Attachment #249341 for bug #277832

Lines 1-7 Link Here

(-)b/security/crowdsec/Makefile (-1 / +1 lines)
1	PORTNAME= crowdsec	1	PORTNAME= crowdsec
2	DISTVERSIONPREFIX= v	2	DISTVERSIONPREFIX= v
3	DISTVERSION= 1.6.0	3	DISTVERSION= 1.6.0
4	PORTREVISION= 2	4	PORTREVISION= 3
5	CATEGORIES= security	5	CATEGORIES= security
6		6
7	MAINTAINER= marco@crowdsec.net	7	MAINTAINER= marco@crowdsec.net




. /etc/rc.subr

name=crowdsec
desc="Crowdsec Agent"
rcvar=crowdsec_enable

load_rc_config "$name"

: "${crowdsec_machine_name:=localhost}"
: "${crowdsec_flags:=}"

pidfile=/var/run/${name}_daemon.pid
pidfile_crowdsec=/var/run/${name}.pid
required_files="$crowdsec_config"
command="/usr/sbin/daemon"
command_crowdsec="%%PREFIX%%/bin/crowdsec"
command_cscli="%%PREFIX%%/bin/cscli"
command_args="-P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config} ${crowdsec_flags}"
reload_cmd="${name}_reload"
start_precmd="${name}_precmd"
configtest_cmd="${name}_configtest"
extra_commands="configtest reload"

crowdsec_precmd() {
    cs_cli() {
        "$command_cscli" -c "$crowdsec_config" "$@"
    }

    Config() {
        cs_cli config show --key "Config.$1"
    }

    HUB_DIR=$(Config ConfigPaths.HubDir)
    if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then
        echo "Fetching hub inventory"
        cs_cli hub update || :
    fi

    CONFIG_DIR=$(Config ConfigPaths.ConfigDir)

    # Is the LAPI enabled on this node?
    if [ "$(Config API.Server.Enable)" != "false" ]; then
        # There are no machines, we create one for cscli & log processor
        # There are no machines, we create the main one
        if [ "$(cs_cli machines list -o json)" = "[]" ]; then
            echo "Registering LAPI"
            cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || :
        fi

        CONFIG_DIR=$(Config ConfigPaths.ConfigDir)

        # Register to the central server to receive the community blocklist and more
        if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
            echo "Registering CAPI"
            cs_cli capi register || :
        fi

    fi

    # install the collection for the first time, or if it has been removed
    cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null | grep ^installed | grep -q true || \
    #        cs_cli collections install crowdsecurity/freebsd || :

    # So we just check for the file
    if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then
        cs_cli collections install crowdsecurity/freebsd || :
    fi
}

crowdsec_stop()
{
    if [ ! -f "$pidfile" ]; then
        echo "${name} is not running."
        return
    fi
    pid=$(cat "$pidfile")
    if kill -0 "$pid" >/dev/null 2>&1; then
        echo "Stopping ${name}."
        kill -s TERM "$pid" >/dev/null 2>&1
        # shellcheck disable=SC2034
        for i in $(seq 1 20); do
            sleep 1
            if ! kill -0 "$pid" >/dev/null 2>&1; then
                rm -f "$pidfile"
                return
            fi
        done
        echo "Timeout, terminating ${name} with SIGKILL."
        kill -s KILL "$pid" >/dev/null 2>&1
        rm -f "$pidfile"
    else
        echo "${name} is not running."
    fi
}

crowdsec_start()
{
    /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \
        "$command" -c "$crowdsec_config" ${crowdsec_flags}
}

crowdsec_configtest()
{
    echo "Performing sanity check on ${name} configuration."
    if ! "$command_crowdsec" -c "$crowdsec_config" -t -error; then
        exit 1
    fi
    echo "Configuration test OK"
}

crowdsec_reload() {
    crowdsec_configtest
    echo "Reloading configuration"
    kill -HUP "$(cat "$pidfile_crowdsec")"
}

run_rc_command "$1"




--- pkg/cwhub/dataset.go.orig	1979-11-30 00:00:00 UTC
+++ pkg/cwhub/dataset.go
@@ -6,6 +6,7 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"path/filepath"
 	"time"
 
 	"github.com/sirupsen/logrus"
@@ -31,19 +32,40 @@ func downloadFile(url string, destPath string) error {
 		return fmt.Errorf("bad http code %d for %s", resp.StatusCode, url)
 	}
 
-	file, err := os.Create(destPath)
+	// Download to a temporary location to avoid corrupting files
+	// that are currently in use or memory mapped.
+
+	tmpFile, err := os.CreateTemp(filepath.Dir(destPath), filepath.Base(destPath)+".*.tmp")
 	if err != nil {
 		return err
 	}
-	defer file.Close()
 
+	tmpFileName := tmpFile.Name()
+	defer func() {
+		tmpFile.Close()
+		os.Remove(tmpFileName)
+	}()
+
 	// avoid reading the whole file in memory
-	_, err = io.Copy(file, resp.Body)
+	_, err = io.Copy(tmpFile, resp.Body)
 	if err != nil {
 		return err
 	}
 
-	if err = file.Sync(); err != nil {
+	if err = tmpFile.Sync(); err != nil {
+		return err
+	}
+
+	if err = tmpFile.Close(); err != nil {
+		return err
+	}
+
+	// a check on stdout is used while scripting to know if the hub has been upgraded
+	// and a configuration reload is required
+	// TODO: use a better way to communicate this
+	fmt.Printf("updated %s\n", filepath.Base(destPath))
+
+	if err = os.Rename(tmpFileName, destPath); err != nil {
 		return err
 	}
 

Lines 1-9 Link Here

(-)b/security/crowdsec/files/pkg-deinstall.in (-2 / +4 lines)
1	#!/bin/sh	1	#!/bin/sh
2		2
		3	#shellcheck disable=SC2249
3	case $2 in	4	case $2 in
4	"DEINSTALL")	5	"DEINSTALL")
5	service crowdsec status 2>/dev/null && touch /var/run/crowdsec.running	6	# on pfsense, the service is not "enabled" so status and stop would fail
6	service crowdsec stop 2>/dev/null \|\| :	7	service crowdsec onestatus 2>/dev/null && touch /var/run/crowdsec.running
		8	service crowdsec onestop 2>/dev/null \|\| :
7	;;	9	;;
8	esac	10	esac
9		11




#!/bin/sh

# shellcheck disable=SC2249
case $2 in
        "POST-INSTALL")
                echo "Updating crowdsec hub data"
                if cscli hub update -o human --error; then
                    cscli hub upgrade -o human --error
                else
                    echo "Failed to update crowdsec hub data."
                    echo "You can run 'cscli hub update; cscli hub upgrade'"
                    echo "to update manually, or let the cron job do it for you."
                fi
                if [ -e /var/run/crowdsec.running ]; then
                    service crowdsec onestart
                    rm -f /var/run/crowdsec.running
                fi
                ;;
esac




#!/bin/sh

test -x %%PREFIX%%/bin/cscli || exit 0

# splay hub upgrade and crowdsec reload
sleep "$(jot -r 1 1 300)"

# favor the opnsense plugin's cron if it's there
test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0

%%PREFIX%%/bin/cscli --error -o human hub update

upgraded=$(%%PREFIX%%/bin/cscli --error -o human hub upgrade)
if [ -n "$upgraded" ]; then
    # splay initial metrics push
    sleep "$(jot -r 1 1 60)"
    service crowdsec onestatus && service crowdsec onereload
fi

- 

Return to bug 277832

Lines 20-26 Link Here

(-)b/security/crowdsec/files/crowdsec.in (-59 / +24 lines)
20	. /etc/rc.subr	20	. /etc/rc.subr
21		21
22	name=crowdsec	22	name=crowdsec
23	desc="Crowdsec Agent"
24	rcvar=crowdsec_enable	23	rcvar=crowdsec_enable
25		24
26	load_rc_config "$name"	25	load_rc_config "$name"
Lines 30-125 load_rc_config "$name" Link Here
30	: "${crowdsec_machine_name:=localhost}"	29	: "${crowdsec_machine_name:=localhost}"
31	: "${crowdsec_flags:=}"	30	: "${crowdsec_flags:=}"
32		31
33	pidfile=/var/run/${name}.pid	32	pidfile=/var/run/${name}_daemon.pid
		33	pidfile_crowdsec=/var/run/${name}.pid
34	required_files="$crowdsec_config"	34	required_files="$crowdsec_config"
35	command="%%PREFIX%%/bin/${name}"	35	command="/usr/sbin/daemon"
36	start_cmd="${name}_start"	36	command_crowdsec="%%PREFIX%%/bin/crowdsec"
37	stop_cmd="${name}_stop"	37	command_cscli="%%PREFIX%%/bin/cscli"
		38	command_args="-P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config} ${crowdsec_flags}"
		39	reload_cmd="${name}_reload"
38	start_precmd="${name}_precmd"	40	start_precmd="${name}_precmd"
39	configtest_cmd="${name}_configtest"	41	configtest_cmd="${name}_configtest"
40	extra_commands="configtest reload"	42	extra_commands="configtest reload"
41		43
42	crowdsec_precmd() {	44	crowdsec_precmd() {
43	cs_cli() {	45	cs_cli() {
44	"%%PREFIX%%/bin/cscli" -c "${crowdsec_config}" "$@"	46	"$command_cscli" -c "$crowdsec_config" "$@"
45	}	47	}
		48
46	Config() {	49	Config() {
47	cs_cli config show --key "Config.$1"	50	cs_cli config show --key "Config.$1"
48	}	51	}
49		52
50	HUB_DIR=$(Config ConfigPaths.HubDir)
51	if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then
52	echo "Fetching hub inventory"
53	cs_cli hub update \|\| :
54	fi
55
56	CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
57
58	# Is the LAPI enabled on this node?	53	# Is the LAPI enabled on this node?
59	if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then	54	if [ "$(Config API.Server.Enable)" != "false" ]; then
60		55	# There are no machines, we create one for cscli & log processor
61	# There are no machines, we create the main one
62	if [ "$(cs_cli machines list -o json)" = "[]" ]; then	56	if [ "$(cs_cli machines list -o json)" = "[]" ]; then
63	echo "Registering LAPI"	57	echo "Registering LAPI"
64	cs_cli machines add "${crowdsec_machine_name}" --auto --force --error \|\| :	58	cs_cli machines add "${crowdsec_machine_name}" --auto --force --error \|\| :
65	fi	59	fi
66		60
		61	CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
		62
67	# Register to the central server to receive the community blocklist and more	63	# Register to the central server to receive the community blocklist and more
68	if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then	64	if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
69	echo "Registering CAPI"	65	echo "Registering CAPI"
70	cs_cli capi register \|\| :	66	cs_cli capi register \|\| :
71	fi	67	fi
72
73	fi	68	fi
74		69
75	# This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet.	70	# install the collection for the first time, or if it has been removed
76	# cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null \| grep ^installed \| grep -q true \|\| \	71	cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null \| grep ^installed \| grep -q true \|\| \
77	# cs_cli collections install crowdsecurity/freebsd \|\| :
78
79	# So we just check for the file
80	if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then
81	cs_cli collections install crowdsecurity/freebsd \|\| :	72	cs_cli collections install crowdsecurity/freebsd \|\| :
82	fi
83	}
84
85	crowdsec_stop()
86	{
87	if [ ! -f "$pidfile" ]; then
88	echo "${name} is not running."
89	return
90	fi
91	pid=$(cat "$pidfile")
92	if kill -0 "$pid" >/dev/null 2>&1; then
93	echo "Stopping ${name}."
94	kill -s TERM "$pid" >/dev/null 2>&1
95	# shellcheck disable=SC2034
96	for i in $(seq 1 20); do
97	sleep 1
98	if ! kill -0 "$pid" >/dev/null 2>&1; then
99	rm -f "$pidfile"
100	return
101	fi
102	done
103	echo "Timeout, terminating ${name} with SIGKILL."
104	kill -s KILL "$pid" >/dev/null 2>&1
105	rm -f "$pidfile"
106	else
107	echo "${name} is not running."
108	fi
109	}
110
111	crowdsec_start()
112	{
113	/usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \
114	"$command" -c "$crowdsec_config" ${crowdsec_flags}
115	}	73	}
116		74
117	crowdsec_configtest()	75	crowdsec_configtest()
118	{	76	{
119	echo "Performing sanity check on ${name} configuration."	77	echo "Performing sanity check on ${name} configuration."
120	if "$command" -c "$crowdsec_config" -t -error; then	78	if ! "$command_crowdsec" -c "$crowdsec_config" -t -error; then
121	echo "Configuration test OK"	79	exit 1
122	fi	80	fi
		81	echo "Configuration test OK"
		82	}
		83
		84	crowdsec_reload() {
		85	crowdsec_configtest
		86	echo "Reloading configuration"
		87	kill -HUP "$(cat "$pidfile_crowdsec")"
123	}	88	}
124		89
125	run_rc_command "$1"	90	run_rc_command "$1"

Added Link Here

(-)b/security/crowdsec/files/patch-pkg_cwhub_dataset.go (+55 lines)
1	--- pkg/cwhub/dataset.go.orig 1979-11-30 00:00:00 UTC
2	+++ pkg/cwhub/dataset.go
3	@@ -6,6 +6,7 @@ import (
4	"io"
5	"net/http"
6	"os"
7	+ "path/filepath"
8	"time"
9
10	"github.com/sirupsen/logrus"
11	@@ -31,19 +32,40 @@ func downloadFile(url string, destPath string) error {
12	return fmt.Errorf("bad http code %d for %s", resp.StatusCode, url)
13	}
14
15	- file, err := os.Create(destPath)
16	+ // Download to a temporary location to avoid corrupting files
17	+ // that are currently in use or memory mapped.
18	+
19	+ tmpFile, err := os.CreateTemp(filepath.Dir(destPath), filepath.Base(destPath)+".*.tmp")
20	if err != nil {
21	return err
22	}
23	- defer file.Close()
24
25	+ tmpFileName := tmpFile.Name()
26	+ defer func() {
27	+ tmpFile.Close()
28	+ os.Remove(tmpFileName)
29	+ }()
30	+
31	// avoid reading the whole file in memory
32	- _, err = io.Copy(file, resp.Body)
33	+ _, err = io.Copy(tmpFile, resp.Body)
34	if err != nil {
35	return err
36	}
37
38	- if err = file.Sync(); err != nil {
39	+ if err = tmpFile.Sync(); err != nil {
40	+ return err
41	+ }
42	+
43	+ if err = tmpFile.Close(); err != nil {
44	+ return err
45	+ }
46	+
47	+ // a check on stdout is used while scripting to know if the hub has been upgraded
48	+ // and a configuration reload is required
49	+ // TODO: use a better way to communicate this
50	+ fmt.Printf("updated %s\n", filepath.Base(destPath))
51	+
52	+ if err = os.Rename(tmpFileName, destPath); err != nil {
53	return err
54	}
55

Lines 1-11 Link Here

(-)b/security/crowdsec/files/pkg-install.in (-3 / +11 lines)
1	#!/bin/sh	1	#!/bin/sh
2		2
		3	# shellcheck disable=SC2249
3	case $2 in	4	case $2 in
4	"POST-INSTALL")	5	"POST-INSTALL")
5	cscli hub update -o human --error > /dev/null	6	echo "Updating crowdsec hub data"
		7	if cscli hub update -o human --error; then
		8	cscli hub upgrade -o human --error
		9	else
		10	echo "Failed to update crowdsec hub data."
		11	echo "You can run 'cscli hub update; cscli hub upgrade'"
		12	echo "to update manually, or let the cron job do it for you."
		13	fi
6	if [ -e /var/run/crowdsec.running ]; then	14	if [ -e /var/run/crowdsec.running ]; then
7	service crowdsec start	15	service crowdsec onestart
8	rm -f /var/run/crowdsec.running	16	rm -f /var/run/crowdsec.running
9	fi	17	fi
10	;;	18	;;
11	esac	19	esac

Lines 1-16 Link Here

(-)b/security/crowdsec/files/upgrade-hub.in (-6 / +6 lines)
1	#!/bin/sh	1	#!/bin/sh
2		2
3	test -x /usr/local/bin/cscli \|\| exit 0	3	test -x %%PREFIX%%/bin/cscli \|\| exit 0
		4
		5	# splay hub upgrade and crowdsec reload
		6	sleep "$(jot -r 1 1 300)"
4		7
5	# favor the opnsense plugin's cron if it's there	8	# favor the opnsense plugin's cron if it's there
6	test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0	9	test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0
7		10
8	/usr/local/bin/cscli --error -o human hub update	11	%%PREFIX%%/bin/cscli --error -o human hub update
9		12
10	upgraded=$(/usr/local/bin/cscli --error -o human hub upgrade)	13	upgraded=$(%%PREFIX%%/bin/cscli --error -o human hub upgrade)
11	if [ -n "$upgraded" ]; then	14	if [ -n "$upgraded" ]; then
12	# splay initial metrics push
13	sleep "$(jot -r 1 1 60)"
14	service crowdsec onestatus && service crowdsec onereload	15	service crowdsec onestatus && service crowdsec onereload
15	fi	16	fi
16		17
17	-