Hello ports@, I was pleasantly surprised to see that there is an umurmur port for OpenBSD - albeit an out-of-date one - so I am opting to pick it up.
This diff bumps umurmur to 0.3.1, which integrates some of the previously applied patches regarding strlcpy/snprintf and whatnot.
Still, it is a long-running network daemon written in C, so for peace of mind I think it is worth having it call pledge and unveil. I tried to be smart about it and am thankful for any review or tests.
It works on my machine :) ok?
diff --git a/audio/umurmur/Makefile b/audio/umurmur/Makefile index d8b1e575938..287ebcf8a8d 100644 --- a/audio/umurmur/Makefile +++ b/audio/umurmur/Makefile @@ -2,16 +2,18 @@ COMMENT = minimalistic Mumble server GH_ACCOUNT = umurmur GH_PROJECT = umurmur -GH_TAGNAME = 0.2.20 -REVISION = 1 +GH_TAGNAME = v0.3.1 CATEGORIES = audio HOMEPAGE = https://umurmur.net/ +MAINTAINER = Christoph Liebender <[email protected]> + # BSD PERMIT_PACKAGE = Yes +# uses pledge() and unveil() WANTLIB = c config crypto protobuf-c>=1.0 ssl MODULES = devel/cmake diff --git a/audio/umurmur/distinfo b/audio/umurmur/distinfo index e47fe344fb0..ead2483e3ae 100644 --- a/audio/umurmur/distinfo +++ b/audio/umurmur/distinfo @@ -1,2 +1,2 @@ -SHA256 (umurmur-0.2.20.tar.gz) = t7KXjDGXrvCmUx8c8O4a67MqVa2L2kMGTOOpRO28rIM= -SIZE (umurmur-0.2.20.tar.gz) = 93152 +SHA256 (umurmur-0.3.1.tar.gz) = gyfdCyxb0YejjQmCleiWprhdaYySaCBbyyf2JE92CnM= +SIZE (umurmur-0.3.1.tar.gz) = 94742 diff --git a/audio/umurmur/patches/patch-CMakeLists_txt b/audio/umurmur/patches/patch-CMakeLists_txt index 280e1f0b956..df1a0b7b634 100644 --- a/audio/umurmur/patches/patch-CMakeLists_txt +++ b/audio/umurmur/patches/patch-CMakeLists_txt @@ -10,11 +10,11 @@ Index: CMakeLists.txt set(CMAKE_RUNTIME_OUTPUT_DIRECTORY "${UMURMUR_BINARY_DIR}") if(NOT CMAKE_BUILD_TYPE) -@@ -27,7 +27,7 @@ add_subdirectory(src) +@@ -31,7 +31,7 @@ add_subdirectory(src) install( FILES "umurmur.conf.example" -- DESTINATION "${CMAKE_INSTALL_FULL_SYSCONFDIR}/" +- DESTINATION "${CMAKE_INSTALL_FULL_SYSCONFDIR}/umurmur" + DESTINATION "share/examples/umurmur" PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ RENAME "umurmur.conf" diff --git a/audio/umurmur/patches/patch-cmake_Modules_FindLibconfig_cmake b/audio/umurmur/patches/patch-cmake_Modules_FindLibconfig_cmake deleted file mode 100644 index a251ad7c6da..00000000000 --- a/audio/umurmur/patches/patch-cmake_Modules_FindLibconfig_cmake +++ /dev/null 
@@ -1,16 +0,0 @@ ---- cmake/Modules/FindLibconfig.cmake.orig Fri Aug 8 08:37:03 2014 -+++ cmake/Modules/FindLibconfig.cmake Thu Sep 4 13:27:02 2014 -@@ -1,10 +1,6 @@ - include(FindPackageHandleStandardArgs) - --find_path(LIBCONFIG_INCLUDE_DIR NAMES "libconfig.h" PATHS /usr/pkg /usr/local /usr PATH_SUFFIXES "include") --find_path(LIBCONFIG_LIB_DIR NAMES "libconfig.so" "libconfig.dylib" PATHS /usr/pkg /usr/local /usr PATH_SUFFIXES "lib" "lib/${CMAKE_LIBRARY_ARCHITECTURE}") -+find_path(LIBCONFIG_INCLUDE_DIR NAMES "libconfig.h") -+find_library(LIBCONFIG_LIBRARIES NAMES "config") - --if(LIBCONFIG_INCLUDE_DIR AND LIBCONFIG_LIB_DIR) -- set(LIBCONFIG_LIBRARIES config) --endif(LIBCONFIG_INCLUDE_DIR AND LIBCONFIG_LIB_DIR) -- --find_package_handle_standard_args(Libconfig DEFAULT LIBCONFIG_INCLUDE_DIR LIBCONFIG_LIBRARIES LIBCONFIG_LIB_DIR) -+find_package_handle_standard_args(Libconfig REQUIRED_VARS LIBCONFIG_INCLUDE_DIR LIBCONFIG_LIBRARIES) diff --git a/audio/umurmur/patches/patch-cmake_Modules_FindProtobufC_cmake b/audio/umurmur/patches/patch-cmake_Modules_FindProtobufC_cmake deleted file mode 100644 index af7ffb138e0..00000000000 --- a/audio/umurmur/patches/patch-cmake_Modules_FindProtobufC_cmake +++ /dev/null 
@@ -1,16 +0,0 @@ ---- cmake/Modules/FindProtobufC.cmake.orig Fri Aug 8 08:37:03 2014 -+++ cmake/Modules/FindProtobufC.cmake Thu Sep 4 13:27:27 2014 -@@ -1,10 +1,6 @@ - include(FindPackageHandleStandardArgs) - --find_path(PROTOBUFC_INCLUDE_DIR NAMES "protobuf-c.h" PATHS /usr/pkg /usr/local /usr PATH_SUFFIXES "include/google/protobuf-c") --find_path(PROTOBUFC_LIB_DIR NAMES "libprotobuf-c.so" "libprotobuf-c.dylib" PATHS /usr/pkg /usr/local /usr PATH_SUFFIXES "lib" "lib/${CMAKE_LIBRARY_ARCHITECTURE}") -+find_path(PROTOBUFC_INCLUDE_DIR NAMES "protobuf-c.h" PATH_SUFFIXES "protobuf-c") -+find_library(PROTOBUFC_LIBRARIES NAMES "protobuf-c") - --if(PROTOBUFC_INCLUDE_DIR AND PROTOBUFC_LIB_DIR) -- set(PROTOBUFC_LIBRARIES protobuf-c) --endif(PROTOBUFC_INCLUDE_DIR AND PROTOBUFC_LIB_DIR) -- --find_package_handle_standard_args(ProtobufC REQUIRED_VARS PROTOBUFC_INCLUDE_DIR PROTOBUFC_LIBRARIES PROTOBUFC_LIB_DIR) -+find_package_handle_standard_args(ProtobufC REQUIRED_VARS PROTOBUFC_INCLUDE_DIR PROTOBUFC_LIBRARIES) diff --git a/audio/umurmur/patches/patch-src_CMakeLists_txt b/audio/umurmur/patches/patch-src_CMakeLists_txt deleted file mode 100644 index 90c7f439190..00000000000 --- a/audio/umurmur/patches/patch-src_CMakeLists_txt +++ /dev/null @@ -1,9 +0,0 @@ -Index: src/CMakeLists.txt ---- src/CMakeLists.txt.orig -+++ src/CMakeLists.txt -@@ -48,4 +48,4 @@ target_link_libraries(${PROJECT_NAME} - ${LIBRT} - ${CRYPTO_LIBRARIES}) - --install(TARGETS ${PROJECT_NAME} RUNTIME DESTINATION "bin") -+install(TARGETS ${PROJECT_NAME} RUNTIME DESTINATION "sbin") diff --git a/audio/umurmur/patches/patch-src_config_h_in b/audio/umurmur/patches/patch-src_config_h_in index ed5ecaea2b1..ee8a9acd8f3 100644 --- a/audio/umurmur/patches/patch-src_config_h_in +++ b/audio/umurmur/patches/patch-src_config_h_in 
@@ -5,7 +5,7 @@ Index: src/config.h.in #cmakedefine USE_SHAREDMEMORY_API --#define DEFAULT_CONFIG "${CMAKE_INSTALL_FULL_SYSCONFDIR}/umurmur.conf" +-#define DEFAULT_CONFIG "${CMAKE_INSTALL_FULL_SYSCONFDIR}/umurmur/umurmur.conf" +#define DEFAULT_CONFIG "${SYSCONFDIR}/umurmur/umurmur.conf" #endif // CONFIG_H diff --git a/audio/umurmur/patches/patch-src_main_c b/audio/umurmur/patches/patch-src_main_c index c39bc326120..125aa40d63c 100644 --- a/audio/umurmur/patches/patch-src_main_c +++ b/audio/umurmur/patches/patch-src_main_c 
@@ -1,28 +1,67 @@ -initgroups(3) invalidates the data returned by getgrnam(3) producing -bogus logs. - -Backport of <https://github.com/umurmur/umurmur/pull/183> - Index: src/main.c --- src/main.c.orig +++ src/main.c -@@ -149,6 +149,9 @@ static void switch_user(void) - Log_fatal("Unknown group '%s'", groupname); +@@ -313,7 +313,7 @@ int main(int argc, char **argv) + break; + } + } +- ++ + if (testconfig) { + if (!Conf_ok(conffile)) + exit(1); +@@ -321,6 +321,8 @@ int main(int argc, char **argv) + exit(0); + } - gid = grp->gr_gid; ++ pledge("stdio rpath wpath cpath inet id proc unveil", ""); + -+ /* initgroups() will invalidate this data */ -+ grp = NULL; - } + /* Initialize the config subsystem early; + * switch_user() will need to read some config variables as well as logging. + */ +@@ -336,6 +338,28 @@ int main(int argc, char **argv) + } + else Log_init(true); - if (initgroups(pwd->pw_name, gid)) -@@ -160,8 +163,7 @@ static void switch_user(void) - if (setuid(pwd->pw_uid)) - Log_fatal("setuid() failed: %s", strerror(errno)); ++ { ++ const char *p; ++ ++ if ((p = getStrConf(CERTIFICATE)) != NULL) ++ unveil(p, file_exists(p) ? "r" : "rwc"); ++ if ((p = getStrConf(KEY)) != NULL) ++ unveil(p, file_exists(p) ? "r" : "rwc"); ++ if ((p = getStrConf(CAPATH)) != NULL) ++ unveil(p, "r"); ++ if ((p = getStrConf(LOGFILE)) != NULL) ++ unveil(p, file_exists(p) ? "w" : "wc"); ++ if ((p = getStrConf(BANFILE)) != NULL) ++ unveil(p, file_exists(p) ? 
"rw" : "rwc"); ++ if (pidfile) ++ unveil(pidfile, "rwc"); ++ ++ unveil("/etc/pwd.db", "r"); ++ unveil("/etc/group", "r"); ++ } ++ ++ pledge("stdio rpath wpath cpath inet id", ""); ++ + #ifdef POSIX_PRIORITY_SCHEDULING + /* Set the scheduling policy, has to be called after daemonizing + * but before we drop privileges */ +@@ -377,12 +401,16 @@ int main(int argc, char **argv) + /* SSL and scheduling is setup, we can drop privileges now */ + switch_user(); + ++ pledge("stdio rpath wpath cpath inet", ""); ++ + if(!nodaemon) { + /* Reopen log file. If user switch results in access denied, we catch + * it early. + */ + Log_reset(); + } ++ ++ pledge(getStrConf(BANFILE) ? "stdio wpath cpath inet" : "stdio inet", ""); -- if (!grp) -- grp = getgrgid(gid); -+ grp = getgrgid(gid); - if (!grp) - Log_fatal("getgrgid() failed: %s", strerror(errno)); + Server_run(); diff --git a/audio/umurmur/patches/patch-src_ssl_h b/audio/umurmur/patches/patch-src_ssl_h new file mode 100644 index 00000000000..4eb3de01d0c --- /dev/null +++ b/audio/umurmur/patches/patch-src_ssl_h @@ -0,0 +1,12 @@ +Index: src/ssl.h +--- src/ssl.h.orig ++++ src/ssl.h +@@ -101,6 +101,8 @@ typedef gnutls_session_t SSL_handle_t; + + typedef SSL SSL_handle_t; + ++bool_t file_exists(const char *); ++ + #endif + + void SSLi_init(void); diff --git a/audio/umurmur/patches/patch-src_ssli_openssl_c b/audio/umurmur/patches/patch-src_ssli_openssl_c new file mode 100644 index 00000000000..f42abbf4ff7 --- /dev/null +++ b/audio/umurmur/patches/patch-src_ssli_openssl_c @@ -0,0 +1,12 @@ +Index: src/ssli_openssl.c +--- src/ssli_openssl.c.orig ++++ src/ssli_openssl.c +@@ -206,7 +206,7 @@ err_out: + return NULL; + } + +-static bool_t file_exists(const char *filename) ++bool_t file_exists(const char *filename) + { + return (access(filename, F_OK) == 0); + } diff --git a/audio/umurmur/patches/patch-src_version_h b/audio/umurmur/patches/patch-src_version_h new file mode 100644 index 00000000000..212b289008b --- /dev/null 
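Review bot: None of the added pledge() and unveil() calls in main() check their return value, so a failed call (for example unveil() on a configured path whose parent directory is missing) leaves the daemon running with a wider filesystem view or promise set than intended, and nothing is logged. Each call should fail closed, e.g. `if (pledge("stdio rpath wpath cpath inet id", "") == -1) Log_fatal("pledge: %s", strerror(errno));`, with `err(1, "pledge")` for the first call if logging is not yet initialised at that point. The final promise set drops `rpath`, and also `wpath cpath` when no BANFILE is configured. Any later filesystem access not visible in this hunk, such as reopening the log file or removing the pidfile at shutdown, would then abort the process, so that path is worth testing. main() starts and ends outside the hunk.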
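Review bot: The new `bool_t file_exists(const char *);` prototype in src/ssl.h appears to sit inside the OpenSSL-only branch that ends at the `#endif`, while the main.c patch calls file_exists() unconditionally. That is fine for this port, which links against ssl and crypto, but the reason for the export is not recorded anywhere. A short comment above the prototype, such as `/* exported so main.c can pick unveil() permissions */`, would help, and the companion hunk in src/ssli_openssl.c that drops `static` could carry the same comment.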
+++ b/audio/umurmur/patches/patch-src_version_h @@ -0,0 +1,12 @@ +Index: src/version.h +--- src/version.h.orig ++++ src/version.h +@@ -1,7 +1,7 @@ + #ifndef VERSION_H_989876 + #define VERSION_H_989876 + +-#define UMURMUR_VERSION "0.3.0" ++#define UMURMUR_VERSION "0.3.1-OpenBSD" + #define UMURMUR_CODENAME "Loopy" + + #endif diff --git a/audio/umurmur/patches/patch-umurmur_conf_example b/audio/umurmur/patches/patch-umurmur_conf_example index 7fcbcd0c4eb..e54b959e686 100644 --- a/audio/umurmur/patches/patch-umurmur_conf_example +++ b/audio/umurmur/patches/patch-umurmur_conf_example @@ -14,7 +14,7 @@ Index: umurmur.conf.example @@ -18,9 +18,9 @@ max_users = 10; # username and groupname for privilege dropping. - # Will attempt to switch user if set. + # Will attempt to switch user if set. -# username = ""; +username = "_umurmur"; # If groupname not set the user's default login group will be used diff --git a/audio/umurmur/pkg/umurmurd.rc b/audio/umurmur/pkg/umurmurd.rc index 5e36e9b7d30..f77bc746dfa 100644 --- a/audio/umurmur/pkg/umurmurd.rc +++ b/audio/umurmur/pkg/umurmurd.rc @@ -4,6 +4,10 @@ daemon="${TRUEPREFIX}/sbin/umurmurd" . /etc/rc.d/rc.subr +rc_configtest() { + rc_exec "${daemon} -t ${daemon_flags}" +} + rc_reload=NO rc_cmd $1
