public inbox for gentoo-commits@lists.gentoo.org
From: "Michael Orlitzky" <mjo@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-im/openfire/
Date: Sun, 23 Jun 2019 17:15:49 +0000 (UTC)
Message-ID: <1561310116.c32aef5d13c57017978860eb65c1c4f5ce88721c.mjo@gentoo>

commit:     c32aef5d13c57017978860eb65c1c4f5ce88721c
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Sun Jun 23 17:13:53 2019 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Sun Jun 23 17:15:16 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c32aef5d

net-im/openfire: new revision to clean up ownership handling.

The new revision (-r2) is intended to clean up some of the ownership
and group handling that led to the security issue in bug 630914. Note
that while that *particular* bug was fixed, the ebuild was still
calling "chmod" in a user-controlled directory, which is also
exploitable. The following changes hopefully eliminate all of
those problems:

  * Add /opt/openfire/conf to CONFIG_PROTECT.

  * Use insopts/diropts to create everything under /opt/openfire with
    the correct ownership and permissions to begin with.

  * Install conf/openfire.xml and conf/security.xml in src_install(),
    instead of creating (and chmod'ing) them later in pkg_postinst().

  * Drop pkg_postinst() entirely now that we install {openfire,security}.xml
    in src_install().

Bug: https://bugs.gentoo.org/630914
Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>
Package-Manager: Portage-2.3.66, Repoman-2.3.11

 net-im/openfire/openfire-4.2.3-r2.ebuild | 80 ++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)

diff --git a/net-im/openfire/openfire-4.2.3-r2.ebuild b/net-im/openfire/openfire-4.2.3-r2.ebuild
new file mode 100644
index 00000000000..d504e403aba
--- /dev/null
+++ b/net-im/openfire/openfire-4.2.3-r2.ebuild
@@ -0,0 +1,80 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit eutils java-pkg-2 java-ant-2 systemd
+
+MY_P=${PN}_src_${PV//./_}
+DESCRIPTION="Openfire (formerly wildfire) real time collaboration (RTC) server"
+HOMEPAGE="http://www.igniterealtime.org/projects/openfire/"
+SRC_URI="http://www.igniterealtime.org/builds/openfire/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="doc"
+
+RDEPEND=">=virtual/jre-1.7"
+DEPEND="net-im/jabber-base
+	~dev-java/ant-contrib-1.0_beta2
+	>=virtual/jdk-1.7"
+
+S=${WORKDIR}/${PN}_src
+
+pkg_setup() {
+	java-pkg-2_pkg_setup
+}
+
+src_compile() {
+	# Jikes doesn't support -source 1.5
+	java-pkg_filter-compiler jikes
+
+	ANT_TASKS="ant-contrib"
+	eant -f build/build.xml openfire plugins $(use_doc)
+
+	# delete nativeAuth prebuilt libs:
+	#    uses outdated unmaintained libshaj, does not support amd64
+	rm -rfv target/openfire/resources/nativeAuth || die
+}
+
+src_install() {
+	#Protect ssl key on upgrade
+	dodir /etc/env.d/
+	echo 'CONFIG_PROTECT="/opt/openfire/resources/security/"' > "${D}"/etc/env.d/98openfire
+	echo 'CONFIG_PROTECT="/opt/openfire/conf/"' > "${D}"/etc/env.d/98openfire
+
+	newinitd "${FILESDIR}"/openfire-initd openfire
+	newconfd "${FILESDIR}"/openfire-confd openfire
+	systemd_dounit "${FILESDIR}"/${PN}.service
+
+	diropts --owner=jabber --group=jabber
+	insopts --owner=jabber --group=jabber
+	dodir /opt/openfire
+
+	dodir /opt/openfire/logs
+	keepdir /opt/openfire/logs
+
+	dodir /opt/openfire/lib
+	insinto /opt/openfire/lib
+	doins target/openfire/lib/*
+
+	dodir /opt/openfire/plugins
+	insinto /opt/openfire/plugins
+	doins -r target/openfire/plugins/*
+
+	dodir /opt/openfire/resources
+	insinto /opt/openfire/resources
+	doins -r target/openfire/resources/*
+
+	if use doc; then
+		dohtml -r documentation/docs/*
+	fi
+	dodoc documentation/dist/*
+
+	dodir /opt/openfire/conf
+	insinto /opt/openfire/conf
+	insopts --mode=0600 --owner=jabber --group=jabber
+	newins target/openfire/conf/openfire.xml openfire.xml
+	newins target/openfire/conf/security.xml security.xml
+}
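Review bot: the two `echo ... >` lines in src_install() both truncate and rewrite "${D}"/etc/env.d/98openfire, so the second one discards the first and the installed file only protects /opt/openfire/conf/, even though the comment above them says the SSL key directory is being protected on upgrade. Emit a single line listing both paths instead, e.g. `echo 'CONFIG_PROTECT="/opt/openfire/resources/security/ /opt/openfire/conf/"' > "${D}"/etc/env.d/98openfire`. Two smaller points in the same hunk: `diropts`/`insopts --owner=jabber --group=jabber` are set once and then apply to /opt/openfire/lib and /opt/openfire/plugins as well, so the code directories end up owned by the service account; if Openfire does not need to write to lib/ at runtime, leaving it root-owned (resetting diropts/insopts before that section) keeps a compromised jabber process from replacing the jars it runs, which is the same least-privilege reasoning that motivates this revision. Lastly, `dodir /opt/openfire/logs` immediately followed by `keepdir /opt/openfire/logs` is redundant, since keepdir creates the directory itself.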

