update to v4.05

add chroot/privdrop from Michael Schubert
jakob 2004-02-16 12:33:18 +00:00
parent 765d22c660
commit 0017031556
10 changed files with 195 additions and 14 deletions


@ -1,18 +1,20 @@
# $OpenBSD: Makefile,v 1.28 2003/11/23 02:06:46 pvalchev Exp $
# $OpenBSD: Makefile,v 1.29 2004/02/16 12:33:18 jakob Exp $
COMMENT= "SSL encryption wrapper for standard network daemons"
DISTNAME= stunnel-4.04
VERSION= 4.05
DISTNAME= stunnel-${VERSION}
CATEGORIES= security
MAINTAINER= Jakob Schlyter <jakob@openbsd.org>
# GPL
PERMIT_PACKAGE_CDROM= Yes
PERMIT_PACKAGE_FTP= Yes
PERMIT_DISTFILES_CDROM= Yes
PERMIT_DISTFILES_FTP= Yes
HOMEPAGE= http://stunnel.mirt.net/
HOMEPAGE= http://www.stunnel.org/
MASTER_SITES= ftp://stunnel.mirt.net/stunnel/ \
http://www.stunnel.org/download/stunnel/src/ \
@ -25,9 +27,9 @@ MASTER_SITES= ftp://stunnel.mirt.net/stunnel/ \
SEPARATE_BUILD= concurrent
CONFIGURE_STYLE= gnu
CONFIGURE_ARGS+= --with-tcp-wrappers \
--with-pem-dir=${SYSCONFDIR}/ssl \
--with-random=/dev/arandom \
--with-ssl=/usr \
--sysconfdir=${SYSCONFDIR} \
--localstatedir=/var \
${CONFIGURE_SHARED}
NO_REGRESS= Yes


@ -1,3 +1,3 @@
MD5 (stunnel-4.04.tar.gz) = 2fcdf0311a0ab8a3223293c706a84e97
RMD160 (stunnel-4.04.tar.gz) = cefc797f0f9cd3ebfffc5db11f1052b75435975a
SHA1 (stunnel-4.04.tar.gz) = 9f0f85eb0620ee4f4f68d833eb3f39eb31960f31
MD5 (stunnel-4.05.tar.gz) = e28a03cf694a43a7f144ec3d5c064456
RMD160 (stunnel-4.05.tar.gz) = 69ff19147d9faf721c19b56b393015632a5a30f2
SHA1 (stunnel-4.05.tar.gz) = a95b09ed88930fa432f47c5c5d3db770681fe715


@ -1,4 +1,4 @@
$OpenBSD$
$OpenBSD: patch-Makefile_in,v 1.1 2004/02/16 12:33:18 jakob Exp $
--- Makefile.in.orig Mon Sep 2 11:21:17 2002
+++ Makefile.in Mon Sep 2 11:21:21 2002
@@ -78,7 +78,7 @@ VERSION = @VERSION@


@ -0,0 +1,12 @@
--- src/stunnel.c.orig 2004-02-14 15:12:27.000000000 +0100
+++ src/stunnel.c 2004-02-16 13:06:48.000000000 +0100
@@ -176,8 +176,8 @@ static void daemon_loop(void) {
#if !defined (USE_WIN32) && !defined (__vms)
if(!(options.option.foreground))
daemonize();
- drop_privileges();
create_pid();
+ drop_privileges();
#endif /* !defined USE_WIN32 && !defined (__vms) */
/* create exec+connect services */
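Review bot: Moving `create_pid()` ahead of `drop_privileges()` means the PID file is now written with whatever privileges the daemon started with, and the reordered lines carry no comment saying why. `create_pid()` is not visible here, so it is worth confirming that it refuses to follow a symlink or reuse an existing file (for example by opening with `O_EXCL`), because that write presumably now happens as root. The unprivileged process will probably also be unable to remove the file at exit, leaving a stale PID file behind. I would add `/* write the PID file before dropping privileges: its path is outside the chroot and not writable by the unprivileged user */` above the call. The body of daemon_loop starts and ends outside the hunk.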


@ -1,8 +1,8 @@
$OpenBSD: patch-tools_Makefile_in,v 1.1 2002/10/30 11:10:35 jakob Exp $
--- tools/Makefile.in.orig Mon Sep 2 11:18:34 2002
+++ tools/Makefile.in Mon Sep 2 11:18:43 2002
$OpenBSD: patch-tools_Makefile_in,v 1.2 2004/02/16 12:33:18 jakob Exp $
--- tools/Makefile.in.orig 2004-02-14 15:31:34.000000000 +0100
+++ tools/Makefile.in 2004-02-16 13:06:48.000000000 +0100
@@ -90,7 +90,7 @@ examplesdir = $(docdir)/examples
examples_DATA = ca.html ca.pl importCA.html importCA.sh stunnel.spec stunnel.init
examples_DATA = ca.html ca.pl importCA.html importCA.sh script.sh stunnel.spec stunnel.init
-openssl = $(ssldir)/bin/openssl


@ -0,0 +1,41 @@
$OpenBSD: patch-tools_stunnel_conf-sample_in,v 1.1 2004/02/16 12:33:18 jakob Exp $
--- tools/stunnel.conf-sample.in.orig 2004-01-26 20:26:18.000000000 +0100
+++ tools/stunnel.conf-sample.in 2004-02-16 13:10:46.000000000 +0100
@@ -1,13 +1,14 @@
# Sample stunnel configuration file
# Copyright by Michal Trojnara 2002
+# Modified for OpenBSD by Michael Schubert 2003
# Comment it out on Win32
-cert = @prefix@/etc/stunnel/mail.pem
-chroot = @prefix@/var/run/stunnel/
+cert = @sysconfdir@/ssl/private/stunnel.pem
+chroot = @localstatedir@/stunnel/
# PID is created inside chroot jail
-pid = /stunnel.pid
-setuid = nobody
-setgid = nogroup
+pid = /var/run/stunnel.pid
+setuid = _stunnel
+setgid = _stunnel
# Workaround for Eudora bug
#options = DONT_INSERT_EMPTY_FRAGMENTS
@@ -16,13 +17,13 @@ setgid = nogroup
#verify = 2
# don't forget about c_rehash CApath
# it is located inside chroot jail:
-#CApath = /certs
+#CApath = @sysconfdir@/ssl/certs
# or simply use CAfile instead:
-#CAfile = @prefix@/etc/stunnel/certs.pem
+#CAfile = @sysconfdir@/ssl/certs.pem
# CRL path or file (inside chroot jail):
-#CRLpath = /crls
+#CRLpath = @sysconfdir@/ssl/crls
# or simply use CAfile instead:
-#CRLfile = @prefix@/etc/stunnel/crls.pem
+#CRLfile = @sysconfdir@/ssl/crls.pem
# Some debugging stuff
#debug = 7
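Review bot: The retained comment `# PID is created inside chroot jail` contradicts the new `pid = /var/run/stunnel.pid`, which, together with the src/stunnel.c patch in this commit, appears to be written before the jail is entered; it should read something like `# PID file is created before chroot, so this is a path on the real filesystem`. The same mismatch appears in the second hunk, where `#CApath = @sysconfdir@/ssl/certs` and `#CRLpath = @sysconfdir@/ssl/crls` still sit under "it is located inside chroot jail" and "(inside chroot jail)". If those directories are looked up after the chroot, as the original comments imply, an administrator who uncomments them gets an empty trust or revocation store unless the same tree is populated under `@localstatedir@/stunnel/`. The comments should say which root each path is resolved against.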


@ -0,0 +1,26 @@
#!/bin/sh
# $OpenBSD: DEINSTALL
#
# Stunnel de-installation
PATH=/bin:/usr/bin:/sbin:/usr/sbin
CONFIG_DIR=${SYSCONFDIR}/stunnel
CHROOT_DIR=/var/stunnel
STUNNELUSER=_stunnel
STUNNELGROUP=_stunnel
echo
echo " To completely deinstall the $1 package you need to perform"
echo " these steps as root (make sure stunnel is not running!):"
echo ""
echo " userdel $STUNNELUSER"
echo " groupdel $STUNNELGROUP"
echo " rm -rf $CONFIG_DIR"
echo " rm -rf $CHROOT_DIR"
echo " rm /var/run/stunnel.pid"
echo ""
echo " Do not do this if you plan on re-installing $1"
echo " at some future time."
echo
exit 0
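Review bot: The printed removal steps leave the server private key behind: the sample configuration in this commit points `cert` at `@sysconfdir@/ssl/private/stunnel.pem`, but only `$CONFIG_DIR`, `$CHROOT_DIR` and the PID file are listed. I would add a line such as `echo "	rm ${SYSCONFDIR}/ssl/private/stunnel.pem"` so that key material is not forgotten on a decommissioned host. The header tag `# $OpenBSD: DEINSTALL` is also malformed; a bare `# $OpenBSD$` would let the RCS keyword expand as it does in the INSTALL script.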


@ -0,0 +1,95 @@
#!/bin/sh
#
# $OpenBSD: INSTALL,v 1.1 2004/02/16 12:33:18 jakob Exp $
#
# Pre/post-installation setup of stunnel
PATH=/bin:/usr/bin:/sbin:/usr/sbin
PREFIX=${PKG_PREFIX:-/usr/local}
CONFIG_DIR=${SYSCONFDIR}/stunnel
SAMPLE_CONFIG_DIR=$PREFIX/share/examples/stunnel
CHROOT_DIR=/var/stunnel
STUNNELUSER=_stunnel
STUNNELGROUP=_stunnel
STUNNELUID=528
STUNNELGID=528
do_usergroup_install()
{
# Create stunnel user and group
groupinfo -e $STUNNELGROUP
if [ $? -eq 0 ]; then
echo "===> Using $STUNNELGROUP group for stunnel"
else
echo "===> Creating $STUNNELGROUP group for stunnel"
groupadd -g $STUNNELGID $STUNNELGROUP
fi
userinfo -e $STUNNELUSER
if [ $? -eq 0 ]; then
echo "===> Using $STUNNELUSER user for stunnel"
else
echo "===> Creating $STUNNELUSER user for stunnel"
useradd -u $STUNNELUID -g $STUNNELGROUP -d $CHROOT_DIR \
-L daemon -c 'stunnel account' -s /sbin/nologin $STUNNELUSER
fi
}
do_chroot_dir_install()
{
install -d -o root -g wheel -m 755 $CHROOT_DIR
}
do_notice_conf()
{
echo
echo " The existing $1 configuration files in $CONFIG_DIR have NOT"
echo " been changed. You may want to compare them to the current samples in"
echo " $SAMPLE_CONFIG_DIR, and update your configuration"
echo " files as needed."
echo
}
do_install_conf()
{
install -d -o root -g wheel -m 755 $CONFIG_DIR
install -o root -g wheel -m 644 $SAMPLE_CONFIG_DIR/stunnel.conf-sample \
$CONFIG_DIR/stunnel.conf
echo
echo " An $1 sample configuration file has been installed in $CONFIG_DIR."
echo " Please view this file and change the configuration to meet your needs."
echo
}
# verify proper execution
#
if [ $# -ne 2 ]; then
echo "usage: $0 distname { PRE-INSTALL | POST-INSTALL }" >&2
exit 1
fi
# Verify/process the command
#
case $2 in
PRE-INSTALL)
do_usergroup_install
;;
POST-INSTALL)
if [ ! -d $CHROOT_DIR ]; then
do_chroot_dir_install
fi
if [ ! -d $CONFIG_DIR ]; then
do_install_conf $1
elif [ ! -f $CONFIG_DIR/stunnel.conf ]; then
do_install_conf $1
else
do_notice_conf $1
fi
;;
*)
echo "usage: $0 distname { PRE-INSTALL | POST-INSTALL }" >&2
exit 1
;;
esac
exit 0
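Review bot: In `do_usergroup_install` the results of `groupadd` and `useradd` are never checked, so if uid/gid 528 is already taken the script still reaches `exit 0` and the package installs without the account that `setuid = _stunnel` depends on. I would write `groupadd -g $STUNNELGID $STUNNELGROUP || exit 1` and append the same `|| exit 1` to the `useradd` command. When `_stunnel` already exists the script accepts it as is, without looking at its shell or group, which deserves at least a comment. Expansions such as `$CHROOT_DIR` and `$CONFIG_DIR` are unquoted throughout; quoting them (`"$CONFIG_DIR"`) costs nothing.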


@ -2,3 +2,8 @@ After stunnel is installed, you have to create a server certificate and
put the result in /etc/ssl/private/stunnel.pem. For more information on
how to create certificates, read ssl(8). For more information on stunnel,
read stunnel(8).
You can edit /etc/rc.local so that stunnel is started automatically:
if [ -x ${PREFIX}/sbin/stunnel ]; then
echo -n ' stunnel'; ${PREFIX}/sbin/stunnel
fi


@ -1,5 +1,5 @@
@comment $OpenBSD: PLIST,v 1.4 2002/10/31 18:02:36 jakob Exp $
share/examples/stunnel/stunnel.conf-sample
@comment $OpenBSD: PLIST,v 1.5 2004/02/16 12:33:18 jakob Exp $
man/man8/stunnel.8
sbin/stunnel
share/examples/stunnel/stunnel.conf-sample
@dirrm share/examples/stunnel