Bug 220906 - security/sshguard: Fix rc.d script, add UPDATING entry
Summary: security/sshguard: Fix rc.d script, add UPDATING entry
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Ben Woods
Keywords: needs-qa, patch
Reported: 2017-07-21 15:56 UTC by Christos Chatzaras
Modified: 2017-07-24 10:59 UTC
koobs: maintainer-feedback+
woodsb02: merge-quarterly-


Attachments
Fix up rc script (6.61 KB, patch)
2017-07-21 17:59 UTC, Dan McGregor
koobs: maintainer-approval+

Description Christos Chatzaras 2017-07-21 15:56:44 UTC
sshguard 2.0 requires /usr/local/etc/sshguard.conf to exist to be able to start sshguard.

My /etc/rc.conf contains:

sshguard_enable="YES"
sshguard_watch_logs="/var/log/auth.log:/var/log/maillog:/var/log/xferlog"
sshguard_blacklist=""

I remove the last 2 lines and keep only:

sshguard_enable="YES"

Then I edit sshguard.conf and replace:

#FILES="/var/log/auth.log /var/log/maillog"

with:

FILES="/var/log/auth.log /var/log/maillog /var/log/xferlog"

The problem is that it ignores all changes in sshguard.conf, and I think the only change that works is the BACKEND option.

I think the /usr/local/etc/rc.d/sshguard script needs changes to remove the /etc/rc.conf options, with the configuration done using /usr/local/etc/sshguard.conf.
Comment 1 Christos Chatzaras 2017-07-21 16:23:03 UTC
This is the reply from the SSHGuard developer Kevin Zheng:

"I took a look at the rc.d script in ports. SSHGuard usually looks at
sshguard.conf for a list of files to monitor, but lets you override it
via the command line using -l arguments.

Here, the rc.d script is *always* setting the '-l' arguments even if you
don't have SSHGUARD_WATCH_LOGS set in your rc.conf.

The right thing to do might be to change the rc.d script to avoid
setting '-l' arguments if the user left SSHGUARD_WATCH_LOGS empty. Or,
if easing the transition isn't important, axing it in favor of the
configuration file."
Comment 2 Dan McGregor 2017-07-21 16:47:56 UTC
Yes, I missed this when I did the update, I'll post a fix shortly.
Comment 3 Christos Chatzaras 2017-07-21 16:48:48 UTC
Thank you for your help :-)
Comment 4 Dan McGregor 2017-07-21 17:59:23 UTC
Created attachment 184580
Fix up rc script

Patch to fix the rc.d issues of always overriding the config file. Also sets the defaults in the config file to match the former defaults in the rc script.

Add UPDATING entry.
Comment 5 commit-hook freebsd_committer freebsd_triage 2017-07-24 10:56:57 UTC
A commit references this bug:

Author: woodsb02
Date: Mon Jul 24 10:56:17 UTC 2017
New revision: 446517
URL: https://svnweb.freebsd.org/changeset/ports/446517

Log:
  security/sshguard: Fix rc script, add UPDATING entry

  sshguard usually looks at sshguard.conf for a list of files to monitor,
  but lets you override it via the command line using -l arguments.

  This change fixes an issue with the previous rc script which was
  *always* setting the '-l' arguments even if sshguard_watch_logs wasn't
  set in rc.conf.

  This change also sets the defaults in the config file to match the
  former defaults in the rc script, and adds an UPDATING entry to warn
  of the change from default configuration via rc.conf to the config file.

  PR:		220906
  Submitted by:	Dan McGregor (maintainer)
  Reported by:	chris@cretaforce.gr

Changes:
  head/UPDATING
  head/security/sshguard/Makefile
  head/security/sshguard/files/patch-examples-sshguard.conf.sample
  head/security/sshguard/files/sshguard.in
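
A simplified model of the '-l' handling discussed in this report, added here as an example; it is not the port's rc.d script or the committed patch. The function names and the assumed former default list (ASSUMED_DEFAULT_LOGS) are hypothetical. It shows why a FILES entry such as /var/log/xferlog was silently left unmonitored before the fix.

```shell
#!/bin/sh
# Added example: models how an rc.d wrapper turns sshguard_watch_logs into
# '-l' arguments. Not the port's script; names below are hypothetical.

# Assumption: stand-in for the defaults the old rc script filled in.
ASSUMED_DEFAULT_LOGS="/var/log/auth.log:/var/log/maillog"

# Convert a colon-separated list (the rc.conf format shown in the report)
# into "-l <file>" arguments. An empty list yields no output at all.
# The body runs in a subshell so the IFS and noglob changes do not leak.
# Limitation: the result is one string, so paths containing spaces are
# not representable here.
logs_to_flags() (
    IFS=:
    set -f
    flags=""
    for f in $1; do
        [ -n "$f" ] || continue          # skip empty fields such as "a::b"
        flags="${flags:+$flags }-l $f"
    done
    printf '%s' "$flags"
)

# Before the fix: an unset/empty value falls back to a default, so '-l' is
# always on the command line and FILES in sshguard.conf is overridden.
flags_before() {
    logs_to_flags "${1:-$ASSUMED_DEFAULT_LOGS}"
}

# After the fix: '-l' is emitted only when the admin set the variable, so
# an empty value leaves sshguard.conf in control of the monitored files.
flags_after() {
    logs_to_flags "$1"
}

# Reporter's case: rc.conf contains only sshguard_enable="YES".
echo "before: sshguard $(flags_before "")"
echo "after:  sshguard $(flags_after "")"
```

To check a running system for the same mismatch, compare the '-l' arguments on the sshguard process command line with the FILES line in /usr/local/etc/sshguard.conf.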
Comment 6 Ben Woods freebsd_committer freebsd_triage 2017-07-24 10:59:40 UTC
Committed - thanks for reporting it Chris, and for the fix Dan!