Improved default security and webapp support. Thanks webapp and apache herds.

(Portage version: 2.1_pre3-r1)
author: Tom William Payne <twp@gentoo.org> 2006-01-25 19:37:10 +0000
committer: Tom William Payne <twp@gentoo.org> 2006-01-25 19:37:10 +0000
commit: 190bf5403b66134ce60d8e36e75573a2039fbfee (patch)
tree: 1a03ec220860980102e249a085538bb751903668 /www-apache/anyterm
parent: New upstream release: MonetDB 4.10.0 "Earth" (diff)
download: gentoo-2-190bf5403b66134ce60d8e36e75573a2039fbfee.tar.gz
gentoo-2-190bf5403b66134ce60d8e36e75573a2039fbfee.tar.bz2
gentoo-2-190bf5403b66134ce60d8e36e75573a2039fbfee.zip
8 files changed, 232 insertions, 148 deletions
diff --git a/www-apache/anyterm/ChangeLog b/www-apache/anyterm/ChangeLog
index 16b887a53ff0..dfb6a46d299f 100644
--- a/www-apache/anyterm/ChangeLog
+++ b/www-apache/anyterm/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for www-apache/anyterm
 # Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apache/anyterm/ChangeLog,v 1.2 2006/01/24 00:03:28 twp Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apache/anyterm/ChangeLog,v 1.3 2006/01/25 19:37:10 twp Exp $
+
+*anyterm-1.1.8-r2 (25 Jan 2006)
+
+  25 Jan 2006; Tom Payne <twp@gentoo.org>
+  +files/anyterm-1.1.8-postinst-en.txt, files/50_anyterm.conf,
+  files/anyterm-1.1.8-browser-gentoo.patch, -anyterm-1.1.8-r1.ebuild,
+  +anyterm-1.1.8-r2.ebuild:
+  Improved default security and webapp support. Thanks webapp and apache herds.
 
 *anyterm-1.1.8-r1 (24 Jan 2006)
 
diff --git a/www-apache/anyterm/Manifest b/www-apache/anyterm/Manifest
index 698767d4f009..7e921a1d5019 100644
--- a/www-apache/anyterm/Manifest
+++ b/www-apache/anyterm/Manifest
@@ -1,9 +1,10 @@
-MD5 9e300f2c25878e05c66b33279c4c47a6 ChangeLog 782
-MD5 e38f2535fa61685394b86a8661d75fad anyterm-1.1.8-r1.ebuild 3178
-MD5 a14a3081dd3f5b6827bae63d13585320 files/50_anyterm.conf 199
+MD5 9dfed76c6f17c87f91527e39595aee31 ChangeLog 1099
+MD5 5e0da5e85b6a6e0c7b9a72eec3412bed anyterm-1.1.8-r2.ebuild 2843
+MD5 5d4c363d94576d82610a3b238da8b1e4 files/50_anyterm.conf 245
 MD5 5a58f6af7f808560b821511c1e00261c files/anyterm-1.1.8-apachemod-Makefile.patch 891
-MD5 16d2edd9a6fe24882d8e5135400cac30 files/anyterm-1.1.8-browser-gentoo.patch 1249
+MD5 c9e7d1d08a12c4eccbff1002a3d5295f files/anyterm-1.1.8-browser-gentoo.patch 2086
 MD5 edfc9bd9803d9fd760243cef69b00575 files/anyterm-1.1.8-common-extern.patch 655
 MD5 a6069c73dec076f0f2c69ea2cb4b55b8 files/anyterm-1.1.8-libpbe-no-pg_config.patch 432
-MD5 1fafa77a32bc461f15aae771d3d2ea70 files/digest-anyterm-1.1.8-r1 62
+MD5 b3ff11277b2fe4d9712d2bf8ded7a6e0 files/anyterm-1.1.8-postinst-en.txt 1976
+MD5 1fafa77a32bc461f15aae771d3d2ea70 files/digest-anyterm-1.1.8-r2 62
 MD5 d992d28bec4a3bfd72b441145091a58e metadata.xml 244
diff --git a/www-apache/anyterm/anyterm-1.1.8-r1.ebuild b/www-apache/anyterm/anyterm-1.1.8-r1.ebuild
deleted file mode 100644
index f7c523f39cec..000000000000
--- a/www-apache/anyterm/anyterm-1.1.8-r1.ebuild
+++ /dev/null
@@ -1,116 +0,0 @@
-# Copyright 1999-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apache/anyterm/anyterm-1.1.8-r1.ebuild,v 1.1 2006/01/24 00:03:28 twp Exp $
-
-inherit apache-module eutils toolchain-funcs webapp
-
-DESCRIPTION="A terminal anywhere"
-HOMEPAGE="http://anyterm.org/"
-SRC_URI="http://anyterm.org/download/${P}.tbz2"
-
-LICENSE="GPL-2"
-KEYWORDS="~x86"
-IUSE="pam ssl"
-DEPEND="
-	dev-libs/boost
-	>=dev-libs/rote-0.2.8
-	>=sys-devel/gcc-3
-	virtual/ssh
-	pam? ( net-www/mod_auth_pam )
-	"
-RDEPEND="${DEPEND}"
-
-APACHE2_MOD_CONF="50_${PN}"
-APACHE2_MOD_DEFINE="ANYTERM"
-useq ssl && APACHE2_MOD_DEFINE="${APACHE2_MOD_DEFINE} -D SSL"
-useq pam && APACHE2_MOD_DEFINE="${APACHE2_MOD_DEFINE} -D AUTH_PAM"
-APACHE2_MOD_FILE="${S}/apachemod/.libs/anyterm.so"
-DOCFILES="CHANGELOG README"
-
-need_apache2
-
-src_unpack() {
-	unpack ${A}
-	cp ${FILESDIR}/${APACHE2_MOD_CONF}.conf ${S} || die
-	epatch ${FILESDIR}/${P}-apachemod-Makefile.patch
-	epatch ${FILESDIR}/${P}-common-extern.patch
-	epatch ${FILESDIR}/${P}-browser-gentoo.patch
-
-	# The bundled libpbe causes lots of problems because it links to various
-	# assorted packages, without any checks. These packages may or not be
-	# installed. Here we disable all packages which are not required.
-	epatch ${FILESDIR}/${P}-libpbe-no-pg_config.patch
-	for f in Database Recoder jpegsize; do
-		rm ${S}/libpbe/src/${f}.{cc,hh}
-	done
-}
-
-src_compile() {
-	( cd apachemod && emake CC=$(tc-getCC) CXX=$(tc-getCXX) ) || die
-}
-
-src_install() {
-	apache-module_src_install
-
-	webapp_src_preinst
-	cp browser/* browser/.htaccess ${D}/${MY_HTDOCSDIR}
-	webapp_src_install
-}
-
-pkg_postinst() {
-	webapp_pkg_postinst
-
-	apache-module_pkg_postinst
-
-	if ! built_with_use 'net-www/apache' ssl || ! use pam; then
-
-		if ! built_with_use 'net-www/apache' ssl; then
-			eerror "net-www/apache is missing SSL support."
-		fi
-
-		if ! use pam; then
-			eerror "PAM support disabled."
-		fi
-
-		eerror
-		eerror "For security reasons, the default Gentoo anyterm installation"
-		eerror "requires SSL and PAM.  You will need to edit anyterm's"
-		eerror ".htaccess to suit your configuration."
-		eerror
-		eerror "For more information see:"
-		eerror "\thttp://anyterm.org/security.html"
-		eerror
-
-		sleep 5
-
-	else
-
-		eerror
-		eerror "The default Gentoo installation of Anyterm uses SSL and PAM for"
-		eerror "security.  However, you will have to disable logging yourself,"
-		eerror "otherwise anyone who can read your log files (EVERYBODY by"
-		eerror "default!) can observe all the characters you send, including"
-		eerror "passwords!"
-		eerror
-		eerror "To do this, add"
-		eerror "\tenv=!DONTLOG"
-		eerror "to the CustomLog directive in"
-		eerror "\t/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf"
-		eerror
-		eerror "If you are using a custom SSL virtual host configuration"
-		eerror "(i.e. you don't use -D SSL_DEFAULT_VHOST) then you will need"
-		eerror "to modify CustomLog directives elsewhere."
-		eerror
-		eerror "For more information see:"
-		eerror "\thttp://anyterm.org/security.html"
-		eerror
-
-		einfo
-		einfo "Anyterm is now installed at:"
-		einfo "\thttps://localhost/anyterm/anyterm.html"
-		einfo
-
-		sleep 5
-
-	fi
-}
diff --git a/www-apache/anyterm/anyterm-1.1.8-r2.ebuild b/www-apache/anyterm/anyterm-1.1.8-r2.ebuild
new file mode 100644
index 000000000000..121d9f7bdbd2
--- /dev/null
+++ b/www-apache/anyterm/anyterm-1.1.8-r2.ebuild
@@ -0,0 +1,105 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apache/anyterm/anyterm-1.1.8-r2.ebuild,v 1.1 2006/01/25 19:37:10 twp Exp $
+
+inherit apache-module eutils toolchain-funcs webapp
+
+DESCRIPTION="A terminal anywhere"
+HOMEPAGE="http://anyterm.org/"
+SRC_URI="http://anyterm.org/download/${P}.tbz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~x86"
+IUSE="pam ssl opera"
+DEPEND="
+	dev-libs/boost
+	>=dev-libs/rote-0.2.8
+	>=sys-devel/gcc-3
+	virtual/ssh
+	pam? ( net-www/mod_auth_pam )
+	"
+RDEPEND="${DEPEND}"
+
+APACHE2_MOD_CONF="50_${PN}"
+APACHE2_MOD_DEFINE="ANYTERM"
+useq ssl && APACHE2_MOD_DEFINE="${APACHE2_MOD_DEFINE} -D SSL"
+useq pam && APACHE2_MOD_DEFINE="${APACHE2_MOD_DEFINE} -D AUTH_PAM"
+APACHE2_MOD_FILE="${S}/apachemod/.libs/anyterm.so"
+DOCFILES="CHANGELOG README"
+
+WEBAPP_MANUAL_SLOT="yes"
+
+need_apache2
+
+pkg_setup() {
+	webapp_pkg_setup
+
+	apache-module_pkg_setup
+
+	use ssl && ! built_with_use net-www/apache ssl && \
+		eerror "Build net-www/apache with USE=ssl."
+	use pam && ! built_with_use net-www/mod_auth_pam apache2 && \
+		eerror "Build net-www/mod_auth_pam with USE=apache2."
+}
+
+src_unpack() {
+	unpack ${A}
+
+	epatch ${FILESDIR}/${P}-apachemod-Makefile.patch
+	epatch ${FILESDIR}/${P}-common-extern.patch
+	epatch ${FILESDIR}/${P}-browser-gentoo.patch
+
+	# The bundled libpbe causes lots of problems because it links to various
+	# assorted packages, without any checks. These packages may or not be
+	# installed. Here we disable all packages which are not required.
+	epatch ${FILESDIR}/${P}-libpbe-no-pg_config.patch
+	for f in Database Recoder jpegsize; do
+		rm ${S}/libpbe/src/${f}.{cc,hh}
+	done
+}
+
+src_compile() {
+	( cd apachemod && emake CC=$(tc-getCC) CXX=$(tc-getCXX) ) || die
+
+	# Modify browser files to reflect USE flags.
+	for flag in ssl pam opera; do
+		if use ${flag}; then
+			sed -i -e "s/^#USE=${flag}#//" browser/{*,.htaccess}
+			sed -i -e "/^#USE=-${flag}#/D" browser/{*,.htaccess}
+		else
+			sed -i -e "s/^#USE=-${flag}#//" browser/{*,.htaccess}
+			sed -i -e "/^#USE=${flag}#/D" browser/{*,.htaccess}
+		fi
+	done
+}
+
+src_install() {
+	apache-module_src_install
+
+	webapp_src_preinst
+	cp browser/{*,.htaccess} ${D}/${MY_HTDOCSDIR}
+	webapp_postinst_txt en ${FILESDIR}/${P}-postinst-en.txt
+	webapp_src_install
+}
+
+pkg_postinst() {
+	webapp_pkg_postinst
+
+	apache-module_pkg_postinst
+
+	if ! use ssl; then
+		ewarn "USE=-ssl:   Anyterm without SSL is very insecure!"
+	fi
+	if ! use pam; then
+		ewarn "USE=-pam:   You will have to add your own authentication"
+		ewarn "            mechanism."
+	fi
+	if use opera; then
+	    ewarn "USE=opera:  Be sure to disable some logging in your apache"
+		ewarn "            configuration files!"
+	fi
+	if ! use ssl || ! use pam || use opera; then
+		ewarn "For more information see http://anyterm.org/security.html"
+	fi
+}
diff --git a/www-apache/anyterm/files/50_anyterm.conf b/www-apache/anyterm/files/50_anyterm.conf
index f84d7d89be55..24e04ce564ef 100644
--- a/www-apache/anyterm/files/50_anyterm.conf
+++ b/www-apache/anyterm/files/50_anyterm.conf
@@ -2,7 +2,9 @@
   <IfModule !anyterm.c>
     LoadModule anyterm modules/anyterm.so
   </IfModule>
-  <Directory "/var/www/localhost/htdocs/anyterm/">
-    AllowOverride All
-  </Directory>
+  <IfDefine DEFAULT_VHOST>
+    <Directory "/var/www/localhost/htdocs/anyterm">
+      AllowOverride All
+    </Directory>
+  </IfDefine>
 </IfDefine>
diff --git a/www-apache/anyterm/files/anyterm-1.1.8-browser-gentoo.patch b/www-apache/anyterm/files/anyterm-1.1.8-browser-gentoo.patch
index b6f201f6bf05..d2f203d8ce71 100644
--- a/www-apache/anyterm/files/anyterm-1.1.8-browser-gentoo.patch
+++ b/www-apache/anyterm/files/anyterm-1.1.8-browser-gentoo.patch
@@ -1,46 +1,71 @@
+diff -Naur anyterm-1.1.8/browser/anyterm.js anyterm/browser/anyterm.js
+--- anyterm-1.1.8/browser/anyterm.js	2005-11-24 19:54:15.000000000 +0100
++++ anyterm/browser/anyterm.js	2006-01-25 16:52:46.000000000 +0100
+@@ -26,16 +26,21 @@
+ var open=false;
+ var session;
+ 
+-//var post_method="POST";
+-var post_method="GET";
++#USE=opera#//var post_method="POST";
++#USE=opera#var post_method="GET";
++#USE=-opera#var post_method="POST";
++#USE=-opera#//var post_method="GET";
+ 
+ // Random sequence numbers are needed to prevent Opera from caching
+ // replies
+ 
+ var is_opera = navigator.userAgent.toLowerCase().indexOf("opera") != -1;
+-if (is_opera) {
+-  post_method="GET";
+-}
++#USE=opera#if (is_opera) {
++#USE=opera#  post_method="GET";
++#USE=opera#}
++#USE=-opera#//if (is_opera) {
++#USE=-opera#//  post_method="GET";
++#USE=-opera#//}
+ 
+ var seqnum_val=Math.round(Math.random()*100000);
+ function cachebust() {
 diff -Naur anyterm-1.1.8/browser/.htaccess anyterm/browser/.htaccess
 --- anyterm-1.1.8/browser/.htaccess	2005-09-05 00:49:44.000000000 +0200
-+++ anyterm/browser/.htaccess	2006-01-23 22:36:42.000000000 +0100
-@@ -7,6 +7,11 @@
++++ anyterm/browser/.htaccess	2006-01-25 17:03:29.000000000 +0100
+@@ -6,6 +6,8 @@
+ # will be ignored if the anyterm module has not been loaded.
  
  <IfModule anyterm>
++#USE=ssl#<IfModule mod_ssl.c>
++#USE=pam#<IfModule mod_auth_pam.c>
  
-+# twp: To force Anyterm installations to be as secure as possible "out-of-the-
-+# twp: box", we also require that both mod_ssl and mod_auth_pam are present.
-+<IfModule mod_ssl.c>
-+<IfModule mod_auth_pam.c>
-+
  # Use an anyterm_command directive to specify the command to run
  # inside the terminal:
- #
-@@ -24,6 +29,18 @@
+@@ -24,6 +26,16 @@
  # Example:
  # anyterm_command '/path/to/anygetty --remotehost "Anyterm: %h" --autologin=%u'
  
 +# twp: Use ssh to avoid problems with Gentoo's /bin/login.
 +anyterm_command '/usr/bin/ssh %u@localhost'
 +
-+# twp: Only provide Anyterm over SSL connections.
-+SSLRequireSSL
-+
-+# twp: Require a valid user using mod_auth_pam.
-+AuthPAM_Enabled on
-+AuthType Basic
-+AuthName "Anyterm"
-+Require valid-user
-+
++#USE=ssl#SSLRequireSSL
++#USE=ssl#
++#USE=pam#AuthPAM_Enabled on
++#USE=pam#AuthType Basic
++#USE=pam#AuthName "Anyterm"
++#USE=pam#Require valid-user
++#USE=pam#
  <Files anyterm-module>
    SetHandler anyterm
  
-@@ -34,7 +51,10 @@
+@@ -34,7 +46,10 @@
    # CustomLog /path/to/logfile combined env=!DONTLOG
    # See the Apache documentation for details.  Note "=!" not "!=" !
  
 -  # SetEnv DONTLOG
-+  SetEnv DONTLOG
++#USE=opera#  SetEnv DONTLOG
++#USE=-opera#  # SetEnv DONTLOG
  </Files>
  
++#USE=pam#</IfModule>
++#USE=ssl#</IfModule>
  </IfModule>
-+</IfModule>
-+
-+</IfModule>
diff --git a/www-apache/anyterm/files/anyterm-1.1.8-postinst-en.txt b/www-apache/anyterm/files/anyterm-1.1.8-postinst-en.txt
new file mode 100644
index 000000000000..f96f0dcef3e9
--- /dev/null
+++ b/www-apache/anyterm/files/anyterm-1.1.8-postinst-en.txt
@@ -0,0 +1,59 @@
+DEFAULT GENTOO INSTALLATION
+
+The default Gentoo installation is designed to work and be as secure as
+possible out-of-the box as long as you have USE="ssl pam -opera".
+
+
+USE FLAGS
+
++ssl	forces anyterm to only run over secure (HTTPS) connections.
+-ssl    disables secure connections, all data will pass over the network in
+        plain text, including passwords!
++pam    enables PAM authentication, so anyone with an account on your computer
+        can use anyterm without any further configuration.
+-pam    means that you will have to configure your own authentication
+        mechanism.
++opera  Enables a workaround for a bug in the Opera browser, but you will have
+        to modify apache's logging behaviour to prevent snooping by local
+	users.
+-opera  Disables the Opera bug workaround.
+
+
+INSTALLATION INSTRUCTIONS
+
+1. Add the following flags to APACHE2_OPTS in /etc/init.d/apache2:
+	-D ANYTERM
+	-D SSL                # if USE=ssl
+	-D SSL_DEFAULT_VHOST  # if USE="ssl -vhosts"
+	-D AUTH_PAM           # if USE=pam
+
+2. If you have USE=vhosts then you need to add the following directives to
+   each virtual host's configuration file:
+   	<Directory "${MY_INSTALLDIR}">
+	  AllowOverride All
+	</Directory>
+
+3. If you have USE=opera then you should disable logging of some requests. In
+   each apache configuration file add env=!DONTLOG to each CustomLog
+   directive. For example:
+   USE="ssl -vhosts":
+   	Edit /etc/apache2/modules.d/41_mod_ssl.default-vhost.conf:
+	    CustomLog logs/ssl_request_log \
+	              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" \
+		      env=!DONTLOG
+   USE="-ssl -vhosts":
+   	Edit /etc/apache2/httpd.conf:
+	     CustomLog logs/access_log common env=!DONTLOG
+
+4. Restart apache2:
+	/etc/init.d/apache2 restart
+
+5. Browse to:
+	https://${VHOST_HOSTNAME}${VHOST_APPDIR}/${PN}.html  # if USE=ssl
+	http://${VHOST_HOSTNAME}${VHOST_APPDIR}/${PN}.html   # if USE=-ssl
+
+
+MORE INFORMATION
+
+http://anyterm.org/
+http://anyterm.org/security.html
diff --git a/www-apache/anyterm/files/digest-anyterm-1.1.8-r1 b/www-apache/anyterm/files/digest-anyterm-1.1.8-r2
index 5aa11d832d47..5aa11d832d47 100644
--- a/www-apache/anyterm/files/digest-anyterm-1.1.8-r1
+++ b/www-apache/anyterm/files/digest-anyterm-1.1.8-r2
author	Tom William Payne <twp@gentoo.org>	2006-01-25 19:37:10 +0000
committer	Tom William Payne <twp@gentoo.org>	2006-01-25 19:37:10 +0000
commit	190bf5403b66134ce60d8e36e75573a2039fbfee (patch)
tree	1a03ec220860980102e249a085538bb751903668 /www-apache/anyterm
parent	New upstream release: MonetDB 4.10.0 "Earth" (diff)
download	gentoo-2-190bf5403b66134ce60d8e36e75573a2039fbfee.tar.gz gentoo-2-190bf5403b66134ce60d8e36e75573a2039fbfee.tar.bz2 gentoo-2-190bf5403b66134ce60d8e36e75573a2039fbfee.zip