Re: security update: www/cgit 1.1 to 1.2.1

2018-08-03 Thread Klemens Nanni
Typo in the subject, sorry.



Re: UPDATE: www/cgit 1.1

2017-03-22 Thread Landry Breuil
On Wed, Mar 01, 2017 at 11:16:34PM +0100, Hiltjo Posthuma wrote:
> On Wed, Mar 01, 2017 at 09:47:12PM +0100, Rafael Sadowski wrote:
> >
> > Please switch HOMEPAGE and MASTER_SITES0 to https, thanks.
> > 
> 
> Good point! Changed:


Thanks, finally tested and committed as-is!



Re: UPDATE: www/cgit 1.1

2017-03-02 Thread Landry Breuil
On Thu, Mar 02, 2017 at 07:59:58PM +0100, Hiltjo Posthuma wrote:
> On Thu, Mar 02, 2017 at 09:07:11AM +0100, Landry Breuil wrote:
> > On Wed, Mar 01, 2017 at 09:36:53PM +0100, Hiltjo Posthuma wrote:
> > > Hi,
> > > 
> > > This bumps the version of cgit from 1.0 to 1.1.
> > 
> > Thanks for this, I'll try to test it soonish.
> > 
> > > Changed in the patch below:
> > > - pass the option NO_GETTEXT=1 to git to disable gettext support.
> > 
> > Any particular reason?
> > 
> 
> From git INSTALL:
> 
> Set NO_GETTEXT to disable localization support and make Git only
> use English. Under autoconf the configure script will do this
> automatically if it can't find libintl on the system.
> 
> Gettext support does not work (segmentation fault) and was also disabled by
> default on cgit 1.0 I think. I think multi-language support is also not
> desired by OpenBSD, but I'm not sure actually. Please correct me if I'm wrong.

Not really 'against' it, but right, for static builds it doesn't help,
and if it's broken

> 
> > > - add a patch patches/patch-setup_c to not open /dev/null in the chroot.
> > >   alternatively the user can not use this patch and make the device node in
> > >   $chroot/dev/null and disable the "nodev" mountpoint option if needed.
> > 
> > Can you elaborate a bit more? Push this upstream? I guess upstream has
> > a reason to open dev/null
> > 
> 
> I don't think the code is needed by the codepaths cgit executes. It was changed
> after git 1.8.3 in the following commit:
> https://github.com/git/git/commit/57f5d52a942e8bbfa82e2741faf050de0d6b3eb3
> 
> In my opinion it is nicer to not have device files and having to disable "nodev"
> for a chroot. Cgit runs in a chroot for OpenBSD httpd and nginx. Without this
> patch and without /dev/null cgit will error out with:
> "fatal: open /dev/null or dup failed: No such file or directory".

I didn't see this but I don't have nodev on var/www - and I don't have
var/www/dev/null - but your analysis makes sense. Can you try discussing
it with upstream cgit? I'll try to upgrade my local install..

Landry



Re: UPDATE: www/cgit 1.1

2017-03-02 Thread Hiltjo Posthuma
On Thu, Mar 02, 2017 at 09:07:11AM +0100, Landry Breuil wrote:
> On Wed, Mar 01, 2017 at 09:36:53PM +0100, Hiltjo Posthuma wrote:
> > Hi,
> > 
> > This bumps the version of cgit from 1.0 to 1.1.
> 
> Thanks for this, I'll try to test it soonish.
> 
> > Changed in the patch below:
> > - pass the option NO_GETTEXT=1 to git to disable gettext support.
> 
> Any particular reason?
> 

From git INSTALL:

Set NO_GETTEXT to disable localization support and make Git only
use English. Under autoconf the configure script will do this
automatically if it can't find libintl on the system.

Gettext support does not work (segmentation fault) and was also disabled by
default on cgit 1.0 I think. I think multi-language support is also not
desired by OpenBSD, but I'm not sure actually. Please correct me if I'm wrong.

> > - add a patch patches/patch-setup_c to not open /dev/null in the chroot.
> >   alternatively the user can not use this patch and make the device node in
> >   $chroot/dev/null and disable the "nodev" mountpoint option if needed.
> 
> Can you elaborate a bit more? Push this upstream? I guess upstream has
> a reason to open dev/null
> 

I don't think the code is needed by the codepaths cgit executes. It was changed
after git 1.8.3 in the following commit:
https://github.com/git/git/commit/57f5d52a942e8bbfa82e2741faf050de0d6b3eb3

In my opinion it is nicer to not have device files and having to disable "nodev"
for a chroot. Cgit runs in a chroot for OpenBSD httpd and nginx. Without this
patch and without /dev/null cgit will error out with:
"fatal: open /dev/null or dup failed: No such file or directory".

-- 
Kind regards,
Hiltjo
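The sanitize_stdfds() behaviour discussed in this thread, shown as an added example that is not code from git, cgit or the OpenBSD port: git's version opens /dev/null, dup()s it until fds 0, 1 and 2 exist and die()s when the open fails, which in a nodev chroot without $chroot/dev/null produces the "fatal: open /dev/null or dup failed" error quoted above. The variant below keeps the descriptor-filling logic but reports failure instead of dying, and skips the device entirely when 0..2 are already open. The function names `sanitize_stdfds_at` and `count_open_stdfds` and the device-path parameter are this example's own (git hardcodes "/dev/null"); the parameter exists only so the missing-device path can be exercised without an actual chroot.

```c
/*
 * Added example for this thread, not code from git or the OpenBSD port.
 * git's sanitize_stdfds() opens /dev/null, dup()s it until fds 0, 1 and 2
 * exist, and die()s if the open fails; in a chroot mounted nodev with no
 * $chroot/dev/null that die() is the "fatal: open /dev/null or dup failed"
 * error quoted in the thread. This variant keeps the fd-filling behaviour
 * but reports failure instead of dying, and never touches the device when
 * 0..2 are already open (the normal case for a CGI started by the web
 * server). The device path is a parameter only so the failure path can
 * be exercised; git hardcodes "/dev/null".
 *
 * Build and run: cc -Wall -o stdfds stdfds.c && ./stdfds
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Non-zero if fd is currently a valid open descriptor. */
static int fd_is_open(int fd)
{
	return fcntl(fd, F_GETFD) != -1;
}

/* Number of open descriptors among 0, 1 and 2 (0..3). */
int count_open_stdfds(void)
{
	int fd, n = 0;

	for (fd = 0; fd <= 2; fd++)
		if (fd_is_open(fd))
			n++;
	return n;
}

/*
 * Make sure fds 0, 1 and 2 are open, pointing any closed one at devnull.
 * Returns 0 when all three are open afterwards, or -1 with errno set if
 * devnull could not be opened (nothing is changed in that case) or a dup()
 * failed. The caller, not this function, decides whether -1 is fatal.
 */
int sanitize_stdfds_at(const char *devnull)
{
	int fd;

	/* Nothing to do: do not even try the device. This is the branch that
	 * lets a CGI run in a nodev chroot without /dev/null. */
	if (count_open_stdfds() == 3)
		return 0;

	fd = open(devnull, O_RDWR, 0);
	if (fd == -1)
		return -1;	/* ENOENT here is where git would call die_errno() */

	/*
	 * open() and dup() both return the lowest free descriptor, so the
	 * first result fills the lowest hole below 3. Keep dup()ing until the
	 * returned number is 2 or more, at which point 0..2 are all in use.
	 */
	while (fd < 2) {
		int next = dup(fd);

		if (next == -1)
			return -1;
		fd = next;
	}
	/* The last dup() may have landed above 2 (only lower fds were
	 * missing); that extra descriptor is not needed. */
	if (fd > 2)
		close(fd);
	return 0;
}

int main(void)
{
	/* Simulate a CGI started with a closed stdin and show both outcomes. */
	close(0);
	printf("open std fds before: %d\n", count_open_stdfds());

	if (sanitize_stdfds_at("/nonexistent/dev/null") == -1)
		printf("missing device: %s; std fds left at %d (git would die here)\n",
		    strerror(errno), count_open_stdfds());

	if (sanitize_stdfds_at("/dev/null") == 0)
		printf("with /dev/null: std fds now %d\n", count_open_stdfds());
	return 0;
}
```

The early return when all three descriptors are already open is the part that matters for the chroot case: slowcgi and nginx hand the CGI its stdin and stdout, so the device is never needed there, and the `#if 0` in the port's patch removes more than that case requires.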



Re: UPDATE: www/cgit 1.1

2017-03-02 Thread Landry Breuil
On Wed, Mar 01, 2017 at 09:36:53PM +0100, Hiltjo Posthuma wrote:
> Hi,
> 
> This bumps the version of cgit from 1.0 to 1.1.

Thanks for this, I'll try to test it soonish.

> Changed in the patch below:
> - pass the option NO_GETTEXT=1 to git to disable gettext support.

Any particular reason?

> - add a patch patches/patch-setup_c to not open /dev/null in the chroot.
>   alternatively the user can not use this patch and make the device node in
>   $chroot/dev/null and disable the "nodev" mountpoint option if needed.

Can you elaborate a bit more? Push this upstream? I guess upstream has
a reason to open dev/null

Landry



Re: UPDATE: www/cgit 1.1

2017-03-01 Thread Hiltjo Posthuma
On Wed, Mar 01, 2017 at 09:47:12PM +0100, Rafael Sadowski wrote:
>
> Please switch HOMEPAGE and MASTER_SITES0 to https, thanks.
> 

Good point! Changed:


diff --git a/www/cgit/Makefile b/www/cgit/Makefile
index a3040ebf78e..c339fbadb88 100644
--- a/www/cgit/Makefile
+++ b/www/cgit/Makefile
@@ -2,15 +2,15 @@
 
 COMMENT =  web frontend for git repositories
 
-DISTNAME = cgit-1.0
+DISTNAME = cgit-1.1
 CATEGORIES =   www devel
 
 DISTFILES =${DISTNAME}.tar.gz:0 \
-   git-2.8.3.tar.gz:1
+   git-2.10.2.tar.gz:1
 
-MASTER_SITES0 =http://git.zx2c4.com/cgit/snapshot/
+MASTER_SITES0 =https://git.zx2c4.com/cgit/snapshot/
 MASTER_SITES1 =https://www.kernel.org/pub/software/scm/git/
-HOMEPAGE = http://git.zx2c4.com/cgit/about/
+HOMEPAGE = https://git.zx2c4.com/cgit/about/
 
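Review bot: the git tarball is bumped to 2.10.2 alongside cgit 1.1 with nothing in the port saying where that pairing comes from; add a one-line comment above DISTFILES pointing at the git version the cgit release expects, so the next updater does not have to rediscover it. Moving MASTER_SITES0 and HOMEPAGE to https is the right call: distinfo pins the hash for later builds, but the initial `make makesum` fetch that produces that hash is only as trustworthy as the transport it came over.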
 # GPLv2
 PERMIT_PACKAGE_CDROM = Yes
@@ -20,7 +20,7 @@ USE_GMAKE =   yes
 LIB_DEPENDS =  converters/libiconv
 
 PREFIX =   ${VARBASE}/www
-MAKE_FLAGS +=  V=1 NO_LUA=1 LDFLAGS+='${STATIC} -L${LOCALBASE}/lib'
+MAKE_FLAGS +=  V=1 NO_GETTEXT=1 NO_LUA=1 LDFLAGS+='${STATIC} 
-L${LOCALBASE}/lib'
 
 post-extract:
rmdir ${WRKSRC}/git
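Review bot: NO_GETTEXT=1 is added to MAKE_FLAGS with no comment, so the reason given in this mail (gettext crashes in the static build) is lost once the mail is forgotten; put it in the Makefile, e.g. `# NO_GETTEXT: gettext segfaults in the static build` above MAKE_FLAGS. The MAKE_FLAGS line shows up wrapped over two lines here, which is the mail client's doing; make sure the committed Makefile keeps it on one line, otherwise the stray `-L${LOCALBASE}/lib'` becomes a syntax error.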
diff --git a/www/cgit/distinfo b/www/cgit/distinfo
index d71bfacc15a..d1f527d5097 100644
--- a/www/cgit/distinfo
+++ b/www/cgit/distinfo
@@ -1,4 +1,4 @@
-SHA256 (cgit-1.0.tar.gz) = 56yIddhatPaqQc3fGB3JjAuoBI6HdFLOtEAcPucvpPQ=
-SHA256 (git-2.8.3.tar.gz) = La1Qx1gznW9SNTCdtiDlEkngAA/zSqLyrLy4TCEj7Qk=
-SIZE (cgit-1.0.tar.gz) = 105139
-SIZE (git-2.8.3.tar.gz) = 5847849
+SHA256 (cgit-1.1.tar.gz) = 9A3soz5VbJohi73Ce9nEd62ZxwhjkjCWhtIWkB3RDTs=
+SHA256 (git-2.10.2.tar.gz) = PX7yddgLl6qmHztr6dPcUWIC5vb12IXywJtZ66WS3MQ=
+SIZE (cgit-1.1.tar.gz) = 105738
+SIZE (git-2.10.2.tar.gz) = 6065116
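Review bot: the regenerated SHA256 lines are the only integrity check every later build of this port will have, so they deserve a comparison rather than a `make makesum` alone; for git-2.10.2.tar.gz compare against the digest upstream publishes next to the tarballs on kernel.org (the values here are base64-encoded, the OpenBSD distinfo convention, so convert before comparing with a hex digest). The cgit snapshot tarball has no upstream digest to check against, so at minimum confirm its hash from a second download over a different network path before committing.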
diff --git a/www/cgit/patches/patch-Makefile b/www/cgit/patches/patch-Makefile
index a21e6ae7038..f3fc76d1edf 100644
--- a/www/cgit/patches/patch-Makefile
+++ b/www/cgit/patches/patch-Makefile
@@ -1,9 +1,8 @@
-$OpenBSD: patch-Makefile,v 1.7 2016/06/17 07:22:39 landry Exp $
 Makefile.orig  Tue Jun  7 14:45:04 2016
-+++ Makefile   Fri Jun 17 07:30:53 2016
+--- Makefile.orig  Thu Feb 23 10:40:08 2017
 Makefile   Thu Feb 23 10:42:15 2017
 @@ -2,11 +2,11 @@ all::
  
- CGIT_VERSION = v1.0
+ CGIT_VERSION = v1.1
  CGIT_SCRIPT_NAME = cgit.cgi
 -CGIT_SCRIPT_PATH = /var/www/htdocs/cgit
 -CGIT_DATA_PATH = $(CGIT_SCRIPT_PATH)
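Review bot: this hunk removes the `$OpenBSD: patch-Makefile,v 1.7 ...$` line instead of leaving an unexpanded `$OpenBSD$` as the first line; ports patches carry that keyword so CVS fills it in on commit, and the old expanded value is still visible as context in the next hunk header, which will be stale after this. Keep `$OpenBSD$` at the top when regenerating with `make update-patches`. The ` Makefile.orig` and ` Makefile` header lines appear here without their `---`/`+++` markers, most likely stripped in transit; verify the on-disk patch still has them.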
@@ -23,7 +22,7 @@ $OpenBSD: patch-Makefile,v 1.7 2016/06/17 07:22:39 landry Exp 
$
$(INSTALL) -m 0644 favicon.ico $(DESTDIR)$(CGIT_DATA_PATH)/favicon.ico
$(INSTALL) -m 0644 robots.txt $(DESTDIR)$(CGIT_DATA_PATH)/robots.txt
 -  $(INSTALL) -m 0755 -d $(DESTDIR)$(filterdir)
--  $(COPYTREE)  filters/* $(DESTDIR)$(filterdir)
+-  $(COPYTREE) filters/* $(DESTDIR)$(filterdir)
  
  install-doc: install-man install-html install-pdf
  
diff --git a/www/cgit/patches/patch-setup_c b/www/cgit/patches/patch-setup_c
new file mode 100644
index 000..f7985677bb1
--- /dev/null
+++ b/www/cgit/patches/patch-setup_c
@@ -0,0 +1,18 @@
+--- git/setup.c.orig   Wed Mar  1 21:01:06 2017
 git/setup.cWed Mar  1 21:01:56 2017
+@@ -1024,6 +1024,7 @@ const char *resolve_gitdir(const char *suspect)
+ /* if any standard file descriptor is missing open it to /dev/null */
+ void sanitize_stdfds(void)
+ {
++#if 0
+   int fd = open("/dev/null", O_RDWR, 0);
+   while (fd != -1 && fd < 2)
+   fd = dup(fd);
+@@ -1031,6 +1032,7 @@ void sanitize_stdfds(void)
+   die_errno("open /dev/null or dup failed");
+   if (fd > 2)
+   close(fd);
++#endif
+ }
+ 
+ int daemonize(void)
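Review bot: `#if 0` around the whole body of sanitize_stdfds() drops more than the chroot case needs: on any system, if one of fds 0, 1 or 2 is closed when cgit starts, the next file git opens takes that number and later writes meant for stdout or stderr land in it. A narrower change keeps the behaviour when /dev/null exists and only makes its absence non-fatal, e.g. replace `die_errno("open /dev/null or dup failed");` with `return;`, or check first with fcntl(fd, F_GETFD) whether 0..2 are already open and skip the open() entirely, which is the normal case for a CGI that inherits its descriptors from the web server. Either way the patch should start with a comment saying why it exists (chroot without /dev/null, nodev) and, as asked earlier in the thread, be offered upstream rather than carried in the port.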
diff --git a/www/cgit/pkg/README b/www/cgit/pkg/README
index fc0ef92f4dc..29f18b8eb5a 100644
--- a/www/cgit/pkg/README
+++ b/www/cgit/pkg/README
@@ -12,6 +12,21 @@ Refer to http://git.zx2c4.com/cgit/tree/cgitrc.5.txt for the 
syntax.
 Webserver config
 
 
+OpenBSD httpd
+-
+ext_ip="0.0.0.0"
+server "default" {
+   listen on $ext_ip port 80
+
+   # don't serve static files from cgit CGI: cgit.css and cgit.png
+   location "/cgit.*" {
+   root "/cgit"
+   no fastcgi
+   }
+   root "/cgi-bin/cgit.cgi"
+   fastcgi socket "/run/slowcgi.sock"
+}
+
 Nginx
 -
 An example nginx config snippet is provided below, to run with
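Review bot: the httpd example listens on `$ext_ip port 80` with no tls, so the snippet people will copy serves repository contents in the clear; either add the `listen on $ext_ip tls port 443` form with a tls block naming the certificate and key, or say explicitly that TLS is left out for brevity. `location "/cgit.*"` is a glob that matches every path starting with /cgit., not just cgit.css and cgit.png as the comment says; that is fine as long as nothing else under that prefix is meant to reach the CGI, but the comment should match what the pattern does. The context line above still links http://git.zx2c4.com/cgit/tree/cgitrc.5.txt while this diff moves HOMEPAGE to https; worth fixing in the same commit.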
@@ -47,3 +62,14 @@ ScriptAlias /cgit /cgi-bin/cgit.cgi
Order allow,deny
Allow from all
 
+
+
+snapshots
+-
+Nginx and OpenBSD httpd use chroot(2).
+
+For .tar.gz snapshot support a static binary in $chroot/bin/gzip is required.
+
+   cd /usr/src/usr.bin/compress
+   make clean && make LDFLAGS="-static -pie"
+   cp obj/compress $chroot/bin/gzip
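Review bot: `cp obj/compress $chroot/bin/gzip` leaves the file with the build user's ownership and mode; install it with `install -o root -g bin -m 0555 obj/compress $chroot/bin/gzip` and keep $chroot/bin itself root-owned and not writable by www, because cgit exec()s this binary for every snapshot request and a writable copy gives anyone who compromises the www user a foothold that survives a restart. The recipe also assumes a populated /usr/src and an existing obj directory (`make obj` before `make`); say so, and suggest `ldd $chroot/bin/gzip` to confirm the binary really is static before relying on it inside the chroot.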

-- 
Kind regards,
Hiltjo
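The README addition above tells the admin to build compress(1) statically and copy it to $chroot/bin/gzip, where cgit exec()s it for every .tar.gz snapshot request. As an added example that is not part of the port, its README or this thread, here is a POSIX sh check to run on that file after installing it: it refuses symlinks, requires a regular file that is readable and executable by others (the CGI runs as the web user, not as root), verifies the owner, and rejects group- or world-writable files, setuid/setgid bits and a writable parent directory. The function name `check_chroot_bin`, the optional owner argument (defaulting to root) and the error messages are this example's own; whether the binary is actually static is a separate check with the platform's ldd(1) and is not covered here.

```sh
#!/bin/sh
# Added example for this thread, not part of the port or its README.
# Sanity-check a helper binary that was copied into a web chroot, such
# as /var/www/bin/gzip for cgit's .tar.gz snapshots, before trusting it:
# cgit exec()s that file for every snapshot request, so the web server's
# user must not be able to replace it. Uses only POSIX test(1), find(1)
# and dirname(1); "owner" defaults to root. Function name and argument
# order are this example's own.
#
# usage: check_chroot_bin /var/www/bin/gzip [owner]
# exit status: 0 = ok, 1 = problem (reason printed on stderr)
check_chroot_bin() {
	path=$1
	owner=${2:-root}

	# A symlink can later be repointed, possibly outside the chroot.
	if [ -L "$path" ]; then
		echo "$path: is a symlink" >&2; return 1
	fi
	if [ ! -f "$path" ]; then
		echo "$path: missing or not a regular file" >&2; return 1
	fi
	# The CGI runs as the web user, not the owner, so "others" need r-x.
	# find(1) prints the path only when the predicate matches.
	if [ -z "$(find "$path" -perm -005)" ]; then
		echo "$path: not readable and executable by others" >&2; return 1
	fi
	if [ -z "$(find "$path" -user "$owner")" ]; then
		echo "$path: not owned by $owner" >&2; return 1
	fi
	# Group- or world-writable: anyone in that group, or any user, can
	# swap in their own binary.
	if [ -n "$(find "$path" \( -perm -020 -o -perm -002 \))" ]; then
		echo "$path: writable by group or others" >&2; return 1
	fi
	# setuid/setgid helpers have no business inside a web chroot.
	if [ -n "$(find "$path" \( -perm -4000 -o -perm -2000 \))" ]; then
		echo "$path: setuid or setgid bit set" >&2; return 1
	fi
	# A writable directory lets the file be replaced by rename(2) even
	# when the file itself is read-only. -prune stops find descending.
	dir=$(dirname "$path")
	if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
		echo "$dir: directory writable by group or others" >&2; return 1
	fi
	return 0
}

# Example run on the path from the README (assumes chroot=/var/www):
# check_chroot_bin /var/www/bin/gzip
```

The checks are deliberately done with find(1) predicates rather than `ls -l` parsing so the function behaves the same on OpenBSD and Linux; the one thing it cannot tell you is whether the binary is static, which is exactly what matters in a chroot without shared libraries, so pair it with `ldd` on the installed file.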



UPDATE: www/cgit 1.1

2017-03-01 Thread Hiltjo Posthuma
Hi,

This bumps the version of cgit from 1.0 to 1.1.

Changed in the patch below:
- pass the option NO_GETTEXT=1 to git to disable gettext support.
- add a patch patches/patch-setup_c to not open /dev/null in the chroot.
  alternatively the user can not use this patch and make the device node in
  $chroot/dev/null and disable the "nodev" mountpoint option if needed.
- minor change made to patch/patch_Makefile required to patch.
- add a OpenBSD httpd (with slowcgi) example to the README.
- add an explanation that a static gzip binary is required for .tar.gz snapshot support.

Tested on amd64.


Unrelated, but maybe worth mentioning:
Cgit used to output a part of the header to the client, because it uses write(2)
directly unbuffered. I'm happy to report this commit in -current fixed it:
https://github.com/openbsd/src/commit/e6c0e46b10b1ac06c178c4ee0b2e0bd058797eb4


diff --git a/www/cgit/Makefile b/www/cgit/Makefile
index a3040ebf78e..ca9e9369059 100644
--- a/www/cgit/Makefile
+++ b/www/cgit/Makefile
@@ -2,11 +2,11 @@
 
 COMMENT =  web frontend for git repositories
 
-DISTNAME = cgit-1.0
+DISTNAME = cgit-1.1
 CATEGORIES =   www devel
 
 DISTFILES =${DISTNAME}.tar.gz:0 \
-   git-2.8.3.tar.gz:1
+   git-2.10.2.tar.gz:1
 
 MASTER_SITES0 =http://git.zx2c4.com/cgit/snapshot/
 MASTER_SITES1 =https://www.kernel.org/pub/software/scm/git/
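Review bot: MASTER_SITES0 and HOMEPAGE are left on http:// in this revision while MASTER_SITES1 already uses https (the follow-up in this thread switches both); the distinfo hash protects later builds, but the first fetch that produces that hash arrives over plaintext, so make the change in this commit rather than a later one.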
@@ -20,7 +20,7 @@ USE_GMAKE =   yes
 LIB_DEPENDS =  converters/libiconv
 
 PREFIX =   ${VARBASE}/www
-MAKE_FLAGS +=  V=1 NO_LUA=1 LDFLAGS+='${STATIC} -L${LOCALBASE}/lib'
+MAKE_FLAGS +=  V=1 NO_GETTEXT=1 NO_LUA=1 LDFLAGS+='${STATIC} 
-L${LOCALBASE}/lib'
 
 post-extract:
rmdir ${WRKSRC}/git
diff --git a/www/cgit/distinfo b/www/cgit/distinfo
index d71bfacc15a..d1f527d5097 100644
--- a/www/cgit/distinfo
+++ b/www/cgit/distinfo
@@ -1,4 +1,4 @@
-SHA256 (cgit-1.0.tar.gz) = 56yIddhatPaqQc3fGB3JjAuoBI6HdFLOtEAcPucvpPQ=
-SHA256 (git-2.8.3.tar.gz) = La1Qx1gznW9SNTCdtiDlEkngAA/zSqLyrLy4TCEj7Qk=
-SIZE (cgit-1.0.tar.gz) = 105139
-SIZE (git-2.8.3.tar.gz) = 5847849
+SHA256 (cgit-1.1.tar.gz) = 9A3soz5VbJohi73Ce9nEd62ZxwhjkjCWhtIWkB3RDTs=
+SHA256 (git-2.10.2.tar.gz) = PX7yddgLl6qmHztr6dPcUWIC5vb12IXywJtZ66WS3MQ=
+SIZE (cgit-1.1.tar.gz) = 105738
+SIZE (git-2.10.2.tar.gz) = 6065116
diff --git a/www/cgit/patches/patch-Makefile b/www/cgit/patches/patch-Makefile
index a21e6ae7038..f3fc76d1edf 100644
--- a/www/cgit/patches/patch-Makefile
+++ b/www/cgit/patches/patch-Makefile
@@ -1,9 +1,8 @@
-$OpenBSD: patch-Makefile,v 1.7 2016/06/17 07:22:39 landry Exp $
 Makefile.orig  Tue Jun  7 14:45:04 2016
-+++ Makefile   Fri Jun 17 07:30:53 2016
+--- Makefile.orig  Thu Feb 23 10:40:08 2017
 Makefile   Thu Feb 23 10:42:15 2017
 @@ -2,11 +2,11 @@ all::
  
- CGIT_VERSION = v1.0
+ CGIT_VERSION = v1.1
  CGIT_SCRIPT_NAME = cgit.cgi
 -CGIT_SCRIPT_PATH = /var/www/htdocs/cgit
 -CGIT_DATA_PATH = $(CGIT_SCRIPT_PATH)
@@ -23,7 +22,7 @@ $OpenBSD: patch-Makefile,v 1.7 2016/06/17 07:22:39 landry Exp 
$
$(INSTALL) -m 0644 favicon.ico $(DESTDIR)$(CGIT_DATA_PATH)/favicon.ico
$(INSTALL) -m 0644 robots.txt $(DESTDIR)$(CGIT_DATA_PATH)/robots.txt
 -  $(INSTALL) -m 0755 -d $(DESTDIR)$(filterdir)
--  $(COPYTREE)  filters/* $(DESTDIR)$(filterdir)
+-  $(COPYTREE) filters/* $(DESTDIR)$(filterdir)
  
  install-doc: install-man install-html install-pdf
  
diff --git a/www/cgit/patches/patch-setup_c b/www/cgit/patches/patch-setup_c
new file mode 100644
index 000..f7985677bb1
--- /dev/null
+++ b/www/cgit/patches/patch-setup_c
@@ -0,0 +1,18 @@
+--- git/setup.c.orig   Wed Mar  1 21:01:06 2017
 git/setup.cWed Mar  1 21:01:56 2017
+@@ -1024,6 +1024,7 @@ const char *resolve_gitdir(const char *suspect)
+ /* if any standard file descriptor is missing open it to /dev/null */
+ void sanitize_stdfds(void)
+ {
++#if 0
+   int fd = open("/dev/null", O_RDWR, 0);
+   while (fd != -1 && fd < 2)
+   fd = dup(fd);
+@@ -1031,6 +1032,7 @@ void sanitize_stdfds(void)
+   die_errno("open /dev/null or dup failed");
+   if (fd > 2)
+   close(fd);
++#endif
+ }
+ 
+ int daemonize(void)
diff --git a/www/cgit/pkg/README b/www/cgit/pkg/README
index fc0ef92f4dc..29f18b8eb5a 100644
--- a/www/cgit/pkg/README
+++ b/www/cgit/pkg/README
@@ -12,6 +12,21 @@ Refer to http://git.zx2c4.com/cgit/tree/cgitrc.5.txt for the 
syntax.
 Webserver config
 
 
+OpenBSD httpd
+-
+ext_ip="0.0.0.0"
+server "default" {
+   listen on $ext_ip port 80
+
+   # don't serve static files from cgit CGI: cgit.css and cgit.png
+   location "/cgit.*" {
+   root "/cgit"
+   no fastcgi
+   }
+   root "/cgi-bin/cgit.cgi"
+   fastcgi socket "/run/slowcgi.sock"
+}
+
 Nginx
 -
 An example nginx config snippet is provided below, to run with
@@ -47,3 +62,14 @@ ScriptAlias /cgit /cgi-bin/cgit.cgi
Order allow,deny
Allow from all
 
+
+