Update net/chrony: enable privilege separation and other minor changes.

- enables privilege separation - removes the build dependency on asciidoctor - removes the runtime dependency on makeinfo and readline - add a runtime dependency on libedit - do not install the HTML documentation (in favour of man pages) - update the post-install message (pkg-message) in light of privilege separation - set the permission of /var/db/chrony to the new "chronyd" user and group PR: 216737 Submitted by: maintainer Approved by: mat (mentor) Differential Revision: https://reviews.freebsd.org/D9570
svn path=/head/; revision=434012
2017-02-13 18:05:34 +00:00 · 2017-02-13 18:05:34 +00:00 · 5406a63de8 · 2021-03-31 03:12:20 +00:00
commit 5406a63de8
parent e6dd86cdc5
5 changed files with 15 additions and 14 deletions
--- a/2
+++ b/2
@ -790,7 +790,7 @@ subsonic:*:844:
 sogod:*:846:
 domoticz:*:847:
 graylog:*:848:
-# free: 849
+chronyd:*:849:
 # free: 850
 # free: 851
 # free: 852
--- a/2
+++ b/2
@ -795,7 +795,7 @@ subsonic:*:844:844::0:0:Subsonic standalone-server:/nonexistent:/usr/sbin/nologi
 sogod:*:846:846::0:0:SOGo groupware:/nonexistent:/usr/sbin/nologin
 domoticz:*:847:847::0:0:domoticz user:/nonexistent:/usr/sbin/nologin
 graylog:*:848:848::0:0:Graylog user:/nonexistent:/usr/sbin/nologin
-# free: 849
+chronyd:*:849:849::0:0:chronyd user:/nonexistent:/usr/sbin/nologin
 # free: 850
 # free: 851
 # free: 852
--- a/net/chrony/Makefile
+++ b/net/chrony/Makefile
@ -12,23 +12,24 @@ COMMENT=	System clock synchronization client and server
 LICENSE=	GPLv2
 LICENSE_FILE=	${WRKSRC}/COPYING

-BUILD_DEPENDS=	rubygem-asciidoctor>=0:textproc/rubygem-asciidoctor
+USERS=		chronyd
+GROUPS=		chronyd

-USES=		cpe gmake makeinfo readline
+USES=		cpe gmake libedit
 CPE_VENDOR=	tuxfamily
 HAS_CONFIGURE=	yes
 CONFIGURE_ARGS=	--prefix=${PREFIX} \
 		--chronyvardir=/var/db/${PORTNAME} \
 		--infodir=${PREFIX}/info \
 		--sysconfdir=${PREFIX}/etc --mandir=${MANPREFIX}/man \
-		--datarootdir=${DATADIR} --docdir=${DOCSDIR}
+		--datarootdir=${DATADIR} --docdir=${DOCSDIR} \
+		--with-user=chronyd
+LDFLAGS+=	-L${LOCALBASE}/lib
 USE_RC_SUBR=	chronyd

-ALL_TARGET=	all docs
-INSTALL_TARGET=	install install-docs
-EXTRAPORTDOCS=	FAQ NEWS README
-PORTDOCS=	chrony.conf.html chronyc.html chronyd.html faq.html \
-		installation.html ${EXTRAPORTDOCS}
+ALL_TARGET=	all
+INSTALL_TARGET=	install
+PORTDOCS=	FAQ NEWS README
 PORTEXAMPLES=	chrony.conf.example1 chrony.conf.example2 \
 		chrony.conf.example3 chrony.keys.example

@ -46,7 +47,8 @@ BROKEN_aarch64=		Fails to compile: invalid operands to binary expression (double
 post-install:
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/chronyc
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/chronyd
-	${INSTALL_DATA} ${EXTRAPORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}
+	@${MKDIR} ${STAGEDIR}${DOCSDIR}
+	${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}
 	@${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
 	${INSTALL_DATA} ${PORTEXAMPLES:S,^,${WRKSRC}/examples/,} \
 		${STAGEDIR}${EXAMPLESDIR}
--- a/net/chrony/pkg-message
+++ b/net/chrony/pkg-message
@ -1,5 +1,4 @@
 Unfortunately, this software has shameful history of several vulnerabilities
 previously discovered.  FreeBSD Project cannot guarantee that this spree had
-come to an end.  It is further complicated, as chronyd(8) requires superuser
-permissions to operate; please type ``make deinstall'' to deinstall the port
+come to an end.  Please type ``pkg delete chrony'' to deinstall the port
 if tight security is a concern.
--- a/net/chrony/pkg-plist
+++ b/net/chrony/pkg-plist
@ -4,4 +4,4 @@ man/man1/chronyc.1.gz
 man/man5/chrony.conf.5.gz
 man/man8/chronyd.8.gz
 sbin/chronyd
-@dir /var/db/chrony
+@dir(chronyd,chronyd) /var/db/chrony