Hi, I'm getting the following build error when building via portmaster or poudriere on FreeBSD 12.4 ===>>> Currently installed version: sshguard-2.4.2_2,1 ===>>> Port directory: /usr/ports/security/sshguard ===>>> Gathering distinfo list for installed ports ===>>> Launching 'make checksum' for security/sshguard in background ===>>> Gathering dependency list for security/sshguard from ports ===>>> Initial dependency check complete for security/sshguard ===>>> Starting build for security/sshguard <<<=== ===>>> All dependencies are up to date ===> Cleaning for sshguard-2.4.3,1 ===> License BSD2CLAUSE accepted by the user ===> sshguard-2.4.3,1 depends on file: /usr/local/sbin/pkg - found ===> Fetching all distfiles required by sshguard-2.4.3,1 for building ===> Extracting for sshguard-2.4.3,1 => SHA256 Checksum OK for sshguard-2.4.3.tar.gz. ===> Patching for sshguard-2.4.3,1 ===> Applying FreeBSD patches for sshguard-2.4.3,1 from /usr/ports/security/sshguard/files ===> sshguard-2.4.3,1 depends on file: /usr/local/bin/ccache - found ===> Configuring for sshguard-2.4.3,1 configure: loading site script /usr/ports/Templates/config.site checking whether to enable maintainer-specific portions of Makefiles... yes checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a race-free mkdir -p... (cached) /bin/mkdir -p checking for gawk... (cached) /usr/bin/awk checking whether make sets $(MAKE)... yes checking whether make supports nested variables... yes checking whether make supports nested variables... (cached) yes checking whether make supports the include directive... yes (GNU style) checking for gcc... cc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether the compiler supports GNU C... yes checking whether cc accepts -g... yes checking for cc option to enable C11 features... none needed checking whether cc understands -c and -o together... yes checking dependency style of cc... gcc3 checking for stdio.h... (cached) yes checking for stdlib.h... (cached) yes checking for string.h... (cached) yes checking for inttypes.h... (cached) yes checking for stdint.h... (cached) yes checking for strings.h... (cached) yes checking for sys/stat.h... (cached) yes checking for sys/types.h... (cached) yes checking for unistd.h... (cached) yes checking for wchar.h... (cached) yes checking for minix/config.h... (cached) no checking whether it is safe to define __EXTENSIONS__... yes checking whether _XOPEN_SOURCE should be defined... no ## -------------- ## ## Program Checks ## ## -------------- ## checking for ranlib... ranlib checking for bison... no checking for byacc... byacc checking for ar... ar checking the archiver (ar) interface... ar checking for flex... flex checking for lex output file root... lex.yy checking for lex library... none needed checking for library containing yywrap... -lfl checking whether yytext is a pointer... yes ## ----------------------------------- ## ## Headers, Types, and Compiler Checks ## ## ----------------------------------- ## checking for getopt.h... (cached) yes checking for capsicum_helpers.h... yes checking for libcasper.h... yes checking for library containing cap_init... -lcasper checking for library containing cap_getaddrinfo... no checking for rst2man... no checking for rst2man.py... no configure: WARNING: rst2man not found; using pre-built man pages ## ----------------- ## ## Library Functions ## ## ----------------- ## checking for library containing gethostbyname... none required checking for library containing pthread_create... -lpthread checking for library containing socket... none required checking that generated files are newer than configure... done configure: creating ./config.status config.status: creating Makefile config.status: creating src/Makefile config.status: creating src/blocker/Makefile config.status: creating src/fw/Makefile config.status: creating src/parser/Makefile config.status: creating src/common/config.h config.status: executing depfiles commands ===> Building for sshguard-2.4.3,1 --- all-recursive --- Making all in src --- all-recursive --- Making all in blocker --- sandbox.o --- --- service_names.o --- --- simclist.o --- --- attack.o --- --- sandbox.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT sandbox.o -MD -MP -MF .deps/sandbox.Tpo -c -o sandbox.o `test -f '../common/sandbox.c' || echo './'`../common/sandbox.c --- service_names.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT service_names.o -MD -MP -MF .deps/service_names.Tpo -c -o service_names.o `test -f '../common/service_names.c' || echo './'`../common/service_names.c --- simclist.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT simclist.o -MD -MP -MF .deps/simclist.Tpo -c -o simclist.o `test -f '../common/simclist.c' || echo './'`../common/simclist.c --- attack.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT attack.o -MD -MP -MF .deps/attack.Tpo -c -o attack.o attack.c --- service_names.o --- mv -f .deps/service_names.Tpo .deps/service_names.Po --- blocker.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT blocker.o -MD -MP -MF .deps/blocker.Tpo -c -o blocker.o blocker.c --- attack.o --- mv -f .deps/attack.Tpo .deps/attack.Po --- blocklist.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT blocklist.o -MD -MP -MF .deps/blocklist.Tpo -c -o blocklist.o blocklist.c --- sandbox.o --- In file included from ../common/sandbox.c:2: ../../src/common/sandbox.h:9:10: fatal error: 'casper/cap_net.h' file not found #include <casper/cap_net.h> ^~~~~~~~~~~~~~~~~~ 1 error generated. *** [sandbox.o] Error code 1 make[3]: stopped in /usr/ports/security/sshguard/work/sshguard-2.4.3/src/blocker --- blocker.o --- In file included from blocker.c:32: ../../src/common/sandbox.h:9:10: fatal error: 'casper/cap_net.h' file not found #include <casper/cap_net.h> ^~~~~~~~~~~~~~~~~~ 1 error generated. *** [blocker.o] Error code 1 make[3]: stopped in /usr/ports/security/sshguard/work/sshguard-2.4.3/src/blocker --- blocklist.o --- mv -f .deps/blocklist.Tpo .deps/blocklist.Po --- simclist.o --- mv -f .deps/simclist.Tpo .deps/simclist.Po 2 errors make[3]: stopped in /usr/ports/security/sshguard/work/sshguard-2.4.3/src/blocker ===> Compilation failed unexpectedly. Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to the maintainer. *** Error code 1 Stop. make: stopped in /usr/ports/security/sshguard
Thank you for the report. SSHGuard 2.4.3 uses libcasper to resolve DNS names inside the parser sandbox. It appears that FreeBSD 12.4 may not have the required libcasper sandboxing libraries that are available in 13. I'm currently investigating a fix.
Created attachment 246218 [details] Patch I have a preliminary patch that should (hopefully) fix this issue. Would you be able to test this patch on FreeBSD 12 and let me know if the build succeeds?
Hello, I've applied the patch, but I'm unfortunately still getting an error. ===>>> Currently installed version: sshguard-2.4.2_2,1 ===>>> Port directory: /usr/ports/security/sshguard ===>>> Gathering distinfo list for installed ports ===>>> Launching 'make checksum' for security/sshguard in background ===>>> Gathering dependency list for security/sshguard from ports ===>>> Initial dependency check complete for security/sshguard ===>>> Starting build for security/sshguard <<<=== ===>>> All dependencies are up to date ===> Cleaning for sshguard-2.4.3,1 ===> License BSD2CLAUSE accepted by the user ===> sshguard-2.4.3,1 depends on file: /usr/local/sbin/pkg - found ===> Fetching all distfiles required by sshguard-2.4.3,1 for building ===> Extracting for sshguard-2.4.3,1 => SHA256 Checksum OK for sshguard-2.4.3.tar.gz. ===> Patching for sshguard-2.4.3,1 ===> Applying FreeBSD patches for sshguard-2.4.3,1 from /usr/ports/security/sshguard/files ===> sshguard-2.4.3,1 depends on package: autoconf>=2.71 - found ===> sshguard-2.4.3,1 depends on package: automake>=1.16.5 - found ===> sshguard-2.4.3,1 depends on file: /usr/local/bin/ccache - found ===> Configuring for sshguard-2.4.3,1 configure.ac:6: warning: 'AM_CONFIG_HEADER': this macro is obsolete. configure.ac:6: You should use the 'AC_CONFIG_HEADERS' macro instead. ./lib/autoconf/general.m4:2434: AC_DIAGNOSE is expanded from... aclocal.m4:859: AM_CONFIG_HEADER is expanded from... configure.ac:6: the top level configure.ac:15: warning: The macro `AC_PROG_CC_C99' is obsolete. configure.ac:15: You should run autoupdate. ./lib/autoconf/c.m4:1659: AC_PROG_CC_C99 is expanded from... configure.ac:15: the top level configure.ac:19: warning: AC_PROG_LEX without either yywrap or noyywrap is obsolete ./lib/autoconf/programs.m4:716: _AC_PROG_LEX is expanded from... ./lib/autoconf/programs.m4:709: AC_PROG_LEX is expanded from... aclocal.m4:728: AM_PROG_LEX is expanded from... configure.ac:19: the top level configure.ac:41: warning: AC_OUTPUT should be used without arguments. configure.ac:41: You should run autoupdate. src/blocker/Makefile.am:5: warning: source file '../common/sandbox.c' is in a subdirectory, src/blocker/Makefile.am:5: but option 'subdir-objects' is disabled automake: warning: possible forward-incompatibility. automake: At least one source file is in a subdirectory, but the 'subdir-objects' automake: automake option hasn't been enabled. For now, the corresponding output automake: object file(s) will be placed in the top-level directory. However, this automake: behavior may change in a future Automake major version, with object automake: files being placed in the same subdirectory as the corresponding sources. automake: You are advised to start using 'subdir-objects' option throughout your automake: project, to avoid future incompatibilities. src/blocker/Makefile.am:5: warning: source file '../common/service_names.c' is in a subdirectory, src/blocker/Makefile.am:5: but option 'subdir-objects' is disabled src/blocker/Makefile.am:5: warning: source file '../common/simclist.c' is in a subdirectory, src/blocker/Makefile.am:5: but option 'subdir-objects' is disabled src/fw/Makefile.am:26: warning: source file '../common/simclist.c' is in a subdirectory, src/fw/Makefile.am:26: but option 'subdir-objects' is disabled src/parser/Makefile.am:15: warning: source file '../common/sandbox.c' is in a subdirectory, src/parser/Makefile.am:15: but option 'subdir-objects' is disabled configure: loading site script /usr/ports/Templates/config.site checking whether to enable maintainer-specific portions of Makefiles... yes checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a race-free mkdir -p... (cached) /bin/mkdir -p checking for gawk... (cached) /usr/bin/awk checking whether make sets $(MAKE)... yes checking whether make supports nested variables... yes checking whether make supports nested variables... (cached) yes checking whether make supports the include directive... yes (GNU style) checking for gcc... cc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether the compiler supports GNU C... yes checking whether cc accepts -g... yes checking for cc option to enable C11 features... none needed checking whether cc understands -c and -o together... yes checking dependency style of cc... gcc3 checking for stdio.h... (cached) yes checking for stdlib.h... (cached) yes checking for string.h... (cached) yes checking for inttypes.h... (cached) yes checking for stdint.h... (cached) yes checking for strings.h... (cached) yes checking for sys/stat.h... (cached) yes checking for sys/types.h... (cached) yes checking for unistd.h... (cached) yes checking for wchar.h... (cached) yes checking for minix/config.h... (cached) no checking whether it is safe to define __EXTENSIONS__... yes checking whether _XOPEN_SOURCE should be defined... no ## -------------- ## ## Program Checks ## ## -------------- ## checking for ranlib... ranlib checking for bison... no checking for byacc... byacc checking for ar... ar checking the archiver (ar) interface... ar checking for flex... flex checking for lex output file root... lex.yy checking for lex library... none needed checking for library containing yywrap... -lfl checking whether yytext is a pointer... yes ## ----------------------------------- ## ## Headers, Types, and Compiler Checks ## ## ----------------------------------- ## checking for getopt.h... (cached) yes checking for capsicum_helpers.h... yes checking for libcasper.h... yes checking for casper/cap_net.h... no checking for library containing cap_init... -lcasper checking for library containing cap_getaddrinfo... no checking for rst2man... no checking for rst2man.py... no configure: WARNING: rst2man not found; using pre-built man pages ## ----------------- ## ## Library Functions ## ## ----------------- ## checking for library containing gethostbyname... none required checking for library containing pthread_create... -lpthread checking for library containing socket... none required checking that generated files are newer than configure... done configure: creating ./config.status config.status: creating Makefile config.status: creating src/Makefile config.status: creating src/blocker/Makefile config.status: creating src/fw/Makefile config.status: creating src/parser/Makefile config.status: creating src/common/config.h config.status: executing depfiles commands ===> Building for sshguard-2.4.3,1 --- all-recursive --- Making all in src --- all-recursive --- Making all in blocker --- sandbox.o --- --- service_names.o --- --- simclist.o --- --- attack.o --- --- sandbox.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT sandbox.o -MD -MP -MF .deps/sandbox.Tpo -c -o sandbox.o `test -f '../common/sandbox.c' || echo './'`../common/sandbox.c --- service_names.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT service_names.o -MD -MP -MF .deps/service_names.Tpo -c -o service_names.o `test -f '../common/service_names.c' || echo './'`../common/service_names.c --- simclist.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT simclist.o -MD -MP -MF .deps/simclist.Tpo -c -o simclist.o `test -f '../common/simclist.c' || echo './'`../common/simclist.c --- attack.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT attack.o -MD -MP -MF .deps/attack.Tpo -c -o attack.o attack.c --- service_names.o --- mv -f .deps/service_names.Tpo .deps/service_names.Po --- attack.o --- mv -f .deps/attack.Tpo .deps/attack.Po --- blocker.o --- --- blocklist.o --- --- simclist.o --- mv -f .deps/simclist.Tpo .deps/simclist.Po --- blocker.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT blocker.o -MD -MP -MF .deps/blocker.Tpo -c -o blocker.o blocker.c --- blocklist.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT blocklist.o -MD -MP -MF .deps/blocklist.Tpo -c -o blocklist.o blocklist.c --- hash_32a.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT hash_32a.o -MD -MP -MF .deps/hash_32a.Tpo -c -o hash_32a.o hash_32a.c --- blocklist.o --- mv -f .deps/blocklist.Tpo .deps/blocklist.Po --- sshguard_blacklist.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT sshguard_blacklist.o -MD -MP -MF .deps/sshguard_blacklist.Tpo -c -o sshguard_blacklist.o sshguard_blacklist.c --- sandbox.o --- In file included from ../common/sandbox.c:2: --- hash_32a.o --- mv -f .deps/hash_32a.Tpo .deps/hash_32a.Po --- sandbox.o --- ../../src/common/sandbox.h:9:10: fatal error: 'casper/cap_net.h' file not found #include <casper/cap_net.h> ^~~~~~~~~~~~~~~~~~ 1 error generated. --- sshguard_options.o --- cc -DHAVE_CONFIG_H -I. -I../../src/common -I../../src/common -DSIMCLIST_NO_DUMPRESTORE -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -MT sshguard_options.o -MD -MP -MF .deps/sshguard_options.Tpo -c -o sshguard_options.o sshguard_options.c --- sandbox.o --- *** [sandbox.o] Error code 1 make[3]: stopped in /usr/ports/security/sshguard/work/sshguard-2.4.3/src/blocker --- blocker.o --- In file included from blocker.c:32: ../../src/common/sandbox.h:9:10: fatal error: 'casper/cap_net.h' file not found #include <casper/cap_net.h> ^~~~~~~~~~~~~~~~~~ 1 error generated. *** [blocker.o] Error code 1 make[3]: stopped in /usr/ports/security/sshguard/work/sshguard-2.4.3/src/blocker --- sshguard_blacklist.o --- mv -f .deps/sshguard_blacklist.Tpo .deps/sshguard_blacklist.Po --- sshguard_options.o --- mv -f .deps/sshguard_options.Tpo .deps/sshguard_options.Po 2 errors make[3]: stopped in /usr/ports/security/sshguard/work/sshguard-2.4.3/src/blocker ===> Compilation failed unexpectedly. Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to the maintainer. *** Error code 1 Stop. make: stopped in /usr/ports/security/sshguard ===>>> make build failed for security/sshguard ===>>> Aborting update ===>>> You can restart from the point of failure with this command line: portmaster <flags> security/sshguard This command has been saved to ~/portmasterfail.txt
(In reply to Kevin Zheng from comment #2) FreeBSD 12 does not have this header available. If it's mandatory for sshguard than it probably should be marked as BROKEN on 12.x. 12.x EOL happens in Dec 31 this year so in 50 days all support for it will be dropped from ports tree.
Thanks all for the input. The patch was intended to correct the ./configure check to disable Capsicum sandboxing if it couldn't find cap_net.h. It looks like at least that part is working: checking for casper/cap_net.h... no But it looks like I still haven't gotten the configure check right. I'll do some troubleshooting and get back with an updated patch.
Created attachment 246236 [details] Updated patch Could you please try this updated patch on FreeBSD 12?
Hi, I applied the patch and it's now compiling and running without problems. Thanks
Thanks for testing. Renato, could you please apply this fix to the ports tree?
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=2eca5c84fab2c480693b45136f7b904a18db6a0a commit 2eca5c84fab2c480693b45136f7b904a18db6a0a Author: Kevin Zheng <kevinz5000@gmail.com> AuthorDate: 2023-11-09 19:07:44 +0000 Commit: Renato Botelho <garga@FreeBSD.org> CommitDate: 2023-11-13 11:34:36 +0000 security/sshguard: Fix build on FreeBSD 12 PR: 274985 Reported by: Yani Karydis <yani@pi-greece.eu> security/sshguard/Makefile | 3 +++ security/sshguard/files/patch-configure.ac (new) | 11 +++++++++++ 2 files changed, 14 insertions(+)
A commit in branch 2023Q4 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=f59a0c57b04c285a3f4c658fcd17b5fde290cff8 commit f59a0c57b04c285a3f4c658fcd17b5fde290cff8 Author: Kevin Zheng <kevinz5000@gmail.com> AuthorDate: 2023-11-09 19:07:44 +0000 Commit: Renato Botelho <garga@FreeBSD.org> CommitDate: 2023-11-13 11:36:36 +0000 security/sshguard: Fix build on FreeBSD 12 PR: 274985 Reported by: Yani Karydis <yani@pi-greece.eu> (cherry picked from commit 2eca5c84fab2c480693b45136f7b904a18db6a0a) security/sshguard/Makefile | 3 +++ security/sshguard/files/patch-configure.ac (new) | 11 +++++++++++ 2 files changed, 14 insertions(+)
Reopening this one. I get this error on 13.2-p5 and 13-STABLE after this update: Checking all packages: 96% (sshguard-2.4.3_1,1) /usr/local/libexec/sshg-blocker - required shared library libcap_net.so.1 not found (sshguard-2.4.3_1,1) /usr/local/libexec/sshg-fw-hosts - required shared library libcap_net.so.1 not found (sshguard-2.4.3_1,1) /usr/local/libexec/sshg-parser - required shared library libcap_net.so.1 not found find.. /usr/lib32/libcap_net.so /usr/lib32/libcap_net.so.1 /usr/lib/libcap_net.so Reverting back to 2.4.2_2,1 and back in business. Do I have some old cruft breaking it or a bug?
Thanks for the report. I have reproduced the issue but am not sure why pkg check is showing this message. /usr/lib/libcap_net.so is part of the base system and so I'm really not sure why pkg is checking for this. Is your SSHGuard failing to run? If not you can ignore this.
It runs but unsure if it does it job, will have to check that tomorrow.