* [gentoo-commits] repo/gentoo:master commit in: net-analyzer/ndoutils/files/, net-analyzer/ndoutils/
@ 2017-11-07 12:35 Michael Orlitzky
From: Michael Orlitzky @ 2017-11-07 12:35 UTC (permalink / raw
  To: gentoo-commits

commit:     a76473925572d2be605f50db49f33d2a19efbafd
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Tue Nov  7 00:37:59 2017 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Tue Nov  7 12:34:23 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7647392

net-analyzer/ndoutils: new version 2.1.3.

This is somewhat of a work in progress. The new version 2.1.3 is
intended mainly to fix the compatibility with modern versions of
nagios-core. However, there are still several fixes in the pipeline
that we're having to carry patches for in the meantime:

  * format-security warnings (upstream pull request 42)
  * default PID file location (upstream pull request 44)
  * asprintf compile warnings (upstream issue 43)
  * openrc service file improvements (not yet submitted)

The last patch has not been submitted because I'm waiting on a
response for upstream issue 45 that affects the init scripts.
Regardless, we might as well push out v2.1.3 now, since it has
to work better than v2.0.0.

Closes: https://bugs.gentoo.org/599452
Package-Manager: Portage-2.3.8, Repoman-2.3.3

 net-analyzer/ndoutils/Manifest                     |   2 +-
 net-analyzer/ndoutils/files/format-security.patch  | 115 +++++++++++++++++++++
 net-analyzer/ndoutils/files/ndo2db.init-nagios3    |  24 -----
 .../ndoutils/files/ndoutils-2.0.0-asprintf.patch   |   6 ++
 .../ndoutils/files/ndoutils-2.0.0-sleep.patch      |  10 --
 net-analyzer/ndoutils/files/openrc-init.patch      | 100 ++++++++++++++++++
 .../ndoutils/files/sample-config-piddir.patch      |  32 ++++++
 net-analyzer/ndoutils/ndoutils-2.0.0.ebuild        |  67 ------------
 net-analyzer/ndoutils/ndoutils-2.1.3.ebuild        |  89 ++++++++++++++++
 9 files changed, 343 insertions(+), 102 deletions(-)

diff --git a/net-analyzer/ndoutils/Manifest b/net-analyzer/ndoutils/Manifest
index 9f9ca5c4aaa..89f7e750e6a 100644
--- a/net-analyzer/ndoutils/Manifest
+++ b/net-analyzer/ndoutils/Manifest
@@ -1 +1 @@
-DIST ndoutils-2.0.0.tar.gz 2207263 SHA256 b95047c812fb61465e66a9e1a6d4a42bf00620f334f08a6faf5afe20bdd43ba1 SHA512 c899c9f9d0a14995ae7e3fc9f8566891acef9186cc53f05e4f509e9dd01a19a17d32c746a4a1c125342ebffad65946c7a3ea11da68ce0ff240bd37e85334545c WHIRLPOOL d3e41eb5e2a3ea9a5ca0d24fc8319beaa914d2bcb16c187ab6c5f5a3f133c27756ecdc2b6302a75c015294a1b2c3cc48d3c87a540ae1b9b07a21eb427b45d181
+DIST ndoutils-2.1.3.tar.gz 2182999 SHA256 2517ee737359f16d7f24b13ef2a9a41775bf7e8396a3ecaa7c45758d3ca9ce0a SHA512 727f2051876ff32cafaf9993a69b721ae4ea81031fade12262dbb4c5399c601f3c1af362d9d550e1d6d56fac8fe044d515dc10fc43e7d4d3e981bc9a89db88de WHIRLPOOL 9fb7cf6438da9baad6036b91bac62b8df1a494f0be00d3926e6603fe3783bd8722107ee63280c25f377d942f4a720d9aed04991ff24e2817b045161d142d34a7

diff --git a/net-analyzer/ndoutils/files/format-security.patch b/net-analyzer/ndoutils/files/format-security.patch
new file mode 100644
index 00000000000..75be7dc3210
--- /dev/null
+++ b/net-analyzer/ndoutils/files/format-security.patch
@@ -0,0 +1,115 @@
+From 07891e8fcf692552c57e64429fd52da9e682f6d2 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Sat, 22 Jul 2017 16:38:03 -0400
+Subject: [PATCH 1/1] src/queue.c: fix format-security warnings with explicit
+ "%s" format string.
+
+The syslog() function takes as its second argument a format string (a
+la printf), but if the third parameter is a string, then the format
+string can be omitted. This has led to security vulnerabilities in the
+past, and compilers can now warn about it. In particular, GCC has the
+-Wformat-security option, which can be made an error with
+-Werror=format-security.
+
+A few such two-argument calls were present in src/queue.c, where
+constant strings were being logged to syslog. This commit adds the
+second format string parameter (simply "%s" in this case) to avoid the
+compiler warnings.
+
+More information about format-security can be found in Fedora's FAQ:
+
+  https://fedoraproject.org/wiki/Format-Security-FAQ
+---
+ src/queue.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/src/queue.c b/src/queue.c
+index 8cb7445..50bb519 100644
+--- a/src/queue.c
++++ b/src/queue.c
+@@ -50,7 +50,7 @@ void del_queue() {
+ 	struct msqid_ds buf;
+ 
+ 	if (msgctl(queue_id,IPC_RMID,&buf) < 0) {
+-		syslog(LOG_ERR,"Error: queue remove error.\n");
++		syslog(LOG_ERR, "%s", "Error: queue remove error.\n");
+ 	}
+ }
+ 
+@@ -58,7 +58,7 @@ int get_queue_id(int id) {
+ 	key_t key = ftok(NDO_QUEUE_PATH, NDO_QUEUE_ID+id);
+ 
+ 	if ((queue_id = msgget(key, IPC_CREAT | 0600)) < 0) {
+-		syslog(LOG_ERR,"Error: queue init error.\n");
++		syslog(LOG_ERR, "%s", "Error: queue init error.\n");
+ 	}
+ }
+ 
+@@ -99,7 +99,7 @@ void log_retry( void) {
+ 		if(msgctl(queue_id, IPC_STAT, &queue_stats)) {
+ 			sprintf(curstats, "Unable to determine current message queue usage: error reading IPC_STAT: %d", errno);
+ 			sprintf(logmsg, logfmt, curstats);
+-			syslog(LOG_ERR, logmsg);
++			syslog(LOG_ERR, "%s", logmsg);
+ 			}
+ 		else {
+ #if defined( __linux__)
+@@ -108,24 +108,24 @@ void log_retry( void) {
+ 			if( msgmni < 0) {
+ 				sprintf(curstats, "Unable to determine current message queue usage: error reading IPC_INFO: %d", errno);
+ 				sprintf(logmsg, logfmt, curstats);
+-				syslog(LOG_ERR, logmsg);
++				syslog(LOG_ERR, "%s", logmsg);
+ 				}
+ 			else {
+ 				sprintf(curstats, statsfmt, queue_stats.msg_qnum,
+ 						(unsigned long)msgmni, queue_stats.__msg_cbytes,
+ 						queue_stats.msg_qbytes);
+ 				sprintf(logmsg, logfmt, curstats);
+-				syslog(LOG_ERR, logmsg);
++				syslog(LOG_ERR, "%s", logmsg);
+ 				}
+ #else
+ 			sprintf(logmsg, logfmt, "");
+-			syslog(LOG_ERR, logmsg);
++			syslog(LOG_ERR, "%s", logmsg);
+ #endif
+ 			}
+ 		last_retry_log_time = now;
+ 		}
+ 	else {
+-		syslog(LOG_ERR,"Warning: queue send error, retrying...\n");
++		syslog(LOG_ERR, "%s", "Warning: queue send error, retrying...\n");
+ 		}
+ }
+ 
+@@ -155,14 +155,14 @@ void push_into_queue (char* buf) {
+ 					#endif
+ 				}
+ 				if (retrynum < MAX_RETRIES) {
+-					syslog(LOG_ERR,"Message sent to queue.\n");
++					syslog(LOG_ERR, "%s", "Message sent to queue.\n");
+ 					}
+ 				else {
+-					syslog(LOG_ERR,"Error: max retries exceeded sending message to queue. Kernel queue parameters may need to be tuned. See README.\n");
++					syslog(LOG_ERR, "%s", "Error: max retries exceeded sending message to queue. Kernel queue parameters may need to be tuned. See README.\n");
+ 				}
+ 			}
+ 		else {
+-			syslog(LOG_ERR,"Error: queue send error.\n");
++			syslog(LOG_ERR, "%s", "Error: queue send error.\n");
+ 			}
+ 		}
+ 
+@@ -175,7 +175,7 @@ char* pop_from_queue() {
+ 	zero_string(msg.text, NDO_MAX_MSG_SIZE);
+ 
+ 	if (msgrcv(queue_id, &msg, queue_buff_size, NDO_MSG_TYPE, MSG_NOERROR) < 0) {
+-		syslog(LOG_ERR,"Error: queue recv error.\n");
++		syslog(LOG_ERR, "%s", "Error: queue recv error.\n");
+ 	}
+ 
+ 	int size = strlen(msg.text);
+-- 
+2.13.0
+
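Review bot: The `sprintf(logmsg, logfmt, curstats)` and `sprintf(curstats, "...IPC_STAT: %d", errno)` calls kept as context in log_retry() are unbounded writes into buffers declared outside this hunk; since the patch already rewrites every log line in that function, bounding them at the same time — `snprintf(logmsg, sizeof logmsg, logfmt, curstats);` and likewise for curstats — would close the overflow class that sits right beside the format-string one. That assumes logmsg and curstats are fixed-size arrays in scope; if they are pointers, pass the allocated length instead. Separately, get_queue_id() is declared `int` yet the hunk appears to show it falling off its closing brace after the `if`, so any caller that reads its result invokes undefined behaviour; end it with `return queue_id;` (or declare it void) and check the `ftok()` result for `(key_t)-1` before handing it to msgget(). log_retry() and push_into_queue() extend beyond the hunk's context lines.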

diff --git a/net-analyzer/ndoutils/files/ndo2db.init-nagios3 b/net-analyzer/ndoutils/files/ndo2db.init-nagios3
deleted file mode 100644
index 3e1e262f6e0..00000000000
--- a/net-analyzer/ndoutils/files/ndo2db.init-nagios3
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2010 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-depends() {
-	before nagios
-	need mysql
-}
-
-start() {
-	ebegin "Starting ndo2db"
-	if [ -S /var/nagios/ndo.sock ] ; then
-		rm -f /var/nagios/ndo.sock
-	fi
-	start-stop-daemon --start --quiet --exec /usr/bin/ndo2db \
-	-- -c /etc/nagios/ndo2db.cfg
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping ndo2db"
-	start-stop-daemon --stop --quiet --exec /usr/bin/ndo2db
-	eend $?
-}

diff --git a/net-analyzer/ndoutils/files/ndoutils-2.0.0-asprintf.patch b/net-analyzer/ndoutils/files/ndoutils-2.0.0-asprintf.patch
index 146132c21de..21cf837ba36 100644
--- a/net-analyzer/ndoutils/files/ndoutils-2.0.0-asprintf.patch
+++ b/net-analyzer/ndoutils/files/ndoutils-2.0.0-asprintf.patch
@@ -1,3 +1,9 @@
+This is a fix for the QA warnings that result from using asprintf()
+without defining it. That happens because asprintf() is a GNU
+extension, but somehow gets used before _GNU_SOURCE is defined.
+
+Upstream-Bug: https://github.com/NagiosEnterprises/ndoutils/issues/43
+
 --- a/include/config.h.in
 +++ b/include/config.h.in
 @@ -9,6 +9,7 @@

diff --git a/net-analyzer/ndoutils/files/ndoutils-2.0.0-sleep.patch b/net-analyzer/ndoutils/files/ndoutils-2.0.0-sleep.patch
deleted file mode 100644
index 61694baee9e..00000000000
--- a/net-analyzer/ndoutils/files/ndoutils-2.0.0-sleep.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- a/src/queue.c
-+++ b/src/queue.c
-@@ -8,6 +8,7 @@
- #include "../include/queue.h"
- #include <errno.h>
- #include <time.h>
-+#include <unistd.h> /* sleep() */
- 
- #define RETRY_LOG_INTERVAL	600		/* Seconds */
- #define MAX_RETRIES	20				/* Max number of times to retry sending message */

diff --git a/net-analyzer/ndoutils/files/openrc-init.patch b/net-analyzer/ndoutils/files/openrc-init.patch
new file mode 100644
index 00000000000..07fcc63b7f3
--- /dev/null
+++ b/net-analyzer/ndoutils/files/openrc-init.patch
@@ -0,0 +1,100 @@
+From 61c6e9295bae755713b403626f702b5ac90f2448 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Sat, 22 Jul 2017 17:25:29 -0400
+Subject: [PATCH 1/1] startup: simplify the OpenRC init scripts and conf file.
+
+This commit largely rewrites the OpenRC init script with the goal of
+simplifying it. The end result should be functionally the same, but is
+much shorter. The changes are as follows:
+
+ 1. Replace the deprecated /sbin/runscript shebang with /sbin/openrc-run.
+
+ 2. Replace the existing dependencies with "need mysql nagios". The
+    ndo2db daemon needs Nagios to create the TCP or Unix socket over
+    which it will communicate, and obviously it needs mysql to be
+    up and running in order to save any data. The dependencies
+    of mysql and nagios themselves will bring up whatever else is
+    required; nothing else needs to be listed as a dependency of
+    ndo2db.
+
+ 3. Use the "command", "command_args", and "pidfile" OpenRC
+    variables. OpenRC is smart enough to start and stop a well-behaved
+    daemon on its own without a custom start/stop function. By
+    specifying those three variables, we are able to eliminate much of
+    the custom start/stop code in the init script.
+
+Finally, the default value of NDO2DB_CFG in the associated conf file has
+been updated to use @sysconfdir@ instead of @pkgsysconfdir@, which wasn't
+having any effect.
+---
+ startup/openrc-conf.in |  6 ++----
+ startup/openrc-init.in | 42 +++++++++---------------------------------
+ 2 files changed, 11 insertions(+), 37 deletions(-)
+
+diff --git a/startup/openrc-conf.in b/startup/openrc-conf.in
+index d7b5474..69b15b5 100644
+--- a/startup/openrc-conf.in
++++ b/startup/openrc-conf.in
+@@ -1,4 +1,2 @@
+-# /etc/conf.d/ndo2db : config file for /etc/init.d/ndo2db
+-
+-# Configuration file - default is @sysconfdir@/ndo2db.cfg
+-NDO2DB_CFG="@pkgsysconfdir@/ndo2db.cfg"
++# The configuration file to use for ndo2db.
++NDO2DB_CFG="@sysconfdir@/ndo2db.cfg"
+diff --git a/startup/openrc-init.in b/startup/openrc-init.in
+index 119e074..7b3fb40 100644
+--- a/startup/openrc-init.in
++++ b/startup/openrc-init.in
+@@ -1,39 +1,15 @@
+-#!/sbin/runscript
++#!/sbin/openrc-run
+ #
+-# Copyright (c) 2016 Nagios(R) Core(TM) Development Team
++# Copyright (c) 2017 Nagios(R) Core(TM) Development Team
+ #
+-# Start/stop the Nagios Data Out Daemon.
+-#
+-# Goes in /etc/init.d - Config is in /etc/conf.d/ndo2db
+ 
+-NDO2DB_BIN="@sbindir@/ndo2db"
+-NDO2DB_PID="@piddir@/ndo2db.pid"
++command="@sbindir@/ndo2db"
++command_args="-c ${NDO2DB_CFG}"
++description="Nagios Data Out daemon"
++pidfile="@piddir@/ndo2db.pid"
+ 
+ depend() {
+-	use logger dns net localmount netmount nfsmount
+-}
+-
+-checkconfig() {
+-	# Make sure the config file exists
+-	if [ ! -f $NDO2DB_CFG ]; then
+-		eerror "You need to setup $NDO2DB_CFG.
+-		return 1
+-	fi
+-	return 0
+-}
+-
+-start() {
+-	checkconfig || return 1
+-	ebegin "Starting ndo2db"
+-	# Make sure we have a sane current directory
+-	cd /
+-	start-stop-daemon --start --exec $NDO2DB_BIN --pidfile $PID_FILE \
+-		-- -c $NDO2DB_CFG -f
+-	eend $?
+-}
+-
+-stop() {
+-	ebegin "Stopping ndo2db"
+-	start-stop-daemon --stop --exec $NDO2DB_BIN --pidfile $PID_FILE
+-	eend $?
++    # The Nagios core daemon creates the socket that ndo2db tries to
++    # connect to upon starting.
++    need mysql nagios
+ }
+-- 
+2.13.0
+
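Review bot: The rewritten init script drops the config-existence check that the old checkconfig() performed, and nothing replaces it: with `command_args="-c ${NDO2DB_CFG}"` an unset or mistyped NDO2DB_CFG yields a bare `-c` and the daemon is started anyway, which is not "functionally the same" as the description claims. OpenRC has a one-line declarative equivalent: add `required_files="${NDO2DB_CFG}"` next to `pidfile=`, and the service refuses to start with a clear error when the file is missing. A short comment above it, `# refuse to start without the config rather than let ndo2db guess`, records why it is there.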

diff --git a/net-analyzer/ndoutils/files/sample-config-piddir.patch b/net-analyzer/ndoutils/files/sample-config-piddir.patch
new file mode 100644
index 00000000000..90203820498
--- /dev/null
+++ b/net-analyzer/ndoutils/files/sample-config-piddir.patch
@@ -0,0 +1,32 @@
+From 560db1e2bc79bb3321c5f431e149418ec3c28a98 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Sun, 23 Jul 2017 07:13:46 -0400
+Subject: [PATCH 1/1] config/ndo2db.cfg-sample.in: use @piddir@ for the pid
+ file.
+
+The "lock_file" setting in ndo2db.cfg specifies where the daemon's pid
+file should be stored. In the past, it was stored in @localstatedir@,
+but @piddir@ is more appropriate. As evidence, all of the init scripts
+in the "startup" directory reference @piddir@ and not @localstatedir@
+for the location of the pid file. This commit updates the sample
+config to agree with the init scripts.
+---
+ config/ndo2db.cfg-sample.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/ndo2db.cfg-sample.in b/config/ndo2db.cfg-sample.in
+index 75266dc..5b46fc9 100644
+--- a/config/ndo2db.cfg-sample.in
++++ b/config/ndo2db.cfg-sample.in
+@@ -10,7 +10,7 @@
+ # This is the lockfile that NDO2DB will use to store its PID number
+ # in when it is running in daemon mode.
+ 
+-lock_file=@localstatedir@/ndo2db.pid
++lock_file=@piddir@/ndo2db.pid
+ 
+ 
+ 
+-- 
+2.13.0
+

diff --git a/net-analyzer/ndoutils/ndoutils-2.0.0.ebuild b/net-analyzer/ndoutils/ndoutils-2.0.0.ebuild
deleted file mode 100644
index b813b079881..00000000000
--- a/net-analyzer/ndoutils/ndoutils-2.0.0.ebuild
+++ /dev/null
@@ -1,67 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-inherit eutils user
-
-MY_P=${P/_beta/b}
-
-DESCRIPTION="Nagios addon to store Nagios data in a MySQL database"
-HOMEPAGE="http://www.nagios.org"
-SRC_URI="mirror://sourceforge/nagios/${MY_P}.tar.gz"
-
-LICENSE="GPL-2"
-SLOT="0"
-KEYWORDS="~amd64 ~x86 ~ppc"
-
-DEPEND="
-	dev-perl/DBD-mysql
-	dev-perl/DBI
-	virtual/mysql
-"
-RDEPEND="
-	${DEPEND}
-	>=net-analyzer/nagios-core-3.0
-"
-
-S="${WORKDIR}/${MY_P}"
-
-pkg_setup() {
-	enewgroup nagios
-	enewuser nagios -1 /bin/bash /var/nagios/home nagios
-}
-
-src_prepare() {
-	epatch \
-		"${FILESDIR}"/${P}-asprintf.patch \
-		"${FILESDIR}"/${P}-sleep.patch
-}
-
-src_configure() {
-	econf \
-		--sysconfdir=/etc/nagios \
-		--enable-mysql
-}
-
-DOCS=(
-	'docs/NDOUTILS DB Model.pdf'
-	'docs/NDOUtils Documentation.pdf'
-	Changelog
-	README
-	REQUIREMENTS
-	TODO
-	UPGRADING
-)
-
-src_install() {
-	default
-	emake DESTDIR="${D}" install-config
-
-	newinitd "${FILESDIR}"/ndo2db.init-nagios3 ndo2db
-}
-
-pkg_postinst() {
-	elog "To include NDO in your Nagios setup you'll need to activate the NDO broker module"
-	elog "in /etc/nagios/nagios.cfg:"
-	elog "\tbroker_module=/usr/bin/ndomod-3x.o config_file=/etc/nagios/ndomod.cfg"
-}

diff --git a/net-analyzer/ndoutils/ndoutils-2.1.3.ebuild b/net-analyzer/ndoutils/ndoutils-2.1.3.ebuild
new file mode 100644
index 00000000000..1872b7849d8
--- /dev/null
+++ b/net-analyzer/ndoutils/ndoutils-2.1.3.ebuild
@@ -0,0 +1,89 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit systemd
+
+DESCRIPTION="Nagios addon to store Nagios data in a MySQL database"
+HOMEPAGE="http://www.nagios.org/"
+SRC_URI="https://github.com/NagiosEnterprises/${PN}/archive/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~x86"
+
+# We require the "nagios" user from net-analyzer/nagios-core at build
+# time.
+DEPEND="dev-perl/DBD-mysql
+	dev-perl/DBI
+	>=net-analyzer/nagios-core-4
+	virtual/mysql"
+RDEPEND="${DEPEND}"
+
+S="${WORKDIR}/${PN}-${P}"
+
+DOCS=(
+	Changelog
+	README
+	THANKS
+	TODO
+	UPGRADING
+	"docs/NDOUTILS DB Model.pdf"
+	"docs/NDOUtils Documentation.pdf"
+)
+
+PATCHES=(
+	"${FILESDIR}/format-security.patch"
+	"${FILESDIR}/ndoutils-2.0.0-asprintf.patch"
+	"${FILESDIR}/sample-config-piddir.patch"
+	"${FILESDIR}/openrc-init.patch"
+)
+
+src_configure() {
+	# The localstatedir is where our socket will be created by the
+	# nagios daemon, so we put it in /var/nagios where the "nagios" user
+	# will be able to write.
+	#
+	# And normally, we would use /run for the pid file, but the daemon
+	# drops permissions before creating it, the the piddir also needs
+	# to be writable by the nagios user.
+	econf --enable-mysql \
+		  --localstatedir=/var/nagios \
+		  --sysconfdir=/etc/nagios \
+		  --with-piddir=/var/nagios
+}
+
+src_compile() {
+	# Avoid "emake all" so that we don't build the stuff for nagios-2.x
+	# and nagios-3.x, some of which throws QA warnings. We don't use it
+	# anyway.
+	pushd src
+	emake file2sock log2ndo ndo2db-4x ndomod-4x.o sockdebug
+	popd
+}
+
+src_install() {
+	default
+	insinto /etc/nagios
+	newins config/ndo2db.cfg-sample ndo2db.cfg
+	newins config/ndomod.cfg-sample ndomod.cfg
+	newinitd "startup/openrc-init" ndo2db
+	newconfd "startup/openrc-conf" ndo2db
+	systemd_newunit "startup/default-service" "${PN}.service"
+
+	# The documentation isn't installed by the build system
+	dodoc -r docs/html
+
+	# Use symlinks because the installdb/upgradedb scripts use relative
+	# paths to the SQL queries.
+	insinto "/usr/share/${PN}"
+	doins -r db
+	dosym "/usr/share/${PN}/db/installdb" /usr/bin/ndoutils-installdb
+	dosym "/usr/share/${PN}/db/upgradedb" /usr/bin/ndoutils-upgradedb
+}
+
+pkg_postinst() {
+	elog "To include NDO in your Nagios setup, you'll need to activate"
+	elog "the NDO broker module in /etc/nagios/nagios.cfg:"
+	elog "  broker_module=/usr/bin/ndomod.o config_file=/etc/nagios/ndomod.cfg"
+}
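Review bot: `pushd src` and `popd` in src_compile() are unchecked; Gentoo convention is `pushd src >/dev/null || die` and `popd >/dev/null || die`, otherwise a failed chdir runs `emake file2sock …` in ${S} and fails with a confusing missing-target error instead of a precise one. The src_configure() comment also deserves to state its consequence outright: because /var/nagios is writable by the unprivileged nagios user, ndo2db.pid is controllable from that account, so the init script's stop path depends on start-stop-daemon verifying that the pid it reads belongs to ${command} — I believe OpenRC does this when both `pidfile` and `command` are set, but confirm it and add `# pid file lives in a nagios-writable dir; stop relies on s-s-d matching the pid against command` to the comment. Minor: "the the piddir" in that comment should read "so the piddir".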



* [gentoo-commits] repo/gentoo:master commit in: net-analyzer/ndoutils/files/, net-analyzer/ndoutils/
@ 2024-03-03  1:20 Michael Orlitzky
From: Michael Orlitzky @ 2024-03-03  1:20 UTC (permalink / raw
  To: gentoo-commits

commit:     c7e73e064b21d7ca3acddc2b1ee145fc84929127
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Sun Mar  3 01:15:16 2024 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Sun Mar  3 01:18:39 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7e73e06

net-analyzer/ndoutils: fix executable permissions and ownership

Closes: https://bugs.gentoo.org/926033
Closes: https://bugs.gentoo.org/926034
Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>

 .../files/secure-install-permissions.patch         | 183 +++++++++++++++++++++
 ...ls-2.1.3-r3.ebuild => ndoutils-2.1.3-r4.ebuild} |  28 +++-
 2 files changed, 203 insertions(+), 8 deletions(-)

diff --git a/net-analyzer/ndoutils/files/secure-install-permissions.patch b/net-analyzer/ndoutils/files/secure-install-permissions.patch
new file mode 100644
index 000000000000..a4c50ab6cedc
--- /dev/null
+++ b/net-analyzer/ndoutils/files/secure-install-permissions.patch
@@ -0,0 +1,183 @@
+From 18ef12037f4a68772d6840cbaa08aa2da07d2891 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Sat, 2 Mar 2024 19:30:54 -0500
+Subject: [PATCH 1/2] configure.ac: don't install binaries as
+ ndo2db_user:ndo2db_group
+
+In configure.ac we were adding two flags to INSTALL_OPTS that change
+the owner:group of all installed files to ndo2db_user:ndo2db_group.
+This is often a security vulnerability, since executables (we have a
+few) are typically installed into everyone's PATH. If root ever
+executes them, the ndo2db_user can take advantage of the situation to
+run malicious code as root.
+
+Fortunately the change in ownership is not really needed. We simply
+drop the INSTALL_OPTS, which are used for nothing else, allowing our
+files to be installed as the user who is doing the installing. When
+installing to one of the system PATHs, that will almost always be
+root.
+---
+ Makefile.in                    |  9 ++++-----
+ configure.ac                   |  2 --
+ docs/docbook/en-en/Makefile.in |  1 -
+ src/Makefile.in                | 31 +++++++++++++++----------------
+ 4 files changed, 19 insertions(+), 24 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 58c9f0f..68774c2 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -37,7 +37,6 @@ INSTALL=@INSTALL@
+ GREP=@GREP@
+ EGREP=@EGREP@
+ 
+-INSTALL_OPTS=@INSTALL_OPTS@
+ OPSYS=@opsys@
+ DIST=@dist_type@
+ 
+@@ -98,10 +97,10 @@ install:
+ 	@echo ""
+ 
+ install-config:
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(CFGDIR)
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(PIPEDIR)
+-	$(INSTALL) -m 644 $(INSTALL_OPTS) config/ndo2db.cfg-sample $(DESTDIR)$(CFGDIR)
+-	$(INSTALL) -m 644 $(INSTALL_OPTS) config/ndomod.cfg-sample $(DESTDIR)$(CFGDIR)
++	$(INSTALL) -m 775 -d $(DESTDIR)$(CFGDIR)
++	$(INSTALL) -m 775 -d $(DESTDIR)$(PIPEDIR)
++	$(INSTALL) -m 644 config/ndo2db.cfg-sample $(DESTDIR)$(CFGDIR)
++	$(INSTALL) -m 644 config/ndomod.cfg-sample $(DESTDIR)$(CFGDIR)
+ 	@echo ""
+ 	@echo "*** Config files installed ***"
+ 	@echo ""
+diff --git a/configure.ac b/configure.ac
+index 58b47a4..3279397 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -317,8 +317,6 @@ AC_ARG_WITH(ndo2db_user,AC_HELP_STRING([--with-ndo2db-user=<user>],[sets user na
+ AC_ARG_WITH(ndo2db_group,AC_HELP_STRING([--with-ndo2db-group=<group>],[sets group name to run NDO2DB]),ndo2db_group=$withval,ndo2db_group=nagios)
+ AC_SUBST(ndo2db_user)
+ AC_SUBST(ndo2db_group)
+-INSTALL_OPTS="-o $ndo2db_user -g $ndo2db_group"
+-AC_SUBST(INSTALL_OPTS)
+ 
+ 
+ dnl Does the user want to check for systemd?
+diff --git a/docs/docbook/en-en/Makefile.in b/docs/docbook/en-en/Makefile.in
+index d72b68c..29e1e1e 100644
+--- a/docs/docbook/en-en/Makefile.in
++++ b/docs/docbook/en-en/Makefile.in
+@@ -13,7 +13,6 @@ BINDIR=@bindir@
+ LIBEXECDIR=@libexecdir@
+ DATAROOTDIR=@datarootdir@
+ INSTALL=@INSTALL@
+-INSTALL_OPTS=@INSTALL_OPTS@
+ 
+ 
+ all:
+diff --git a/src/Makefile.in b/src/Makefile.in
+index 532cc82..352a768 100644
+--- a/src/Makefile.in
++++ b/src/Makefile.in
+@@ -26,7 +26,6 @@ exec_prefix=@exec_prefix@
+ PIPEDIR=@localstatedir@
+ BINDIR=@bindir@
+ INSTALL=@INSTALL@
+-INSTALL_OPTS=@INSTALL_OPTS@
+ 
+ CC=@CC@
+ 
+@@ -126,9 +125,9 @@ distclean: clean
+ devclean: distclean
+ 
+ install: install-4x
+-	$(INSTALL) -m 774 $(INSTALL_OPTS) file2sock $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 774 $(INSTALL_OPTS) log2ndo $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 774 $(INSTALL_OPTS) sockdebug $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 774 file2sock $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 774 log2ndo $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 774 sockdebug $(DESTDIR)$(BINDIR)
+ 	@echo ""
+ 	@echo "  Hint: NDOUtils Installation against Nagios v4.x"
+ 	@echo "  completed."
+@@ -147,20 +146,20 @@ install: install-4x
+ 	@echo ""
+ 
+ install-2x:
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(PIPEDIR)
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 755 $(INSTALL_OPTS) ndo2db-2x $(DESTDIR)$(BINDIR)/ndo2db
+-	$(INSTALL) -m 755 $(INSTALL_OPTS) ndomod-2x.o $(DESTDIR)$(BINDIR)/ndomod.o
++	$(INSTALL) -m 775 -d $(DESTDIR)$(PIPEDIR)
++	$(INSTALL) -m 775 -d $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 755 ndo2db-2x $(DESTDIR)$(BINDIR)/ndo2db
++	$(INSTALL) -m 755 ndomod-2x.o $(DESTDIR)$(BINDIR)/ndomod.o
+ 
+ install-3x:
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(PIPEDIR)
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 755 $(INSTALL_OPTS) ndo2db-3x $(DESTDIR)$(BINDIR)/ndo2db
+-	$(INSTALL) -m 755 $(INSTALL_OPTS) ndomod-3x.o $(DESTDIR)$(BINDIR)/ndomod.o
++	$(INSTALL) -m 775 -d $(DESTDIR)$(PIPEDIR)
++	$(INSTALL) -m 775 -d $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 755 ndo2db-3x $(DESTDIR)$(BINDIR)/ndo2db
++	$(INSTALL) -m 755 ndomod-3x.o $(DESTDIR)$(BINDIR)/ndomod.o
+ 
+ install-4x:
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(PIPEDIR)
+-	$(INSTALL) -m 775 $(INSTALL_OPTS) -d $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 755 $(INSTALL_OPTS) ndo2db-4x $(DESTDIR)$(BINDIR)/ndo2db
+-	$(INSTALL) -m 755 $(INSTALL_OPTS) ndomod-4x.o $(DESTDIR)$(BINDIR)/ndomod.o
++	$(INSTALL) -m 775 -d $(DESTDIR)$(PIPEDIR)
++	$(INSTALL) -m 775 -d $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 755 ndo2db-4x $(DESTDIR)$(BINDIR)/ndo2db
++	$(INSTALL) -m 755 ndomod-4x.o $(DESTDIR)$(BINDIR)/ndomod.o
+ 
+-- 
+2.43.0
+
+From 69a80d6a9bf1196ffcfffa7f756633bb13a62b5f Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Sat, 2 Mar 2024 19:52:47 -0500
+Subject: [PATCH 2/2] src/Makefile.in: install all executables with mode 0755
+
+Three executables -- file2sock, log2ndo, and sockdebug -- are
+currently being installed group-writable but not
+world-executable. This is in contrast with the other two executables,
+ndo2db and ndomod.o, that are installed mode 0755.
+
+Having recently removed the INSTALL_OPTS that were altering the
+owner:group of these files, there is no longer any security risk to
+mode 0774. However, 0755 is more consistent with both the rest of our
+executables, and with the typical permissions on /usr/bin that arise
+from the (extremely common) umask of 0022.
+
+We change these three to 0755 for a little bit of extra peace of mind.
+
+changes. Lines starting # with '#' will be ignored, and an empty
+message aborts the commit.  # # Date: Sat Mar 2 19:52:47 2024 -0500 #
+src/Makefile.in #
+---
+ src/Makefile.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/Makefile.in b/src/Makefile.in
+index 352a768..e6a1816 100644
+--- a/src/Makefile.in
++++ b/src/Makefile.in
+@@ -125,9 +125,9 @@ distclean: clean
+ devclean: distclean
+ 
+ install: install-4x
+-	$(INSTALL) -m 774 file2sock $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 774 log2ndo $(DESTDIR)$(BINDIR)
+-	$(INSTALL) -m 774 sockdebug $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 755 file2sock $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 755 log2ndo $(DESTDIR)$(BINDIR)
++	$(INSTALL) -m 755 sockdebug $(DESTDIR)$(BINDIR)
+ 	@echo ""
+ 	@echo "  Hint: NDOUtils Installation against Nagios v4.x"
+ 	@echo "  completed."
+-- 
+2.43.0
+
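Review bot: Dropping INSTALL_OPTS from `$(INSTALL) -m 775 -d $(DESTDIR)$(PIPEDIR)` changes more than the binaries: PIPEDIR, the runtime socket/pid directory, is now created owned by the installing user (root) with 0775, which grants write access only to root's group, so a daemon that drops to ndo2db_user can no longer create its socket or pid file there on a plain upstream install. The first patch's message says the ownership change "is not really needed", which holds for BINDIR and CFGDIR but not for this one directory; the upstream-bound version should keep an explicit owner on that single line, e.g. `$(INSTALL) -m 775 -o @ndo2db_user@ -g @ndo2db_group@ -d $(DESTDIR)$(PIPEDIR)` (configure.ac still AC_SUBSTs both), while Gentoo continues to rely on nagios-core owning /var/lib/nagios as the ebuild's src_configure comment indicates. The second patch's message also carries a leftover fragment of the git commit template (`changes. Lines starting # with '#' will be ignored, …`) that should be stripped before submitting.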

diff --git a/net-analyzer/ndoutils/ndoutils-2.1.3-r3.ebuild b/net-analyzer/ndoutils/ndoutils-2.1.3-r4.ebuild
similarity index 79%
rename from net-analyzer/ndoutils/ndoutils-2.1.3-r3.ebuild
rename to net-analyzer/ndoutils/ndoutils-2.1.3-r4.ebuild
index 044cb36975f4..32d8d3bd8c57 100644
--- a/net-analyzer/ndoutils/ndoutils-2.1.3-r3.ebuild
+++ b/net-analyzer/ndoutils/ndoutils-2.1.3-r4.ebuild
@@ -1,12 +1,12 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
 
-inherit systemd
+inherit autotools systemd
 
-DESCRIPTION="Nagios addon to store Nagios data in a MySQL database"
-HOMEPAGE="https://www.nagios.org/"
+DESCRIPTION="Nagios addon to store Nagios data in a database"
+HOMEPAGE="https://github.com/NagiosEnterprises/ndoutils"
 SRC_URI="https://github.com/NagiosEnterprises/${PN}/archive/${P}.tar.gz"
 S="${WORKDIR}/${PN}-${P}"
 
@@ -14,14 +14,17 @@ LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~amd64 ~ppc ~x86"
 
-# We require the "nagios" user from net-analyzer/nagios-core at build
-# time.
 DEPEND="
 	dev-db/mysql-connector-c
 	dev-perl/DBD-mysql
-	dev-perl/DBI
-	>=net-analyzer/nagios-core-4.4.5"
+	dev-perl/DBI"
+
+# The default value of the --with-ndo2db-{user,group} flag is "nagios".
+# For unrelated reasons, we actually patch out the build-time dependency
+# on the user/group, but it should still be there at runtime.
 RDEPEND="${DEPEND}
+	acct-user/nagios
+	acct-group/nagios
 	virtual/mysql"
 
 PATCHES=(
@@ -29,8 +32,14 @@ PATCHES=(
 	"${FILESDIR}"/ndoutils-2.0.0-asprintf.patch
 	"${FILESDIR}"/sample-config-piddir.patch
 	"${FILESDIR}"/openrc-init.patch
+	"${FILESDIR}"/secure-install-permissions.patch
 )
 
+src_prepare() {
+	default
+	eautoreconf
+}
+
 src_configure() {
 	# The localstatedir is where our socket will be created by the
 	# nagios daemon, so we put it in /var/lib/nagios where the "nagios"
@@ -39,6 +48,9 @@ src_configure() {
 	# And normally, we would use /run for the pid file, but the daemon
 	# drops permissions before creating it, so the piddir also needs
 	# to be writable by the nagios user.
+	#
+	# Oh, and the build fails without --enable-mysql, so don't try.
+	#
 	econf --enable-mysql \
 		  --localstatedir=/var/lib/nagios \
 		  --sysconfdir=/etc/nagios \


