Thu Apr 16 15:49:30 2020 UTC ()
freeradius: Fix SMF initialisation.

Ensures the user/group are correctly substituted into the config file so that
the daemon can run as root then drop privileges appropriately, as well as
creating the rundir as necessary.

Submitted by Jorge Schrauwen in NetBSD/pkgsrc#58.  Bump PKGREVISION.


(jperkin)
diff -r1.106 -r1.107 pkgsrc/net/freeradius/Makefile
diff -r1.40 -r1.41 pkgsrc/net/freeradius/distinfo
diff -r1.1 -r1.2 pkgsrc/net/freeradius/files/smf/manifest.xml
diff -r0 -r1.1 pkgsrc/net/freeradius/files/smf/radiusd.sh
diff -r0 -r1.1 pkgsrc/net/freeradius/patches/patch-raddb_radiusd.conf.in


--- pkgsrc/net/freeradius/Makefile 2020/04/08 09:42:05 1.106
+++ pkgsrc/net/freeradius/Makefile 2020/04/16 15:49:30 1.107
@@ -1,57 +1,65 @@ @@ -1,57 +1,65 @@
1# $NetBSD: Makefile,v 1.106 2020/04/08 09:42:05 adam Exp $ 1# $NetBSD: Makefile,v 1.107 2020/04/16 15:49:30 jperkin Exp $
2 2
3.include "Makefile.common" 3.include "Makefile.common"
4 4
5PKGNAME= ${DISTNAME:S/-server//} 5PKGNAME= ${DISTNAME:S/-server//}
 6PKGREVISION= 1
6COMMENT= Free RADIUS server implementation 7COMMENT= Free RADIUS server implementation
7 8
8BUILD_DEFS+= VARBASE 9BUILD_DEFS+= VARBASE
9CONFIGURE_ARGS+= --localstatedir=${VARBASE} 10CONFIGURE_ARGS+= --localstatedir=${VARBASE}
10CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFBASEDIR} 11CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFBASEDIR}
11CONFIGURE_ARGS+= --with-logdir=${VARBASE}/log/radiusd 12CONFIGURE_ARGS+= --with-logdir=${VARBASE}/log/radiusd
12CONFIGURE_ARGS+= --without-rlm_eap_ikev2 13CONFIGURE_ARGS+= --without-rlm_eap_ikev2
13CONFIGURE_ARGS+= --without-rlm_eap_tnc 14CONFIGURE_ARGS+= --without-rlm_eap_tnc
14CONFIGURE_ARGS+= --without-rlm_sql_freetds 15CONFIGURE_ARGS+= --without-rlm_sql_freetds
15CONFIGURE_ARGS+= --without-rlm_sql_sqlite 16CONFIGURE_ARGS+= --without-rlm_sql_sqlite
16CONFIGURE_ARGS+= --without-rlm_cache_memcached 17CONFIGURE_ARGS+= --without-rlm_cache_memcached
17CONFIGURE_ARGS+= --without-rlm_krb5 18CONFIGURE_ARGS+= --without-rlm_krb5
18CONFIGURE_ARGS+= --without-rlm_ldap 19CONFIGURE_ARGS+= --without-rlm_ldap
19CONFIGURE_ARGS+= --without-rlm_perl 20CONFIGURE_ARGS+= --without-rlm_perl
20CONFIGURE_ARGS+= --without-rlm_python 21CONFIGURE_ARGS+= --without-rlm_python
21CONFIGURE_ARGS+= --without-rlm_redis 22CONFIGURE_ARGS+= --without-rlm_redis
22CONFIGURE_ARGS+= --without-rlm_rediswho 23CONFIGURE_ARGS+= --without-rlm_rediswho
23CONFIGURE_ARGS+= --without-rlm_rest 24CONFIGURE_ARGS+= --without-rlm_rest
24CONFIGURE_ARGS+= --without-rlm_ruby 25CONFIGURE_ARGS+= --without-rlm_ruby
25CONFIGURE_ARGS+= --without-rlm_sql_iodbc 26CONFIGURE_ARGS+= --without-rlm_sql_iodbc
26CONFIGURE_ARGS+= --without-rlm_sql_mysql 27CONFIGURE_ARGS+= --without-rlm_sql_mysql
27CONFIGURE_ARGS+= --without-rlm_sql_oracle 28CONFIGURE_ARGS+= --without-rlm_sql_oracle
28CONFIGURE_ARGS+= --without-rlm_sql_postgresql 29CONFIGURE_ARGS+= --without-rlm_sql_postgresql
29CONFIGURE_ARGS+= --without-rlm_sql_unixodbc 30CONFIGURE_ARGS+= --without-rlm_sql_unixodbc
30 31
31RCD_SCRIPTS= radiusd 32RCD_SCRIPTS= radiusd
 33SMF_METHODS= radiusd
32RADIUS_GROUP?= radiusd 34RADIUS_GROUP?= radiusd
33RADIUS_USER?= radiusd 35RADIUS_USER?= radiusd
34PKG_GROUPS= ${RADIUS_GROUP} 36PKG_GROUPS= ${RADIUS_GROUP}
35PKG_USERS= ${RADIUS_USER}:${RADIUS_GROUP} 37PKG_USERS= ${RADIUS_USER}:${RADIUS_GROUP}
36PKG_HOME.${RADIUS_USER}= ${VARBASE}/log/radiusd 38PKG_HOME.${RADIUS_USER}= ${VARBASE}/log/radiusd
37 39
38OWN_DIRS_PERMS+= ${VARBASE}/log/radiusd \ 40OWN_DIRS_PERMS+= ${VARBASE}/log/radiusd \
39 ${RADIUS_USER} ${RADIUS_GROUP} 0750 41 ${RADIUS_USER} ${RADIUS_GROUP} 0750
40OWN_DIRS_PERMS+= ${VARBASE}/run/radiusd \ 42OWN_DIRS_PERMS+= ${VARBASE}/run/radiusd \
41 ${RADIUS_USER} ${RADIUS_GROUP} 0750 43 ${RADIUS_USER} ${RADIUS_GROUP} 0750
42 44
43PKG_SYSCONFSUBDIR= raddb 45PKG_SYSCONFSUBDIR= raddb
44 46
 47SUBST_CLASSES+= secconf
 48SUBST_STAGE.secconf= post-configure
 49SUBST_MESSAGE.secconf= Substituting user and group in radiusd.conf
 50SUBST_FILES.secconf= raddb/radiusd.conf
 51SUBST_VARS.secconf= RADIUS_USER RADIUS_GROUP
 52
45FILES_SUBST+= RADIUS_USER=${RADIUS_USER} RADIUS_GROUP=${RADIUS_GROUP} 53FILES_SUBST+= RADIUS_USER=${RADIUS_USER} RADIUS_GROUP=${RADIUS_GROUP}
46MESSAGE_SUBST+= BOOTSTRAP=${PKG_SYSCONFDIR}/certs/bootstrap 54MESSAGE_SUBST+= BOOTSTRAP=${PKG_SYSCONFDIR}/certs/bootstrap
47 55
48EGDIR= ${PREFIX}/share/examples/freeradius 56EGDIR= ${PREFIX}/share/examples/freeradius
49 57
50EGFILES= certs/ca.cnf certs/client.cnf certs/inner-server.cnf \ 58EGFILES= certs/ca.cnf certs/client.cnf certs/inner-server.cnf \
51 certs/Makefile certs/README certs/server.cnf \ 59 certs/Makefile certs/README certs/server.cnf \
52 certs/xpextensions \ 60 certs/xpextensions \
53 clients.conf dictionary experimental.conf \ 61 clients.conf dictionary experimental.conf \
54 mods-available/abfab_psk_sql mods-available/always \ 62 mods-available/abfab_psk_sql mods-available/always \
55 mods-available/attr_filter mods-available/cache \ 63 mods-available/attr_filter mods-available/cache \
56 mods-available/cache_eap mods-available/chap \ 64 mods-available/cache_eap mods-available/chap \
57 mods-available/couchbase mods-available/counter \ 65 mods-available/couchbase mods-available/counter \
@@ -165,39 +173,39 @@ EGFILES= certs/ca.cnf certs/client.cnf  @@ -165,39 +173,39 @@ EGFILES= certs/ca.cnf certs/client.cnf
165 sites-available/example \ 173 sites-available/example \
166 sites-available/inner-tunnel \ 174 sites-available/inner-tunnel \
167 sites-available/originate-coa \ 175 sites-available/originate-coa \
168 sites-available/proxy-inner-tunnel \ 176 sites-available/proxy-inner-tunnel \
169 sites-available/README \ 177 sites-available/README \
170 sites-available/robust-proxy-accounting \ 178 sites-available/robust-proxy-accounting \
171 sites-available/soh \ 179 sites-available/soh \
172 sites-available/status \ 180 sites-available/status \
173 sites-available/tls \ 181 sites-available/tls \
174 sites-available/virtual.example.com \ 182 sites-available/virtual.example.com \
175 users templates.conf trigger.conf 183 users templates.conf trigger.conf
176 184
177EGDIRS= certs mods-available mods-config mods-config/attr_filter mods-config/files \ 185EGDIRS= certs mods-available mods-config mods-config/attr_filter mods-config/files \
178 mods-config/perl mods-config/preprocess mods-config/sql mods-config/sql/counter \ 186 mods-config/perl mods-config/preprocess mods-config/sql mods-config/sql/counter \
179 mods-config/sql/counter/mysql mods-config/sql/counter/postgresql \ 187 mods-config/sql/counter/mysql mods-config/sql/counter/postgresql \
180 mods-config/sql/counter/sqlite mods-config/sql/cui mods-config/sql/cui/mysql \ 188 mods-config/sql/counter/sqlite mods-config/sql/cui mods-config/sql/cui/mysql \
181 mods-config/sql/cui/postgresql mods-config/sql/cui/sqlite mods-config/sql/ippool \ 189 mods-config/sql/cui/postgresql mods-config/sql/cui/sqlite mods-config/sql/ippool \
182 mods-config/sql/ippool-dhcp mods-config/sql/ippool-dhcp/mysql \ 190 mods-config/sql/ippool-dhcp mods-config/sql/ippool-dhcp/mysql \
183 mods-config/sql/ippool-dhcp/oracle mods-config/sql/ippool-dhcp/sqlite \ 191 mods-config/sql/ippool-dhcp/oracle mods-config/sql/ippool-dhcp/sqlite \
184 mods-config/sql/ippool/mysql mods-config/sql/ippool/oracle \ 192 mods-config/sql/ippool/mysql mods-config/sql/ippool/oracle \
185 mods-config/sql/ippool/postgresql mods-config/sql/ippool/sqlite \ 193 mods-config/sql/ippool/postgresql mods-config/sql/ippool/sqlite \
186 mods-config/sql/main mods-config/sql/main/mssql mods-config/sql/main/mysql \ 194 mods-config/sql/main mods-config/sql/main/mssql mods-config/sql/main/mysql \
187 mods-config/sql/main/mysql/extras mods-config/sql/main/mysql/extras/wimax \ 195 mods-config/sql/main/mysql/extras mods-config/sql/main/mysql/extras/wimax \
188 mods-config/sql/main/ndb mods-config/sql/main/oracle \ 196 mods-config/sql/main/ndb mods-config/sql/main/oracle \
189 mods-config/sql/main/postgresql mods-config/sql/main/postgresql/extras \ 197 mods-config/sql/main/postgresql mods-config/sql/main/postgresql/extras \
190 mods-config/sql/main/sqlite mods-config/unbound mods-enabled \ 198 mods-config/sql/main/sqlite mods-config/unbound mods-enabled \
191 policy.d sites-available sites-enabled 199 policy.d sites-available sites-enabled
192 200
193REPLACE_PERL+= scripts/sql/radsqlrelay \ 201REPLACE_PERL+= scripts/sql/radsqlrelay \
194 src/modules/rlm_counter/rad_counter 202 src/modules/rlm_counter/rad_counter
195 203
196.for f in ${EGFILES} 204.for f in ${EGFILES}
197CONF_FILES_PERMS+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f} \ 205CONF_FILES_PERMS+= ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f} \
198 ${RADIUS_USER} ${RADIUS_GROUP} 0640 206 ${RADIUS_USER} ${RADIUS_GROUP} 0640
199.endfor 207.endfor
200CONF_FILES_PERMS+= ${EGDIR}/certs/bootstrap ${PKG_SYSCONFDIR}/certs/bootstrap \ 208CONF_FILES_PERMS+= ${EGDIR}/certs/bootstrap ${PKG_SYSCONFDIR}/certs/bootstrap \
201 ${RADIUS_USER} ${RADIUS_GROUP} 0750 209 ${RADIUS_USER} ${RADIUS_GROUP} 0750
202 210
203.for d in ${EGDIRS} 211.for d in ${EGDIRS}

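--- a/pkgsrc/net/freeradius/distinfo
+++ b/pkgsrc/net/freeradius/distinfo
@@ -1,11 +1,12 @@
-$NetBSD: distinfo,v 1.40 2020/04/08 09:42:05 adam Exp $
+$NetBSD: distinfo,v 1.41 2020/04/16 15:49:30 jperkin Exp $
 
 SHA1 (freeradius-server-3.0.21.tar.bz2) = 3d90d63bf1452794cf9d0b04147745a254872c3f
 RMD160 (freeradius-server-3.0.21.tar.bz2) = 04a038b701f19d9c598e826a795a0cdaacd3768b
 SHA512 (freeradius-server-3.0.21.tar.bz2) = 18cc142caad2143e30bc54242e3824b5f659f2f6e8f3401c71ce3b9063de0bd8d206d84822c4ad1d99457dfd7121333d4accd0c8340fcfc6b33b8fbe24a31729
 Size (freeradius-server-3.0.21.tar.bz2) = 3184588 bytes
 SHA1 (patch-ai) = e32ffd24b93e2cef2e72ef9a8ea59d49e1571dc0
 SHA1 (patch-configure.ac) = ffec1f851d23f560797c12eba5092f2940e4d662
 SHA1 (patch-main_command.c) = 1c79b29eb13df341906c710c8dd41860a27473dd
 SHA1 (patch-main_util.c) = e8814255c32c8469e81d62f2c7092e8d42744e85
+SHA1 (patch-raddb_radiusd.conf.in) = 353cbed35013777bf055a77cc610b50a637ae7b7
 SHA1 (patch-src_lib_udpfromto.c) = 2457f0a7223b1f3ef86d0af020290b26380e6319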

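--- a/pkgsrc/net/freeradius/files/smf/manifest.xml
+++ b/pkgsrc/net/freeradius/files/smf/manifest.xml
@@ -9,30 +9,28 @@
  </dependency>
  <dependency name='loopback' grouping='require_all' restart_on='error' type='service'>
  <service_fmri value='svc:/network/loopback:default' />
  </dependency>
  <dependency name='physical' grouping='require_all' restart_on='error' type='service'>
  <service_fmri value='svc:/network/physical:default' />
  </dependency>
  <dependency name='name-services' grouping='require_all' restart_on='refresh' type='service'>
  <service_fmri value='svc:/milestone/name-services' />
  </dependency>
  <dependency name='system-log' grouping='optional_all' restart_on='none' type='service'>
  <service_fmri value='svc:/system/system-log' />
  </dependency>
- <method_context>
- <method_credential user='@RADIUS_USER@' group='@RADIUS_GROUP@' />
- </method_context>
- <exec_method name='start' type='method' exec='@PREFIX@/sbin/radiusd' timeout_seconds='60' />
+ <method_context></method_context>
+ <exec_method name='start' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.radiusd@' timeout_seconds='60' />
  <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60' />
  <property_group name='startd' type='framework'>
  <propval name='ignore_error' type='astring' value='core,signal' />
  </property_group>
  <template>
  <common_name>
  <loctext xml:lang='C'>FreeRADIUS Server</loctext>
  </common_name>
  <documentation>
  <manpage title='radiusd' section='8' manpath='@PREFIX@/@PKGMANDIR@'/>
  <doc_link name='freeradius.org' uri='http://freeradius.org/doc/' />
  </documentation>
  </template>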
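Review bot: With `<method_credential user='@RADIUS_USER@' group='@RADIUS_GROUP@' />` removed, the start method runs with the SMF default credentials, so the only remaining privilege drop is the `user`/`group` pair this commit enables in the example radiusd.conf. An installation upgraded from an earlier revision that keeps its existing radiusd.conf, where both settings were commented out, would presumably leave radiusd running as root; the radiusd.conf install entry is outside the visible Makefile hunks, so this needs confirming. Consider a note in the package MESSAGE, or have the method script refuse to start when the active config has no `user =` line. The now-empty `<method_context></method_context>` would also benefit from a comment such as `<!-- no method_credential: radiusd.sh needs root to create the rundir, radiusd drops privileges itself -->`.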

File Added: pkgsrc/net/freeradius/files/smf/radiusd.sh
#!@SMF_METHOD_SHELL@
#
# $NetBSD: radiusd.sh,v 1.1 2020/04/16 15:49:30 jperkin Exp $
#

. /lib/svc/share/smf_include.sh

if [ ! -d @VARBASE@/run/radiusd ]; then
	@MKDIR@ @VARBASE@/run/radiusd
	@CHMOD@ 0750 @VARBASE@/run/radiusd
	@CHOWN@ @RADIUS_USER@:@RADIUS_GROUP@ @VARBASE@/run/radiusd
fi

@PREFIX@/sbin/radiusd "$@"
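Review bot: None of the three setup commands in the `if` block is checked, so a failed `@MKDIR@`, `@CHMOD@` or `@CHOWN@` still falls through to starting the daemon, and because this method runs as root the rundir can be left root-owned or with the default mode. The script sources `smf_include.sh` but never uses it; appending `|| exit $SMF_EXIT_ERR_FATAL` to each of the three commands would report the failure to SMF instead. The `[ ! -d ... ]` test also skips the mode and owner fix-up when the directory already exists with different ownership, so running the `@CHMOD@` and `@CHOWN@` lines unconditionally would be more robust. The last line could be `exec @PREFIX@/sbin/radiusd "$@"` to avoid keeping the shell around.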

File Added: pkgsrc/net/freeradius/patches/patch-raddb_radiusd.conf.in
$NetBSD: patch-raddb_radiusd.conf.in,v 1.1 2020/04/16 15:49:30 jperkin Exp $

Update example radiusd.conf to include the correct user/group

--- raddb/radiusd.conf.in.orig	2020-04-15 11:59:38.209113301 +0000
+++ raddb/radiusd.conf.in	2020-04-15 12:00:19.973538936 +0000
@@ -501,8 +501,8 @@
 	#  member.  This can allow for some finer-grained access
 	#  controls.
 	#
-#	user = radius
-#	group = radius
+	user = @RADIUS_USER@
+	group = @RADIUS_GROUP@
 
 	#  Core dumps are a bad thing.  This should only be set to
 	#  'yes' if you're debugging a problem with the server.
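Review bot: The patch uncomments `user` and `group` but leaves the explanatory comment block above them as upstream wrote it; that block starts outside the hunk. A reader of the installed file therefore cannot tell that the package now depends on these two settings to drop root under SMF. A one-line comment above `user = @RADIUS_USER@`, for example `#  pkgsrc: required, the SMF start method launches radiusd as root.`, would make that clear, and the patch description could say the same instead of only "include the correct user/group".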