author | Diego Elio Pettenò <flameeyes@gentoo.org> | 2009-11-26 09:48:42 +0000 |
---|---|---|
committer | Diego Elio Pettenò <flameeyes@gentoo.org> | 2009-11-26 09:48:42 +0000 |
commit | fe97368afb1296cd3c293f78935930d230546a2c (patch) | |
tree | ce5cc7ac56dc7ced9e43ef2dafcf826c9a865f01 | |
parent | version bump, minimal changes (diff) | |
Further improved ebuild, using EAPI 2: depend on the presence of unique_id Apache module; create a secured data directory instead of using /tmp; avoid changing the server signature by default (USE=-vanilla).
(Portage version: 2.2_rc51/cvs/Linux x86_64)
-rw-r--r-- | www-apache/mod_security/ChangeLog | 10 | ||||
-rw-r--r-- | www-apache/mod_security/mod_security-2.5.11-r2.ebuild | 147 |
2 files changed, 156 insertions, 1 deletions
diff --git a/www-apache/mod_security/ChangeLog b/www-apache/mod_security/ChangeLog
index db88ca98ecf6..69fe419ebfb1 100644
--- a/www-apache/mod_security/ChangeLog
+++ b/www-apache/mod_security/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for www-apache/mod_security
 # Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_security/ChangeLog,v 1.33 2009/11/21 13:13:47 flameeyes Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_security/ChangeLog,v 1.34 2009/11/26 09:48:42 flameeyes Exp $
+
+*mod_security-2.5.11-r2 (26 Nov 2009)
+
+ 26 Nov 2009; Diego E. Pettenò <flameeyes@gentoo.org>
+ +mod_security-2.5.11-r2.ebuild:
+ Further improved ebuild, using EAPI 2: depend on the presence of unique_id
+ Apache module; create a secured data directory instead of using /tmp;
+ avoid changing the server signature by default (USE=-vanilla).
 
 *mod_security-2.5.11-r1 (21 Nov 2009)
 
diff --git a/www-apache/mod_security/mod_security-2.5.11-r2.ebuild b/www-apache/mod_security/mod_security-2.5.11-r2.ebuild
new file mode 100644
index 000000000000..abcaa02e0f18
--- /dev/null
+++ b/www-apache/mod_security/mod_security-2.5.11-r2.ebuild
@@ -0,0 +1,147 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_security/mod_security-2.5.11-r2.ebuild,v 1.1 2009/11/26 09:48:42 flameeyes Exp $
+
+EAPI=2
+
+inherit apache-module autotools
+
+MY_P=${P/mod_security-/modsecurity-apache_}
+MY_P=${MY_P/_rc/-rc}
+
+DESCRIPTION="Web application firewall and Intrusion Detection System for Apache."
+HOMEPAGE="http://www.modsecurity.org/"
+SRC_URI="http://www.modsecurity.org/download/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~mips ~ppc ~sparc ~x86"
+IUSE="lua perl vanilla"
+
+DEPEND="dev-libs/libxml2
+ perl? ( dev-perl/libwww-perl )
+ lua? ( >=dev-lang/lua-5.1 )
+ www-servers/apache[apache2_modules_unique_id]"
+RDEPEND="${DEPEND}"
+
+S="${WORKDIR}/${MY_P}"
+
+APACHE2_MOD_FILE="apache2/.libs/${PN}2.so"
+APACHE2_MOD_CONF="2.5.10/99_mod_security"
+APACHE2_MOD_DEFINE="SECURITY"
+
+need_apache2
+
+src_prepare() {
+ if ! use vanilla; then
+ # Disabling rules here
+ epatch "${FILESDIR}"/${PN}-2.5.11-disable-http-pollution.patch
+ sed -i -e 's:^SecServerSignature:#\0:' \
+ rules/modsecurity_crs_10_global_config.conf || die
+ fi
+
+ sed -i -e '/^SecDataDir/s: .*: /var/cache/mod_security:' \
+ rules/modsecurity_crs_10_global_config.conf || die
+
+ epatch "${FILESDIR}"/${PN}-2.5.10-broken-autotools.patch
+ epatch "${FILESDIR}"/${PN}-2.5.10-as-needed.patch
+
+ cd apache2
+ eautoreconf
+}
+
+src_configure() {
+ cd apache2
+
+ econf --with-apxs="${APXS}" \
+ --without-curl \
+ $(use_with lua) \
+ || die "econf failed"
+}
+
+src_compile() {
+ cd apache2
+
+ APXS_FLAGS=
+ for flag in ${CFLAGS}; do
+ APXS_FLAGS="${APXS_FLAGS} -Wc,${flag}"
+ done
+
+ # Yes we need to prefix it _twice_
+ for flag in ${LDFLAGS}; do
+ APXS_FLAGS="${APXS_FLAGS} -Wl,${flag}"
+ done
+
+ emake \
+ APXS_CFLAGS="${CFLAGS}" \
+ APXS_LDFLAGS="${LDFLAGS}" \
+ APXS_EXTRA_CFLAGS="${APXS_FLAGS}" \
+ || die "emake failed"
+}
+
+src_test() {
+ cd apache2
+ emake test || die
+}
+
+src_install() {
+ apache-module_src_install
+
+ # install rules updater only if perl is enabled (optionally)
+ if use perl; then
+ newsbin tools/rules-updater.pl modsec-rules-updater || die
+ fi
+
+ # install documentation
+ dodoc CHANGES || die
+ newdoc rules/CHANGELOG CHANGES.crs || die
+ newdoc rules/README README.crs || die
+ dohtml -r doc/* || die
+
+ # Prepare the core ruleset
+ cd "${S}"/rules/
+
+ sed -i -e 's:logs/:/var/log/apache2/:g' *.conf || die
+
+ insinto ${APACHE_MODULES_CONFDIR}/mod_security/
+ doins *.conf base_rules/* || die
+
+ insinto ${APACHE_MODULES_CONFDIR}/mod_security/optional_rules
+ doins optional_rules/* || die
+
+ if ! use vanilla; then
+ mv "${D}"${APACHE_MODULES_CONFDIR}/mod_security/modsecurity_*{41_phpids,50_outbound}* \
+ "${D}"${APACHE_MODULES_CONFDIR}/mod_security/optional_rules || die
+ fi
+
+ keepdir /var/cache/mod_security || die
+ fowners apache:apache /var/cache/mod_security || die
+ fperms 0770 /var/cache/mod_security || die
+}
+
+pkg_postinst() {
+ if ! use vanilla; then
+ elog "Please note that the core rule set distributed with mod_security is quite"
+ elog "draconic; to make it more usable, the Gentoo distribution disables a few"
+ elog "rule set files, that are relevant for PHP-only websites or that would make it"
+ elog "kill a website that discussed of source code."
+ elog
+ elog "Furthermore we disable the 'HTTP Parameter Pollution' tests that disallow"
+ elog "multiple parameters with the same name, because that's common practice both"
+ elog "for Rails-based web-applications and Bugzilla."
+ if use perl; then
+ elog
+ elog "You want to install the Perl-based updater script for the Core Rule Set."
+ elog "Be warned that the script will update the rules iwth the original, draconic"
+ elog "rules, so you might end up with unusable web applications."
+ fi
+ else
+ elog "You decided to enable the original Core Rule Set from ModSecurity."
+ elog "Be warned that the original Core Rule Set is draconic and most likely will"
+ elog "render your web application unusable if you don't disable at leat some of"
+ elog "the rules."
+ fi
+ elog
+ elog "If you want to enable further rules, check the following directory:"
+ elog " ${APACHE_MODULES_CONFDIR}/mod_security/optional_rules"
+} |
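Review bot: The `SecDataDir` rewrite in src_prepare cannot fail when its pattern does not match, because `sed -i` exits 0 on a no-op and the `|| die` only catches I/O errors; if upstream ships the directive commented out or renamed, the package would silently keep the /tmp data directory this commit is meant to eliminate. Follow the sed with a check such as `grep -q '^SecDataDir /var/cache/mod_security' rules/modsecurity_crs_10_global_config.conf || die "SecDataDir not rewritten"`. The same applies to the `SecServerSignature` substitution in the `! use vanilla` branch. Separately, pkg_postinst warns that the Perl updater restores the upstream rules; if it also replaces modsecurity_crs_10_global_config.conf (not visible here), the data directory setting would presumably revert as well, which is worth stating in that elog.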