Diffstat (limited to 'app-backup/bacula')
-rw-r--r-- | app-backup/bacula/ChangeLog | 7 | ||||
-rw-r--r-- | app-backup/bacula/bacula-5.0.3-r3.ebuild | 441 | ||||
-rw-r--r-- | app-backup/bacula/files/5.0.3/bacula-5.0.3-cve.patch | 125 |
3 files changed, 572 insertions, 1 deletions
diff --git a/app-backup/bacula/ChangeLog b/app-backup/bacula/ChangeLog index ec7894c693d6..084bf7a1903b 100644 --- a/app-backup/bacula/ChangeLog +++ b/app-backup/bacula/ChangeLog @@ -1,6 +1,11 @@ # ChangeLog for app-backup/bacula # Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-backup/bacula/ChangeLog,v 1.144 2012/09/23 18:28:42 ago Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-backup/bacula/ChangeLog,v 1.145 2012/10/10 19:32:50 tomjbe Exp $ + + 10 Oct 2012; Thomas Beierlein <tomjbe@gentoo.org> +bacula-5.0.3-r3.ebuild, + +files/5.0.3/bacula-5.0.3-cve.patch: + Readd bacula-5.0.3 including fix for CVE-2012-4430 to enable use with older + bacula directors. 23 Sep 2012; Agostino Sarubbo <ago@gentoo.org> -bacula-5.0.3-r2.ebuild, -bacula-5.2.5.ebuild: diff --git a/app-backup/bacula/bacula-5.0.3-r3.ebuild b/app-backup/bacula/bacula-5.0.3-r3.ebuild new file mode 100644 index 000000000000..881caf91a571 --- /dev/null +++ b/app-backup/bacula/bacula-5.0.3-r3.ebuild 
@@ -0,0 +1,441 @@ +# Copyright 1999-2012 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-backup/bacula/bacula-5.0.3-r3.ebuild,v 1.10 2012/10/10 19:32:50 tomjbe Exp $ + +EAPI="2" +PYTHON_DEPEND="python? 2" +PYTHON_USE_WITH="threads" +PYTHON_USE_WITH_OPT="python" + +inherit eutils multilib python user + +MY_PV=${PV/_beta/-b} +MY_P=${PN}-${MY_PV} +#DOC_VER="${MY_PV}" + +DESCRIPTION="Featureful client/server network backup suite" +HOMEPAGE="http://www.bacula.org/" + +#DOC_SRC_URI="mirror://sourceforge/bacula/${PN}-docs-${DOC_VER}.tar.bz2" +SRC_URI="mirror://sourceforge/bacula/${MY_P}.tar.gz" +# doc? ( ${DOC_SRC_URI} ) + +LICENSE="AGPL-3" +SLOT="0" +KEYWORDS="~amd64 ~hppa ~ppc ~sparc ~x86" +IUSE="acl bacula-clientonly bacula-nodir bacula-nosd ipv6 logwatch mysql postgres python qt4 readline +sqlite3 ssl static tcpd vim-syntax X" + +# maintainer comment: +# postgresql-base should have USE=threads (see bug 326333) but fails to build +# atm with it (see bug #300964) +DEPEND=" + >=sys-libs/zlib-1.1.4 + dev-libs/gmp + !bacula-clientonly? ( + postgres? ( dev-db/postgresql-base[threads] ) + mysql? ( virtual/mysql ) + sqlite3? ( dev-db/sqlite:3 ) + !bacula-nodir? ( virtual/mta ) + ) + qt4? ( + x11-libs/qt-svg:4 + x11-libs/qwt:5 + ) + ssl? ( dev-libs/openssl ) + logwatch? ( sys-apps/logwatch ) + tcpd? ( >=sys-apps/tcp-wrappers-7.6 ) + readline? ( >=sys-libs/readline-4.1 ) + sys-libs/ncurses" +# doc? ( +# app-text/ghostscript-gpl +# dev-tex/latex2html[png] +# app-text/dvipdfm +# ) +RDEPEND="${DEPEND} + !bacula-clientonly? ( + !bacula-nosd? ( + sys-block/mtx + app-arch/mt-st + ) + ) + vim-syntax? ( || ( app-editors/vim app-editors/gvim ) )" + +S=${WORKDIR}/${MY_P} + +pkg_setup() { + local -i dbnum=0 + if ! 
use bacula-clientonly; then + if use mysql; then + export mydbtype=mysql + let dbnum++ + fi + if use postgres; then + export mydbtype=postgresql + let dbnum++ + fi + if use sqlite3; then + export mydbtype=sqlite3 + let dbnum++ + fi + if [[ "${dbnum}" -lt 1 ]]; then + ewarn + ewarn "No database backend selected, defaulting to sqlite3." + ewarn "Supported databases are mysql, postgresql, sqlite3" + ewarn + export mydbtype=sqlite3 + elif [[ "${dbnum}" -gt 1 ]]; then + ewarn + ewarn "Too many database backends selected, defaulting to sqlite3." + ewarn "Supported databases are mysql, postgresql, sqlite3" + ewarn + export mydbtype=sqlite3 + fi + fi + + # create the daemon group and user + if [ -z "$(egetent group bacula 2>/dev/null)" ]; then + enewgroup bacula + einfo + einfo "The group 'bacula' has been created. Any users you add to this" + einfo "group have access to files created by the daemons." + einfo + fi + + if use bacula-clientonly && use static && use qt4; then + ewarn + ewarn "Building statically linked 'bat' is not supported. Ignorig 'qt4' useflag." + ewarn + fi + + if ! use bacula-clientonly; then + # USE=static only supported for bacula-clientonly + if use static; then + ewarn + ewarn "USE=static only supported together with USE=bacula-clientonly." + ewarn "Ignoring 'static' useflag." + ewarn + fi + if [ -z "$(egetent passwd bacula 2>/dev/null)" ]; then + enewuser bacula -1 -1 /var/lib/bacula bacula,disk,tape,cdrom,cdrw + einfo + einfo "The user 'bacula' has been created. Please see the bacula manual" + einfo "for information about running bacula as a non-root user." 
+ einfo + fi + fi + + if use python; then + python_set_active_version 2 + python_pkg_setup + fi +} + +src_prepare() { + # adjusts default configuration files for several binaries + # to /etc/bacula/<config> instead of ./<config> + pushd src >&/dev/null || die + for f in console/console.c dird/dird.c filed/filed.c \ + stored/bcopy.c stored/bextract.c stored/bls.c \ + stored/bscan.c stored/btape.c stored/stored.c \ + qt-console/main.cpp; do + sed -i -e 's|^\(#define CONFIG_FILE "\)|\1/etc/bacula/|g' "${f}" \ + || die "sed on ${f} failed" + done + popd >&/dev/null || die + + # drop automatic install of unneeded documentation (for bug 356499) + epatch "${FILESDIR}"/${PV}/${P}-doc.patch + + # bug #310087 + epatch "${FILESDIR}"/${PV}/${P}-as-needed.patch + + # bug #311161 + epatch "${FILESDIR}"/${PV}/${P}-lib-search-path.patch + + # stop build for errors in subdirs + epatch "${FILESDIR}"/${PV}/${P}-Makefile.patch + + # bat needs to respect LDFLAGS + epatch "${FILESDIR}"/${PV}/${P}-ldflags.patch + + # bug #328701 + epatch "${FILESDIR}"/${PV}/${P}-openssl-1.patch + + epatch "${FILESDIR}"/${PV}/${P}-fix-static.patch + + # fix CVE-2012-4430 + epatch "${FILESDIR}"/${PV}/${P}-cve.patch +} + +src_configure() { + local myconf='' + + if use bacula-clientonly; then + myconf="${myconf} \ + $(use_enable bacula-clientonly client-only) \ + $(use_enable !static libtool) \ + $(use_enable static static-cons) \ + $(use_enable static static-fd)" + else + myconf="${myconf} \ + $(use_enable !bacula-nodir build-dird) \ + $(use_enable !bacula-nosd build-stored)" + # bug #311099 + # database support needed by dir-only *and* sd-only + # build as well (for building bscan, btape, etc.) + myconf="${myconf} \ + --with-${mydbtype} \ + --enable-batch-insert" + fi + + # do not build bat if 'static' clientonly + if ! use bacula-clientonly || ! 
use static; then + myconf="${myconf} \ + $(use_enable qt4 bat)" + fi + + myconf="${myconf} \ + --disable-tray-monitor \ + $(use_with X x) \ + $(use_with python) \ + $(use_enable !readline conio) \ + $(use_enable readline) \ + $(use_with readline readline /usr) \ + $(use_with ssl openssl) \ + $(use_enable ipv6) \ + $(use_enable acl) \ + $(use_with tcpd tcp-wrappers)" + + econf \ + --libdir=/usr/$(get_libdir) \ + --docdir=/usr/share/doc/${PF} \ + --htmldir=/usr/share/doc/${PF}/html \ + --with-pid-dir=/var/run \ + --sysconfdir=/etc/bacula \ + --with-subsys-dir=/var/lock/subsys \ + --with-working-dir=/var/lib/bacula \ + --with-scriptdir=/usr/libexec/bacula \ + --with-dir-user=bacula \ + --with-dir-group=bacula \ + --with-sd-user=root \ + --with-sd-group=bacula \ + --with-fd-user=root \ + --with-fd-group=bacula \ + --enable-smartalloc \ + --disable-afs \ + --host=${CHOST} \ + ${myconf} +} + +src_compile() { + emake || die "emake failed" + + # build docs from bacula-docs tarball +# if use doc; then +# pushd "${WORKDIR}/${PN}-docs-${DOC_VER}" +# ./configure \ +# --with-bacula="${S}" \ +# || die "configure for bacula-docs failed" +# emake -j1 || die "emake for bacula-docs failed" +# popd +# fi +} + +src_install() { + emake DESTDIR="${D}" install || die "emake install failed" + doicon scripts/bacula.png || die + + # install bat when enabled (for some reason ./configure doesn't pick this up) + if use qt4 && ! 
use static ; then + dosbin "${S}"/src/qt-console/.libs/bat || die + doicon src/qt-console/images/bat_icon.png || die + domenu scripts/bat.desktop || die + fi + + # remove some scripts we don't need at all + rm -f "${D}"/usr/libexec/bacula/{bacula,bacula-ctl-dir,bacula-ctl-fd,bacula-ctl-sd,startmysql,stopmysql} + + # rename statically linked apps + if use bacula-clientonly && use static ; then + pushd "${D}"/usr/sbin || die + mv static-bacula-fd bacula-fd || die + mv static-bconsole bconsole || die + popd || die + fi + + # extra files which 'make install' doesn't cover + if ! use bacula-clientonly; then + # the database update scripts + diropts -m0750 + insinto /usr/libexec/bacula/updatedb + insopts -m0754 + doins "${S}"/updatedb/* || die + fperms 0640 /usr/libexec/bacula/updatedb/README || die + + # the logrotate configuration + # (now unconditional wrt bug #258187) + diropts -m0755 + insinto /etc/logrotate.d + insopts -m0644 + newins "${S}"/scripts/logrotate bacula || die + + # the logwatch scripts + if use logwatch; then + diropts -m0750 + dodir /etc/log.d/scripts/services + dodir /etc/log.d/scripts/shared + dodir /etc/log.d/conf/logfiles + dodir /etc/log.d/conf/services + pushd "${S}"/scripts/logwatch >&/dev/null || die + emake DESTDIR="${D}" install || die "Failed to install logwatch scripts" + popd >&/dev/null || die + fi + fi + + rm -vf "${D}"/usr/share/man/man1/bacula-bwxconsole.1* + if ! 
use qt4; then + rm -vf "${D}"/usr/share/man/man1/bat.1* + fi + rm -vf "${D}"/usr/share/man/man1/bacula-tray-monitor.1* + if use bacula-clientonly || use bacula-nodir; then + rm -vf "${D}"/usr/share/man/man8/bacula-dir.8* + rm -vf "${D}"/usr/share/man/man8/dbcheck.8* + rm -vf "${D}"/usr/share/man/man1/bsmtp.1* + rm -vf "${D}"/usr/libexec/bacula/create_*_database + rm -vf "${D}"/usr/libexec/bacula/drop_*_database + rm -vf "${D}"/usr/libexec/bacula/make_*_tables + rm -vf "${D}"/usr/libexec/bacula/update_*_tables + rm -vf "${D}"/usr/libexec/bacula/drop_*_tables + rm -vf "${D}"/usr/libexec/bacula/grant_*_privileges + rm -vf "${D}"/usr/libexec/bacula/*_catalog_backup + fi + if use bacula-clientonly || use bacula-nosd; then + rm -vf "${D}"/usr/share/man/man8/bacula-sd.8* + rm -vf "${D}"/usr/share/man/man8/bcopy.8* + rm -vf "${D}"/usr/share/man/man8/bextract.8* + rm -vf "${D}"/usr/share/man/man8/bls.8* + rm -vf "${D}"/usr/share/man/man8/bscan.8* + rm -vf "${D}"/usr/share/man/man8/btape.8* + rm -vf "${D}"/usr/libexec/bacula/disk-changer + rm -vf "${D}"/usr/libexec/bacula/mtx-changer + rm -vf "${D}"/usr/libexec/bacula/dvd-handler + fi + + # documentation + dodoc ChangeLog ReleaseNotes SUPPORT technotes + + # vim-files + if use vim-syntax; then + insinto /usr/share/vim/vimfiles/syntax + doins scripts/bacula.vim || die + insinto /usr/share/vim/vimfiles/ftdetect + newins scripts/filetype.vim bacula_ft.vim || die + fi + + # setup init scripts + myscripts="bacula-fd" + if ! use bacula-clientonly; then + if ! use bacula-nodir; then + myscripts="${myscripts} bacula-dir" + fi + if ! 
use bacula-nosd; then + myscripts="${myscripts} bacula-sd" + fi + fi + for script in ${myscripts}; do + # copy over init script and config to a temporary location + # so we can modify them as needed + cp "${FILESDIR}/${script}".confd "${T}/${script}".confd || die "failed to copy ${script}.confd" + cp "${FILESDIR}/${script}".initd "${T}/${script}".initd || die "failed to copy ${script}.initd" + # set database dependancy for the director init script + case "${script}" in + bacula-dir) + case "${mydbtype}" in + sqlite3) + # sqlite3 databases don't have a daemon + sed -i -e 's/need "%database%"/:/g' "${T}/${script}".initd || die + ;; + *) + # all other databases have daemons + sed -i -e "s:%database%:${mydbtype}:" "${T}/${script}".initd || die + ;; + esac + ;; + *) + ;; + esac + # install init script and config + newinitd "${T}/${script}".initd "${script}" || die + newconfd "${T}/${script}".confd "${script}" || die + done + + # make sure the working directory exists + diropts -m0750 + keepdir /var/lib/bacula + + # make sure bacula group can execute bacula libexec scripts + fowners -R root:bacula /usr/libexec/bacula +} + +pkg_postinst() { + if use bacula-clientonly; then + fowners root:bacula /var/lib/bacula + else + fowners bacula:bacula /var/lib/bacula + fi + + if ! use bacula-clientonly && ! use bacula-nodir; then + einfo + einfo "If this is a new install, you must create the ${mydbtype} databases with:" + einfo " /usr/libexec/bacula/create_${mydbtype}_database" + einfo " /usr/libexec/bacula/make_${mydbtype}_tables" + einfo " /usr/libexec/bacula/grant_${mydbtype}_privileges" + einfo + + ewarn + ewarn "*** ATTENTION! IMPORTANT! ATTENTION! IMPORTANT! ATTENTION! IMPORTANT! ***" + ewarn + ewarn "If you're upgrading from a major release, you must upgrade your bacula catalog database." + ewarn "Please read the manual chapter for how to upgrade your database." + ewarn "You can find database upgrade scripts in /usr/libexec/bacula/updatedb/." + ewarn + ewarn "*** ATTENTION! 
IMPORTANT! ATTENTION! IMPORTANT! ATTENTION! IMPORTANT! ***" + ewarn + ebeep 5 + epause 10 + echo + + ewarn + ewarn "*** ATTENTION! IMPORTANT! ATTENTION! IMPORTANT! ATTENTION! IMPORTANT! ***" + ewarn + ewarn "The bundled catalog backup script (/usr/libexec/bacula/make_catalog_backup)" + ewarn "is INSECURE. The script needs to be called with the database access password" + ewarn "as a command line parameter, thus, the password can be seen from any other" + ewarn "user on the system" + ewarn + ewarn "NOTICE:" + ewarn "Since version 5.0.0 Bacula bundles an alternative catalog backup script" + ewarn "installed as /usr/libexec/bacula/make_catalog_backup.pl that is not" + ewarn "subject to this issue as it parses the director daemon config to extract" + ewarn "the configured database connection parameters (including the password)." + ewarn + ewarn "See also:" + ewarn "http://www.bacula.org/5.0.x-manuals/en/main/main/Bacula_Security_Issues.html" + ewarn "http://www.bacula.org/5.0.x-manuals/en/main/main/Catalog_Maintenance.html#SECTION0043140000000000000000" + ewarn + ewarn "*** ATTENTION! IMPORTANT! ATTENTION! IMPORTANT! ATTENTION! IMPORTANT! ***" + ewarn + ebeep 5 + epause 10 + echo + + einfo + einfo "Please note that SQLite v2 support as well as wxwindows (bwx-console)" + einfo "and gnome (gnome-console) support have been dropped." + einfo + fi + + einfo "Please note that 'bconsole' will always be installed. To compile 'bat'" + einfo "you have to enable 'USE=qt4'." + einfo +} diff --git a/app-backup/bacula/files/5.0.3/bacula-5.0.3-cve.patch b/app-backup/bacula/files/5.0.3/bacula-5.0.3-cve.patch new file mode 100644 index 000000000000..394db6e0ea88 --- /dev/null +++ b/app-backup/bacula/files/5.0.3/bacula-5.0.3-cve.patch 
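Review bot: The `fowners` calls at the top of pkg_postinst are unlikely to change the ownership of the live /var/lib/bacula, because `fowners` resolves its path under the install image (`${D}`) and is meant for src_install. The working directory created by `keepdir /var/lib/bacula` under `diropts -m0750` would then keep the image's default owner, so the director running as `bacula` (`--with-dir-user=bacula`) may be unable to use it, or an admin may loosen the mode to compensate. I would move the `if use bacula-clientonly; then ... fi` ownership block into src_install directly after `keepdir /var/lib/bacula`, next to the existing `fowners -R root:bacula /usr/libexec/bacula`. Separately, `--with-sd-user=root` runs the storage daemon as root even though pkg_setup creates `bacula` with the disk, tape and cdrom groups; a comment stating why root is required there would help.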
@@ -0,0 +1,125 @@ +From 67debcecd3d530c429e817e1d778e79dcd1db905 Mon Sep 17 00:00:00 2001 +From: Kern Sibbald <kern@sibbald.com> +Date: Sat, 18 Aug 2012 13:46:03 +0000 +Subject: Make dump_resource respect console ACL's + +--- +diff --git a/bacula/src/dird/dird_conf.c b/bacula/src/dird/dird_conf.c +index 7dcf591..2f2eb00 100644 +--- a/bacula/src/dird/dird_conf.c ++++ b/bacula/src/dird/dird_conf.c +@@ -554,6 +554,7 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm + bool recurse = true; + char ed1[100], ed2[100], ed3[100]; + DEVICE *dev; ++ UAContext *ua = (UAContext *)sock; + + if (res == NULL) { + sendit(sock, _("No %s resource defined\n"), res_to_str(type)); +@@ -599,6 +600,9 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm + break; + + case R_CLIENT: ++ if (!acl_access_ok(ua, Client_ACL, res->res_client.hdr.name)) { ++ break; ++ } + sendit(sock, _("Client: name=%s address=%s FDport=%d MaxJobs=%u\n"), + res->res_client.hdr.name, res->res_client.address, res->res_client.FDport, + res->res_client.MaxConcurrentJobs); +@@ -626,6 +630,9 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm + break; + + case R_STORAGE: ++ if (!acl_access_ok(ua, Storage_ACL, res->res_store.hdr.name)) { ++ break; ++ } + sendit(sock, _("Storage: name=%s address=%s SDport=%d MaxJobs=%u\n" + " DeviceName=%s MediaType=%s StorageId=%s\n"), + res->res_store.hdr.name, res->res_store.address, res->res_store.SDport, +@@ -636,6 +643,9 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm + break; + + case R_CATALOG: ++ if (!acl_access_ok(ua, Catalog_ACL, res->res_cat.hdr.name)) { ++ break; ++ } + sendit(sock, _("Catalog: name=%s address=%s DBport=%d db_name=%s\n" + " db_driver=%s db_user=%s MutliDBConn=%d\n"), + res->res_cat.hdr.name, NPRT(res->res_cat.db_address), +@@ -646,6 +656,9 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm + + 
case R_JOB: + case R_JOBDEFS: ++ if (!acl_access_ok(ua, Job_ACL, res->res_job.hdr.name)) { ++ break; ++ } + sendit(sock, _("%s: name=%s JobType=%d level=%s Priority=%d Enabled=%d\n"), + type == R_JOB ? _("Job") : _("JobDefs"), + res->res_job.hdr.name, res->res_job.JobType, +@@ -767,6 +780,9 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm + case R_FILESET: + { + int i, j, k; ++ if (!acl_access_ok(ua, FileSet_ACL, res->res_fs.hdr.name)) { ++ break; ++ } + sendit(sock, _("FileSet: name=%s\n"), res->res_fs.hdr.name); + for (i=0; i<res->res_fs.num_includes; i++) { + INCEXE *incexe = res->res_fs.include_items[i]; +@@ -854,6 +870,9 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm + } + + case R_SCHEDULE: ++ if (!acl_access_ok(ua, Schedule_ACL, res->res_sch.hdr.name)) { ++ break; ++ } + if (res->res_sch.run) { + int i; + RUN *run = res->res_sch.run; +@@ -942,6 +961,9 @@ next_run: + break; + + case R_POOL: ++ if (!acl_access_ok(ua, Pool_ACL, res->res_pool.hdr.name)) { ++ break; ++ } + sendit(sock, _("Pool: name=%s PoolType=%s\n"), res->res_pool.hdr.name, + res->res_pool.pool_type); + sendit(sock, _(" use_cat=%d use_once=%d cat_files=%d\n"), +-- +From 2be20d549211f7984156674116f9239acf6d79bd Mon Sep 17 00:00:00 2001 +From: Kern Sibbald <kern@sibbald.com> +Date: Sun, 19 Aug 2012 06:33:15 +0000 +Subject: Fix Makefile.in so that testfind builds with acl dependency + +--- +diff --git a/bacula/src/tools/Makefile.in b/bacula/src/tools/Makefile.in +index 0c3f305..5731140 100644 +--- a/bacula/src/tools/Makefile.in ++++ b/bacula/src/tools/Makefile.in +@@ -29,12 +29,12 @@ dummy: + + GETTEXT_LIBS = @LIBINTL@ + +-FINDOBJS = testfind.o ../dird/dird_conf.o ../dird/inc_conf.o ../dird/run_conf.o ++FINDOBJS = testfind.o ../dird/dird_conf.o ../dird/inc_conf.o ../dird/ua_acl.o ../dird/run_conf.o + + # these are the objects that are changed by the .configure process + EXTRAOBJS = @OBJLIST@ + +-DIRCONFOBJS = 
../dird/dird_conf.o ../dird/run_conf.o ../dird/inc_conf.o ++DIRCONFOBJS = ../dird/dird_conf.o ../dird/ua_acl.o ../dird/run_conf.o ../dird/inc_conf.o + + NODIRTOOLS = bsmtp + DIRTOOLS = bsmtp dbcheck drivetype fstype testfind testls bregex bwild bbatch bregtest bvfs_test ing_test +@@ -79,6 +79,9 @@ drivetype: Makefile drivetype.o ../lib/libbac$(DEFAULT_ARCHIVE_TYPE) ../findlib/ + dird_conf.o: ../dird/dird_conf.c + $(CXX) $(DEFS) $(DEBUG) -c $(CPPFLAGS) $(PYTHON_INC) -I$(srcdir) -I$(basedir) $(DINCLUDE) $(CFLAGS) $< + ++ua_acl.o: ../dird/ua_acl.c ++ $(CXX) $(DEFS) $(DEBUG) -c $(CPPFLAGS) $(PYTHON_INC) -I$(srcdir) -I$(basedir) $(DINCLUDE) $(CFLAGS) $< ++ + run_conf.o: ../dird/run_conf.c + $(CXX) $(DEFS) $(DEBUG) -c $(CPPFLAGS) $(PYTHON_INC) -I$(srcdir) -I$(basedir) $(DINCLUDE) $(CFLAGS) $< + +-- |
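Review bot: In the dird_conf.c part of this patch, `UAContext *ua = (UAContext *)sock;` casts the opaque `void *sock` of dump_resource unconditionally, and every added `acl_access_ok(ua, ...)` call then relies on it being a console context. The second commit in the same file links `../dird/ua_acl.o` into testfind and DIRCONFOBJS, which suggests dump_resource is also reached from tools or startup paths whose `sock` may be NULL or a different type; those callers are outside the hunks, so this needs confirming. If NULL is possible, guard each check, e.g. `if (ua && !acl_access_ok(ua, Client_ACL, res->res_client.hdr.name)) {`, and add a comment at the cast such as `/* sock must be a UAContext* or NULL; NULL means an internal dump with no console ACL */`. The visible hunks gate Client, Storage, Catalog, Job/JobDefs, FileSet, Schedule and Pool only; whether the remaining cases of the switch print anything a restricted console should not see cannot be judged from here.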