Install configuration files and folders with more secure, non-world-readable permissions.

Package-Manager: portage-2.2.0_alpha166-r1/cvs/Linux x86_64
Manifest-Sign-Key: 0x743A52E86BA81050

3 files changed, 232 insertions, 15 deletions

diff --git a/net-irc/unrealircd/ChangeLog b/net-irc/unrealircd/ChangeLog
index cb57fe40ff60..027865e48da2 100644
--- a/net-irc/unrealircd/ChangeLog
+++ b/net-irc/unrealircd/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for net-irc/unrealircd
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-irc/unrealircd/ChangeLog,v 1.98 2013/01/27 07:31:25 binki Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-irc/unrealircd/ChangeLog,v 1.99 2013/03/13 07:24:15 binki Exp $
+
+*unrealircd-3.2.10-r1 (13 Mar 2013)
+
+  13 Mar 2013; Nathan Phillip Brink <binki@gentoo.org>
+  +unrealircd-3.2.10-r1.ebuild:
+  Install configuration files and folders with more secure, non-world-readable
+  permissions.
 
   27 Jan 2013; Nathan Phillip Brink <binki@gentoo.org> files/unrealircd.initd,
   unrealircd-3.2.10.ebuild, unrealircd-3.2.9.ebuild:
diff --git a/net-irc/unrealircd/Manifest b/net-irc/unrealircd/Manifest
index 986b93963998..fce92d42eed8 100644
--- a/net-irc/unrealircd/Manifest
+++ b/net-irc/unrealircd/Manifest
@@ -6,24 +6,25 @@ AUX unrealircd.confd-r1 1339 SHA256 d06a0d17b12171f7b83c8e9ab5ecb84ab5a98a0310b1
 AUX unrealircd.initd 1253 SHA256 5eb5be0b5d4d0ea3edb0b3829fe787401f3a1d8c51bbcde52fa612630b561fca SHA512 57aa1028bc2fb65894e71feb57669ec238c884475456b0a8eaac6b117835a905e5a24275bdd4400b327a662c99b06887e2c701ca077420ca6e140227d04181cd WHIRLPOOL 312f31f3c52c94f1228b955e63c79e7fbbc10eb7d6cce98a39521d8df89a5506068de7420f1d73302d801ac32ed7f6e018c29dc52e2011bec63a72fec01e516d
 DIST Unreal3.2.10.tar.gz 3132312 SHA256 91a6fb61072fae60ad4620b1c45ad594b4c636871e838e75f1cc9dbe261c5df2 SHA512 fdd656ff014e74d2213bf52fb56f73abcfebdb201e1fa4ef5f4ef76e99fbee4ae128458c718a57beff49cbc132dd1b4408ffb137a080327d12f190a74e9d4712 WHIRLPOOL 28f39831c16720c97a7415e2a07b4a853f3f1526d77d8441f3f19956d5a9531ca93bbea33c1d8d62d33547db240f2f52651b303d73ea56a2c6871ddba49f459a
 DIST Unreal3.2.9.tar.gz 3064571 SHA256 3f581a331825d9179f5367ea6367dd0dc71c7ba615ac3c0134332086bee0e1d8 SHA512 6f18c2e9282c2417d34fa4ace8be183394ec896abcb9f9b0d87fb61013360a6281fb151a73b03379c5fcc1f30235ba6c3420c709df273cf1887f8e7d95d6a686 WHIRLPOOL e589a4c02de158e14b9e52a4297a73b1c107a724e13526447907714d7eee4f21a7a8d70f8f301a137847dc6cb83f6424d0c128a9b9a526ef0ce0d09f675dc874
+EBUILD unrealircd-3.2.10-r1.ebuild 6599 SHA256 0d73fb3eb7e2c4986cab39155888de541bbe9996550448f480dda58973c96976 SHA512 58e473ecbfcb1f8c9772c2ec885ed5263724581b889a007571deab11ea5ed49609deb95c9256ed7cbf77d484b4bd88328a74271abe72aafd237569dfd1e6ed40 WHIRLPOOL 7bb92534b8c9076fb092aa29a28c53d86a2df06bc35dbf2753053ddd0d4e606a8102e839f8c23b08f2d819a80d3a22b77205a9f3b46171f4ca740d11d0682282
 EBUILD unrealircd-3.2.10.ebuild 4497 SHA256 8192cd2a47c7c8059cb69f2947c7526f2fe08f3227ace8b9c58125282211d47a SHA512 eff41382456241e412639273182939e949fc93f522e7200d79e2b4f3d4d0c62cd3ca32070603606cd2c583df40642f176cef78aa44749b48f70f9ceb73b55cbe WHIRLPOOL 0cbdd31e51959c255b4a8fec2c9cbe7d62ec9661d64e780b338255a5fd95b29388be25c1c06c31512fcbb8948bd7c8153b71ee0a863726a4efb10dc1f3f0aeae
 EBUILD unrealircd-3.2.9.ebuild 4663 SHA256 6d6189af7404305ebcd93c6f7c19384ab78618dca9814023d44d10a2da2c613d SHA512 395284497e05aa6b9997db5cb4fbc996e3cbb3d57677232cb3b6bcf42a74a705067da5801652b9ec2a5a540c79aa55e783aee5a40bb53a0c7f44c17cff5e3d45 WHIRLPOOL a2d88dd8e959df4eaa512e07d39a90916b16aded23d4244191da21a6b6961be982d56a12363cd5af932003a4ab246902f279f80120a718bbe7c13306cc0015c0
-MISC ChangeLog 15029 SHA256 312d2426dd7fe561cb64e1b953409c1f412d9173c64ee5439747b531ac536faa SHA512 c776eae4a7cf03a6d70401cb325ca8f816e9c389b553b445aa83945975e7ffb3bb23d08195fcc059fa34e22c3a3cec68bf73e99ebd018089e6ebc7d6bacbb1ff WHIRLPOOL 785db037e80081bd3e7e38288f385df9d32784957fd5a5f66d886c357a031366d562dd6a0c1c156c88282338ac9f440417b3a522f035a0c54df80e6b8058dd0f
+MISC ChangeLog 15248 SHA256 83c8bfb79b44e7e58dc6d52664a0306a9f1eaf5bbc0f9cccadfc3909dda9528e SHA512 b0d507031c16d7c85eddd35a9aa558447b013a7f3dbf641b57292864a6e579c01e600beb136a1c4ca7fbfd4621094884e4bfecdfa743ff1efd12205a0b89b397 WHIRLPOOL b605f5080d0cc0db3cc93b565e707c1665bc4dfa964714ae02ec5bfb27cee31a28fe260b7c9d4e7b59fcbac916a24a3d1de6d3e481b88539508d97a3f565ba59
 MISC metadata.xml 1107 SHA256 d4b8197e572fd775c6876f9809f6e183ca3a5146d3c0525166d1b008b15d8f87 SHA512 9644861ddc9fc7898aa25ce05cc952a4d5d13450ca12123039b2cc2c8bf09636aa493c16416c27ceec95b505c277d421dba5033fe12d847e1184d12c3e81f5e8 WHIRLPOOL 564b4ca5d4a1d8cd956f89d32749e4ce0108b524012560d9b8345886e9fc572e5978bdeb00429cbdf43e5c9de330bb5b4feb02ded728d461971acb948b391ac2
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.14 (GNU/Linux)
 
-iQIcBAEBCAAGBQJRBNfRAAoJEHQ6UuhrqBBQYkUQAJZOFMUXjOh7rbH/AVNF+QyT
-ufgeVbwJFXcLqxFiAIALTK8IVIalbYhxQY4ugNPW7kQUk3f6KLzQQxYmWxqlOCiU
-2pNCC8ebCni6+uxGQkzm45ltZTpkFGJ2XaXeaEfZei7TF136ZcxtQZ2s2LilKHlZ
-aCahLcI8pESy3D/kTpXMQE67z/eW8VU5lQlRkFW+tQnCuSjaJtIPH5PBRjdu+VWr
-d9pqjKOiBtes1dd4bjsWmn2b96Oh7VA0wrwlBXxRqUzw8nJUQLvoLyVSTyLUTVy0
-kchDKHBc5QoeBpnyIYnDkGI3PV9GQ7sZxHY2doBOReoP2FzIH1O4H2BWjrZ9zh51
-MS9iFKqMgXuvJH0ftD8XDQDVDItfd8maSfASrzeYDSauHmygcnV3HUB5yZSOFSiv
-FIgFN7nm+/i4oY4tR1g1Pl1oIIvoMXYHmSerw67cEZs36wHWcLbaaYNAffJNvtkf
-CGuSrPVdOBc9vrfykvcUDtgQ+oHRe/0cfT9QB0skGTXilgXEoYAg3mPTdxW1raDl
-TBzTq93fY7OtlhraJ9grpROG13R+THv2M3zXLE0SV4XKZw4TsreYemBB6ZaA8mnI
-ewn58Ne0gTPqSWW6m9rMsM6E5KBNrLjvLuouW7uzpb6MEgsZKSPG314p7p6Zy5qf
-LXsPV30QbxahNeZxX2B3
-=3/Y2
+iQIcBAEBCAAGBQJRQCmiAAoJEHQ6UuhrqBBQS5MQAJqnaRb3v4evxrBzBiUzsFSI
+SYGEpzagKu2xVsVlOQNixy6lHOaMKmNXRm6TL8a/c3Xoq8ktqwcaub535HGqsrWH
+UwtW3yB/K3Svq/gx04/R0HVx+N5T5dJCTD5hnZa5AdNJaRgZt75/6qeX0SsUqkij
+N58/s1OMjPrg6/9NPWbCC/2YyRK1B8pcJ24mymlVoi+XoE8BKcmwFyOtBP/1+Afw
+GaOMJmh9b+kfv0KWV81Gt9vwg5+HZkPDiBYFq25YR/v/lyP+GTeJC1zU7/g2BHdD
+fAAClUC+kVMp0ujgJ3QI0yDMSV8rHaYQiyx+xHIEkBzAbKAFW4Tsyi5MQ1rFYq4b
+gekvhJkvhkYmi8cEWQwoC50Grz7rLQv1cUk/ehIuqk+HypD8IqKXLslVseow7/Pn
+FgKEoxRkH7ksxBknNJlIYoG5+wQDaTgq/Dg+pevfoLA1wX83NlsxYop5fjq3YbMe
+iXjGosed0dr/sOqhOWx4DC+dy5VubJkFcHTYJ30Xdum7/jRnIvyuRcv6HySJ8YI0
+aAKvaqtL5TneJSt9uQRHL0j6goMq9A4iH2gotASfCxHnRhbIoLr/hld6dqMWzN1r
+vYbaQbceCBdRzohtLD2hbsRydAtG1xJh1AkLpM4wA0CYKkhubLTWQuXpyQPgXY/M
+fL5//b8ZElCh6KXvSEnv
+=bZ8n
 -----END PGP SIGNATURE-----
diff --git a/net-irc/unrealircd/unrealircd-3.2.10-r1.ebuild b/net-irc/unrealircd/unrealircd-3.2.10-r1.ebuild
new file mode 100644
index 000000000000..308c021051af
--- /dev/null
+++ b/net-irc/unrealircd/unrealircd-3.2.10-r1.ebuild
@@ -0,0 +1,209 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-irc/unrealircd/unrealircd-3.2.10-r1.ebuild,v 1.1 2013/03/13 07:24:15 binki Exp $
+
+EAPI=4
+
+inherit eutils ssl-cert versionator multilib user
+
+MY_P=Unreal${PV/_/-}
+
+DESCRIPTION="An advanced Internet Relay Chat daemon"
+HOMEPAGE="http://www.unrealircd.com/"
+SRC_URI="http://www.unrealircd.com/downloads/${MY_P}.tar.gz"
+
+SLOT="0"
+LICENSE="GPL-2"
+KEYWORDS="~amd64 ~ppc ~x86 ~x86-fbsd ~amd64-linux"
+IUSE="curl ipv6 +extban-stacking +operoverride operoverride-verify +prefixaq
+	showlistmodes shunnotices ssl topicisnuhost +usermod zlib"
+
+RDEPEND="ssl? ( dev-libs/openssl )
+	zlib? ( sys-libs/zlib )
+	curl? ( net-misc/curl[ares] )
+	dev-libs/tre
+	>=net-dns/c-ares-1.7"
+DEPEND="${RDEPEND}
+	>=sys-apps/sed-4
+	virtual/pkgconfig"
+
+S=${WORKDIR}/Unreal$(get_version_component_range 1-3)
+
+pkg_setup() {
+	enewuser unrealircd
+}
+
+src_prepare() {
+	# QA check against bundled pkgs
+	rm extras/*.gz || die
+
+	sed -i \
+		-e "s:ircd\.pid:${EPREFIX}/var/run/unrealircd/ircd.pid:" \
+		-e "s:ircd\.log:${EPREFIX}/var/log/unrealircd/ircd.log:" \
+		-e "s:debug\.log:${EPREFIX}/var/log/unrealircd/debug.log:" \
+		-e "s:ircd\.tune:${EPREFIX}/var/lib/unrealircd/ircd.tune:" \
+		include/config.h \
+		|| die "sed failed"
+}
+
+src_configure() {
+	econf \
+		--with-listen=5 \
+		--with-dpath="${EPREFIX}"/etc/unrealircd \
+		--with-spath="${EPREFIX}"/usr/bin/unrealircd \
+		--with-nick-history=2000 \
+		--with-sendq=3000000 \
+		--with-bufferpool=18 \
+		--with-permissions=0600 \
+		--with-fd-setsize=1024 \
+		--with-system-cares \
+		--with-system-tre \
+		--enable-dynamic-linking \
+		$(use_enable curl libcurl "${EPREFIX}"/usr) \
+		$(use_enable ipv6 inet6) \
+		$(use_enable prefixaq) \
+		$(use_enable ssl ssl "${EPREFIX}"/usr) \
+		$(use_enable zlib ziplinks "${EPREFIX}"/usr) \
+		$(use_with showlistmodes) \
+		$(use_with topicisnuhost) \
+		$(use_with shunnotices) \
+		$(use_with !operoverride no-operoverride) \
+		$(use_with operoverride-verify) \
+		$(use_with !usermod disableusermod) \
+		$(use_with !extban-stacking disable-extendedban-stacking)
+}
+
+src_install() {
+	keepdir /var/{lib,log}/unrealircd
+
+	newbin src/ircd unrealircd
+
+	exeinto /usr/$(get_libdir)/unrealircd/modules
+	doexe src/modules/*.so
+
+	dodir /etc/unrealircd
+	dosym /var/lib/unrealircd /etc/unrealircd/tmp
+
+	insinto /etc/unrealircd
+	doins {badwords.*,help,spamfilter,dccallow}.conf
+	newins doc/example.conf unrealircd.conf
+
+	insinto /etc/unrealircd/aliases
+	doins aliases/*.conf
+
+	local so_suffix=so
+	[[ ${CHOST} == -*mingw* ]] && so_suffix=dll
+	sed -i \
+		-e s:src/modules:"${EPREFIX}"/usr/$(get_libdir)/unrealircd/modules: \
+		-e '/loadmodule.*\.'${so_suffix}'/s;^//;;' \
+		-e s:ircd\\.log:"${EPREFIX}"/var/log/unrealircd/ircd.log: \
+		"${ED}"/etc/unrealircd/unrealircd.conf \
+		|| die
+
+	dodoc \
+		Changes Donation Unreal.nfo \
+		ircdcron/{ircd.cron,ircdchk} \
+		|| die "dodoc failed"
+	dohtml doc/*.html
+
+	newinitd "${FILESDIR}"/unrealircd.initd unrealircd
+	newconfd "${FILESDIR}"/unrealircd.confd-r1 unrealircd
+
+	# config should be read-only
+	fperms -R 0640 /etc/unrealircd{,/aliases}
+	fperms 0750 /etc/unrealircd{,/aliases}
+	# state is editable but not owned by unrealircd directly
+	fperms 0770 /var/{lib,log}/unrealircd
+	fowners -R root:unrealircd /{etc,var/{lib,log}}/unrealircd
+}
+
+pkg_preinst() {
+	# Must pre-create directories; otherwise their permissions are lost
+	# on installation.
+
+	# Usage: _unrealircd_dir_permissions <user> <group> <mode> <dir>[, <dir>…]
+	#
+	# Ensure that directories are created with the correct permissions
+	# before portage tries to merge them to the filesystem because,
+	# otherwise, those directories are installed world-readable.
+	#
+	# If this is a first-time install, create those directories with
+	# correct permissions before installing. Otherwise, update
+	# permissions—but only if we are replacing an unrealircd ebuild at
+	# least as old as net-irc/unrealircd-3.2.10. Portage handles normal
+	# file permissions correctly, so no need for recursive
+	# chmoding/chowning.
+	_unrealircd_dir_permissions() {
+		local user=${1} group=${2} mode=${3} dir v
+		shift 3
+		while dir=${1} && shift; do
+			if [[ ! -d "${EROOT}${dir}" ]]; then
+				ebegin "Creating ${EROOT}${dir} with correct permissions"
+				install -d -m "${mode}" -o "${user}" -g "${group}" "${EROOT}${dir}" || die
+				eend ${?}
+			elif ! [[ ${REPLACING_VERSIONS} ]] || for v in ${REPLACING_VERSIONS}; do
+					# If 3.2.10 ≤ ${REPLACING_VERSIONS}, then we update
+					# existing permissions.
+					version_is_at_least "${v}" 3.2.10 && break
+				done; then
+				ebegin "Correcting permissions of ${EROOT}${dir} left by ${CATEGORY}/${PN}-${v}"
+				chmod "${mode}" "${EROOT}${dir}" \
+					&& chown ${user}:${group} "${EROOT}${dir}" \
+					|| die "Unable to correct permissions of ${EROOT}${dir}"
+				eend ${?}
+			fi
+		done
+	}
+
+	# unrealircd only needs to be able to read files in /etc/unrealircd.
+	_unrealircd_dir_permissions root unrealircd 0750 etc/unrealircd{,/aliases}
+
+	# unrealircd needs to be able to create files in /var/lib/unrealircd
+	# and /var/log/unrealircd.
+	_unrealircd_dir_permissions root unrealircd 0770 var/{lib,log}/unrealircd
+}
+
+pkg_postinst() {
+	# Move docert call from scr_install() to install_cert in pkg_postinst for
+	# bug #201682
+	if use ssl ; then
+		if [[ ! -f "${EROOT}"/etc/unrealircd/server.cert.key ]]; then
+			install_cert /etc/unrealircd/server.cert
+			chown unrealircd "${EROOT}"/etc/unrealircd/server.cert.*
+			chmod 0640 "${EROOT}"/etc/unrealircd/server.cert.*
+			ln -snf server.cert.key "${EROOT}"/etc/unrealircd/server.key.pem
+		fi
+	fi
+
+	local unrealircd_conf="${EROOT}"/etc/unrealircd/unrealircd.conf
+	# Fix up the default cloak keys.
+	if grep -qe '"and another one";$' "${unrealircd_conf}" && grep -qe '"aoAr1HnR6gl3sJ7hVz4Zb7x4YwpW";$' "${unrealircd_conf}"; then
+		ebegin "Generating cloak-keys"
+		local keys=(
+			$(unrealircd -k 2>&1 | tail -n 3)
+		)
+		[[ -n ${keys[0]} || -n ${keys[1]} || -n ${keys[2]} ]]
+		eend $?
+
+		ebegin "Substituting cloak-keys into ${unrealircd_conf}"
+		sed -i \
+			-e '/cloak-keys/ {
+n
+s/"aoAr1HnR6gl3sJ7hVz4Zb7x4YwpW";/"'"${keys[0]}"'";/
+n
+s/"and another one";/"'"${keys[1]}"'";/
+n
+s/"and another one";/"'"${keys[2]}"'";/
+}' \
+			"${unrealircd_conf}"
+		eend $?
+	fi
+
+	elog "UnrealIRCd will not run until you've set up /etc/unrealircd/unrealircd.conf"
+	elog
+	elog "You can find example cron scripts here:"
+	elog "   /usr/share/doc/${PF}/ircd.cron.gz"
+	elog "   /usr/share/doc/${PF}/ircdchk.gz"
+	elog
+	elog "You can also use /etc/init.d/unrealircd to start at boot"
+}