- Fixed logcheck script silent failure in previous commit

- Added handling for crontab installation problems - Incorported security fixes from PR opened after previous commit - Added UPDATING entry since configuration options have changed fairly significantly PR: ports/122842 Submitted by: Cezary Morga <cm@therek.net> PR: ports/127255 Submitted by: Yasuhiro KIMURA <yasu at utahime dot org> Reviewed by: glarkin Approved by: beech (mentor, implicit) Approved by: portmgr (marcus) Security: Incorrect addition of logcheck user to wheel group
svn path=/head/; revision=220326
2008-09-11 00:30:09 +00:00 · 2008-09-11 00:30:09 +00:00 · 6e60a56931 · 2021-03-31 03:12:20 +00:00
commit 6e60a56931
parent 2f6da9c8fa
8 changed files with 115 additions and 40 deletions
--- a/2
+++ b/2
@ -144,4 +144,4 @@ iserv:*:911:911::0:0:Iserv Daemon:/nonexistent:/usr/sbin/nologin
 _sj3:*:912:912::0:0:SJ3 Daemon:/nonexistent:/usr/sbin/nologin
 _relayd:*:913:913::0:0:Relay Daemon:/var/empty:/usr/sbin/nologin
 bitlbee:*:914:914::0:0:Bitlbee pseudo-user:/nonexistent:/sbin/nologin
-logcheck:*:915:915::0:0:Logcheck system account:/var/lib/logcheck:/sbin/nologin
+logcheck:*:915:915::0:0:Logcheck system account:/var/lib/logcheck:/usr/local/bin/bash
--- a/48
+++ b/48
@ -6,6 +6,54 @@ You should get into the habit of checking this file for changes each
 time you update your ports collection, before attempting any port
 upgrades.

+20080909:
+  AFFECTS: users of security/logcheck
+  AUTHOR: glarkin@FreeBSD.org
+
+  logcheck now stores its configuration files in
+  /usr/local/etc/logcheck instead of /usr/local/etc. If you are
+  upgrading the port from version 1.1.1 to version 1.2.54, copy
+  the following files to a temporary directory, in case they are
+  removed during the upgrade:
+
+  /usr/local/etc/logcheck.hacking
+  /usr/local/etc/logcheck.ignore
+  /usr/local/etc/logcheck.violations
+  /usr/local/etc/logcheck.violations.ignore
+
+  e.g.:
+    cd /usr/local/etc
+    mkdir /tmp/logcheck.saveconf
+    cp logcheck.hacking logcheck.ignore logcheck.violations* \
+      /tmp/logcheck.saveconf
+
+  After the upgrade, integrate your local changes to the files listed
+  above into the new configuration files found in the following
+  directories:
+
+  /usr/local/etc/logcheck/cracking.d
+  /usr/local/etc/logcheck/ignore.d.paranoid
+  /usr/local/etc/logcheck/ignore.d.server
+  /usr/local/etc/logcheck/ignore.d.workstation
+  /usr/local/etc/logcheck/violations.d
+  /usr/local/etc/logcheck/violations.ignore.d
+
+  Please consult the following files for more information about
+  logcheck rules and reporting levels:
+
+  /usr/local/share/doc/logcheck/README.logcheck
+  /usr/local/share/doc/logcheck/README.logcheck-database
+
+  Also note that the upgraded port installs a crontab file for user
+  "logcheck" that executes the logcheck script every hour and emails
+  the results to root.  If the installation process cannot install
+  the crontab file, it can be installed manually from:
+
+  /usr/local/share/examples/logcheck/crontab.in
+
+  e.g.:
+    crontab -u logcheck /usr/local/share/examples/logcheck/crontab.in
+
 20080907:
  AFFECTS: users of www/mediawiki
  AUTHOR: miwi@FreeBSD.org
--- a/security/logcheck/Makefile
+++ b/security/logcheck/Makefile
@ -7,10 +7,9 @@

 PORTNAME=	logcheck
 PORTVERSION=	1.2.54
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
-MASTER_SITES=	ftp://ftp.debian.org/debian/pool/main/l/logcheck/ \
-		http://ftp.de.debian.org/debian/pool/main/l/logcheck/
+MASTER_SITES=	${MASTER_SITE_DEBIAN_POOL}
 DISTNAME=	${PORTNAME}_${PORTVERSION}

 MAINTAINER=	glarkin@FreeBSD.org
@ -18,12 +17,23 @@ COMMENT=	Auditing tool for system logs on Unix boxes

 BUILD_DEPENDS=	docbook-to-man:${PORTSDIR}/textproc/docbook-to-man
 RUN_DEPENDS=	lockfile:${PORTSDIR}/mail/procmail \
-		bash:${PORTSDIR}/shells/bash \
-		perl:${PORTSDIR}/lang/perl5
+		bash:${PORTSDIR}/shells/bash
+
+LOGCHECK_USER=	logcheck
+LOGCHECK_UID=	915
+LOGCHECK_GROUP=	${LOGCHECK_USER}
+LOGCHECK_GID=	${LOGCHECK_UID}
+
+# Enable Perl dependency for logtail script
+USE_PERL5=	5.8.0+

 WRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
 BINMODE=	755
 SHAREMODE=	640
+SUB_LIST+=	LOGCHECK_USER=${LOGCHECK_USER} \
+		LOGCHECK_UID=${LOGCHECK_UID} \
+		LOGCHECK_GROUP=${LOGCHECK_GROUP} \
+		LOGCHECK_GID=${LOGCHECK_GID}
 SUB_FILES=	pkg-install pkg-deinstall pkg-message
 CONFIG_DIRS=	cracking.d ignore.d.paranoid ignore.d.server \
 		ignore.d.workstation violations.d violations.ignore.d
@ -31,39 +41,39 @@ DOCS=		AUTHORS CHANGES CREDITS LICENSE TODO docs/README*
 PORTDOCS=	${DOCS:T}
 MAN8=		logcheck.8 logtail.8

-LOGCHECK_USER=	logcheck
-LOGCHECK_GROUP=	${LOGCHECK_USER}
-
 do-build:
 	${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \
-	${WRKSRC}/etc/logcheck.logfiles
-	${REINPLACE_CMD} -e 's!/etc/logcheck!/usr/local/etc/logcheck!' \
-	-e 's!/usr/share/doc/logcheck-database/README.logcheck-database.gz!${DOCSDIR}/README.logcheck-database!' \
-	${WRKSRC}/docs/logcheck.sgml
+		${WRKSRC}/etc/logcheck.logfiles
+	${REINPLACE_CMD} -e 's!/etc/logcheck!${ETCDIR}!' \
+		-e 's!/usr/share/doc/logcheck-database/README.logcheck-database.gz!${DOCSDIR}/README.logcheck-database!' \
+		${WRKSRC}/docs/logcheck.sgml
 	docbook-to-man ${WRKSRC}/docs/logcheck.sgml > ${WRKSRC}/docs/logcheck.8

 do-install:
 	${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${PREFIX}/sbin
 	${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${PREFIX}/sbin
 	@PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
-	@${INSTALL} -d /var/lib/logcheck
+	@${INSTALL} -d /var/db/logcheck
 	@${INSTALL} -d /var/run/logcheck
-	${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/lib/logcheck
+	${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/db/logcheck
 	@${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \
-		/var/lib/logcheck' >> ${TMPPLIST}
+		/var/db/logcheck' >> ${TMPPLIST}
 	${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/run/logcheck
 	@${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \
 		/var/run/logcheck' >> ${TMPPLIST}
 	@${INSTALL} -d ${ETCDIR}
-	@${INSTALL_DATA} ${WRKSRC}/etc/logcheck.conf ${ETCDIR}/logcheck.conf.sample
-	@${INSTALL_DATA} ${WRKSRC}/etc/logcheck.logfiles ${ETCDIR}/logcheck.logfiles.sample
+	@${INSTALL_DATA} ${WRKSRC}/etc/logcheck.conf \
+		${ETCDIR}/logcheck.conf.sample
+	@${INSTALL_DATA} ${WRKSRC}/etc/logcheck.logfiles \
+		${ETCDIR}/logcheck.logfiles.sample
 .for i in ${CONFIG_DIRS}
 	@${INSTALL} -d ${ETCDIR}/${i}
 	@${INSTALL_DATA} ${WRKSRC}/rulefiles/linux/${i}/* ${ETCDIR}/${i}
 .endfor
 .if !defined(NOPORTEXAMPLES)
 	@${INSTALL} -d ${EXAMPLESDIR}
-	@${INSTALL_DATA} ${WRKSRC}/debian/logcheck.cron.d ${EXAMPLESDIR}/crontab.in
+	@${INSTALL_DATA} ${WRKSRC}/debian/logcheck.cron.d \
+		${EXAMPLESDIR}/crontab.in
 .endif
 	${CHOWN} -R root:${LOGCHECK_GROUP} ${ETCDIR}
 	@${ECHO_CMD} '@exec ${CHOWN} -R root:${LOGCHECK_GROUP} \
--- a/security/logcheck/files/patch-src__logcheck
+++ b/security/logcheck/files/patch-src__logcheck
@ -1,5 +1,5 @@
 --- ./src/logcheck.orig	2007-01-16 01:13:27.000000000 -0500
-+++ ./src/logcheck	2008-09-06 19:11:28.000000000 -0400
+++ ./src/logcheck	2008-09-09 18:10:02.000000000 -0400
@@ -1,4 +1,4 @@
 -#!/bin/bash
 +#!/usr/local/bin/bash
@ -11,7 +11,7 @@
 if [ $UID == 0 ]; then
     echo "logcheck should not be run as root. Use su to invoke logcheck:"
 -    echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck"
-+    echo "su logcheck -c \"/usr/local/bin/bash /usr/local/sbin/logcheck${@:+ $@}\""
+    echo "su -m logcheck -c \"/usr/local/bin/bash /usr/local/sbin/logcheck${@:+ $@}\""
     echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}."
     # you may want to uncomment that hack to let logcheck invoke itself.
 -    # su -s /bin/bash -c "$0 $*" logcheck
@ -32,19 +32,20 @@
 # Set the default paths
 -RULEDIR="/etc/logcheck"
 -CONFFILE="/etc/logcheck/logcheck.conf"
-+RULEDIR="/usr/local/etc/logcheck"
-+CONFFILE="/usr/local/etc/logcheck/logcheck.conf"
- STATEDIR="/var/lib/logcheck"
+-STATEDIR="/var/lib/logcheck"
 -LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
 -LOGFILE_FALLBACK="/var/log/syslog"
 -LOGTAIL="/usr/sbin/logtail"
+RULEDIR="/usr/local/etc/logcheck"
+CONFFILE="/usr/local/etc/logcheck/logcheck.conf"
+STATEDIR="/var/db/logcheck"
 +LOGFILES_LIST="/usr/local/etc/logcheck/logcheck.logfiles"
 +LOGFILE_FALLBACK="/var/log/messages"
 +LOGTAIL="/usr/local/sbin/logtail"
 CAT="/bin/cat"
 SYSLOG_SUMMARY="/usr/bin/syslog-summary"
 
-@@ -87,20 +80,15 @@
+@@ -87,26 +80,21 @@
 SORTUNIQ=0
 SUPPORT_CRACKING_IGNORE=0
 SYSLOGSUMMARY=0
@ -69,6 +70,13 @@
     fi
 
     if [ -d $TMPDIR ]; then
+         # Remove the tmp directory
+         if [ $NOCLEANUP -eq 0 ];then 
+-    	    cd /var/lib/logcheck
+    	    cd /var/db/logcheck
+     	    debug "cleanup: Removing - $TMPDIR" 
+     	    rm -r $TMPDIR
+         else
@@ -142,14 +130,9 @@
     if [ "$2" = "noclean" ]; then
 	debug "error: Not removing lockfile"
--- a/security/logcheck/files/pkg-deinstall.in
+++ b/security/logcheck/files/pkg-deinstall.in
@ -1,7 +1,7 @@
 #!/bin/sh

-user="logcheck"
-group="logcheck"
+user="%%LOGCHECK_USER%%"
+group="%%LOGCHECK_GROUP%%"
 configfiles="logcheck.conf logcheck.logfiles"

 case $2 in
--- a/security/logcheck/files/pkg-install.in
+++ b/security/logcheck/files/pkg-install.in
@ -1,10 +1,12 @@
 #!/bin/sh

-user="logcheck"
-group="logcheck"
+user="%%LOGCHECK_USER%%"
+uid="%%LOGCHECK_UID%%"
+group="%%LOGCHECK_GROUP%%"
+gid="%%LOGCHECK_GID%%"
 descr="Logcheck system account"
-homedir="/var/lib/logcheck"
-shell="/usr/bin/false"
+homedir="/var/db/logcheck"
+shell="/usr/local/bin/bash"
 configfiles="logcheck.conf logcheck.logfiles"

 case $2 in
@ -12,13 +14,13 @@ PRE-INSTALL)
 	if pw group show ${group} > /dev/null 2>&1; then
 		echo "---> You already have a group \"${group}\", so I will use it."
 	else
-		pw group add "${group}"
+		pw group add "${group}" -g "${gid}"
 		echo "---> Created group \"${group}\"."
 	fi
 	if pw user show ${user} > /dev/null 2>&1; then
 		echo "---> You already have a user \"${user}\", so I will use it."
 	else
-		pw user add -n logcheck -c "${descr}" -d "${homedir}" -s "${shell}" -g logcheck -G wheel
+		pw user add -n ${user} -c "${descr}" -d "${homedir}" -s "${shell}" -g ${group} -u "${uid}"
 		echo "---> Created user \"${user}\"."
 	fi
 ;;
@ -34,8 +36,15 @@ POST-INSTALL)
 				echo "---> Installed crontab(5) file for user \"${user}\""
 			fi
 		else
-			/usr/bin/crontab -u "${user}" "%%EXAMPLESDIR%%/crontab.in" || exit 1
-			echo "---> Created crontab(5) file for user \"${user}\""
+			if grep -q "are not allowed to use this program" /tmp/logchecktab$$ ; then
+				echo "---> The logcheck user is not allowed to run crontab."
+				echo "---> Please check the contents of /var/cron/allow and /var/cron/deny"
+				echo "---> and grant access, if necessary."
+				exit 1
+			else
+				/usr/bin/crontab -u "${user}" "%%EXAMPLESDIR%%/crontab.in" || exit 1
+				echo "---> Created crontab(5) file for user \"${user}\""
+			fi
 		fi
 		rm -f /tmp/logchecktab$$
        fi
--- a/security/logcheck/files/pkg-message.in
+++ b/security/logcheck/files/pkg-message.in
@ -3,8 +3,8 @@ Please make sure that all files listed in

  %%PREFIX%%/etc/logcheck/logcheck.logfiles

-are readable to 'wheel' group (see also /etc/newsyslog.conf), or remove
-them from the aforementioned logcheck configuration file.
+are readable to the '%%LOGCHECK_GROUP%%' group (see also /etc/newsyslog.conf),
+or remove them from the aforementioned logcheck configuration file.

 For information on how to write local rulesets see

--- a/security/logcheck/pkg-plist
+++ b/security/logcheck/pkg-plist
@ -182,7 +182,7 @@ sbin/logtail
@dirrm %%ETCDIR%%/ignore.d.paranoid
@dirrm %%ETCDIR%%/cracking.d
@dirrm %%ETCDIR%%
-@exec mkdir -p /var/lib/logcheck
-@unexec rm -rf /var/lib/logcheck 2> /dev/null || true
+@exec mkdir -p /var/db/logcheck
+@dirrmtry /var/db/logcheck
@exec mkdir -p /var/run/logcheck
-@unexec rm -rf /var/run/logcheck 2> /dev/null || true
+@dirrmtry /var/run/logcheck