Further improved ebuild, using EAPI 2: depend on the presence of unique_id Apache module; create a secured data directory instead of using /tmp; avoid changing the server signature by default (USE=-vanilla).

(Portage version: 2.2_rc51/cvs/Linux x86_64)

2 files changed, 156 insertions, 1 deletions

diff --git a/www-apache/mod_security/ChangeLog b/www-apache/mod_security/ChangeLog
index db88ca98ecf6..69fe419ebfb1 100644
--- a/www-apache/mod_security/ChangeLog
+++ b/www-apache/mod_security/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for www-apache/mod_security
 # Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_security/ChangeLog,v 1.33 2009/11/21 13:13:47 flameeyes Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_security/ChangeLog,v 1.34 2009/11/26 09:48:42 flameeyes Exp $
+
+*mod_security-2.5.11-r2 (26 Nov 2009)
+
+  26 Nov 2009; Diego E. Pettenò <flameeyes@gentoo.org>
+  +mod_security-2.5.11-r2.ebuild:
+  Further improved ebuild, using EAPI 2: depend on the presence of unique_id
+  Apache module; create a secured data directory instead of using /tmp;
+  avoid changing the server signature by default (USE=-vanilla).
 
 *mod_security-2.5.11-r1 (21 Nov 2009)
 
diff --git a/www-apache/mod_security/mod_security-2.5.11-r2.ebuild b/www-apache/mod_security/mod_security-2.5.11-r2.ebuild
new file mode 100644
index 000000000000..abcaa02e0f18
--- /dev/null
+++ b/www-apache/mod_security/mod_security-2.5.11-r2.ebuild
@@ -0,0 +1,147 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_security/mod_security-2.5.11-r2.ebuild,v 1.1 2009/11/26 09:48:42 flameeyes Exp $
+
+EAPI=2
+
+inherit apache-module autotools
+
+MY_P=${P/mod_security-/modsecurity-apache_}
+MY_P=${MY_P/_rc/-rc}
+
+DESCRIPTION="Web application firewall and Intrusion Detection System for Apache."
+HOMEPAGE="http://www.modsecurity.org/"
+SRC_URI="http://www.modsecurity.org/download/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~mips ~ppc ~sparc ~x86"
+IUSE="lua perl vanilla"
+
+DEPEND="dev-libs/libxml2
+	perl? ( dev-perl/libwww-perl )
+	lua? ( >=dev-lang/lua-5.1 )
+	www-servers/apache[apache2_modules_unique_id]"
+RDEPEND="${DEPEND}"
+
+S="${WORKDIR}/${MY_P}"
+
+APACHE2_MOD_FILE="apache2/.libs/${PN}2.so"
+APACHE2_MOD_CONF="2.5.10/99_mod_security"
+APACHE2_MOD_DEFINE="SECURITY"
+
+need_apache2
+
+src_prepare() {
+	if ! use vanilla; then
+		# Disabling rules here
+		epatch "${FILESDIR}"/${PN}-2.5.11-disable-http-pollution.patch
+		sed -i -e 's:^SecServerSignature:#\0:' \
+			rules/modsecurity_crs_10_global_config.conf || die
+	fi
+
+	sed -i -e '/^SecDataDir/s: .*: /var/cache/mod_security:' \
+		rules/modsecurity_crs_10_global_config.conf || die
+
+	epatch "${FILESDIR}"/${PN}-2.5.10-broken-autotools.patch
+	epatch "${FILESDIR}"/${PN}-2.5.10-as-needed.patch
+
+	cd apache2
+	eautoreconf
+}
+
+src_configure() {
+	cd apache2
+
+	econf --with-apxs="${APXS}" \
+		--without-curl \
+		$(use_with lua) \
+		|| die "econf failed"
+}
+
+src_compile() {
+	cd apache2
+
+	APXS_FLAGS=
+	for flag in ${CFLAGS}; do
+		APXS_FLAGS="${APXS_FLAGS} -Wc,${flag}"
+	done
+
+	# Yes we need to prefix it _twice_
+	for flag in ${LDFLAGS}; do
+		APXS_FLAGS="${APXS_FLAGS} -Wl,${flag}"
+	done
+
+	emake \
+		APXS_CFLAGS="${CFLAGS}" \
+		APXS_LDFLAGS="${LDFLAGS}" \
+		APXS_EXTRA_CFLAGS="${APXS_FLAGS}" \
+		|| die "emake failed"
+}
+
+src_test() {
+	cd apache2
+	emake test || die
+}
+
+src_install() {
+	apache-module_src_install
+
+	# install rules updater only if perl is enabled (optionally)
+	if use perl; then
+		newsbin tools/rules-updater.pl modsec-rules-updater || die
+	fi
+
+	# install documentation
+	dodoc CHANGES || die
+	newdoc rules/CHANGELOG CHANGES.crs || die
+	newdoc rules/README README.crs || die
+	dohtml -r doc/* || die
+
+	# Prepare the core ruleset
+	cd "${S}"/rules/
+
+	sed -i -e 's:logs/:/var/log/apache2/:g' *.conf || die
+
+	insinto ${APACHE_MODULES_CONFDIR}/mod_security/
+	doins *.conf base_rules/* || die
+
+	insinto ${APACHE_MODULES_CONFDIR}/mod_security/optional_rules
+	doins optional_rules/* || die
+
+	if ! use vanilla; then
+		mv "${D}"${APACHE_MODULES_CONFDIR}/mod_security/modsecurity_*{41_phpids,50_outbound}* \
+			"${D}"${APACHE_MODULES_CONFDIR}/mod_security/optional_rules || die
+	fi
+
+	keepdir /var/cache/mod_security || die
+	fowners apache:apache /var/cache/mod_security || die
+	fperms 0770 /var/cache/mod_security || die
+}
+
+pkg_postinst() {
+	if ! use vanilla; then
+		elog "Please note that the core rule set distributed with mod_security is quite"
+		elog "draconic; to make it more usable, the Gentoo distribution disables a few"
+		elog "rule set files, that are relevant for PHP-only websites or that would make it"
+		elog "kill a website that discussed of source code."
+		elog
+		elog "Furthermore we disable the 'HTTP Parameter Pollution' tests that disallow"
+		elog "multiple parameters with the same name, because that's common practice both"
+		elog "for Rails-based web-applications and Bugzilla."
+		if use perl; then
+			elog
+			elog "You want to install the Perl-based updater script for the Core Rule Set."
+			elog "Be warned that the script will update the rules iwth the original, draconic"
+			elog "rules, so you might end up with unusable web applications."
+		fi
+	else
+		elog "You decided to enable the original Core Rule Set from ModSecurity."
+		elog "Be warned that the original Core Rule Set is draconic and most likely will"
+		elog "render your web application unusable if you don't disable at leat some of"
+		elog "the rules."
+	fi
+		elog
+	elog "If you want to enable further rules, check the following directory:"
+	elog "	${APACHE_MODULES_CONFDIR}/mod_security/optional_rules"
+}