On Wed, Dec 05, 2018 at 12:05:07AM +0000, Stuart Henderson wrote:
> On 2018/12/05 00:21, Andreas Kusalananda Kähäri wrote:
> > Attached is a port of sshguard-2.2.0 which appears to work, sort of.  It
> > does not start at boot when started from pkg_scripts.  It *does* start
> > reliably when started manually with "rcctl start sshguard" and it shuts
> > down reliably both at system shutdown and manually (and in-between, it
> > runs well).
> > 
> > Any help with possible diagnoses of the startup problem would be
> > helpful.  I haven't found any other port that starts a shell script as a
> > daemon, but I have only looked for "/bin/sh" in the rc scripts for that.
> > 
> > The "stop" action in the rc script is a bit unorthodox:
> > 
> > kill -- "-$( ps -o pgid= -p "$( pgrep -o -T "${daemon_rtable}" -fx "${pexp}" )" )"
> > 
> > ... and that's to send a TERM signal to all the processes in the
> > relevant process group (sshguard consists of a total of seven separate
> > processes).  The main script does do something similar to this ("kill 0"
> > in a trap), but this may require bash to work (and even then it doesn't
> > seem to work reliably).
> > 
> > I have attached a diff for the port as well as a tar archive of it.
> 
> It may be worth removing from pkg_scripts and running from rc.local
> to see if it fails there. If so then run from there under ktrace e.g.
> "ktrace -f /tmp/ktrace.out -i /usr/sbin/rcctl start sshguard" and
> see if anything can be gleaned from running kdump on that file.

Yes, it's getting hupped.  I have now patched out the installing of the
signal handler for HUP in one of the helper programs, and I'm ignoring
the same signal in the main script.  The daemon now survives the boot.
Termination has also been improved (see end).

> 
> A couple of porting notes,

I appreciate these.  Thanks!  They are all incorporated.

> 
> > +CONFIGURE_STYLE=simple
> > +CONFIGURE_ARGS=    --sysconfdir="${SYSCONFDIR}" \
> > +                           --mandir="${TRUEPREFIX}/man"
> 
> This has crept back in, it should stay at CONFIGURE_STYLE=gnu and
> remove the manual setting of --sysconfdir= and --mandir.
> 
> > +share/examples/sshguard/
> > +share/examples/sshguard/sshguard.conf.sample
> > +share/examples/sshguard/whitelistfile.example
> > Index: pkg/README
> > ===================================================================
> > RCS file: /extra/cvs/ports/security/sshguard/pkg/README,v
> > retrieving revision 1.3
> > diff -u -p -r1.3 README
> > --- pkg/README      4 Sep 2018 12:46:21 -0000       1.3
> > +++ pkg/README      4 Dec 2018 21:10:55 -0000
> > @@ -4,7 +4,13 @@ $OpenBSD: README,v 1.3 2018/09/04 12:46:
> >  | Running ${PKGSTEM} on OpenBSD
> >  +-----------------------------------------------------------------------
> >  
> > -To use sshguard with pf(4), add the following to /etc/pf.conf:
> > +Copy the example configuration file:
> > +
> > +    cp ${PREFIX}/share/examples/sshguard/sshguard.conf.sample \
> > +       ${SYSCONFDIR}/sshguard.conf
> 
> Should use @sample in PLIST instead of telling people to do that by
> hand, e.g.
> 
> share/examples/sshguard/
> share/examples/sshguard/sshguard.conf.sample
> @sample ${SYSCONFDIR}/sshguard.conf
> 
> Simpler, and helps pkg_delete -c.
> 
> > +
> > +pexp="/bin/sh $pexp"
> > +
> > +rc_stop () {
> > +    # Need to send TERM to all processes in the process group not just
> > +    # to the ones matching "$pexp".  The main sshguard shell script does
> > +    # set up a trap for doing this, but it relies on running under bash.
> > +    kill -- "-$( ps -o pgid= -p "$( pgrep -o -T "${daemon_rtable}" -fx 
> > "${pexp}" )" )"
> > +}
> >  
> >  rc_bg=YES
> >  rc_reload=NO
> 
> <insert see-no-evil-monkey emoji here> ;)

It was evil and has now been removed.  I noticed that this way of doing
it would probably have killed the kernel relinking that happens after
boot, had anyone manually stopped the sshguard daemon with "rcctl stop
sshguard" early enough.  This is not the way to do it.

Instead, I do what I believe the sshguard-devs intended people to do,
which is to kill the "sshg-blocker" process instead.  This leads to the
rest of the group of processes terminating, except for a "tail" process
(but this will exit as soon as it discovers that there is nobody
reading from the pipe it's writing to).

This leads me to believe that the diff attached is an actual working
port of sshguard-2.2.0.  A tar archive of the port is also attached, as
before.

I'm happy to be maintainer of this port if nobody else feels that they
should be.

Regards,
Andreas

-- 
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.
Index: Makefile
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/Makefile,v
retrieving revision 1.13
diff -u -p -r1.13 Makefile
--- Makefile    4 Sep 2018 12:46:21 -0000       1.13
+++ Makefile    6 Dec 2018 14:12:27 -0000
@@ -2,22 +2,31 @@
 
 COMMENT=       protect against brute force attacks on sshd and others
 
-DISTNAME=      sshguard-1.5
-REVISION=      6
+DISTNAME=      sshguard-2.2.0
 CATEGORIES=    security
 
+HOMEPAGE=      https://www.sshguard.net/
+
+MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=sshguard/}
+
+MAINTAINER=            Andreas Kusalananda Kahari <[email protected]>
+
 # BSD
 PERMIT_PACKAGE_CDROM=  Yes
 
 WANTLIB+=      c pthread
 
-HOMEPAGE=      https://www.sshguard.net/
-MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=sshguard/}
-EXTRACT_SUFX=  .tar.bz2
-
 CONFIGURE_STYLE=gnu
-CONFIGURE_ARGS=        --with-firewall=pf
 
 NO_TEST=       Yes
+
+post-patch:
+       ${SUBST_CMD} ${WRKSRC}/doc/sshguard.8 \
+               ${WRKSRC}/examples/sshguard.conf.sample
+
+post-install:
+       ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/sshguard
+       ${INSTALL_DATA} ${WRKSRC}/examples/*.{example,sample} \
+               ${PREFIX}/share/examples/sshguard
 
 .include <bsd.port.mk>
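Review bot: the post-install target leans on shell brace expansion in `${WRKSRC}/examples/*.{example,sample}`, which depends on the shell make hands the recipe to; spelling out the two files the PLIST already lists (`sshguard.conf.sample`, `whitelistfile.example`) is portable and makes any future upstream addition surface as a PLIST mismatch instead of being installed silently. Two smaller points on the same hunk: the post-patch `${SUBST_CMD}` run over `doc/sshguard.8` and `examples/sshguard.conf.sample` only changes anything if those files carry `${PREFIX}`/`${SYSCONFDIR}`-style placeholders, and no hunk in this diff adds a patch that puts them there, so that should be confirmed against the unpacked distfile; and `WANTLIB+= c pthread` is carried over unchanged across a 1.5 to 2.2.0 jump, which is worth re-checking with `make port-lib-depends-check`.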
Index: distinfo
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo    27 Jan 2014 15:49:15 -0000      1.3
+++ distinfo    4 Dec 2018 10:29:38 -0000
@@ -1,2 +1,2 @@
-SHA256 (sshguard-1.5.tar.bz2) = tTf4dlRV/fhCT4fUvWleW2dbiOXRZIZUUhN5Rwk+fhk=
-SIZE (sshguard-1.5.tar.bz2) = 303767
+SHA256 (sshguard-2.2.0.tar.gz) = Kv8H/ubsM+T/1UEZFrdRiZd68dd7htrF84NN06o2VsI=
+SIZE (sshguard-2.2.0.tar.gz) = 737612
Index: patches/patch-configure
===================================================================
RCS file: patches/patch-configure
diff -N patches/patch-configure
--- patches/patch-configure     24 Jun 2018 10:54:19 -0000      1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,13 +0,0 @@
-$OpenBSD: patch-configure,v 1.1 2018/06/24 10:54:19 kn Exp $
-
-Index: configure
---- configure.orig
-+++ configure
-@@ -5949,7 +5949,6 @@ then
-     STD99_CFLAGS="-xc99"
- else
-     # other compiler (assume gcc-compatibile :( )
--    OPTIMIZER_CFLAGS="-O2"
-     WARNING_CFLAGS="-Wall"
-     STD99_CFLAGS="-std=c99"
- fi
Index: patches/patch-src_fwalls_command_c
===================================================================
RCS file: patches/patch-src_fwalls_command_c
diff -N patches/patch-src_fwalls_command_c
--- patches/patch-src_fwalls_command_c  9 Sep 2011 20:13:28 -0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-src_fwalls_command_c,v 1.1 2011/09/09 20:13:28 naddy Exp $
-
-Allow building with gcc3.
-
---- src/fwalls/command.c.orig  Fri Sep  9 22:07:56 2011
-+++ src/fwalls/command.c       Fri Sep  9 22:08:12 2011
-@@ -59,7 +59,7 @@ int fw_block(const char *restrict addr, int addrkind, 
-     return (run_command(COMMAND_BLOCK, addr, addrkind, service) == 0 ? 
FWALL_OK : FWALL_ERR);
- }
- 
--int fw_block_list(const char *restrict addresses[], int addrkind, const int 
service_codes[]) {
-+int fw_block_list(const char *restrict *addresses, int addrkind, const int 
service_codes[]) {
-     /* block each address individually */
-     int i;
- 
Index: patches/patch-src_sshguard_fw_h
===================================================================
RCS file: patches/patch-src_sshguard_fw_h
diff -N patches/patch-src_sshguard_fw_h
--- patches/patch-src_sshguard_fw_h     9 Sep 2011 20:13:28 -0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-src_sshguard_fw_h,v 1.1 2011/09/09 20:13:28 naddy Exp $
-
-Allow building with gcc3.
-
---- src/sshguard_fw.h.orig     Fri Sep  9 22:07:03 2011
-+++ src/sshguard_fw.h  Fri Sep  9 22:07:20 2011
-@@ -85,7 +85,7 @@ int fw_block(const char *restrict addr, int addrkind, 
-  *
-  * @return FWALL_OK or FWALL_ERR
-  */
--int fw_block_list(const char *restrict addresses[], int addrkind, const int 
service_codes[]);
-+int fw_block_list(const char *restrict *addresses, int addrkind, const int 
service_codes[]);
- 
- 
- /**
Index: patches/patch-src_sshguard_logsuck_c
===================================================================
RCS file: patches/patch-src_sshguard_logsuck_c
diff -N patches/patch-src_sshguard_logsuck_c
--- patches/patch-src_sshguard_logsuck_c        7 Mar 2011 17:44:16 -0000       
1.2
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-src_sshguard_logsuck_c,v 1.2 2011/03/07 17:44:16 rpointel Exp $
---- src/sshguard_logsuck.c.orig        Wed Feb  9 13:01:47 2011
-+++ src/sshguard_logsuck.c     Sat Mar  5 19:27:53 2011
-@@ -242,7 +242,7 @@ int logsuck_getline(char *restrict buf, size_t buflen,
-         if (ret > 0) {
-             if (kevs[0].filter == EVFILT_READ) {
-                 /* got data on this one. Read from it */
--                sshguard_log(LOG_DEBUG, "Searching for fd %lu in list.", 
kevs[0].ident);
-+                sshguard_log(LOG_DEBUG, "Searching for fd %u in list.", 
kevs[0].ident);
-                 readentry = list_seek(& sources_list, & kevs[0].ident);
-                 assert(readentry != NULL);
-                 assert(readentry->active);
Index: patches/patch-src_sshguard_procauth_c
===================================================================
RCS file: patches/patch-src_sshguard_procauth_c
diff -N patches/patch-src_sshguard_procauth_c
--- patches/patch-src_sshguard_procauth_c       7 Sep 2010 12:23:43 -0000       
1.1.1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-src_sshguard_procauth_c,v 1.1.1.1 2010/09/07 12:23:43 millert 
Exp $
---- src/sshguard_procauth.c.orig       Mon Aug  9 02:44:15 2010
-+++ src/sshguard_procauth.c    Mon Aug 30 13:05:40 2010
-@@ -192,7 +192,7 @@ static int procauth_ischildof(pid_t child, pid_t paren
-         dup2(ps2me[1], 1);
- 
-         sshguard_log(LOG_DEBUG, "Running 'ps axo pid,ppid'.");
--        execlp("ps", "ps", "axo", "pid,ppid", NULL);
-+        execlp("ps", "ps", "axo", "pid,ppid", (char *)0);
- 
-         sshguard_log(LOG_ERR, "Unable to run 'ps axo pid,ppid': %s.", 
strerror(errno));
-         exit(-1);
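Review bot: every hunk under patches/ in this diff is a deletion, yet the reply above says the HUP handler was patched out of one of the helper programs and the signal ignored in the main script; if that was done with a new patch file it is missing here (the diff was generated with -N, so an added file would show), and if it was done some other way the Makefile gives no sign of it either. The deletions themselves are expected: all five patches target the 1.5 tree (src/sshguard_*.c, src/fwalls/command.c, the configure optimiser flag), which no longer corresponds to the 2.2.0 layout the PLIST shows.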
Index: pkg/PLIST
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/pkg/PLIST,v
retrieving revision 1.5
diff -u -p -r1.5 PLIST
--- pkg/PLIST   4 Sep 2018 12:46:21 -0000       1.5
+++ pkg/PLIST   5 Dec 2018 08:15:56 -0000
@@ -1,6 +1,23 @@
 @comment $OpenBSD: PLIST,v 1.5 2018/09/04 12:46:21 espie Exp $
 @pkgpath security/sshguard,tcpd
+@rcscript ${RCDIR}/sshguard
+@bin libexec/sshg-blocker
+libexec/sshg-fw-firewalld
+@bin libexec/sshg-fw-hosts
+libexec/sshg-fw-ipfilter
+libexec/sshg-fw-ipfw
+libexec/sshg-fw-ipset
+libexec/sshg-fw-iptables
+libexec/sshg-fw-nft-sets
+libexec/sshg-fw-null
+libexec/sshg-fw-pf
+libexec/sshg-logtail
+@bin libexec/sshg-parser
+@man man/man7/sshguard-setup.7
 @man man/man8/sshguard.8
-@bin sbin/sshguard
+sbin/sshguard
 share/doc/pkg-readmes/${PKGSTEM}
-@rcscript ${RCDIR}/sshguard
+share/examples/sshguard/
+share/examples/sshguard/sshguard.conf.sample
+@sample ${SYSCONFDIR}/sshguard.conf
+share/examples/sshguard/whitelistfile.example
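Review bot: the package now installs every firewall backend (sshg-fw-firewalld, -ipfilter, -ipfw, -ipset, -iptables, -nft-sets) although only sshg-fw-pf, sshg-fw-hosts and sshg-fw-null can do anything on OpenBSD; either drop the others from the PLIST with a matching post-install removal or keep them knowingly, but in both cases the README should say how the pf backend is selected in ${SYSCONFDIR}/sshguard.conf, because nothing selects it any more now that `--with-firewall=pf` is gone from CONFIGURE_ARGS. Also check the `@bin` markers against what the build produces: sshg-blocker, sshg-fw-hosts and sshg-parser are tagged `@bin` while the other sshg-fw-* files, sshg-logtail and sbin/sshguard are not, which is right only if exactly those three are ELF executables and the rest are scripts; `make plist` followed by `make port-lib-depends-check` will confirm.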
Index: pkg/README
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/pkg/README,v
retrieving revision 1.3
diff -u -p -r1.3 README
--- pkg/README  4 Sep 2018 12:46:21 -0000       1.3
+++ pkg/README  5 Dec 2018 08:16:29 -0000
@@ -4,7 +4,8 @@ $OpenBSD: README,v 1.3 2018/09/04 12:46:
 | Running ${PKGSTEM} on OpenBSD
 +-----------------------------------------------------------------------
 
-To use sshguard with pf(4), add the following to /etc/pf.conf:
+To use ${PKGSTEM} with pf(4), add something similar to the following to
+${SYSCONFDIR}/pf.conf:
 
 table <sshguard> persist
 
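Review bot: the README still covers only the pf.conf table, while the rc script hunk in this same diff drops `daemon_flags="-l /var/log/authlog"`; with 2.2.0 the log file to follow and the firewall backend come from ${SYSCONFDIR}/sshguard.conf (installed via `@sample`), so the README should tell the user which settings to change there (at least the log file, /var/log/authlog on OpenBSD, and the pf backend) before `rcctl enable sshguard`, otherwise the daemon starts with whatever the sample assumes.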
Index: pkg/sshguard.rc
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/pkg/sshguard.rc,v
retrieving revision 1.4
diff -u -p -r1.4 sshguard.rc
--- pkg/sshguard.rc     11 Jan 2018 19:27:09 -0000      1.4
+++ pkg/sshguard.rc     6 Dec 2018 11:44:46 -0000
@@ -3,9 +3,10 @@
 # $OpenBSD: sshguard.rc,v 1.4 2018/01/11 19:27:09 rpe Exp $
 
 daemon="${TRUEPREFIX}/sbin/sshguard"
-daemon_flags="-l /var/log/authlog"
 
 . /etc/rc.d/rc.subr
+
+pexp="${TRUEPREFIX}/libexec/sshg-blocker .*"
 
 rc_bg=YES
 rc_reload=NO
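Review bot: `pexp="${TRUEPREFIX}/libexec/sshg-blocker .*"` only matches when sshg-blocker was started with at least one argument, because the space before `.*` is literal in the `pgrep -fx` match; if the main script ever runs it bare, `rcctl check sshguard` reports it as not running and `rcctl start` would start a second instance. Anchoring on the blocker is otherwise the right choice for a daemon whose `daemon` is a shell script (the default `${daemon} ${daemon_flags}` pattern would not match the `/bin/sh ...` process), and it is what makes the default rc_stop send TERM to the blocker alone, with the rest of the pipeline exiting on its own as the reply describes; a one-line comment above `pexp=` saying so would spare the next reader the same detour through process groups.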

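The two stop strategies discussed in the thread, as an added example that is not part of the port or of sshguard itself: three stand-in processes (a `sh` loop for sshg-logtail/tail, `cat` for sshg-parser, `cat >/dev/null` for sshg-blocker, all names mine) are started in one fresh process group, then stopped either by killing only the consumer, so that each upstream stage dies of SIGPIPE on its next write into the reader-less pipe, or with a group-wide `killpg`, the equivalent of `kill -- -PGID`. A third function shows why the group-wide kill was dangerous: a child started without its own process group inherits the caller's, so the PGID read off the daemon can reach back to whatever started it. Python rather than sh is used so that process groups and exit statuses can be inspected precisely.

```python
"""Demonstrate how a multi-process daemon like sshguard 2.x stops.

Added example, not code from the sshguard port or project.  Three stand-in
processes play the roles of sshg-logtail/tail (a sh loop that never stops
on its own), sshg-parser (cat) and sshg-blocker (cat >/dev/null).  Stage
names are hypothetical.  Negative return codes are the terminating signal.
"""
import os
import signal
import subprocess


def start_pipeline():
    """Start tail | parser | blocker in a new process group; return (procs, pgid)."""
    tail = subprocess.Popen(
        ["sh", "-c", "while :; do echo line; sleep 0.05; done"],
        stdout=subprocess.PIPE,
        preexec_fn=lambda: os.setpgid(0, 0),      # new group, pgid == its own pid
    )
    pgid = tail.pid
    parser = subprocess.Popen(
        ["cat"], stdin=tail.stdout, stdout=subprocess.PIPE,
        preexec_fn=lambda: os.setpgid(0, pgid),   # join the tail's group
    )
    tail.stdout.close()      # drop our read end so only parser holds it
    blocker = subprocess.Popen(
        ["cat"], stdin=parser.stdout, stdout=subprocess.DEVNULL,
        preexec_fn=lambda: os.setpgid(0, pgid),
    )
    parser.stdout.close()    # likewise: only blocker may read parser's output
    return {"tail": tail, "parser": parser, "blocker": blocker}, pgid


def _reap(procs, timeout=5.0):
    """Wait for every stage; return {name: returncode} (negative = signal)."""
    return {name: p.wait(timeout=timeout) for name, p in procs.items()}


def stop_by_killing_blocker(procs):
    """The revised rc script: TERM only the consumer.  Each writer upstream
    then gets SIGPIPE the next time it writes, so the pipeline collapses."""
    procs["blocker"].send_signal(signal.SIGTERM)
    return _reap(procs)


def stop_by_killpg(procs, pgid):
    """The first rc script: TERM the whole process group at once."""
    os.killpg(pgid, signal.SIGTERM)
    return _reap(procs)


def shares_group_with_parent():
    """A child started without setpgid inherits the caller's process group,
    so a group-wide kill computed from such a daemon's PGID also hits the
    caller (and anything else it started, e.g. a kernel relink)."""
    child = subprocess.Popen(["sleep", "5"])
    try:
        return os.getpgid(child.pid) == os.getpgid(0)
    finally:
        child.terminate()
        child.wait(timeout=5.0)


if __name__ == "__main__":
    procs, pgid = start_pipeline()
    print("kill blocker only :", stop_by_killing_blocker(procs))
    procs, pgid = start_pipeline()
    print("killpg            :", stop_by_killpg(procs, pgid))
    print("plain child shares our pgid:", shares_group_with_parent())
```

Closing the parent's copies of the pipe read ends is what makes the first strategy work: as long as any process holds a read end, a writer never sees SIGPIPE, which is the same reason the `tail` in the real daemon lingers until it next writes. `preexec_fn` is used instead of the `process_group=` argument so the block runs on Python versions before 3.11.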
Attachment: sshguard.tar.gz