New port for inclusion into ports tree.
State Changed From-To: open->feedback - I suggest the following patch to polish the port and make `portlint -A' happy; could you please review it? --- snortsms.diff begins here --- diff -urN security/snortsms.orig/Makefile security/snortsms/Makefile --- security/snortsms.orig/Makefile Fri May 27 22:41:31 2005 +++ security/snortsms/Makefile Fri May 27 23:09:58 2005 
@@ -5,34 +5,34 @@ # $FreeBSD$ # -PORTNAME= snortsms -PORTVERSION= 0.11.2 -CATEGORIES= security -MASTER_SITES= http://snortsms.servangle.net/dnloads/ -EXTRACT_SUFX= .tgz - -MAINTAINER= snortsms@servangle.net -COMMENT= A Snort Sensor Management System web interface and monitoring console - -RUN_DEPENDS= ${LOCALBASE}/share/pear/DB.php:${PORTSDIR}/databases/pear-DB - ${LOCALBASE}/bin/curl:${PORTSDIR}/ftp/curl - ${LOCALBASE}/bin/php:${PORTSDIR}/lang/php4 - ${LOCALBASE}/include/php/ext/pcre/php_pcre.h:${PORTSDIR}/devel/php4-pcre - -WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION} -USE_PHP= yes -NO_BUILD= yes +PORTNAME= snortsms +PORTVERSION= 0.11.2 +CATEGORIES= security www +MASTER_SITES= http://snortsms.servangle.net/dnloads/ +EXTRACT_SUFX= .tgz + +MAINTAINER= snortsms@servangle.net +COMMENT= A Snort Sensor Management System web interface and monitoring console + +RUN_DEPENDS= ${LOCALBASE}/share/pear/DB.php:${PORTSDIR}/databases/pear-DB + ${LOCALBASE}/bin/curl:${PORTSDIR}/ftp/curl + +USE_PHP= mysql pcre pcntl +NO_BUILD= yes + +PKGMESSAGE= ${WRKDIR}/pkg-message +SUB_FILES= pkg-message do-install: # Create directory structure - @${MKDIR} ${PREFIX}/www/snortsms + @${MKDIR} ${PREFIX}/www/snortsms # copy files - ${CP} -pr ${WRKSRC}/* ${PREFIX}/www/snortsms + ${CP} -R ${WRKSRC}/* ${PREFIX}/www/snortsms # correct permissions - ${CHMOD} 775 ${PREFIX}/www/snortsms/conf - ${CHOWN} :${WWWGRP} ${PREFIX}/www/snortsms/conf + ${CHMOD} 775 ${PREFIX}/www/snortsms/conf + ${CHOWN} -R ${WWWOWN}:${WWWGRP} ${PREFIX}/www/snortsms post-install: - @${SED} 's|%%PREFIX%%|${PREFIX}|' ${PKGMESSAGE} + @${CAT} ${PKGMESSAGE} .include <bsd.port.mk> diff -urN security/snortsms.orig/files/pkg-message.in security/snortsms/files/pkg-message.in --- security/snortsms.orig/files/pkg-message.in Thu Jan 1 01:00:00 1970 +++ security/snortsms/files/pkg-message.in Fri May 27 22:49:08 2005 
@@ -0,0 +1,24 @@ +************************************************************ + +First time installations: +-You must configure SnortSMS. + +Please browse to the SnortSMS web console and edit the +"Global Settings" in the SnortSMS Settings menu. +SnortSMS uses the following configuration file: +%%PREFIX%%/www/snortsms/conf/conf.php +which (if missing) will automatically be created - do not +edit this file directly. + +* NOTE: SnortSMS requires a local or remote database (MySQL +recommended) connection. + +For how to configure SnortSMS, please read the setup guide +located at: +http://<SnortSMS_webroot>/contrib/install_snortsms.html +-or- +%%PREFIX%%/www/snortsms/contrib/install_snortsms.html + +Thank you for using SnortSMS! + +************************************************************ diff -urN security/snortsms.orig/pkg-message security/snortsms/pkg-message --- security/snortsms.orig/pkg-message Fri May 27 22:41:31 2005 +++ security/snortsms/pkg-message Thu Jan 1 01:00:00 1970 @@ -1,28 +0,0 @@ -************************************************************ - -First time installations: --You must configure SnortSMS. - -Please browse to the SnortSMS web console and edit the -"Global Settings" in the SnortSMS Settings menu. -SnortSMS uses the following configuration file: -%%PREFIX%%/www/snortsms/conf/conf.php -which (if missing) will automatically be created - do not -edit this file directly. - - -* NOTE: SnortSMS requires a local or remote database (MySQL -recommended) connection. - - -For how to configure SnortSMS, please read the setup guide -located at: -http://<SnortSMS_webroot>/contrib/install_snortsms.html --or- -%%PREFIX%%/www/snortsms/contrib/install_snortsms.html - - -Thank you for using SnortSMS! - - -************************************************************ diff -urN security/snortsms.orig/pkg-plist security/snortsms/pkg-plist --- security/snortsms.orig/pkg-plist Fri May 27 22:41:31 2005 +++ security/snortsms/pkg-plist Fri May 27 23:11:39 2005 
@@ -20,6 +20,7 @@ www/snortsms/barnyard/qry_barnyard.php www/snortsms/barnyard/qry_barnyards.php www/snortsms/barnyard/qry_selected.php +www/snortsms/changelog www/snortsms/classifications/act_AddRemove.php www/snortsms/classifications/act_Save-Update.php www/snortsms/classifications/act_action.php @@ -197,8 +198,6 @@ www/snortsms/sensorconf/act_clone.php www/snortsms/sensorconf/act_delete_sensor.php www/snortsms/sensorconf/act_getstats.php -www/snortsms/sensorconf/act_pushbarnconf.php -www/snortsms/sensorconf/act_pushsnortconf.php www/snortsms/sensorconf/act_save_update.php www/snortsms/sensorconf/act_sensor_control.php www/snortsms/sensorconf/control_sensor.php --- snortsms.diff ends here --- - there is no /usr/local/www/snortsms/contrib/install_snortsms.html (referenced by PKGMESSAGE). - it would be safer either to install .htaccess or to add entries to httpd.conf; could you please provide one of these methods?
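Review bot: In the do-install target of the Makefile hunk, the new line ${CHOWN} -R ${WWWOWN}:${WWWGRP} ${PREFIX}/www/snortsms makes every installed PHP script owned by, and therefore writable by, the web server account, where the removed line only gave the web group access to the conf directory. If the only run-time write is into conf, keep the chown scoped to ${PREFIX}/www/snortsms/conf and leave the rest of the tree with the installing user's ownership. The same target also changes ${CP} -pr to ${CP} -R, which drops -p; a comment saying that this is intended would help.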
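Review bot: The pkg-plist hunks add www/snortsms/changelog and drop sensorconf/act_pushbarnconf.php and sensorconf/act_pushsnortconf.php while PORTVERSION in the Makefile hunk stays at 0.11.2, so the submitted plist did not match the distfile it was written for. Regenerate the plist from a clean install rather than patching single entries, and check the guide path named in pkg-message.in (contrib/install_snortsms.html) against the result in the same pass.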
Responsible Changed From-To: freebsd-ports-bugs->thierry Take it.
Several changes:
- Fixed missing files.
- Bumped port version from 0.11.2 to 0.11.3
- Removed the recursive flag on chown operation
- Merged your recommended deltas (except noted below).

In 'Makefile', reverted the following section back as intended action is to give 'www' group read/write permissions to 'www/snortsms/conf' directory which is needed for auto-creation of user config file during run time. Mainly, I don't want to expose *all* the files in this directory as read/write.

# correct permissions
${CHMOD} 775 ${PREFIX}/www/snortsms/conf
${CHOWN} :${WWWGRP} ${PREFIX}/www/snortsms/conf

Tested port several times (good install, deinstall, reinstall, package), and 'portlint -A' looks fine. Please consider revised port submission below and we should be good.

Thanks,
J Randolph

---------Re-submission of port follows----------
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# /usr/ports/security/snortsms/
# /usr/ports/security/snortsms/pkg-message
# /usr/ports/security/snortsms/pkg-descr
# /usr/ports/security/snortsms/distinfo
# /usr/ports/security/snortsms/Makefile
# /usr/ports/security/snortsms/pkg-plist
#
echo c - /usr/ports/security/snortsms/
mkdir -p /usr/ports/security/snortsms/ > /dev/null 2>&1
echo x - /usr/ports/security/snortsms/pkg-message
sed 's/^X//' >/usr/ports/security/snortsms/pkg-message << 'END-of-/usr/ports/security/snortsms/pkg-message'
X************************************************************
X
XFirst time installations:
X-You must configure SnortSMS.
X
XPlease browse to the SnortSMS web console and edit the
X"Global Settings" in the SnortSMS Settings menu.
XSnortSMS uses the following configuration file:
X%%PREFIX%%/www/snortsms/conf/conf.php
Xwhich (if missing) will automatically be created - do not
Xedit this file directly.
X
X
X* NOTE: SnortSMS requires a local or remote database (MySQL
Xrecommended) connection.
X
X
XFor how to configure SnortSMS, please read the setup guide
Xlocated at:
Xhttp://<SnortSMS_webroot>/contrib/install_snortsms.html
X-or-
X%%PREFIX%%/www/snortsms/contrib/install_snortsms.html
X
X
XThank you for using SnortSMS!
X
X
X************************************************************
END-of-/usr/ports/security/snortsms/pkg-message
echo x - /usr/ports/security/snortsms/pkg-descr
sed 's/^X//' >/usr/ports/security/snortsms/pkg-descr << 'END-of-/usr/ports/security/snortsms/pkg-descr'
XSnortSMS is a highly configurable sensor management system that
Xprovides the ability to remotely manage Snort [and Barnyard] based
Xintrusion detection systems, push configuration files, and monitor
Xsystem health and statistics all from a simple Web console.
X
XWWW: http://snortsms.servangle.net/
END-of-/usr/ports/security/snortsms/pkg-descr
echo x - /usr/ports/security/snortsms/distinfo
sed 's/^X//' >/usr/ports/security/snortsms/distinfo << 'END-of-/usr/ports/security/snortsms/distinfo'
XMD5 (snortsms-0.11.3.tgz) = 1e9eac271e447283f6a7290ed884fb36
XSIZE (snortsms-0.11.3.tgz) = 292834
END-of-/usr/ports/security/snortsms/distinfo
echo x - /usr/ports/security/snortsms/Makefile
sed 's/^X//' >/usr/ports/security/snortsms/Makefile << 'END-of-/usr/ports/security/snortsms/Makefile'
X# New ports collection makefile for: snortsms
X# Date created: Mon May 28 16:05:01 CST 2005
X# Whom: J Randolph <snortsms@servangle.net>
X#
X# $FreeBSD$
X#
X
XPORTNAME= snortsms
XPORTVERSION= 0.11.3
XCATEGORIES= security www
XMASTER_SITES= http://snortsms.servangle.net/dnloads/
XEXTRACT_SUFX= .tgz
X
XMAINTAINER= snortsms@servangle.net
XCOMMENT= A Snort Sensor Management System web interface and monitoring console
X
XRUN_DEPENDS= ${LOCALBASE}/share/pear/DB.php:${PORTSDIR}/databases/pear-DB \
X ${LOCALBASE}/bin/curl:${PORTSDIR}/ftp/curl
X
XUSE_PHP= mysql pcre pcntl
XNO_BUILD= yes
X
Xdo-install:
X# Create directory structure
X @${MKDIR} ${PREFIX}/www/snortsms
X# copy files
X ${CP} -R ${WRKSRC}/* ${PREFIX}/www/snortsms
X# correct permissions
X ${CHMOD} 775 ${PREFIX}/www/snortsms/conf
X ${CHOWN} :${WWWGRP} ${PREFIX}/www/snortsms/conf
X
Xpost-install:
X @${CAT} ${PKGMESSAGE}
X
X.include <bsd.port.mk>
END-of-/usr/ports/security/snortsms/Makefile
echo x - /usr/ports/security/snortsms/pkg-plist
sed 's/^X//' >/usr/ports/security/snortsms/pkg-plist << 'END-of-/usr/ports/security/snortsms/pkg-plist'
Xwww/snortsms/COPYING
Xwww/snortsms/DefaultLayout.php
Xwww/snortsms/barnctrl/act_Save-Update.php
Xwww/snortsms/barnctrl/act_action.php
Xwww/snortsms/barnctrl/dsp_AddEdit.php
Xwww/snortsms/barnctrl/dsp_home.php
Xwww/snortsms/barnctrl/fbx_Switch.php
Xwww/snortsms/barnctrl/index.php
Xwww/snortsms/barnctrl/qry_barnctrl.php
Xwww/snortsms/barnctrl/qry_barnctrls.php
Xwww/snortsms/barnyard/act_AddRemove.php
Xwww/snortsms/barnyard/act_Save-Update.php
Xwww/snortsms/barnyard/act_action.php
Xwww/snortsms/barnyard/dsp_AddEdit.php
Xwww/snortsms/barnyard/dsp_home.php
Xwww/snortsms/barnyard/dsp_import.php
Xwww/snortsms/barnyard/dsp_selected.php
Xwww/snortsms/barnyard/fbx_Switch.php
Xwww/snortsms/barnyard/index.php
Xwww/snortsms/barnyard/qry_barnyard.php
Xwww/snortsms/barnyard/qry_barnyards.php
Xwww/snortsms/barnyard/qry_selected.php
Xwww/snortsms/changelog
Xwww/snortsms/classifications/act_AddRemove.php
Xwww/snortsms/classifications/act_Save-Update.php
Xwww/snortsms/classifications/act_action.php
Xwww/snortsms/classifications/dsp_AddEdit.php
Xwww/snortsms/classifications/dsp_home.php
Xwww/snortsms/classifications/dsp_import.php
Xwww/snortsms/classifications/dsp_selected.php
Xwww/snortsms/classifications/fbx_Switch.php
Xwww/snortsms/classifications/index.php
Xwww/snortsms/classifications/qry_classification.php
Xwww/snortsms/classifications/qry_classifications.php
Xwww/snortsms/classifications/qry_selected.php
Xwww/snortsms/conf/act_init_vars.php
Xwww/snortsms/conf/act_read_conf.php
Xwww/snortsms/conf/act_save_conf.php
Xwww/snortsms/conf/act_verify_install.php
Xwww/snortsms/conf/dsp_conf.php
Xwww/snortsms/conf/dsp_save_conf.php
Xwww/snortsms/conf/fbx_Switch.php
Xwww/snortsms/conf/index.php
Xwww/snortsms/contrib/snortsms_install.html
Xwww/snortsms/contrib/SNORTSMS.mysql
Xwww/snortsms/contrib/snortsms-agent-0.7.0.tgz.gz
Xwww/snortsms/css/default.css
Xwww/snortsms/docs/snortsms_install.html
Xwww/snortsms/dsp_main.php
Xwww/snortsms/dsp_menu.php
Xwww/snortsms/fbx_Circuits.php
Xwww/snortsms/fbx_Fusebox3.0_PHP4.0.6.php
Xwww/snortsms/fbx_Fusebox3.0_PHP4.1.x.php
Xwww/snortsms/fbx_Layouts.php
Xwww/snortsms/fbx_ListFunctions.php
Xwww/snortsms/fbx_SaveContent.php
Xwww/snortsms/fbx_Settings.php
Xwww/snortsms/fbx_Switch.php
Xwww/snortsms/images/btn_add.gif
Xwww/snortsms/images/btn_delete.gif
Xwww/snortsms/images/btn_preview.gif
Xwww/snortsms/images/btn_save.gif
Xwww/snortsms/images/btn_submit.gif
Xwww/snortsms/images/btn_update.gif
Xwww/snortsms/images/check-0.png
Xwww/snortsms/images/check-1.png
Xwww/snortsms/images/check-2.png
Xwww/snortsms/images/conf-0.png
Xwww/snortsms/images/conf-1.png
Xwww/snortsms/images/conf-3.png
Xwww/snortsms/images/db-0.png
Xwww/snortsms/images/db-1.png
Xwww/snortsms/images/db-2.png
Xwww/snortsms/images/draft-1.png
Xwww/snortsms/images/hdd-1.gif
Xwww/snortsms/images/hdd-2.gif
Xwww/snortsms/images/hdd-3.gif
Xwww/snortsms/images/led-0.gif
Xwww/snortsms/images/led-1.gif
Xwww/snortsms/images/led-2.gif
Xwww/snortsms/images/led-3.gif
Xwww/snortsms/images/led2-0.gif
Xwww/snortsms/images/led2-1.gif
Xwww/snortsms/images/led2-2.gif
Xwww/snortsms/images/led2-3.gif
Xwww/snortsms/images/logo_1.png
Xwww/snortsms/images/note-1.gif
Xwww/snortsms/images/snortpanel.gif
Xwww/snortsms/images/snortpanel2.gif
Xwww/snortsms/images/trash-1.gif
Xwww/snortsms/images/view.png
Xwww/snortsms/import/act_extract_process.php
Xwww/snortsms/import/act_process_rawtext.php
Xwww/snortsms/import/act_receive_rulefile.php
Xwww/snortsms/import/act_receive_snapshot.php
Xwww/snortsms/import/dsp_home.php
Xwww/snortsms/import/fbx_Switch.php
Xwww/snortsms/import/index.php
Xwww/snortsms/index.php
Xwww/snortsms/java/cssmenu.js
Xwww/snortsms/lib/func_DrawRepHeader.php
Xwww/snortsms/lib/func_GenBarnConf.php
Xwww/snortsms/lib/func_GenSnortConf.php
Xwww/snortsms/lib/func_GenToken.php
Xwww/snortsms/lib/func_Log.php
Xwww/snortsms/lib/func_ReserveNextID.php
Xwww/snortsms/lib/func_Rules.php
Xwww/snortsms/lib/func_curl_error.php
Xwww/snortsms/lib/func_date.php
Xwww/snortsms/lib/func_gen_sid-msg.php
Xwww/snortsms/lib/obj_Rule.php
Xwww/snortsms/main/dsp_home.php
Xwww/snortsms/main/fbx_Switch.php
Xwww/snortsms/main/index.php
Xwww/snortsms/monitor/act_stats.php
Xwww/snortsms/monitor/fbx_Switch.php
Xwww/snortsms/monitor/index.php
Xwww/snortsms/monitor/query_sensor.php
Xwww/snortsms/outputs/act_AddRemove.php
Xwww/snortsms/outputs/act_Save-Update.php
Xwww/snortsms/outputs/act_action.php
Xwww/snortsms/outputs/dsp_AddEdit.php
Xwww/snortsms/outputs/dsp_home.php
Xwww/snortsms/outputs/dsp_selected.php
Xwww/snortsms/outputs/fbx_Switch.php
Xwww/snortsms/outputs/index.php
Xwww/snortsms/outputs/qry_output.php
Xwww/snortsms/outputs/qry_outputs.php
Xwww/snortsms/outputs/qry_selected.php
Xwww/snortsms/policies/act_AddRemove.php
Xwww/snortsms/policies/act_Save-Update.php
Xwww/snortsms/policies/act_action.php
Xwww/snortsms/policies/act_delete.php
Xwww/snortsms/policies/dsp_AddEdit.php
Xwww/snortsms/policies/dsp_home.php
Xwww/snortsms/policies/dsp_pagenate.php
Xwww/snortsms/policies/dsp_policy.php
Xwww/snortsms/policies/dsp_rulecats.php
Xwww/snortsms/policies/dsp_select.php
Xwww/snortsms/policies/dsp_selected.php
Xwww/snortsms/policies/fbx_Switch.php
Xwww/snortsms/policies/index.php
Xwww/snortsms/policies/qry_policies.php
Xwww/snortsms/policies/qry_policy.php
Xwww/snortsms/policies/qry_rulecats.php
Xwww/snortsms/policies/qry_rules.php
Xwww/snortsms/policies/qry_selected.php
Xwww/snortsms/preprocessors/act_AddRemove.php
Xwww/snortsms/preprocessors/act_Save-Update.php
Xwww/snortsms/preprocessors/act_action.php
Xwww/snortsms/preprocessors/dsp_AddEdit.php
Xwww/snortsms/preprocessors/dsp_home.php
Xwww/snortsms/preprocessors/dsp_import.php
Xwww/snortsms/preprocessors/dsp_selected.php
Xwww/snortsms/preprocessors/fbx_Switch.php
Xwww/snortsms/preprocessors/index.php
Xwww/snortsms/preprocessors/qry_preprocessor.php
Xwww/snortsms/preprocessors/qry_preprocessors.php
Xwww/snortsms/preprocessors/qry_selected.php
Xwww/snortsms/references/act_AddRemove.php
Xwww/snortsms/references/act_Save-Update.php
Xwww/snortsms/references/act_action.php
Xwww/snortsms/references/dsp_AddEdit.php
Xwww/snortsms/references/dsp_home.php
Xwww/snortsms/references/dsp_import.php
Xwww/snortsms/references/dsp_selected.php
Xwww/snortsms/references/fbx_Switch.php
Xwww/snortsms/references/index.php
Xwww/snortsms/references/qry_reference.php
Xwww/snortsms/references/qry_references.php
Xwww/snortsms/references/qry_selected.php
Xwww/snortsms/rules/act_Save-Update.php
Xwww/snortsms/rules/act_action.php
Xwww/snortsms/rules/dsp_edit.php
Xwww/snortsms/rules/dsp_home.php
Xwww/snortsms/rules/dsp_import.php
Xwww/snortsms/rules/dsp_pagenate.php
Xwww/snortsms/rules/dsp_queryform.php
Xwww/snortsms/rules/dsp_recycle.php
Xwww/snortsms/rules/dsp_results.php
Xwww/snortsms/rules/dsp_view.php
Xwww/snortsms/rules/fbx_Switch.php
Xwww/snortsms/rules/index.php
Xwww/snortsms/rules/qry_rule.php
Xwww/snortsms/rules/qry_rulecats.php
Xwww/snortsms/rules/qry_rules.php
Xwww/snortsms/ruletypes/act_AddRemove.php
Xwww/snortsms/ruletypes/act_Save-Update.php
Xwww/snortsms/ruletypes/act_delete.php
Xwww/snortsms/ruletypes/dsp_AddEdit.php
Xwww/snortsms/ruletypes/dsp_home.php
Xwww/snortsms/ruletypes/dsp_selected.php
Xwww/snortsms/ruletypes/fbx_Switch.php
Xwww/snortsms/ruletypes/index.php
Xwww/snortsms/ruletypes/qry_ruletype.php
Xwww/snortsms/ruletypes/qry_ruletypes.php
Xwww/snortsms/ruletypes/qry_selected.php
Xwww/snortsms/ruletypes/qry_selectedouts.php
Xwww/snortsms/sensorconf/act_clone.php
Xwww/snortsms/sensorconf/act_delete_sensor.php
Xwww/snortsms/sensorconf/act_getstats.php
Xwww/snortsms/sensorconf/act_save_update.php
Xwww/snortsms/sensorconf/act_sensor_control.php
Xwww/snortsms/sensorconf/control_sensor.php
Xwww/snortsms/sensorconf/dsp_clone.php
Xwww/snortsms/sensorconf/dsp_genbarnconf.php
Xwww/snortsms/sensorconf/dsp_gensnortconf.php
Xwww/snortsms/sensorconf/dsp_header.php
Xwww/snortsms/sensorconf/dsp_tab_agent.php
Xwww/snortsms/sensorconf/dsp_tab_barn.php
Xwww/snortsms/sensorconf/dsp_tab_main.php
Xwww/snortsms/sensorconf/dsp_tab_sensor.php
Xwww/snortsms/sensorconf/dsp_tab_snort.php
Xwww/snortsms/sensorconf/dsp_tab_status.php
Xwww/snortsms/sensorconf/fbx_Switch.php
Xwww/snortsms/sensorconf/index.php
Xwww/snortsms/sensorconf/qry_assignments.php
Xwww/snortsms/sensorconf/qry_barn_ctrls.php
Xwww/snortsms/sensorconf/qry_sensor.php
Xwww/snortsms/sensorconf/qry_sensor_ctrls.php
Xwww/snortsms/sensorconf/qry_sensor_lite.php
Xwww/snortsms/sensorconf/qry_sensors.php
Xwww/snortsms/sensorconf/qry_snort_ctrls.php
Xwww/snortsms/sensors/act_delete.php
Xwww/snortsms/sensors/dsp_home.php
Xwww/snortsms/sensors/dsp_monitor.php
Xwww/snortsms/sensors/fbx_Switch.php
Xwww/snortsms/sensors/index.php
Xwww/snortsms/sensors/qry_barn_ctrls.php
Xwww/snortsms/sensors/qry_sensor.php
Xwww/snortsms/sensors/qry_sensors_active.php
Xwww/snortsms/sensors/qry_snort_ctrl.php
Xwww/snortsms/snortctrl/act_Save-Update.php
Xwww/snortsms/snortctrl/act_action.php
Xwww/snortsms/snortctrl/dsp_AddEdit.php
Xwww/snortsms/snortctrl/dsp_home.php
Xwww/snortsms/snortctrl/fbx_Switch.php
Xwww/snortsms/snortctrl/index.php
Xwww/snortsms/snortctrl/qry_snortctrl.php
Xwww/snortsms/snortctrl/qry_snortctrls.php
Xwww/snortsms/variables/act_AddRemove.php
Xwww/snortsms/variables/act_Save-Update.php
Xwww/snortsms/variables/act_action.php
Xwww/snortsms/variables/dsp_AddEdit.php
Xwww/snortsms/variables/dsp_home.php
Xwww/snortsms/variables/dsp_selected.php
Xwww/snortsms/variables/fbx_Switch.php
Xwww/snortsms/variables/index.php
Xwww/snortsms/variables/qry_selected.php
Xwww/snortsms/variables/qry_variable.php
Xwww/snortsms/variables/qry_variables.php
X@dirrm www/snortsms/variables
X@dirrm www/snortsms/snortctrl
X@dirrm www/snortsms/sensors
X@dirrm www/snortsms/sensorconf
X@dirrm www/snortsms/ruletypes
X@dirrm www/snortsms/rules
X@dirrm www/snortsms/references
X@dirrm www/snortsms/preprocessors
X@dirrm www/snortsms/policies
X@dirrm www/snortsms/outputs
X@dirrm www/snortsms/monitor
X@dirrm www/snortsms/main
X@dirrm www/snortsms/lib
X@dirrm www/snortsms/java
X@dirrm www/snortsms/import
X@dirrm www/snortsms/images
X@dirrm www/snortsms/docs
X@dirrm www/snortsms/css
X@dirrm www/snortsms/contrib
X@dirrm www/snortsms/conf
X@dirrm www/snortsms/classifications
X@dirrm www/snortsms/barnyard
X@dirrm www/snortsms/barnctrl
X@dirrm www/snortsms
END-of-/usr/ports/security/snortsms/pkg-plist
exit
On Sun 29 May 05 at 11:20:15 +0200, J Randolph <snortsms@servangle.net> wrote:

> The following reply was made to PR ports/81425; it has been noted by GNATS.
>
> From: J Randolph <snortsms@servangle.net>
> To: bug-followup@FreeBSD.org
> Cc: snortsms@servangle.net
> Subject: Re: ports/81425: New port: security/snortsms A Snort Sensor Management
> System web interface and monitoring console.
> Date: Sat, 28 May 2005 23:18:07 -1000
>
> Several changes:
> - Fixed missing files.
> - Bumped port version from 0.11.2 to 0.11.3
> - Removed the recursive flag on chown operation
> - Merged your recommended deltas (except noted below).
>
> In 'Makefile', reverted the following section back as intended action is
> to give 'www' group read/write permissions to 'www/snortsms/conf'
> directory which is needed for auto-creation of user config file during
> run time. Mainly, I don't want to expose *all* the files in this
> directory as read/write.
>
> # correct permissions
> ${CHMOD} 775 ${PREFIX}/www/snortsms/conf
> ${CHOWN} :${WWWGRP} ${PREFIX}/www/snortsms/conf

OK for CHMOD, but why don't you chown everything to www:www?

Also, don't you need a .htaccess in this directory?

And when the operator will upgrade this port to a newer version, these files will be erased; is it not a problem?

> Tested port several times (good install, deinstall, reinstall, package),
> and 'portlint -A' looks fine. Please consider revised port submission
> below and we should be good.

Could you please check if you have sent the right file? portlint -A still reports many problems here:

"Makefile", line 25: Need an operator
"Makefile", line 27: Need an operator
"Makefile", line 29: Need an operator
"Makefile", line 33: Missing dependency operator
make: fatal errors encountered -- cannot continue
FATAL: Makefile [8]: use a tab (not space) after a variable name
FATAL: Makefile [9]: use a tab (not space) after a variable name
FATAL: Makefile [10]: use a tab (not space) after a variable name
FATAL: Makefile [11]: use a tab (not space) after a variable name
FATAL: Makefile [12]: use a tab (not space) after a variable name
FATAL: Makefile [14]: use a tab (not space) after a variable name
FATAL: Makefile [15]: use a tab (not space) after a variable name
FATAL: Makefile [17]: use a tab (not space) after a variable name
WARN: Makefile [18]: use tab (not space) to make indentation
FATAL: Makefile [20]: use a tab (not space) after a variable name
FATAL: Makefile [21]: use a tab (not space) after a variable name
WARN: Makefile [25]: use tab (not space) to make indentation
WARN: Makefile [27]: use tab (not space) to make indentation
WARN: Makefile [29]: use tab (not space) to make indentation
WARN: Makefile [30]: use tab (not space) to make indentation
FATAL: Makefile: CATEGORIES left blank. set it to "misc" if nothing seems apropriate.
FATAL: Makefile: either PORTVERSION or DISTVERSION must be specified
Syntax error: Unterminated quoted string
WARN: Makefile: COMMENT should begin with a capital, and end without a period
FATAL: breaks INDEX ("Makefile", line 25: Need an operator "Makefile", line 27: Need an operator "Makefile", line 29: Need an operator "Makefile", line 33: Missing dependency operator make: fatal errors encountered -- cannot continue).
13 fatal errors and 6 warnings found.

Note: it might be due to your mailer which could replace tabs by spaces. If this is the case, consider using uuencode or send a tar.gz.

Best regards,
--
Th. Thomas.
-snip-

>>
>> In 'Makefile', reverted the following section back as intended action is
>> to give 'www' group read/write permissions to 'www/snortsms/conf'
>> directory which is needed for auto-creation of user config file during
>> run time. Mainly, I don't want to expose *all* the files in this
>> directory as read/write.
>>
>> # correct permissions
>> ${CHMOD} 775 ${PREFIX}/www/snortsms/conf
>> ${CHOWN} :${WWWGRP} ${PREFIX}/www/snortsms/conf
>>
>>
>
>OK for CHMOD, but why don't you chown everything to www:www?
>
>Also, don't you need a .htaccess in this directory?
>
>And when the operator will upgrade this port to a newer version, these
>files will be erased; is it not a problem?
>
>
>

The 'conf' dir also contains some application files we don't want writable by the web server for security reasons. Consider the following scenario...

Here's a directory listing for 'www/snortsms/conf' after the user saves their initial configuration settings via running the application:

2 drwxrwxr-x 2 root www 512 May 29 10:10 ./
2 drwxr-xr-x 25 root wheel 1024 May 29 10:09 ../
6 -rw-r--r-- 1 root wheel 4470 May 29 10:09 act_init_vars.php
2 -rw-r--r-- 1 root wheel 1926 May 29 10:09 act_read_conf.php
4 -rw-r--r-- 1 root wheel 2819 May 29 10:09 act_save_conf.php
4 -rw-r--r-- 1 root wheel 4011 May 29 10:09 act_verify_install.php
2 -rw-r--r-- 1 www www 758 May 29 10:10 conf.php
4 -rw-r--r-- 1 root wheel 2584 May 29 10:09 dsp_conf.php
2 -rw-r--r-- 1 root wheel 1858 May 29 10:09 dsp_save_conf.php
2 -rw-r--r-- 1 root wheel 851 May 29 10:09 fbx_Switch.php
2 -rw-r--r-- 1 root wheel 103 May 29 10:09 index.php

Note the new file generated => 'conf.php' which is the actual config file. The worst damage user 'www' can do is trash the config file and/or create new files. True, .htaccess can be done, but I prefer the file permissions method, especially if we were dealing with a potential web exploit. So the resulting effect is that all application system files are still protected. I hope this is acceptable for now, but I will still consider .htaccess - just let me know.

As far as upgrading the port, user settings are preserved because the config file 'conf.php' will get abandoned, while all other system files can blow in fresh.

>Could you please check if you have sent the right file? portlint -A still
>reports many problems here:
>
>"Makefile", line 25: Need an operator
>"Makefile", line 27: Need an operator
>"Makefile", line 29: Need an operator
>"Makefile", line 33: Missing dependency operator
>make: fatal errors encountered -- cannot continue
>FATAL: Makefile [8]: use a tab (not space) after a variable name
>FATAL: Makefile [9]: use a tab (not space) after a variable name
>FATAL: Makefile [10]: use a tab (not space) after a variable name
>FATAL: Makefile [11]: use a tab (not space) after a variable name
>FATAL: Makefile [12]: use a tab (not space) after a variable name
>FATAL: Makefile [14]: use a tab (not space) after a variable name
>FATAL: Makefile [15]: use a tab (not space) after a variable name
>FATAL: Makefile [17]: use a tab (not space) after a variable name
>WARN: Makefile [18]: use tab (not space) to make indentation
>FATAL: Makefile [20]: use a tab (not space) after a variable name
>FATAL: Makefile [21]: use a tab (not space) after a variable name
>WARN: Makefile [25]: use tab (not space) to make indentation
>WARN: Makefile [27]: use tab (not space) to make indentation
>WARN: Makefile [29]: use tab (not space) to make indentation
>WARN: Makefile [30]: use tab (not space) to make indentation
>FATAL: Makefile: CATEGORIES left blank. set it to "misc" if nothing seems apropriate.
>FATAL: Makefile: either PORTVERSION or DISTVERSION must be specified
>Syntax error: Unterminated quoted string
>WARN: Makefile: COMMENT should begin with a capital, and end without a period
>FATAL: breaks INDEX ("Makefile", line 25: Need an operator "Makefile", line 27: Need an operator "Makefile", line 29: Need an operator "Makefile", line 33: Missing dependency operator make: fatal errors encountered -- cannot continue).
>13 fatal errors and 6 warnings found.
>
>Note: it might be due to your mailer which could replace tabs by spaces.
>If this is the case, consider using uuencode or send a tar.gz.
>
>
>

Hummm....you're right... looks like all the tabs got hosed. My apologies, let me try another method. Give this attached tarball a try.

V/R,
J Randolph
On Sun 29 May 05 at 23:22:55 +0200, J Randolph <snortsms@servangle.net> wrote:

> Note the new file generated => 'conf.php' which is the actual config
> file. The worst damage user 'www' can do is trash the config file and/or
> create new files. True, .htaccess can be done, but I prefer the file
> permissions method, especially if we were dealing with a potential web
> exploit. So the resulting effect is that all application system files
> are still protected. I hope this is acceptable for now, but I will still
> consider .htaccess - just let me know.

OK, thanks for the explanation. Without .htaccess, anybody could run any php script directly if he knows its name; but perhaps is there no risk in this case?

And I still don't understand why you don't want to
${CHOWN} -R ${WWWOWN}:${WWWGRP} ${PREFIX}/www/snortsms

Anyway, there is still a problem locally: everybody can read /usr/local/www/snortsms/conf/conf.php, and it contains an unencrypted password.

> As far as upgrading the port, user settings are preserved because the
> config file 'conf.php' will get abandoned, while all other system files
> can blow in fresh.

OK, fine! Hereunder is a patch removing a warning during deinstallation if this file exists.

This patch also removes the GPL, and uses pkg-message.in to expand %%PREFIX%%.

Best regards,
--
Th. Thomas.
Thanks for your assistance on this. Perhaps I can provide additional explanations below.

>OK, thanks for the explanation. Without .htaccess, anybody could run any
>php script directly if he knows its name; but perhaps is there no risk
>in this case?
>
>

Good catch, but no risk remotely, because php interprets the 'conf.php' file as a valid script rather than displaying the contents given it were directly accessed.

>And I still don't understand why you don't want to
>${CHOWN} -R ${WWWOWN}:${WWWGRP} ${PREFIX}/www/snortsms
>
>

We're just not comfortable with the php scripts being writable by user/group 'www' in the event something nasty goes wrong with the web server. We had an incident last year when a phpbb site was exploited and anything that was writable by www got defaced, including other virtual sites on the same box. For this reason we prefer keeping the web application files read only.

>Anyway, there is still a problem locally: everybody can read
>/usr/local/www/snortsms/conf/conf.php, and it contains an unencrypted
>password.
>
>
>

This is true. For that matter, the same password is also viewable via the application itself via the settings web page to whoever can access the URI. The SnortSMS application lacks security mechanisms itself because it's an administration tool, therefore it's assumed to run in an already secured administrative environment, which includes limited local users on the box, limited privileges on the mysql account, and access restrictions (ACL's) on the url. Might be worthy to note this in our documentation?

I merged your patches, all looks good on this end. Attached is the revised port. Thank you again for your help and time.

V/R,
J Randolph
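Added example, not part of the port or of anyone's message in this PR: a POSIX sh check for the mode-bit side of the permission model discussed above (only conf may be group-writable, nothing may be world-writable, and the run-time conf.php should not be readable by every local user). The function names and the sample tree are constructed for illustration, and ownership is deliberately not checked.

```sh
#!/bin/sh
# Added example: mode-bit audit of a SnortSMS-style web tree.
# Assumptions: the layout is ROOT/conf/conf.php as described in the thread;
# only permission bits are inspected, not owner or group.

# audit_webroot ROOT
# Prints one finding per line:
#   WRITABLE <path>        group- or world-writable entry outside the policy
#   WORLD-READABLE <path>  run-time config file readable by every local user
# ROOT/conf is the only entry allowed to be group-writable (mode 775 in the
# thread), so that the web server group can create conf.php there.
audit_webroot() {
    root=${1%/}
    conf_dir=$root/conf
    conf_file=$conf_dir/conf.php

    # Everything writable by group or others, symlinks excluded.
    find "$root" ! -type l \( -perm -020 -o -perm -002 \) -print |
    while IFS= read -r path; do
        if [ "$path" = "$conf_dir" ]; then
            # Group write is intended on conf; world write is not.
            if [ -n "$(find "$path" -prune -perm -002 -print)" ]; then
                printf 'WRITABLE %s\n' "$path"
            fi
        else
            printf 'WRITABLE %s\n' "$path"
        fi
    done

    # conf.php holds the database password in clear text, so flag it
    # when the "other" read bit is set.
    if [ -f "$conf_file" ] &&
       [ -n "$(find "$conf_file" -prune -perm -004 -print)" ]; then
        printf 'WORLD-READABLE %s\n' "$conf_file"
    fi
}

# Constructed sample tree that mirrors the modes in the directory listing
# quoted in the thread (scripts 644, conf 775, conf.php 644).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/conf" "$t/lib"
    : > "$t/index.php"
    : > "$t/lib/func_Log.php"
    : > "$t/conf/act_save_conf.php"
    : > "$t/conf/conf.php"
    chmod 755 "$t" "$t/lib"
    chmod 775 "$t/conf"
    chmod 644 "$t/index.php" "$t/lib/func_Log.php" \
              "$t/conf/act_save_conf.php" "$t/conf/conf.php"
    printf '%s\n' "$t"
}

# Demo run on the constructed tree: reports conf.php as world-readable.
sample=$(make_sample_tree)
audit_webroot "$sample"
rm -rf "$sample"
```

On a real install the argument would be the port's web directory; a mode such as 640 on conf.php with the web server's group clears the second finding while the application can still read the file.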
State Changed From-To: feedback->closed New port added, thanks!