Diffstat (limited to 'net-analyzer')
-rw-r--r-- | net-analyzer/Manifest.gz | bin | 43612 -> 43603 bytes | |||
-rw-r--r-- | net-analyzer/nagios-core/Manifest | 2 | ||||
-rw-r--r-- | net-analyzer/nagios-core/nagios-core-4.5.1.ebuild | 266 | ||||
-rw-r--r-- | net-analyzer/nagios/Manifest | 1 | ||||
-rw-r--r-- | net-analyzer/nagios/nagios-4.5.1.ebuild | 14 | ||||
-rw-r--r-- | net-analyzer/ndoutils/Manifest | 3 | ||||
-rw-r--r-- | net-analyzer/ndoutils/files/secure-install-permissions.patch | 183 | ||||
-rw-r--r-- | net-analyzer/ndoutils/ndoutils-2.1.3-r4.ebuild (renamed from net-analyzer/ndoutils/ndoutils-2.1.3-r3.ebuild) | 28 |
8 files changed, 488 insertions, 9 deletions
diff --git a/net-analyzer/Manifest.gz b/net-analyzer/Manifest.gz Binary files differindex 6b0e89347ae7..9343fb648bda 100644 --- a/net-analyzer/Manifest.gz +++ b/net-analyzer/Manifest.gz diff --git a/net-analyzer/nagios-core/Manifest b/net-analyzer/nagios-core/Manifest index 247c2d255503..3fa22ae74798 100644 --- a/net-analyzer/nagios-core/Manifest +++ b/net-analyzer/nagios-core/Manifest 
@@ -1,6 +1,8 @@ AUX 99_nagios4-r1.conf 309 BLAKE2B c539330d9f100045fc02d13061dd3b8e958370c8885ef8d28c38ee380b2043d86c9b0097c158dbc5d486f1c53e22ef6f52a96286d0c50d1d47d9eb025fb6b8a9 SHA512 cb93d6af5b6f43b172cec276f669ef786268c1ba51ffda994733c98a8ad5f625229aecaed68b5cb433a66257a8eb66ec16f9569aa87b6dcecf21d8339bd5fb8f AUX lighttpd_nagios4-r1.conf 297 BLAKE2B 8976123407c47be6023c5dae57c833f7e0b43ae2c70348dcd72b754453b5a84dd335daa222b4b75e5c19b3d5c18b64496739bdb61b8f2f67f5655b80a0ffb65f SHA512 2ef5268e9ba228d12e3dabb5a23ce73e49b7149a047acd4a2daac3cd3415b5233aaaf3b972c85780e71bd5fe3eefb6755a6222b40a509104fb318e219366867f DIST nagios-4.4.14.tar.gz 11341108 BLAKE2B 254b17fdd90670701d42f4bc90c741592bc21f0813903e5cdcaa671c9b4b7eb32964ae56acf56567198bb8b6d96ce7539bf343b870a4732a46d31557d161a1c1 SHA512 dd7ddaf114ac6451b5f157f36bdba27068e94dcfe583cc217f220162b013341984622828574feda8c3c0990388a03ab886791a3188e56bf2eb6b3f8c777c3641 +DIST nagios-4.5.1.tar.gz 11540195 BLAKE2B 8fa4654a2e7f218d65c8a318418002f09b0e118f44382030900587881d9fac868e8b4416be8e9fb2ae74444aecb9555719ef29bc88fd95067d84aecca4bacf28 SHA512 71b57d4e0bd2971e8e62b7013c406888d0afd40bc23b032ee9bfdb6e2b3cb083746c5259ef997df241249d2ddaafd6ba5a6470527feddf02e03da32cc0c724b9 DIST nagios-core-gentoo-icons-20141125.tar 40960 BLAKE2B 31c1953e1160c7c7b89606b72b1a80407e4c1b7a7938b40bd1c577cd0c309dd88ca6b775d692a9b846dbf67736537fa9c91e56aa15fdd447769608ca525bff09 SHA512 bf109879cddd6136b76baba55d0b60b2596e37431dcf5ce0905d34a9fa292ebf7e4bde82d9a084362c486e8fac344c76d88f9298b1b85541ed70ffd608493766 EBUILD nagios-core-4.4.14.ebuild 9243 BLAKE2B 2fd8690fb48a0a0456f3a1e0e01ba69a70d773cfd1783960fe9bc87a50e47b8a1b52b33d26b53613b55d8917f87a5d68f9820386822ddbb6703fb25054d20252 SHA512 7d723863dc194388097789f928316c8c303298889e79700949087bd478afa8ea5b1d278ac3b6be9a118a8c6481fb32fe1a93c7ce5913e003cb3b4fa74c1ef32e +EBUILD nagios-core-4.5.1.ebuild 9247 BLAKE2B 
30d8e9e805cb4733dc93eef751cd34ede96fdad4348d88ad7e9bc2cfcb8a69131d817786dee49027c4929ea772053ff0e9173d115bab81a9657d8f4080894105 SHA512 02801161e297a562a12749c73b6063a9d7ed1a45352f427c0d3e4b9ab1c9500a0f343990512ff0e6af7fe9110a5923419f2a0e3411ce8c06e7af3d96eba16b60 MISC metadata.xml 1467 BLAKE2B d5ddd6280aafd3ad3a36a408071037fa757810382761f617eb2763a20e65185b30eef94fb4cdad7d4b5e9b81b6245efacf57d4ec0003406d66ef2053f09f3708 SHA512 25d3d4d19c18b416a0902d2ff39c0ca71b2e7bcc2bac61119b9636c6462391e65b2767d8b0e794abb318b19fe1c2bcbf2c80ee8d1ea6faec3f6eb9cddf60a9cd diff --git a/net-analyzer/nagios-core/nagios-core-4.5.1.ebuild b/net-analyzer/nagios-core/nagios-core-4.5.1.ebuild new file mode 100644 index 000000000000..8e54a1b53013 --- /dev/null +++ b/net-analyzer/nagios-core/nagios-core-4.5.1.ebuild 
@@ -0,0 +1,266 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit systemd toolchain-funcs + +MY_P="${PN/-core}-${PV}" +DESCRIPTION="Nagios core - monitoring daemon, web GUI, and documentation" +HOMEPAGE="https://www.nagios.org/" + +# The name of the directory into which our Gentoo icons will be +# extracted, and also the basename of the archive containing it. +GENTOO_ICONS="${PN}-gentoo-icons-20141125" +SRC_URI="mirror://sourceforge/nagios/${MY_P}.tar.gz + web? ( https://dev.gentoo.org/~mjo/distfiles/${GENTOO_ICONS}.tar )" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86" +IUSE="apache2 classicui lighttpd +web vim-syntax" + +# In pkg_postinst(), we change the group of the Nagios configuration +# directory to that of the web server user. It can't belong to both +# apache/lighttpd groups at the same time, so we block this combination +# for our own sanity. +# +# This could be made to work, but we would need a better way to allow +# the web user read-only access to Nagios's configuration directory. +# +REQUIRED_USE="apache2? ( !lighttpd )" + +# +# Note, we require one of the apache2 CGI modules: +# +# * mod_cgi (USE=apache2_modules_cgi) +# * mod_cgid (USE=apache2_modules_cgid) +# * mod_fcgid (www-apache/mod_fcgid) +# +# We just don't care /which/ one. And of course PHP supports both CGI +# (USE=cgi) and FastCGI (USE=fpm). We're pretty lenient with the +# dependencies, and expect the user not to do anything /too/ +# stupid. (For example, installing Apache with only FastCGI support, and +# PHP with only CGI support.) +# +# Another annoyance is that the upstream Makefile uses app-arch/unzip to +# extract a snapshot of AngularJS, but that's only needed when USE=web. +# +MOD_ALIAS=apache2_modules_alias + +# The dependencies checked by the configure script. All of these are +# also runtime dependencies; that's why ./configure checks for them. 
+CONFIGURE_DEPEND="acct-group/nagios + acct-user/nagios + virtual/mailx + dev-lang/perl:=" + +# In addition to the things that the ./configure script checks for, +# we also need to be able to unzip stuff on the build host. +# +# We need the apache/lighttpd groups in src_install() for the things +# installed as the --with-command-group argument, so they go here too. +# The groups are also needed at runtime, but that is ensured by apache +# and lighttpd themselves being in RDEPEND. +BDEPEND="${CONFIGURE_DEPEND} + apache2? ( acct-group/apache ) + lighttpd? ( acct-group/lighttpd ) + web? ( app-arch/unzip )" + +# This is linked into /usr/bin/nagios{,tats} +DEPEND="dev-libs/libltdl:0" + +RDEPEND="${CONFIGURE_DEPEND} + ${DEPEND} + web? ( + media-libs/gd[jpeg,png] + lighttpd? ( www-servers/lighttpd[php] ) + apache2? ( + || ( + www-servers/apache[${MOD_ALIAS},apache2_modules_cgi] + www-servers/apache[${MOD_ALIAS},apache2_modules_cgid] + ( www-servers/apache[${MOD_ALIAS}] www-apache/mod_fcgid ) ) + || ( + dev-lang/php:*[apache2] + dev-lang/php:*[cgi] + dev-lang/php:*[fpm] ) + ) + ) + vim-syntax? ( app-vim/nagios-syntax )" + +S="${WORKDIR}/${MY_P}" + +src_configure() { + local myconf + + if use !apache2 && use !lighttpd ; then + myconf="${myconf} --with-command-group=nagios" + else + if use apache2 ; then + myconf="${myconf} --with-command-group=apache" + myconf="${myconf} --with-httpd-conf=/etc/apache2/conf.d" + elif use lighttpd ; then + myconf="${myconf} --with-command-group=lighttpd" + fi + fi + + # We pass "unknown" as the init type because we don't want it to + # guess. Later on, we'll manually install both OpenRC and systemd + # services. 
+ econf ${myconf} \ + --prefix="${EPREFIX}/usr" \ + --bindir="${EPREFIX}/usr/sbin" \ + --localstatedir="${EPREFIX}/var/lib/nagios" \ + --sysconfdir="${EPREFIX}/etc/nagios" \ + --libexecdir="${EPREFIX}/usr/$(get_libdir)/nagios/plugins" \ + --with-cgibindir="${EPREFIX}/usr/$(get_libdir)/nagios/cgi-bin" \ + --with-webdir="${EPREFIX}/usr/share/nagios/htdocs" \ + --with-init-type="unknown" + + # The paths in the web server configuration files need to match + # those passed to econf above. + cp "${FILESDIR}/99_nagios4-r1.conf" \ + "${FILESDIR}/lighttpd_nagios4-r1.conf" \ + "${T}/" || die "failed to create copies of web server conf files" + + sed -e "s|@CGIBINDIR@|${EPREFIX}/usr/$(get_libdir)/nagios/cgi-bin|g" \ + -e "s|@WEBDIR@|${EPREFIX}/usr/share/nagios/htdocs|" \ + -i "${T}/99_nagios4-r1.conf" \ + -i "${T}/lighttpd_nagios4-r1.conf" \ + || die "failed to substitute paths into web server conf files" + +} + +src_compile() { + emake CC="$(tc-getCC)" nagios + + if use web; then + # Only compile the CGIs/HTML when USE=web is set. + emake CC="$(tc-getCC)" cgis html + fi +} + +src_install() { + dodoc Changelog CONTRIBUTING.md README.md THANKS UPGRADING + + # There is no way to install the CGIs unstripped from the top-level + # makefile, so descend into base/ here. The empty INSTALL_OPTS + # ensures that root:root: owns the nagios executables. + cd "${S}/base" || die + emake INSTALL_OPTS="" DESTDIR="${D}" install-unstripped + cd "${S}" || die + + # Otherwise this gets installed as 770 and you get "access denied" + # for some reason or other when starting nagios. The permissions + # on nagiostats are just for consistency (these should both get + # fixed upstream). + fperms 775 /usr/sbin/nagios /usr/sbin/nagiostats + + # INSTALL_OPTS are needed for most of install-basic, but we don't + # want them on the LIBEXECDIR, argh. 
+ emake DESTDIR="${D}" install-basic + fowners root:root /usr/$(get_libdir)/nagios/plugins + + # Don't make the configuration owned by the nagios user, because + # then he can edit nagios.cfg and trick nagios into running as root + # and doing his bidding. + emake INSTALL_OPTS="" DESTDIR="${D}" install-config + + # No INSTALL_OPTS used in install-commandmode, thankfully. + emake DESTDIR="${D}" install-commandmode + + # The build system installs these directories, but portage assumes + # that the build system doesn't know what it's doing so we have to + # keepdir them, too. I guess you'll have to manually re-check the + # upstream build system forever to see if this is still necessary. + keepdir /var/lib/nagios{,/archives,/rw,/spool,/spool/checkresults} + + if use web; then + # There is no way to install the CGIs unstripped from the + # top-level makefile, so descend into cgi/ here. The empty + # INSTALL_OPTS ensures that root:root: owns the CGI executables. + cd "${S}/cgi" || die + emake INSTALL_OPTS="" DESTDIR="${D}" install-unstripped + cd "${S}" || die + + # install-html installs the new exfoliation theme + emake INSTALL_OPTS="" DESTDIR="${D}" install-html + + if use classicui; then + # This overwrites the already-installed exfoliation theme + emake INSTALL_OPTS="" DESTDIR="${D}" install-classicui + fi + + # Install cute Gentoo icons (bug #388323), setting their + # owner, group, and mode to match those of the rest of Nagios's + # images. + insinto /usr/share/nagios/htdocs/images/logos + doins "${WORKDIR}/${GENTOO_ICONS}"/*.* + fi + + # The ./configure script for nagios detects the init system on the + # build host, which is wrong for all sorts of reasons. We've gone + # to great lengths above to avoid running "install-init" -- even + # indirectly -- and so now we must install whatever service files + # we need by hand. 
+ newinitd startup/openrc-init nagios + systemd_newunit startup/default-service nagios.service + + if use web ; then + if use apache2 ; then + # Install the Nagios configuration file for Apache. + insinto "/etc/apache2/modules.d" + newins "${T}/99_nagios4-r1.conf" "99_nagios4.conf" + elif use lighttpd ; then + # Install the Nagios configuration file for Lighttpd. + insinto /etc/lighttpd + newins "${T}/lighttpd_nagios4-r1.conf" nagios.conf + else + ewarn "${CATEGORY}/${PF} only supports apache or lighttpd" + ewarn "out of the box. Since you are not using one of them, you" + ewarn "will have to configure your webserver yourself." + fi + fi +} + +pkg_postinst() { + + if use web; then + if use apache2 || use lighttpd ; then + if use apache2; then + elog "To enable the Nagios web front-end, please edit" + elog "${ROOT}/etc/conf.d/apache2 and add \"-D NAGIOS -D PHP\"" + elog "to APACHE2_OPTS. Then Nagios will be available at," + elog + elif use lighttpd; then + elog "To enable the Nagios web front-end, please add" + elog "'include \"nagios.conf\"' to the lighttpd configuration" + elog "file at ${ROOT}/etc/lighttpd/lighttpd.conf. Then Nagios" + elog "will be available at," + elog + fi + + elog " http://localhost/nagios/" + fi + fi + + elog + elog "If your kernel has /proc protection, nagios" + elog "will not be happy as it relies on accessing the proc" + elog "filesystem. You can fix this by adding nagios into" + elog "the group wheel, but this is not recomended." + elog + + if [ -n "${REPLACING_VERSIONS}" ]; then + ewarn "The local state directory for nagios has changed in v4.4.5," + ewarn "from ${EROOT}/var/nagios to ${EROOT}/var/lib/nagios. If you" + ewarn "wish to migrate your state to the new location, first stop" + ewarn "nagios and then run" + ewarn "" + ewarn " diff --recursive --brief ${EROOT}/var/nagios ${EROOT}/var/lib/nagios" + ewarn "" + ewarn "to identify any files that should be moved to the new" + ewarn "location. 
They can simply be moved with \"mv\" before" + ewarn "restarting nagios." + fi +} diff --git a/net-analyzer/nagios/Manifest b/net-analyzer/nagios/Manifest index 3f3b3c077e03..b39f91a55db1 100644 --- a/net-analyzer/nagios/Manifest +++ b/net-analyzer/nagios/Manifest @@ -1,2 +1,3 @@ EBUILD nagios-4.4.14.ebuild 393 BLAKE2B afb79982cb600f6a10729336d63bc1e18a1926f1353f3676912ee08b3e9f69a1b60a816e998959cbda7de0de313b5ed860a54e4b8d681cb7759e36c84243acf6 SHA512 f114d70ee1a0facdde3f159903454ec81dd0331ec0edd3cbb4739b6614c6665b7e1add58b0439db4f85940118a9975f752f7a621c43c94f0508af4c2954a80b8 +EBUILD nagios-4.5.1.ebuild 389 BLAKE2B fe8daa78ebe04a346d47607399325fdac61ec8eee29e13430f3432e9b0578121d58cb93dea42180d3497b01c1bbda004b6369ebafac5419362b8092ec360d867 SHA512 ea35e3170cf137e895971048e810b5611fca47d2f2989b4cb291889f4ccca3713bb0b4a94d55765f51e5453a069c11cc058e89a10ffda7c6b21497f754c3f60e MISC metadata.xml 1111 BLAKE2B d2c8f269fe7ef92c656219c0c93efca6083c09ea1ea402ccab7cf37f415931ad5abdf46a20b568ec82883a574005a4788617c0786c20c2d326b2d481195261e0 SHA512 e6c32f8405e79a4a3cf03d21dce3539c28454d75929348efb30f5c7c2b55f5346e3cd39f9d64f4e276aaad12f1fbf274f2fc08c255c03df1a5a7f0356031d66e diff --git a/net-analyzer/nagios/nagios-4.5.1.ebuild b/net-analyzer/nagios/nagios-4.5.1.ebuild new file mode 100644 index 000000000000..371d0ad43626 --- /dev/null +++ b/net-analyzer/nagios/nagios-4.5.1.ebuild @@ -0,0 +1,14 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DESCRIPTION="The Nagios metapackage" +HOMEPAGE="https://www.nagios.org/" + +LICENSE="metapackage" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86" + +RDEPEND="~net-analyzer/nagios-core-${PV} + || ( net-analyzer/nagios-plugins net-analyzer/monitoring-plugins )" diff --git a/net-analyzer/ndoutils/Manifest b/net-analyzer/ndoutils/Manifest index 1270180b58fd..3c206de98ee9 100644 --- a/net-analyzer/ndoutils/Manifest 
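Review bot: In src_install() of nagios-core-4.5.1.ebuild, `fperms 775 /usr/sbin/nagios /usr/sbin/nagiostats` leaves both executables group-writable, although the comment above it only needs them to stop being 770. According to the earlier comment, the empty INSTALL_OPTS makes them root:root, so the write bit only helps members of group root and buys nothing. `fperms 0755 /usr/sbin/nagios /usr/sbin/nagiostats` fixes the "access denied" case equally well and matches the 0755 that this commit's ndoutils patch settles on for its executables. Separately, the comment above REQUIRED_USE says pkg_postinst() changes the group of the configuration directory, but the pkg_postinst() in this file only prints elog/ewarn messages, so that comment should be updated or dropped. The elog text also spells `recomended`, which should read `recommended`.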
+++ b/net-analyzer/ndoutils/Manifest 
@@ -2,6 +2,7 @@ AUX format-security.patch 3858 BLAKE2B 97170827cc167ec2c1377dd99fff562cbe717dd90 AUX ndoutils-2.0.0-asprintf.patch 438 BLAKE2B 2d32a25467123281f8593b464362a66345ce1c138b897a2ddf4597770f3ae4897efb19765ca81ef29c6e3bd5079b14ec34f36138ce3853c4749b7adccc1404bb SHA512 78fe5b2004bba81b3956a96ad569b6e05e2eb20e203020d2c07e780dfc78f5f68450fb20a62388ec7ccdc37544cd896f29238dd9590cd474db1f73e101dcb9e6 AUX openrc-init.patch 3296 BLAKE2B f07c1c0fda7a0d2e1c3f2b9cbae60568f743d82454179bcb3ee367d8a022a406dd1bf0c775fc9b339524cc5c64e4af6aacb8df8a866809104e39f39d11531f26 SHA512 4beb0e72712909554deaa93aa3fe959e80bed3465f4f0a2153f8b4e994538e6d508e303451cc14425ecb5210845308e9a113f491900a977526327a2701b00eb7 AUX sample-config-piddir.patch 1098 BLAKE2B 467fab110ef030010acf8e130d91ba1f97424c611ef75ed0a7806d5034f1c8a5ecce2c64832a295347fb3e323342f3afc5f5d1fbbc3584f26bd2f3b226cbf3af SHA512 bae06d6571aa55c5b9f0103d9af861f50b31668f06dc9b9a29cdf961741455384d8c762338dbfb3c75e10bacba360ac5a706b6251a6ef5cec8fa0def4c679344 +AUX secure-install-permissions.patch 6866 BLAKE2B fbc323daf1152226ea94bc99059be9ab4893f2d011b8cac187a0bced78152815516a7a3b822a26035015f9440cb27a47db106be88e5df50aeb6856fb36011182 SHA512 a1e00ebb805cb0c4e3606477f1dd494447177863065a50aff43bdfbeddf5a9335c29529691805fe0bdc0b3ee459896324c43dc80a32caa7ac523ac048a8809d0 DIST ndoutils-2.1.3.tar.gz 2182999 BLAKE2B 390548b9018d4434d5d0f69abee1d1a11f4e240150941f7f2f9e2662eb2cdb2f29b24244e094d5bdf8bfaf6c3be7bc8ebd9e6d510d66edad8bc9cf3245d5c2c3 SHA512 727f2051876ff32cafaf9993a69b721ae4ea81031fade12262dbb4c5399c601f3c1af362d9d550e1d6d56fac8fe044d515dc10fc43e7d4d3e981bc9a89db88de -EBUILD ndoutils-2.1.3-r3.ebuild 2573 BLAKE2B 7bcd8d99544612439dc7d29b6b92d3d6acb9171031132171a49af359622d9b332cbb6bdb858c8fa888699ebc911af5e072e31735aa795f7c817082b51984b896 SHA512 9fe667c562f1602c50ca10bf98d3d18a7979031dc3e065b51d17f0fd4f24c7c6d06dfd828c16bbecbf80f2b7f410a5286cb621d3be6f640230cbdcd8e3620f5e +EBUILD ndoutils-2.1.3-r4.ebuild 2892 BLAKE2B 
00989cb0d6e01252c85df3d7cdaf6c1e452863b5e3bd2da009ddf084e8f59849a1a5136b5e15ad1f331f85395170e44a72621b4cb749384eb404b34740335793 SHA512 0858596f9532446717f657818bc90d7d1e2cbb26fa8bb9103d9257dea7d2cec48cc64550f1636d0858dc8e27007e68f321eea4018cb510d18b59805b28c8f847 MISC metadata.xml 447 BLAKE2B be8b56cbd5627725f06feabb9438129f934e90ee93448dd3154edabc9a32cbe65d0b64c1c2f8c1b9d102b20d21d0a1fb0e10ee5ba96965c239f13439f7ca88b6 SHA512 c712854168abe638e5bbcd7c135ccc2906fe665bc8062fd11caa0a3003c5b6d5ec3e959c8295a74cf471025b0c6b88186261e32d37778222fcb3d72d78badb43 diff --git a/net-analyzer/ndoutils/files/secure-install-permissions.patch b/net-analyzer/ndoutils/files/secure-install-permissions.patch new file mode 100644 index 000000000000..a4c50ab6cedc --- /dev/null +++ b/net-analyzer/ndoutils/files/secure-install-permissions.patch 
@@ -0,0 +1,183 @@ +From 18ef12037f4a68772d6840cbaa08aa2da07d2891 Mon Sep 17 00:00:00 2001 +From: Michael Orlitzky <michael@orlitzky.com> +Date: Sat, 2 Mar 2024 19:30:54 -0500 +Subject: [PATCH 1/2] configure.ac: don't install binaries as + ndo2db_user:ndo2db_group + +In configure.ac we were adding two flags to INSTALL_OPTS that change +the owner:group of all installed files to ndo2db_user:ndo2db_group. +This is often a security vulnerability, since executables (we have a +few) are typically installed into everyone's PATH. If root ever +executes them, the ndo2db_user can take advantage of the situation to +run malicious code as root. + +Fortunately the change in ownership is not really needed. We simply +drop the INSTALL_OPTS, which are used for nothing else, allowing our +files to be installed as the user who is doing the installing. When +installing to one of the system PATHs, that will almost always be +root. +--- + Makefile.in | 9 ++++----- + configure.ac | 2 -- + docs/docbook/en-en/Makefile.in | 1 - + src/Makefile.in | 31 +++++++++++++++---------------- + 4 files changed, 19 insertions(+), 24 deletions(-) + +diff --git a/Makefile.in b/Makefile.in +index 58c9f0f..68774c2 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -37,7 +37,6 @@ INSTALL=@INSTALL@ + GREP=@GREP@ + EGREP=@EGREP@ + +-INSTALL_OPTS=@INSTALL_OPTS@ + OPSYS=@opsys@ + DIST=@dist_type@ + +@@ -98,10 +97,10 @@ install: + @echo "" + + install-config: +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(CFGDIR) +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(PIPEDIR) +- $(INSTALL) -m 644 $(INSTALL_OPTS) config/ndo2db.cfg-sample $(DESTDIR)$(CFGDIR) +- $(INSTALL) -m 644 $(INSTALL_OPTS) config/ndomod.cfg-sample $(DESTDIR)$(CFGDIR) ++ $(INSTALL) -m 775 -d $(DESTDIR)$(CFGDIR) ++ $(INSTALL) -m 775 -d $(DESTDIR)$(PIPEDIR) ++ $(INSTALL) -m 644 config/ndo2db.cfg-sample $(DESTDIR)$(CFGDIR) ++ $(INSTALL) -m 644 config/ndomod.cfg-sample $(DESTDIR)$(CFGDIR) + @echo "" + @echo "*** Config files installed ***" + @echo 
"" +diff --git a/configure.ac b/configure.ac +index 58b47a4..3279397 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -317,8 +317,6 @@ AC_ARG_WITH(ndo2db_user,AC_HELP_STRING([--with-ndo2db-user=<user>],[sets user na + AC_ARG_WITH(ndo2db_group,AC_HELP_STRING([--with-ndo2db-group=<group>],[sets group name to run NDO2DB]),ndo2db_group=$withval,ndo2db_group=nagios) + AC_SUBST(ndo2db_user) + AC_SUBST(ndo2db_group) +-INSTALL_OPTS="-o $ndo2db_user -g $ndo2db_group" +-AC_SUBST(INSTALL_OPTS) + + + dnl Does the user want to check for systemd? +diff --git a/docs/docbook/en-en/Makefile.in b/docs/docbook/en-en/Makefile.in +index d72b68c..29e1e1e 100644 +--- a/docs/docbook/en-en/Makefile.in ++++ b/docs/docbook/en-en/Makefile.in +@@ -13,7 +13,6 @@ BINDIR=@bindir@ + LIBEXECDIR=@libexecdir@
+ DATAROOTDIR=@datarootdir@
+ INSTALL=@INSTALL@
+-INSTALL_OPTS=@INSTALL_OPTS@
+
+
+ all:
+diff --git a/src/Makefile.in b/src/Makefile.in +index 532cc82..352a768 100644 +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -26,7 +26,6 @@ exec_prefix=@exec_prefix@ + PIPEDIR=@localstatedir@ + BINDIR=@bindir@ + INSTALL=@INSTALL@ +-INSTALL_OPTS=@INSTALL_OPTS@ + + CC=@CC@ + +@@ -126,9 +125,9 @@ distclean: clean + devclean: distclean + + install: install-4x +- $(INSTALL) -m 774 $(INSTALL_OPTS) file2sock $(DESTDIR)$(BINDIR) +- $(INSTALL) -m 774 $(INSTALL_OPTS) log2ndo $(DESTDIR)$(BINDIR) +- $(INSTALL) -m 774 $(INSTALL_OPTS) sockdebug $(DESTDIR)$(BINDIR) ++ $(INSTALL) -m 774 file2sock $(DESTDIR)$(BINDIR) ++ $(INSTALL) -m 774 log2ndo $(DESTDIR)$(BINDIR) ++ $(INSTALL) -m 774 sockdebug $(DESTDIR)$(BINDIR) + @echo "" + @echo " Hint: NDOUtils Installation against Nagios v4.x" + @echo " completed." +@@ -147,20 +146,20 @@ install: install-4x + @echo "" + + install-2x: +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(PIPEDIR) +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR) +- $(INSTALL) -m 755 $(INSTALL_OPTS) ndo2db-2x $(DESTDIR)$(BINDIR)/ndo2db +- $(INSTALL) -m 755 $(INSTALL_OPTS) ndomod-2x.o $(DESTDIR)$(BINDIR)/ndomod.o ++ $(INSTALL) -m 775 -d $(DESTDIR)$(PIPEDIR) ++ $(INSTALL) -m 775 -d $(DESTDIR)$(BINDIR) ++ $(INSTALL) -m 755 ndo2db-2x $(DESTDIR)$(BINDIR)/ndo2db ++ $(INSTALL) -m 755 ndomod-2x.o $(DESTDIR)$(BINDIR)/ndomod.o + + install-3x: +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(PIPEDIR) +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR) +- $(INSTALL) -m 755 $(INSTALL_OPTS) ndo2db-3x $(DESTDIR)$(BINDIR)/ndo2db +- $(INSTALL) -m 755 $(INSTALL_OPTS) ndomod-3x.o $(DESTDIR)$(BINDIR)/ndomod.o ++ $(INSTALL) -m 775 -d $(DESTDIR)$(PIPEDIR) ++ $(INSTALL) -m 775 -d $(DESTDIR)$(BINDIR) ++ $(INSTALL) -m 755 ndo2db-3x $(DESTDIR)$(BINDIR)/ndo2db ++ $(INSTALL) -m 755 ndomod-3x.o $(DESTDIR)$(BINDIR)/ndomod.o + + install-4x: +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(PIPEDIR) +- $(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR) +- 
$(INSTALL) -m 755 $(INSTALL_OPTS) ndo2db-4x $(DESTDIR)$(BINDIR)/ndo2db +- $(INSTALL) -m 755 $(INSTALL_OPTS) ndomod-4x.o $(DESTDIR)$(BINDIR)/ndomod.o ++ $(INSTALL) -m 775 -d $(DESTDIR)$(PIPEDIR) ++ $(INSTALL) -m 775 -d $(DESTDIR)$(BINDIR) ++ $(INSTALL) -m 755 ndo2db-4x $(DESTDIR)$(BINDIR)/ndo2db ++ $(INSTALL) -m 755 ndomod-4x.o $(DESTDIR)$(BINDIR)/ndomod.o + +-- +2.43.0 + +From 69a80d6a9bf1196ffcfffa7f756633bb13a62b5f Mon Sep 17 00:00:00 2001 +From: Michael Orlitzky <michael@orlitzky.com> +Date: Sat, 2 Mar 2024 19:52:47 -0500 +Subject: [PATCH 2/2] src/Makefile.in: install all executables with mode 0755 + +Three executables -- file2sock, log2ndo, and sockdebug -- are +currently being installed group-writable but not +world-executable. This is in contrast with the other two executables, +ndo2db and ndomod.o, that are installed mode 0755. + +Having recently removed the INSTALL_OPTS that were altering the +owner:group of these files, there is no longer any security risk to +mode 0774. However, 0755 is more consistent with both the rest of our +executables, and with the typical permissions on /usr/bin that arise +from the (extremely common) umask of 0022. + +We change these three to 0755 for a little bit of extra peace of mind. + +changes. Lines starting # with '#' will be ignored, and an empty +message aborts the commit. 
# # Date: Sat Mar 2 19:52:47 2024 -0500 # +src/Makefile.in # +--- + src/Makefile.in | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/Makefile.in b/src/Makefile.in +index 352a768..e6a1816 100644 +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -125,9 +125,9 @@ distclean: clean + devclean: distclean + + install: install-4x +- $(INSTALL) -m 774 file2sock $(DESTDIR)$(BINDIR) +- $(INSTALL) -m 774 log2ndo $(DESTDIR)$(BINDIR) +- $(INSTALL) -m 774 sockdebug $(DESTDIR)$(BINDIR) ++ $(INSTALL) -m 755 file2sock $(DESTDIR)$(BINDIR) ++ $(INSTALL) -m 755 log2ndo $(DESTDIR)$(BINDIR) ++ $(INSTALL) -m 755 sockdebug $(DESTDIR)$(BINDIR) + @echo "" + @echo " Hint: NDOUtils Installation against Nagios v4.x" + @echo " completed." +-- +2.43.0 + diff --git a/net-analyzer/ndoutils/ndoutils-2.1.3-r3.ebuild b/net-analyzer/ndoutils/ndoutils-2.1.3-r4.ebuild index 044cb36975f4..32d8d3bd8c57 100644 --- a/net-analyzer/ndoutils/ndoutils-2.1.3-r3.ebuild +++ b/net-analyzer/ndoutils/ndoutils-2.1.3-r4.ebuild @@ -1,12 +1,12 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 -inherit systemd +inherit autotools systemd -DESCRIPTION="Nagios addon to store Nagios data in a MySQL database" -HOMEPAGE="https://www.nagios.org/" +DESCRIPTION="Nagios addon to store Nagios data in a database" +HOMEPAGE="https://github.com/NagiosEnterprises/ndoutils" SRC_URI="https://github.com/NagiosEnterprises/${PN}/archive/${P}.tar.gz" S="${WORKDIR}/${PN}-${P}" 
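Review bot: In secure-install-permissions.patch, the rewritten `$(INSTALL) -m 775 -d` lines for `$(DESTDIR)$(CFGDIR)`, `$(DESTDIR)$(PIPEDIR)` and `$(DESTDIR)$(BINDIR)` keep the group-write bit. Patch 2/2 normalises the three executables to 0755 but not the directories they are installed into. For the directories that hold executables and configuration I would use `$(INSTALL) -m 755 -d $(DESTDIR)$(BINDIR)` and `$(INSTALL) -m 755 -d $(DESTDIR)$(CFGDIR)` in install-config and install-2x/3x/4x. PIPEDIR holds the daemon's socket and may need different treatment, so it is better decided separately. The 2/2 commit message also still contains text from the git commit template (`Lines starting # with '#' will be ignored, and an empty message aborts the commit.` and the `# Date:` lines after it), which should be removed before the patch goes upstream. The Makefile targets touched by the inner hunks continue outside the context shown.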
@@ -14,14 +14,17 @@ LICENSE="GPL-2" SLOT="0" KEYWORDS="~amd64 ~ppc ~x86" -# We require the "nagios" user from net-analyzer/nagios-core at build -# time. DEPEND=" dev-db/mysql-connector-c dev-perl/DBD-mysql - dev-perl/DBI - >=net-analyzer/nagios-core-4.4.5" + dev-perl/DBI" + +# The default value of the --with-ndo2db-{user,group} flag is "nagios". +# For unrelated reasons, we actually patch out the build-time dependency +# on the user/group, but it should still be there at runtime. RDEPEND="${DEPEND} + acct-user/nagios + acct-group/nagios virtual/mysql" PATCHES=( @@ -29,8 +32,14 @@ PATCHES=( "${FILESDIR}"/ndoutils-2.0.0-asprintf.patch "${FILESDIR}"/sample-config-piddir.patch "${FILESDIR}"/openrc-init.patch + "${FILESDIR}"/secure-install-permissions.patch ) +src_prepare() { + default + eautoreconf +} + src_configure() { # The localstatedir is where our socket will be created by the # nagios daemon, so we put it in /var/lib/nagios where the "nagios" @@ -39,6 +48,9 @@ src_configure() { # And normally, we would use /run for the pid file, but the daemon # drops permissions before creating it, so the piddir also needs # to be writable by the nagios user. + # + # Oh, and the build fails without --enable-mysql, so don't try. + # econf --enable-mysql \ --localstatedir=/var/lib/nagios \ --sysconfdir=/etc/nagios \ |
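Review bot: With `>=net-analyzer/nagios-core-4.4.5` removed from DEPEND, and so from RDEPEND, nothing in the visible hunks guarantees that /var/lib/nagios exists and is writable by the nagios user. The src_configure comment depends on exactly that for the socket and the pid file. The new secure-install-permissions.patch also stops the Makefile from creating PIPEDIR as ndo2db_user:ndo2db_group, so that directory would presumably be created by the installing user instead. src_install is outside the hunks shown, so please confirm it sets the ownership. If it does not, `keepdir /var/lib/nagios` followed by `fowners nagios:nagios /var/lib/nagios` would make the requirement explicit. The new comment above RDEPEND would be clearer if it named this directory as the reason the user and group are needed at runtime.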