authorDiego Elio Pettenò <flameeyes@gentoo.org>2009-11-26 09:48:42 +0000
committerDiego Elio Pettenò <flameeyes@gentoo.org>2009-11-26 09:48:42 +0000
commitfe97368afb1296cd3c293f78935930d230546a2c (patch)
treece5cc7ac56dc7ced9e43ef2dafcf826c9a865f01
parentversion bump, minimal changes (diff)
Further improved ebuild, using EAPI 2: depend on the presence of unique_id Apache module; create a secured data directory instead of using /tmp; avoid changing the server signature by default (USE=-vanilla).
(Portage version: 2.2_rc51/cvs/Linux x86_64)
-rw-r--r--www-apache/mod_security/ChangeLog10
-rw-r--r--www-apache/mod_security/mod_security-2.5.11-r2.ebuild147
2 files changed, 156 insertions, 1 deletions
diff --git a/www-apache/mod_security/ChangeLog b/www-apache/mod_security/ChangeLog
index db88ca98ecf6..69fe419ebfb1 100644
--- a/www-apache/mod_security/ChangeLog
+++ b/www-apache/mod_security/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for www-apache/mod_security
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_security/ChangeLog,v 1.33 2009/11/21 13:13:47 flameeyes Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_security/ChangeLog,v 1.34 2009/11/26 09:48:42 flameeyes Exp $
+
+*mod_security-2.5.11-r2 (26 Nov 2009)
+
+ 26 Nov 2009; Diego E. Pettenò <flameeyes@gentoo.org>
+ +mod_security-2.5.11-r2.ebuild:
+ Further improved ebuild, using EAPI 2: depend on the presence of unique_id
+ Apache module; create a secured data directory instead of using /tmp;
+ avoid changing the server signature by default (USE=-vanilla).
*mod_security-2.5.11-r1 (21 Nov 2009)
diff --git a/www-apache/mod_security/mod_security-2.5.11-r2.ebuild b/www-apache/mod_security/mod_security-2.5.11-r2.ebuild
new file mode 100644
index 000000000000..abcaa02e0f18
--- /dev/null
+++ b/www-apache/mod_security/mod_security-2.5.11-r2.ebuild
@@ -0,0 +1,147 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_security/mod_security-2.5.11-r2.ebuild,v 1.1 2009/11/26 09:48:42 flameeyes Exp $
+
+EAPI=2
+
+inherit apache-module autotools
+
+MY_P=${P/mod_security-/modsecurity-apache_}
+MY_P=${MY_P/_rc/-rc}
+
+DESCRIPTION="Web application firewall and Intrusion Detection System for Apache."
+HOMEPAGE="http://www.modsecurity.org/"
+SRC_URI="http://www.modsecurity.org/download/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~mips ~ppc ~sparc ~x86"
+IUSE="lua perl vanilla"
+
+DEPEND="dev-libs/libxml2
+ perl? ( dev-perl/libwww-perl )
+ lua? ( >=dev-lang/lua-5.1 )
+ www-servers/apache[apache2_modules_unique_id]"
+RDEPEND="${DEPEND}"
+
+S="${WORKDIR}/${MY_P}"
+
+APACHE2_MOD_FILE="apache2/.libs/${PN}2.so"
+APACHE2_MOD_CONF="2.5.10/99_mod_security"
+APACHE2_MOD_DEFINE="SECURITY"
+
+need_apache2
+
+src_prepare() {
+ if ! use vanilla; then
+ # Disabling rules here
+ epatch "${FILESDIR}"/${PN}-2.5.11-disable-http-pollution.patch
+ sed -i -e 's:^SecServerSignature:#\0:' \
+ rules/modsecurity_crs_10_global_config.conf || die
+ fi
+
+ sed -i -e '/^SecDataDir/s: .*: /var/cache/mod_security:' \
+ rules/modsecurity_crs_10_global_config.conf || die
+
+ epatch "${FILESDIR}"/${PN}-2.5.10-broken-autotools.patch
+ epatch "${FILESDIR}"/${PN}-2.5.10-as-needed.patch
+
+ cd apache2
+ eautoreconf
+}
+
+src_configure() {
+ cd apache2
+
+ econf --with-apxs="${APXS}" \
+ --without-curl \
+ $(use_with lua) \
+ || die "econf failed"
+}
+
+src_compile() {
+ cd apache2
+
+ APXS_FLAGS=
+ for flag in ${CFLAGS}; do
+ APXS_FLAGS="${APXS_FLAGS} -Wc,${flag}"
+ done
+
+ # Yes we need to prefix it _twice_
+ for flag in ${LDFLAGS}; do
+ APXS_FLAGS="${APXS_FLAGS} -Wl,${flag}"
+ done
+
+ emake \
+ APXS_CFLAGS="${CFLAGS}" \
+ APXS_LDFLAGS="${LDFLAGS}" \
+ APXS_EXTRA_CFLAGS="${APXS_FLAGS}" \
+ || die "emake failed"
+}
+
+src_test() {
+ cd apache2
+ emake test || die
+}
+
+src_install() {
+ apache-module_src_install
+
+ # install rules updater only if perl is enabled (optionally)
+ if use perl; then
+ newsbin tools/rules-updater.pl modsec-rules-updater || die
+ fi
+
+ # install documentation
+ dodoc CHANGES || die
+ newdoc rules/CHANGELOG CHANGES.crs || die
+ newdoc rules/README README.crs || die
+ dohtml -r doc/* || die
+
+ # Prepare the core ruleset
+ cd "${S}"/rules/
+
+ sed -i -e 's:logs/:/var/log/apache2/:g' *.conf || die
+
+ insinto ${APACHE_MODULES_CONFDIR}/mod_security/
+ doins *.conf base_rules/* || die
+
+ insinto ${APACHE_MODULES_CONFDIR}/mod_security/optional_rules
+ doins optional_rules/* || die
+
+ if ! use vanilla; then
+ mv "${D}"${APACHE_MODULES_CONFDIR}/mod_security/modsecurity_*{41_phpids,50_outbound}* \
+ "${D}"${APACHE_MODULES_CONFDIR}/mod_security/optional_rules || die
+ fi
+
+ keepdir /var/cache/mod_security || die
+ fowners apache:apache /var/cache/mod_security || die
+ fperms 0770 /var/cache/mod_security || die
+}
+
+pkg_postinst() {
+ if ! use vanilla; then
+ elog "Please note that the core rule set distributed with mod_security is quite"
+ elog "draconic; to make it more usable, the Gentoo distribution disables a few"
+ elog "rule set files, that are relevant for PHP-only websites or that would make it"
+ elog "kill a website that discussed of source code."
+ elog
+ elog "Furthermore we disable the 'HTTP Parameter Pollution' tests that disallow"
+ elog "multiple parameters with the same name, because that's common practice both"
+ elog "for Rails-based web-applications and Bugzilla."
+ if use perl; then
+ elog
+ elog "You want to install the Perl-based updater script for the Core Rule Set."
+ elog "Be warned that the script will update the rules iwth the original, draconic"
+ elog "rules, so you might end up with unusable web applications."
+ fi
+ else
+ elog "You decided to enable the original Core Rule Set from ModSecurity."
+ elog "Be warned that the original Core Rule Set is draconic and most likely will"
+ elog "render your web application unusable if you don't disable at leat some of"
+ elog "the rules."
+ fi
+ elog
+ elog "If you want to enable further rules, check the following directory:"
+ elog " ${APACHE_MODULES_CONFDIR}/mod_security/optional_rules"
+}
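Review bot: The `SecDataDir` rewrite in `src_prepare` can silently do nothing, because `sed -i` exits 0 when no line matches, so the `|| die` only catches a missing file. If a later upstream release renames, comments out or moves that directive, the package would build cleanly and keep whatever data directory upstream ships, while `src_install` still creates `/var/cache/mod_security` unused. A check after the sed would make the hardening fail loudly: `grep -q '^SecDataDir /var/cache/mod_security' rules/modsecurity_crs_10_global_config.conf || die "SecDataDir not rewritten"`. The `SecServerSignature` sed in the `! use vanilla` branch has the same blind spot and would benefit from the same kind of check. Separately, since the directory is already owned by `apache:apache`, `fperms 0770` grants group write that is probably not needed; `0750` or `0700` would be tighter if only the server user writes there.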