Re: FreeBSD Port: security/sshguard-pf

2014-04-14 Thread Benjamin Podszun

On Wednesday, April 9, 2014 1:55:51 PM CEST, Dr. Michael Letzgus wrote:

Hi all,

sshguard-pf won't start any more after the ports update to 1.5_3.
There are no messages in auth.log.

A manual start via command line of sshguard is successful - so maybe
there is a problem with the rc script?


Hi.

Ran into the same issue. So - what are my next steps? Filing a PR against 
ports@ seems good, but .. probably the slow route.. :)

CC'd crees@ as last committer/potentially most familiar with that stuff?

Tracking down the issue:

Same issue here:

# service sshguard start
Starting sshguard.
# service sshguard status
sshguard is not running.

Thanks, Sergey. Good start, but no error:

# sh -x /usr/local/etc/rc.d/sshguard start
snip
+ eval '/usr/sbin/daemon  -cf /usr/local/sbin/sshguard -b 40:/var/db/sshguard/blacklist.db  -a 40 -p 1200 -s 420 -w /usr/local/etc/sshguard.whitelist -i '
+ /usr/sbin/daemon -cf /usr/local/sbin/sshguard -b 40:/var/db/sshguard/blacklist.db -a 40 -p 1200 -s 420 -w /usr/local/etc/sshguard.whitelist -i


Let's remove the input/output redirection (-f)

# /usr/sbin/daemon -c /usr/local/sbin/sshguard -b 40:/var/db/sshguard/blacklist.db -a 40 -p 1200 -s 420 -w /usr/local/etc/sshguard.whitelist -i

sshguard: option requires an argument -- i
Usage:
sshguard [-b thr:file] [-w whlst]{0,n} [-a num] [-p sec] [-s sec]
         [-l source] [-f srv:pidfile]{0,n} [-i pidfile] [-v]
    -b  Blacklist: thr = number of abuses before blacklisting, file = blacklist filename.
    -a  Number of hits after which blocking an address (40)
    -p  Seconds after which unblocking a blocked address (420)
    -w  Whitelisting of addr/host/block, or take from file if starts with / or . (repeatable)
    -s  Seconds after which forgetting about a cracker candidate (1200)
    -l  Add the given log source to Log Sucker's monitored sources (off)
    -f  authenticate service's logs through its process pid, as in pidfile
    -i  When started, save PID in the given file; useful for startup scripts (off)
    -v  Dump version message to stderr, supply this when reporting bugs

    The SSHGUARD_DEBUG environment variable enables debugging mode (verbosity + interactivity).


I'd say this is a bug in sshguard: Failing to start shouldn't exit with 0.
That said, it first and foremost is a bug in the port.

Looking at the rc script and the diff [1] the problem's easy enough: 
${sshguard_pidfile} is passed as parameter to -i, but isn't set in the 
script/has no default value. Either the related line from the previous 
revision should be revived or the substitution should change to use 
${pidfile}, which _is_ set.


What now? To PR or not?

Regards,
Ben

1: http://svnweb.freebsd.org/ports/head/security/sshguard/files/sshguard.in?r1=311381&r2=350643
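
The root cause described in the message above, reproduced as an added example (not the port's rc script and not code from the thread): an unset variable leaves -i without its argument. The getopts string is derived from the usage text quoted in the mail; the function names and the pidfile path are assumptions made for the illustration.

```sh
#!/bin/sh
# Added illustration; function names and the pidfile path are assumptions.

# Options taken from the usage text in the mail: only -v takes no argument.
SSHGUARD_OPTS='b:w:a:p:s:l:f:i:v'
COMMON='-b 40:/var/db/sshguard/blacklist.db -a 40 -p 1200 -s 420 -w /usr/local/etc/sshguard.whitelist'

# parse_flags ARGS...: succeed only if every option that needs a value has one.
parse_flags() {
    OPTIND=1
    while getopts ":$SSHGUARD_OPTS" opt; do
        case $opt in
            :)  echo "option requires an argument -- $OPTARG" >&2; return 1 ;;
            \?) echo "illegal option -- $OPTARG" >&2; return 1 ;;
        esac
    done
    return 0
}

# check "FLAGS": word-split the string the way the rc script's eval does.
check() {
    # shellcheck disable=SC2086  # splitting is intended here
    parse_flags $1
}

# Broken: ${sshguard_pidfile} is never assigned, so the string ends in a bare -i.
flags_broken() {
    unset sshguard_pidfile
    echo "$COMMON -i ${sshguard_pidfile}"
}

# Fix named in the mail: substitute ${pidfile}, which is set.
flags_fixed() {
    pidfile=/var/run/sshguard.pid    # constructed sample value
    echo "$COMMON -i ${pidfile}"
}

# Defensive variant: fail while building the flags instead of at daemon start.
# The body runs in a subshell so ${var:?} aborts only this function.
flags_guarded() (
    : "${sshguard_pidfile:?sshguard_pidfile is not set}"
    echo "$COMMON -i ${sshguard_pidfile}"
)

for variant in flags_broken flags_fixed flags_guarded; do
    if flags=$($variant 2>/dev/null) && check "$flags" 2>/dev/null; then
        echo "$variant: command line is complete"
    else
        echo "$variant: rejected before the daemon is launched"
    fi
done
```
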


___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org


Re: dovecot, init script - is this expected or PR worthy?

2014-02-12 Thread Benjamin Podszun

On Wednesday, February 12, 2014 2:56:18 AM CEST, Stephen R Guglielmo wrote:

On Tue, Feb 11, 2014 at 12:24 PM, Benjamin Podszun 
benjamin.pods...@gmail.com wrote:


service dovecot start

and .. that succeeds always, if dovecot_enable=YES is missing (which
totally is an error on my part, obviously).

What I expect though is the typical Can't do that, Dave. Try onestart
perhaps response - and some exit code that signals failure.





Is that a (tiny, minor) bug? Should I submit a PR for that? Or is that
totally irrelevant and people out there would never fall for 
that anyway..?


Thanks,
Ben



Hey,

I can't reproduce this on my system. I typically run the rc.d/ scripts
myself, but I did try using the `service` command as well. It works as
expected: The script returns no output when dovecot_enable is commented
out or set equal to NO in my /etc/rc.conf.local file, and it does not
start or stop the dovecot processes.

I'm using dovecot 1.2.17 on 10.0-RELEASE. Are you using dovecot 2?


Hi.

I .. think my mail was probably too convoluted and messy. My point?

service foo start shouldn't be silent if the service isn't starting. The 
default rc functions ensure that, give the 'Need foo_enable or onestart 
instead' message. Dovecot's rc script doesn't, because it doesn't even 
_invoke_ the rc functions if dovecot_enable != YES.


(dovecot2 for me, btw - but you described seeing exactly what I see: 
Nothing, but the service isn't starting either)


The whole point is that this silently fails. Is that okay?

Regards,
Ben


dovecot, init script - is this expected or PR worthy?

2014-02-11 Thread Benjamin Podszun
Hey there.

Setting up a machine with ansible, stumbling upon a couple of problems. The
current issue? Part of my automated setup calls

service dovecot start

and .. that succeeds always, if dovecot_enable=YES is missing (which
totally is an error on my part, obviously).

What I expect though is the typical Can't do that, Dave. Try onestart
perhaps response - and some exit code that signals failure.

Dovecot's init script wraps all the standard rc stuff in this if though:

# Everything, including run_rc_command, sits inside this check
if checkyesno ${name}_enable; then
    for config in ${dovecot_config}; do
        required_files="${config}"
        command_args="-c ${config}"
        # Ask dovecot for its base_dir to locate the matching pidfile
        base_dir=$(${command} ${command_args} -a | /usr/bin/awk -F '= ' '/^base_dir =/ { print $2 }')
        pidfile="${base_dir}/master.pid"
        run_rc_command "$1"
    done
fi

=> checkyesno returns false, script silently exits and 'service dovecot
start' seemingly succeeded, no message given. Looking at other services at
least a message appears (but the exit code is still 0):

service unbound start
Cannot 'start' unbound. Set unbound_enable to YES in /etc/rc.conf or use
'onestart' instead of 'start'.

Is that a (tiny, minor) bug? Should I submit a PR for that? Or is that
totally irrelevant and people out there would never fall for that anyway..?

Thanks,
Ben
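
What the sshguard and dovecot threads above have in common is a `service <name> start` that reports success although nothing is running. An added example (not from the thread and not part of rc.subr) of an automation-side check that asks for positive evidence instead; SERVICE, SETTLE, start_verified and its return codes are assumptions of this example, and it relies on the stock rc.subr status wording "is running".

```sh
#!/bin/sh
# Added illustration; SERVICE, SETTLE and the return codes are assumptions.
SERVICE="${SERVICE:-service}"   # command used to reach the rc.d scripts
SETTLE="${SETTLE:-1}"           # seconds between status polls

# start_verified NAME [TRIES]
#   0  status positively reports the service as running
#   1  service is not enabled (dovecot case: start is a silent no-op)
#   2  the start command itself reported failure
#   3  start exited 0 but the service never came up (sshguard case)
start_verified() {
    name=$1
    tries=${2:-5}

    # `service -e` prints the rc.d script path of every enabled service.
    if ! $SERVICE -e | grep -q "/${name}\$"; then
        echo "$name: not enabled in rc.conf" >&2
        return 1
    fi

    if ! $SERVICE "$name" start >/dev/null 2>&1; then
        echo "$name: start exited non-zero" >&2
        return 2
    fi

    # Require positive evidence: empty output or "is not running" both fail.
    i=0
    out=
    while [ "$i" -lt "$tries" ]; do
        out=$($SERVICE "$name" status 2>&1) || true
        case $out in
            *"is running"*) return 0 ;;
        esac
        i=$((i + 1))
        if [ "$i" -lt "$tries" ]; then
            sleep "$SETTLE"
        fi
    done
    echo "$name: start exited 0, status says: ${out:-<no output>}" >&2
    return 3
}

# Typical use from a provisioning step:
#   start_verified dovecot || exit $?
```
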


Re: FreeBSD Port: prosody-0.9.3 IPv6 status.

2014-02-11 Thread Benjamin Podszun
Hey.

The lack of a newer luasocket. David already has a patch for that
(luasocket 3.0rc1) and it works (with ipv6 support) on his and my server.

So I'd expect to see that limitation go away Real Soon(tm).

Thanks to that very responsive maintainer.

Ben
On Feb 11, 2014 9:19 PM, Kelly Hays kelly.h...@jkhfamily.org wrote:

 Hello,
 First I would like to thank you for the work that you put into updating
 this port. It is good to see it up to date again.

 I noticed that the pkg message says that IPv6 is not working. Do you know
 what the issue is?

 Thanks,
   Kelly




security/luasec needs bump to 0.5 - but there's no direct maintainer?

2014-02-07 Thread Benjamin Podszun

Hi.

Change of mail address, new thread with a decent title (previously: prosody 
update, which is sort of independent as far as I've confirmed so far).


With the attached patch luasec-0.5 builds & installs fine in my 
environment.


IF (capitals used for a reason..) I understand the following output 
correctly, there's just one (known) consumer for that port:


#pkg info -r lua51-luasec
lua51-luasec-0.4:
prosody-0.9.2

(where prosody in this case is already bumped to the last release, I'm 
trying to push that in [1], as a follow-up to a 0.9.1 bump that never 
landed)


Would it be correct to assume that therefore the risk in bumping luasec is 
quite small, especially since I'm successfully _running_ prosody [2] using 
that port?


Being utterly clueless: What's the right procedure to move forward, 
especially without a dedicated maintainer for that thing? Hoping for a 
sponsor on this list? Should I stop the discussion here and send a PR 
instead - hoping that someone accepts that one?


Thanks a lot in advance,
Ben

1: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/182075

2: This instance is nothing but a 'do these ports run' deployment, but
2.1 c2s results: 
https://xmpp.net/result.php?domain=dar-klajid.de&type=client
2.2 s2s results: 
https://xmpp.net/result.php?domain=dar-klajid.de&type=server


Basically this means that client and server connections work AND encryption 
(which is the whole point of using luasec in the first place) works quite 
well/gets great scores w/ the right configuration. Haven't looked into PFS 
support yet, but .. that's a different issue.

diff -Nur luasec.orig/Makefile luasec/Makefile
--- luasec.orig/Makefile	2014-02-06 21:33:46.0 +0100
+++ luasec/Makefile	2014-02-06 23:58:40.0 +0100
@@ -1,10 +1,12 @@
 # Created by: Andrew Lewis free...@gmail.com
-# $FreeBSD$
+# $FreeBSD: tags/RELEASE_10_0_0/security/luasec/Makefile 327769 2013-09-20 22:55:24Z bapt $
 
 PORTNAME=	luasec
-PORTVERSION=	0.4
+PORTVERSION=	0.5
 CATEGORIES=	security
-MASTER_SITES=	http://www.inf.puc-rio.br/~brunoos/luasec/download/
+MASTER_SITES=	https://github.com/brunoos/${PORTNAME}/archive/
+FETCH_ARGS=	-Fpr
+WRKSRC=		${WRKDIR}/${PORTNAME}-${PORTNAME}-${PORTVERSION}
 PKGNAMEPREFIX=	${LUA_PKGNAMEPREFIX}
 
 MAINTAINER=	po...@freebsd.org
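Review bot: The "# $FreeBSD$" line near the top of this hunk is replaced by its expanded form ("$FreeBSD: tags/RELEASE_10_0_0/... bapt $"); that is keyword expansion from the local checkout rather than an intended change, so the diff should be regenerated with the unexpanded "# $FreeBSD$" kept. The new "FETCH_ARGS= -Fpr" and the doubled ${PORTNAME}-${PORTNAME}-${PORTVERSION} in WRKSRC would also benefit from a one-line comment saying why the new download location needs them.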
@@ -13,8 +15,8 @@
 RUN_DEPENDS+=	${LUA_MODLIBDIR}/socket/core.so:${PORTSDIR}/net/luasocket
 
 ALL_TARGET=	bsd
-LIBDIR=		-L${LUA_LIBDIR}
-MAKE_ENV+=	INCDIR=-I${LUA_INCDIR} LUAPATH=${LUA_MODSHAREDIR} \
+LIBDIR=		-L${LUA_LIBDIR} -L./luasocket
+MAKE_ENV+=	INCDIR=-I${LUA_INCDIR} -I${WRKSRC}/src LUAPATH=${LUA_MODSHAREDIR} \
 		CPATH=${LUA_MODLIBDIR}
 USE_LUA=	5.1
 WANT_LUA_VER=	5.1
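Review bot: The added -L./luasocket in LIBDIR is a relative path, while the include path added on the next line is anchored with -I${WRKSRC}/src, so the library search path depends on the directory make happens to run in; anchor it on ${WRKSRC} as well. Since the context line above still declares RUN_DEPENDS on net/luasocket, it is also worth stating whether the build is meant to use the bundled luasocket or the installed one.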
@@ -31,11 +33,12 @@
 .endif
 
 post-patch:	.SILENT
-	${REINPLACE_CMD} -Ee '/^CC/s/=/?=/' \
-		-e '/^LD/s/gcc/$$(CC)/' \
-		-e '/^(C|LD)FLAGS/s/=/+=/' \
-		-e '/^BSD/{s/-O[0-3]?//;}' \
+	${REINPLACE_CMD} -Ee '/\(INSTALL\)/s/-D //' \
+		-e '/^LDFLAGS/s/\+=/=/' \
+		-e 's/LUAPATH/LUA_MODSHAREDIR/' \
+		-e 's/LUACPATH/LUA_MODLIBDIR/' \
 		${WRKSRC}/src/Makefile
+	${REINPLACE_CMD} -Ee '/^(INC|LIB)DIR/s/[^?]=/?=/' \
+		${WRKSRC}/Makefile
 
 .include bsd.port.mk
-
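Review bot: The rewritten post-patch drops the substitutions that made the upstream Makefile honour the ports compiler and flags ('/^CC/s/=/?=/' and '/^(C|LD)FLAGS/s/=/+=/' among them) and adds '/^LDFLAGS/s/\+=/=/', which goes the other way for LDFLAGS. Unless src/Makefile in 0.5 already takes CC, CFLAGS and LDFLAGS from the environment, the port will build with upstream's hard-coded settings; please confirm that or keep equivalent substitutions. The final "-" line only removes the blank line after the .include and can be left out of the patch.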
diff -Nur luasec.orig/distinfo luasec/distinfo
--- luasec.orig/distinfo	2014-01-16 22:07:01.0 +0100
+++ luasec/distinfo	2014-02-06 23:58:40.0 +0100
@@ -1,2 +1,2 @@
-SHA256 (luasec-0.4.tar.gz) = 111732f0e646120a701d33e7d3a613a9a901c11c0a01d0805d73ef90c3f0abd5
-SIZE (luasec-0.4.tar.gz) = 27829
+SHA256 (luasec-0.5.tar.gz) = 6480598f7492ac479b6b608b5fb1488226bfa6ef675e29f6b24dbe9099083523
+SIZE (luasec-0.5.tar.gz) = 46738
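Review bot: The new SHA256 and SIZE for luasec-0.5.tar.gz arrive together with a new download host (the MASTER_SITES change in the Makefile hunk), so nothing in the patch lets a committer cross-check them. Fetch the tarball independently and regenerate distinfo rather than taking the two values from the mail as given.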

Re: security/luasec needs bump to 0.5 - but there's no direct maintainer?

2014-02-07 Thread Benjamin Podszun

On Friday, February 7, 2014 2:55:48 PM CEST, John Marino wrote:

On 2/7/2014 14:43, Benjamin Podszun wrote:

Hi.

Change of mail address, new thread with a decent title (previously:
prosody update, which is sort of independent as far as I've confirmed so
far).

With the attached patch luasec-0.5 builds & installs fine in my

 ...

Hi Ben,
One approach is to submit this patch as a PR but add a change to make
yourself the maintainer!  Then you're coming from a position of
authority that the port needs bumping.  :)


Thanks. I submitted ports/186533 just now. I hope the discussion will 
continue over there. Given that you're one of the guys with the freebsd.org 
tag: So what are the next steps? Someone's hopefully going to chime in, 
look into that PR and (if it seems acceptable) commits that patch? Just 
works™ from here on?



seriously, why not?


While I offered to adopt the port in the PR, the answer to that one is 
easy:
I'm running a FreeBSD machine for less than 24h so far (if we ignore 
playing with it  6-8 years ago) and I'm not sure if I should change a 
maintainer field _just yet_.. ;)


Ben

FreeBSD Port: prosody-0.8.2

2014-02-06 Thread Benjamin Podszun
Hey there.

Totally new to FreeBSD here, trying to migrate a piece of my
infrastructure from .. Linux.

One thing I'm relying on is prosody, you seem to maintain that port.
0.8.2 was released around the 20.06.2011.

Starting from 20.08.2013 prosody is on 0.9, 0.9.2 was released in
January 2014.

Is there any chance to see an update to this port? Are you still
interested in this project or is the port currently abandoned?
Can I help with anything to bump this to a more current (ideally: THE
current) version?

Thanks a lot,
Ben



Re: FreeBSD Port: prosody-0.8.2

2014-02-06 Thread Benjamin Podszun
Hi.

On Thu, Feb 6, 2014 at 4:06 PM, Kurt Jaeger p...@opsec.eu wrote:

 Hi!

  Starting from 20.08.2013 prosody is on 0.9, 0.9.2 was released in
  January 2014.

 Have a look at

 http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/182075

 there is an update to 0.9.1 as a patch and one open question
 someone has to solve.


Thanks for the link. I .. didn't know better to search there first. Sorry
about that. So I guess I want that bug to be resolved, with a bump to 0.9.2
ideally :)


  Is there any chance to see an update to this port? Are you still
  interested in this project or is the port currently abandoned?
  Can I help with anything to bump this to a more current (ideally: THE
  current) version?

 If you can try to coordinate with the luasec and luasocket maintainers ?


Actually I think that's a non-issue (now). The comment from lx/the
maintainer of prosody claims that s2s is broken (no idea, haven't tried the
patch just yet) and wonders if we'd need the forked lua dependencies.
Looking at the prosody project page [1] even THEY don't realize that the
situation has changed and they still point to [2] as a 'fork just to get a
release out'. The luasec bug [3] was closed just a week ago - in other
words: luasec proper, the official version, got a new release out and the
fork should be irrelevant now. A quick chat with the prosody developers
seems to confirm that.

That said: The luasec changes _shouldn't_ break s2s (merely disable some
features, such as PFS for TLS for example).

So .. this probably now needs a bump for lua51-luasec (which lists no
individual maintainer, points to po...@freebsd.org only) from 0.4 to 0.5.
How would I approach that? Looking at the port myself and giving it a try?
Attaching that to a bug of sorts (similar to the prosody one)?

Thanks a lot/regards,
Ben

1: https://prosody.im/doc/depends#luasec
2: https://prosody.im/doc/depends/luasec/prosody
3: https://github.com/brunoos/luasec/issues/3


Re: FreeBSD Port: prosody-0.8.2

2014-02-06 Thread Benjamin Podszun
On Thu, Feb 6, 2014 at 7:55 PM, David Thiel l...@freebsd.org wrote:

 On 02/06, Benjamin Podszun wrote:
   If you can try to coordinate with the luasec and luasocket maintainers ?
 
  Actually I think that's a non-issue (now). The comment from lx/the
  maintainer of prosody claims that s2s is broken (no idea, haven't tried the
  patch just yet) and wonders if we'd need the forked lua dependencies.
  Looking at the prosody project page [1] even THEY don't realize that the
  situation has changed and they still point to [2] as a 'fork just to get a
  release out'. The luasec bug [3] was closed just a week ago - in other
  words: luasec proper, the official version, got a new release out and the
  fork should be irrelevant now. A quick chat with the prosody developers
  seems to confirm that.

 Well, that's good, at least. Thanks for investigating.

  That said: The luasec changes _shouldn't_ break s2s (merely disable some
  features, such as PFS for TLS for example).

 I agree! However, I was not able to successfully debug the issue with
 the Prosody developers. Things may well have changed now, I just want to
 get things fully in compliance with what the Prosody developers are
 using, as a test cycle of all of Prosody's functionality is quite
 time-consuming.


Maybe I can help with that - since I plan to migrate/relocate and that's a
core part of what I need here (which is why I'm diving into ports about
30min after my first FreeBSD installation in years). So - one tester, ready
to help out. ;-)
The prosody people updated their website to deprecate their luasec fork
when I asked them about the new 0.5 release - so their website is now
stating 'Use 0.5 if you can, we have a fork that you can use if you have no
0.5 package available just yet'.


  So .. this probably now needs a bump for lua51-luasec (which lists no
  individual maintainer, points to po...@freebsd.org only) from 0.4 to 0.5.
  How would I approach that? Looking at the port myself and giving it a try?
  Attaching that to a bug of sorts (similar to the prosody one)?

 Tell you what -- I'll try to tackle LuaSec. If you can take a look at
 the Luasocket situation and perhaps bring that up with the maintainer,
 that'd certainly be useful.


So, I have a building luasec 0.5 here. Sortof. It fails in make package or
anything _after_ make build, failing in 'install'.
Obviously I'm not sure if this is just a huge hack or roughly usable..

Luasocket: Well, can you explain what you mean? Are you talking about
luasec including luasocket (and again, in a prerelease 3.x version)? If you
could tell me a bit more I'd be happy to invest some time/give it a go.

Thanks,
Ben


Re: FreeBSD Port: prosody-0.8.2

2014-02-06 Thread Benjamin Podszun
On Thu, Feb 6, 2014 at 9:05 PM, David Thiel l...@redundancy.redundancy.org wrote:

 On 02/06, Benjamin Podszun wrote:
  Maybe I can help with that - since I plan to migrate/relocate and
  that's a core part of what I need here (which is why I'm diving into
  ports about 30min after my first FreeBSD installation in years). So -
  one tester, ready to help out. ;-)

 Thanks!


Depending on your progress: Attached the diff that bumps luasec as far as I
can tell (builds, installs - but I haven't actually _used_ the package).
Note: There might be atrocities in that diff. How can I know.. ;-)


  Luasocket: Well, can you explain what you mean? Are you talking about
  luasec including luasocket (and again, in a prerelease 3.x version)? If you
  could tell me a bit more I'd be happy to invest some time/give it a go.

 Ugh, I forgot about this part of the mess. So, Prosody says that
 Luasocket 2 is required, but the new Luasec includes luasocket 3. Do
 we update the Luasocket port to 3, hosted on its new GitHub repo? Does
 this mean that the updated Luasec and luasocket ports would actually
 conflict with each other? If you know or can find those answers, that'd
 be useful.


I'll see what I can find out. According to the (generally lua-knowledgable)
prosody folks these libraries might even be merged in the future..
For now I'll see if I can use the 0.9.1 patch (and bump it maybe?) so that
I can prosody as my test application.

On a different note: Is this back and forth okay on this list or .. too
much spam? :)

Ben


luasec-update
Description: Binary data

Re: FreeBSD Port: prosody-0.8.2

2014-02-06 Thread Benjamin Podszun
 I'll see what I can find out. According to the (generally
 lua-knowledgable) prosody folks these libraries might even be merged in the
 future..
 For now I'll see if I can use the 0.9.1 patch (and bump it maybe?) so that
 I can prosody as my test application.



Sorry for replying to myself. I fixed a minor issue in the luasec patch and
formatted it to apply more easily.
Plus, I created a patch for prosody and sent a follow-up to ports/182075.

I'd be glad to get some feedback, especially from you, David.
Would be awesome to get this in somehow.

Regards,
Ben


luasec-update
Description: Binary data