net-analyzer/icinga: fixing CVE-2015-8010 bug 564242
Package-Manager: portage-2.2.20.1
prometheanfire committed Nov 1, 2015
1 parent 188f6a2 commit 01be0da
Showing 2 changed files with 268 additions and 0 deletions.
1 change: 1 addition & 0 deletions net-analyzer/icinga/Manifest
Expand Up @@ -4,4 +4,5 @@ DIST icinga-1.11.4.tar.gz 18657247 SHA256 34e923d8daac0235513ece5f54a2065b9166cc
DIST icinga-1.11.7.tar.gz 18657763 SHA256 b6526dd44d42c70e50ebfb58608f1fec8ba6d805fda4fde57f1078c248e25045 SHA512 3c06771f83257afc9096078ba5304ad9a3fbd8d75f22ca62113c45b06f1a015ef3758936dcb3376b3a18584a360ca4a629e5b071570b7215f7b199e414946af1 WHIRLPOOL 4f66389b467f77e5544239c9c1553e185e37f115f057df83330118e2e8883efa5d73b05bc1c9b3801ff522947e098f3169185b71a172bf9ac26173a033ce30d6
DIST icinga-1.12.0.tar.gz 18670338 SHA256 6bcee5605d66a00444454514baeffd8084df6097cf8ebead2b8114387d5def14 SHA512 214eece3d5545f9157c25d83f1ed65eab82ae4508e713efa2aec83d69e0621ff53618a33c266e88f67b13e4734bd62d7e55cb2cbc547946d13e691f9b24c726b WHIRLPOOL 94fd7435f113e839e1d6a71a466060ab3e2f161a64643e011acb01f1a34bfe00a7313ea47434db6f74405b1b3fe7581c39bb39fd04887e4985fcd16f0cc0c827
DIST icinga-1.12.2.tar.gz 18745366 SHA256 3eb3e623070996fffe8ba1d5c0fe8081d3074bca5109de4ee597a9515507a4cc SHA512 eac3d354fa555d8374757a07cc84f028dcead71eb611245e16597b050f8f050d4b955cf7bc70ff0230a7fa8eb004541827c2686b60ccd683a0646c1d7707b264 WHIRLPOOL fc1251966dfce7377e6f4017281b3f35cca2241ee1fb31b654126d8f045a957a6835cdb45d622efaaf0cf0cd89d45969f6a4c81dd628174dc7a9c29cef137b51
DIST icinga-1.13.3.tar.gz 18738204 SHA256 d6994bcc9e137f6639b781a78a55d29c51d74cdfce7f35c13c47e09f200acd84 SHA512 babdbb823c6d7241aa67c39c35f67bdf9a4963688b6edd1190af32e056639c1e592791071c90eae3daa44bcb63beee2ff260ce5a0d5e7edb0ed3c99d69ffdaed WHIRLPOOL 6886f98f44cf2aed3b1f2a23d905cbbf5ecf22055ba66d44b44c46942947103863e47e8ba889ba97d98a22f9364946cd3e725563d05df105be519486e2f4857d
DIST icinga-1.9.6.tar.gz 17082621 SHA256 a70a54d49813f8ea1b58688d5d2b3ecd00a0470a900c84943c044669f582274c SHA512 f2489d6c898e754ca162304651e71e071e5f1d0ce396ecd87ba9e6fd0a14343cca24fd860e661250b2723a696045d45602ebf2fc9aa16dbaf126415ba109b3ff WHIRLPOOL 599b3a257e1ef9b9d713cfbde0233ab171f46ee5f2fffaa2e5a3ab95daaad2c9ee88e61def2420d60e9262fb57dc4a18ea168c0d9b1da52dc85792d2d1389cbf
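--- a/net-analyzer/icinga/icinga-1.13.3.ebuild
+++ b/net-analyzer/icinga/icinga-1.13.3.ebuild
@@ -0,0 +1,267 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit depend.apache eutils multilib pax-utils toolchain-funcs user versionator
+
+DESCRIPTION="Nagios Fork - Check daemon, CGIs, docs, IDOutils"
+HOMEPAGE="http://www.icinga.org/"
+#MY_PV=$(delete_version_separator 3)
+#SRC_URI="mirror://sourceforge/${PN}/${PN}-${MY_PV}.tar.gz"
+#S=${WORKDIR}/${PN}-${MY_PV}
+#SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+SRC_URI="https://github.com/${PN}/${PN}-core/releases/download/v${PV}/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~hppa ~x86"
+IUSE="+apache2 contrib eventhandler +idoutils lighttpd +mysql perl +plugins postgres ssl +vim-syntax +web"
+DEPEND="idoutils? ( dev-db/libdbi-drivers[mysql?,postgres?] )
+perl? ( dev-lang/perl )
+virtual/mailx
+web? (
+media-libs/gd[jpeg,png]
+lighttpd? ( www-servers/lighttpd )
+)
+!net-analyzer/nagios-core"
+RDEPEND="${DEPEND}
+plugins? ( || (
+net-analyzer/monitoring-plugins
+net-analyzer/nagios-plugins
+) )"
+RESTRICT="test"
+
+want_apache2
+
+pkg_setup() {
+depend.apache_pkg_setup
+enewgroup icinga
+enewgroup nagios
+enewuser icinga -1 -1 /var/lib/icinga "icinga,nagios"
+}
+
+src_prepare() {
+epatch "${FILESDIR}/fix-prestripped-binaries-1.7.0.patch"
+}
+
+src_configure() {
+local myconf
+
+myconf="$(use_enable perl embedded-perl)
+$(use_with perl perlcache)
+$(use_enable idoutils)
+$(use_enable ssl)
+--with-cgiurl=/icinga/cgi-bin
+--with-log-dir=/var/log/icinga
+--libdir=/usr/$(get_libdir)
+--bindir=/usr/sbin
+--sbindir=/usr/$(get_libdir)/icinga/cgi-bin
+--datarootdir=/usr/share/icinga/htdocs
+--localstatedir=/var/lib/icinga
+--sysconfdir=/etc/icinga
+--with-lockfile=/var/run/icinga/icinga.lock
+--with-temp-dir=/tmp/icinga
+--with-temp-file=/tmp/icinga/icinga.tmp"
+
+if use idoutils ; then
+myconf+=" --with-ido2db-lockfile=/var/run/icinga/ido2db.lock
+--with-icinga-chkfile=/var/lib/icinga/icinga.chk
+--with-ido-sockfile=/var/lib/icinga/ido.sock
+--with-idomod-tmpfile=/tmp/icinga/idomod.tmp"
+fi
+
+if use eventhandler ; then
+myconfig+=" --with-eventhandler-dir=/etc/icinga/eventhandlers"
+fi
+
+if use plugins ; then
+myconf+=" --with-plugin-dir=/usr/$(get_libdir)/nagios/plugins"
+else
+myconf+=" --with-plugin-dir=/usr/$(get_libdir)/nagios/plugins"
+fi
+
+if use !apache2 && use !lighttpd ; then
+myconf+=" --with-command-group=icinga"
+else
+if use apache2 ; then
+myconf+=" --with-httpd-conf=/etc/apache2/conf.d"
+myconf+=" --with-command-group=apache"
+elif use lighttpd ; then
+myconf+=" --with-command-group=lighttpd"
+fi
+fi
+
+econf ${myconf}
+}
+
+src_compile() {
+tc-export CC
+
+emake icinga || die "make failed"
+
+if use web ; then
+emake DESTDIR="${D}" cgis || die
+fi
+
+if use contrib ; then
+emake DESTDIR="${D}" -C contrib || die
+fi
+
+if use idoutils ; then
+emake DESTDIR="${D}" idoutils || die
+fi
+}
+
+src_install() {
+dodoc Changelog README UPGRADING || die
+
+if ! use web ; then
+sed -i -e '/cd $(SRC_\(CGI\|HTM\))/d' Makefile || die
+fi
+
+emake DESTDIR="${D}" install{,-config,-commandmode} || die
+
+if use idoutils ; then
+emake DESTDIR="${D}" install-idoutils || die
+fi
+
+if use contrib ; then
+emake DESTDIR="${D}" -C contrib install || die
+fi
+
+if use eventhandler ; then
+emake DESTDIR="${D}" install-eventhandlers || die
+fi
+
+newinitd "${FILESDIR}"/icinga-init.d icinga || die
+newconfd "${FILESDIR}"/icinga-conf.d icinga || die
+if use idoutils ; then
+newinitd "${FILESDIR}"/ido2db-init.d ido2db || die
+newconfd "${FILESDIR}"/ido2db-conf.d ido2db || die
+insinto /usr/share/icinga/contrib/db
+doins -r module/idoutils/db/* || die
+fi
+# Apache Module
+if use web ; then
+if use apache2 ; then
+insinto "${APACHE_MODULES_CONFDIR}"
+newins "${FILESDIR}"/icinga-apache.conf 99_icinga.conf || die
+elif use lighttpd ; then
+insinto /etc/lighttpd
+newins "${FILESDIR}"/icinga-lighty.conf lighttpd_icinga.conf || die
+else
+ewarn "${CATEGORY}/${PF} only supports Apache-2.x or Lighttpd webserver"
+ewarn "out-of-the-box. Since you are not using one of them, you"
+ewarn "have to configure your webserver accordingly yourself."
+fi
+fowners -R root:root /usr/$(get_libdir)/icinga || die
+cd "${D}" || die
+find usr/$(get_libdir)/icinga -type d -exec fperms 755 {} +
+find usr/$(get_libdir)/icinga/cgi-bin -type f -exec fperms 755 {} +
+fi
+
+if use eventhandler ; then
+dodir /etc/icinga/eventhandlers || die
+fowners icinga:icinga /etc/icinga/eventhandlers || die
+fi
+
+keepdir /etc/icinga
+keepdir /var/lib/icinga
+keepdir /var/lib/icinga/archives
+keepdir /var/lib/icinga/rw
+keepdir /var/lib/icinga/spool/checkresults
+
+if use apache2 ; then
+webserver=apache
+elif use lighttpd ; then
+webserver=lighttpd
+else
+webserver=icinga
+fi
+
+fowners icinga:icinga /var/lib/icinga || die "Failed chown of /var/lib/icinga"
+fowners -R icinga:${webserver} /var/lib/icinga/rw || die "Failed chown of /var/lib/icinga/rw"
+
+fperms 6755 /var/lib/icinga/rw || die "Failed Chmod of ${D}/var/lib/icinga/rw"
+fperms 0750 /etc/icinga || die "Failed chmod of ${D}/etc/icinga"
+
+# paxmarks
+if use idoutils ; then
+pax-mark m usr/sbin/ido2db
+fi
+}
+
+pkg_postinst() {
+if use web ; then
+elog "This does not include cgis that are perl-dependent"
+elog "Currently traceroute.cgi is perl-dependent"
+elog "Note that the user your webserver is running as needs"
+elog "read-access to /etc/icinga."
+elog
+if use apache2 || use lighttpd ; then
+elog "There are several possible solutions to accomplish this,"
+elog "choose the one you are most comfortable with:"
+elog
+if use apache2 ; then
+elog " usermod -G icinga apache"
+elog "or"
+elog " chown icinga:apache /etc/icinga"
+elog
+elog "Also edit /etc/conf.d/apache2 and add a line like"
+elog "APACHE2_OPTS=\"\$APACHE2_OPTS -D ICINGA\""
+elog
+elog "Icinga web service needs user authentication. If you"
+elog "use the base configuration, you need a password file"
+elog "with a password for user \"icingaadmin\""
+elog "You can create this file by executing:"
+elog "htpasswd -c /etc/icinga/htpasswd.users icingaadmin"
+elog
+elog "you may want to also add apache to the icinga group"
+elog "to allow it access to the AuthUserFile"
+elog
+elif use lighttpd ; then
+elog " usermod -G icinga lighttpd "
+elog "or"
+elog " chown icinga:lighttpd /etc/icinga"
+elog "Also edit /etc/lighttpd/lighttpd.conf and add 'include \"lighttpd_icinga.conf\"'"
+fi
+elog
+elog "That will make icinga's web front end visable via"
+elog "http://localhost/icinga/"
+elog
+else
+elog "IMPORTANT: Do not forget to add the user your webserver"
+elog "is running as to the icinga group!"
+fi
+else
+ewarn "Please note that you have installed Icinga without web interface."
+ewarn "Please don't file any bugs about having no web interface when you do this."
+ewarn "Thank you!"
+fi
+elog
+elog "If you want icinga to start at boot time"
+elog "remember to execute:"
+elog " rc-update add icinga default"
+elog
+elog "If your kernel has /proc protection, icinga"
+elog "will not be happy as it relies on accessing the proc"
+elog "filesystem. You can fix this by adding icinga into"
+elog "the group wheel, but this is not recomended."
+elog
+if [ -d "${ROOT}"/var/icinga ] ; then
+ewarn
+ewarn "/var/icinga was moved to /var/lib/icinga"
+ewarn "please move the files if this was an upgrade"
+if use idoutils ; then
+ewarn "and edit /etc/ido2db.cfg to change the location of the files"
+ewarn "it accesses"
+ewarn "update your db with the scripts under the directory"
+ewarn "/usr/share/icinga/contrib/db/"
+fi
+ewarn
+ewarn "The \"mv /var/icinga /var/lib/\" command works well to move the files"
+ewarn "remove /var/icinga afterwards to make this warning disappear"
+fi
+}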
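Review bot: In src_configure the `use eventhandler` branch appends to `myconfig` instead of `myconf`, so `--with-eventhandler-dir=/etc/icinga/eventhandlers` never reaches `econf ${myconf}`, while src_install still creates and chowns that directory; the line should read `myconf+=" --with-eventhandler-dir=/etc/icinga/eventhandlers"`. Separately, `--with-temp-dir=/tmp/icinga`, `--with-temp-file=/tmp/icinga/icinga.tmp` and `--with-idomod-tmpfile=/tmp/icinga/idomod.tmp` use fixed names under world-writable /tmp, which another local account could create first. Unless the init script (not shown here) creates and verifies that directory, a location owned by icinga would be safer, for example under `/var/lib/icinga`, which this ebuild already keeps and chowns. The only patch applied in src_prepare is `fix-prestripped-binaries-1.7.0.patch`, so the CVE-2015-8010 fix named in the title presumably comes from the upstream 1.13.3 tarball; that is worth confirming against bug 564242.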
