdsocks.so.${LIBdsocks_VERSION}
> lib/libsocks.a
> lib/libsocks.la
> +@lib lib/libsocks.so.${LIBsocks_VERSION}
> +@man man/man1/socksify.1
> @man man/man5/sockd.conf.5
> @man man/man5/socks.conf.5
> @man man/man8/sockd.8
> -sbin/sockd
> +@bin sbin/sockd
> share/doc/dante/
> share/doc/dante/README.socksify
> share/doc/dante/README.survey
> share/doc/dante/README.usage
> share/doc/dante/SOCKS4.protocol
> -share/doc/dante/faq.ps
> share/doc/dante/rfc1928.txt
> share/doc/dante/rfc1929.txt
> +share/doc/dante/rfc1961.txt
> share/examples/dante/
> share/examples/dante/sockd-basic.conf
> +@sample ${SYSCONFDIR}/sockd.conf
> share/examples/dante/sockd-chaining.conf
> share/examples/dante/sockd.conf
> share/examples/dante/socks-simple-withoutnameserver.conf
> share/examples/dante/socks-simple.conf
> +@sample ${SYSCONFDIR}/socks.conf
> share/examples/dante/socks.conf
> -%%SHARED%%
> +@rcscript ${RCDIR}/sockd
> Index: pkg/sockd.rc
> ===================================================================
> RCS file: pkg/sockd.rc
> diff -N pkg/sockd.rc
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ pkg/sockd.rc 15 Nov 2013 15:13:15 -0000
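Review bot: `@newgroup _sockd:727` and `@newuser _sockd:727:...` in the pkg/PLIST hunk hard-code uid/gid 727, but the reservation in the ports tree's user registry (infrastructure/db/user.list) lies outside security/dante and is not part of this diff. If 727 is already taken, or is later handed to another port, two daemons end up sharing one account, which defeats the point of a dedicated unprivileged user. The commit should add the matching registry entry at the same time, something like `727 _sockd _sockd security/dante`.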
> @@ -0,0 +1,9 @@
> +#!/bin/sh
> +#
> +# $OpenBSD$
> +
> +daemon="${TRUEPREFIX}/sbin/sockd -D"
> +
> +. /etc/rc.d/rc.subr
> +
> +rc_cmd $1