diff --git a/.tito/packages/ufdbGuard b/.tito/packages/ufdbGuard
new file mode 100644
index 0000000..520ae83
--- /dev/null
+++ b/.tito/packages/ufdbGuard
@@ -0,0 +1 @@
+1.33.4-CentOS7 ./
diff --git a/ufdbGuard.spec b/ufdbGuard.spec
new file mode 100644
index 0000000..8917c09
--- /dev/null
+++ b/ufdbGuard.spec
@@ -0,0 +1,356 @@
+# ufdbGuard.spec.CentOS7
+
+%global _hardened_build 1
+%global version 1.33.4
+
+# no stripping of the binaries
+%global __os_install_post %{nil}
+%define debug_package %{nil}
+%define __strip /bin/true
+
+### %__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches %{_hardened_cflags} %{_performance_cflags}
+%define __global_cflags -O2 -g -pipe -Wall -grecord-gcc-switches %{_hardened_cflags} %{_performance_cflags}
+
+Name: ufdbGuard
+Version: %{version}
+Release: CentOS7
+Summary: ufdbGuard is a URL filter for Squid
+License: GNU General Public License v2.0 only
+Group: Internet/Proxy
+
+# FHS says no package may have files under /usr/local nor /opt
+# Prefix: /usr/local/ufdbguard
+Prefix: /usr
+
+Provides: ufdbguardd
+Provides: ufdbgclient
+Provides: ufdbhttpd
+Provides: ufdbsignal
+Provides: ufdb-pstack
+Provides: ufdbpeek
+Provides: ufdbGenTable, ufdbConvertDB
+Provides: ufdbUpdate
+Provides: ufdbAnalyse
+Provides: ufdb_analyse_urls, ufdb_analyse_users, ufdb_top_urls, ufdb_top_users
+
+URL: http://www.urlfilterdb.com/
+
+# The sources for many versions of ufdbGuard are on sourceforge.net (Source0)
+# The latest version can also be downloaded from URLfilterDB (Source1)
+Source: https://www.urlfilterdb.com/files/downloads/%{name}-%{version}.tar.gz
+# Source0: http://sourceforge.net/projects/ufdbguard/
+# Source1: http://www.urlfilterdb.com/en/downloads/software_doc.html
+
+# Buildroot: /local/src/ufdbGuard-%{version}
+# Buildroot: .
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
+
+# required packages for ufdbguardd
+Requires: glibc >= 2.17
+Requires: openssl >= 1.0.1e
+Requires: bzip2-libs >= 1.0.6
+Requires: zlib >= 1.2.7
+# required packages for ufdbUpdate
+Requires: wget >= 1.14
+Requires: tar, gzip
+# require packages for ufdb-pstack
+Requires: gdb >= 7.6.1
+Requires: yum-utils >= 1.1.31
+# required packages for installation
+Requires: at
+# required packages for analysis scripts
+Requires: perl
+%global __requires_exclude %{?__requires_exclude}|perl\\(CGI::|perl\\(FCGI::
+# squid is required but may be installed from source and not using an RPM,
+# or ufdbguard is used on a system where squid is not installed.
+# Requires: squid
+# gdb is highly recommended but not a requirement
+# Requires: gdb
+
+Buildrequires: openssl-devel >= 1.0.1e
+Buildrequires: bzip2-devel >= 1.0.6
+Buildrequires: zlib-devel >= 1.2.7
+Buildrequires: make, gcc, bison, flex
+Buildrequires: bind-utils
+
+# TODO: %_initddir is macro for /etc/rc.d/init.d
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(pre): shadow-utils
+
+%description
+ufdbGuard is a free URL filter for Squid with additional features like
+SafeSearch enforcement for a large number of search engines, safer HTTPS
+visits and dynamic detection of proxies (URL filter circumventors).
+
+ufdbGuard supports free and commercial URL databases that can be
+downloaded from various sites and vendors.
+You can also make your own URL database for ufdbGuard.
+
+
+%post
+
+echo >&2
+echo "ufdbGuard is installed." >&2
+echo "See the Reference Manual for further instructions and configuration." >&2
+echo "Seek help at https://www.urlfilterdb.com in case you have a question or an issue." 
>&2 +echo >&2 + +job=`grep ufdbUpdate /var/spool/cron/* 2>/dev/null | grep -v "^#" ` +if [ "$job" = "" ] +then + echo "There is not yet a cron job for ufdbUpdate *****" >&2 + echo >&2 +fi + +# This adds the proper /etc/rc*.d links for the script +/sbin/chkconfig --add ufdb +# +# echo "#!/bin/sh" > /tmp/ufdb.postinstall +# echo "echo Updating debuginfo ..." >> /tmp/ufdb.postinstall +# echo "debuginfo-install -y -q glibc >/dev/null 2>&1" >> /tmp/ufdb.postinstall +# echo "debuginfo-install -y -q zlib >/dev/null 2>&1" >> /tmp/ufdb.postinstall +# echo "debuginfo-install -y -q bzip2 >/dev/null 2>&1" >> /tmp/ufdb.postinstall +# echo "debuginfo-install -y -q openssl >/dev/null 2>&1" >> /tmp/ufdb.postinstall +# chmod +x /tmp/ufdb.postinstall +# # +# echo "The installation of the ufdbGuard package is almost finished." >&2 +# echo "Execute /tmp/ufdb.postinstall to update debuginfo for glibc, zlib, bzip2 and openssl. *****" >&2 +# echo >&2 + +at now + 3min </dev/null 2>&1 +debuginfo-install -y -q zlib >/dev/null 2>&1 +debuginfo-install -y -q bzip2 >/dev/null 2>&1 +debuginfo-install -y -q openssl >/dev/null 2>&1 +EOF + +# +# TODO: run check_dns + +%preun +if [ $1 = 0 ] ; then + /sbin/service ufdb stop >/dev/null 2>&1 + /sbin/chkconfig --del ufdb +fi + + +# for pre-F13: +%clean +[ %{buildroot} != "/" ] && echo rm -rf %{buildroot} + +# ufdbGuard is installed with user ufdb and group ufdb +%pre +# set -x +getent group ufdb >/dev/null || groupadd -r ufdb +getent passwd ufdb >/dev/null || \ +useradd -r -g ufdb -d /var/ufdbguard -M -s /usr/bin/sh \ +-c "ufdbGuard URL filter" ufdb +exit 0 + +%prep +# echo prep in %{buildroot} +# set -x +# TODO %setup -q +%setup -q + +%build +echo build in `pwd` +%configure \ + --with-ufdb-user=ufdb \ + --prefix=/usr \ + --with-ufdb-bindir=/usr/sbin \ + --with-ufdb-piddir=/var/run/ufdbguard \ + --with-ufdb-mandir=/usr/share/man \ + --with-ufdb-images_dir=/var/ufdbguard/images \ + --with-ufdb-logdir=/var/ufdbguard/logs \ + 
 --with-ufdb-samplesdir=/var/ufdbguard/samples \
+ --with-ufdb-config=/etc/ufdbguard \
+ --with-ufdb-dbhome=/var/ufdbguard/blacklists
+
+%{__make} %{?_smp_mflags}
+
+%install
+# echo install
+# env
+[ %{buildroot} != "/" ] && rm -rf %{buildroot}
+%{__make} DESTDIR=%{buildroot} mkdirsredhatcentos install
+# the install makes a backup of the conf file that we do not want in the package
+rm -f %{buildroot}/etc/ufdbguard/ufdbGuard.conf.pre-v1.*
+
+# echo
+# echo "The configuration file of ufdbGuard is /etc/ufdbguard/ufdbGuard.conf"
+# echo "The system configuration file for the ufdbGuard Software Suite is /etc/sysconfig/ufdbguard"
+
+# ufdbsignal is suid-root since it must be able to send a signal to ufdbguardd.
+# ufdbsignal is a very simple program which checks the uid to see if the user is permitted to send a signal.
+# ufdbsignal reads the pid from /var/run/ufdbguardd/ufdbguardd.pid.
+
+%verifyscript
+
+if [ ! -f /etc/sysconfig/ufdbguard ]
+then
+ echo "/etc/sysconfig/ufdbguard does not exist." >&2
+else
+ eval `grep "^DOWNLOAD_USER=" /etc/sysconfig/ufdbguard`
+ if [ "$DOWNLOAD_USER" = "" ]
+ then
+ echo "The username for periodical downloads of the URL database is not set." >&2
+ echo "Edit /etc/sysconfig/ufdbguard and set DOWNLOAD_USER and DOWNLOAD_PASSWORD." >&2
+ else
+ echo "DOWNLOAD_USER is set to $DOWNLOAD_USER in /etc/sysconfig/ufdbguard"
+ fi
+fi
+
+if [ ! -f /etc/ufdbguard/ufdbGuard.conf ]
+then
+ echo "/etc/ufdbguard/ufdbGuard.conf does not exist."
+else
+ set -- `grep ^dbhome /etc/ufdbguard/ufdbGuard.conf`
+ # must get rid of quotes or else "if [ ! -d $DBDIR ]" fails :-(
+ DBDIR=`echo ${2:-notset} | sed -e 's,",,g' `
+ if [ $DBDIR = notset ]
+ then
+ DBDIR=/var/ufdbguard/blacklists
+ echo "/etc/ufdbguard/ufdbGuard.conf: dbhome is not set" >&2
+ echo "Using default value for dbhome: $DBDIR" >&2
+ fi
+ if [ ! -d $DBDIR ]
+ then
+ echo "/etc/ufdbguard/ufdbGuard.conf: dbhome $DBDIR: directory does not exist" >&2
+ else
+ if [ ! -d $DBDIR/adult -o ! 
-d $DBDIR/checked ]
+ then
+ echo "/etc/ufdbguard/ufdbGuard.conf: dbhome $DBDIR:" >&2
+ echo "The directory for the URL database does not contain subdirectories for adult and/or checked." >&2
+ echo "This means that the URL database of URLfilterDB is not used." >&2
+ echo "If you intend to use the URL database of URLfilterDB, make sure that " >&2
+ echo "\"ufdbUpdate [-v]\" runs without errors to download the URL database." >&2
+ echo "See the Reference Manual for more information." >&2
+ fi
+ fi
+fi
+
+exit 0
+
+
+%postun
+
+job=`grep ufdbUpdate /var/spool/cron/* 2>/dev/null | grep -v "^#" `
+if [ "$job" != "" ]
+then
+ echo "Note: there is still a cron job for ufdbUpdate." >&2
+fi
+
+exit 0
+
+
+# %config
+# /etc/sysconfig/ufdbguard
+# /etc/ufdbguard/ufdbGuard.conf
+
+%files
+%defattr(-,root,root,-)
+/etc/init.d/ufdb
+%config(noreplace) %attr(-,ufdb,ufdb) /etc/sysconfig/ufdbguard
+%config(noreplace) %attr(-,ufdb,ufdb) /etc/ufdbguard/ufdbGuard.conf
+/var/ufdbguard/images/default.flv
+/var/ufdbguard/images/default.mp3
+/var/ufdbguard/images/default.mpeg
+/var/ufdbguard/images/default.wmv
+/var/ufdbguard/images/forbidden-normal-de.png
+/var/ufdbguard/images/forbidden-normal-en.png
+/var/ufdbguard/images/forbidden-normal-es.png
+/var/ufdbguard/images/forbidden-normal-fr.png
+/var/ufdbguard/images/forbidden-normal-it.png
+/var/ufdbguard/images/forbidden-normal-nl.png
+/var/ufdbguard/images/forbidden-normal-pl.png
+/var/ufdbguard/images/forbidden-normal-pt.png
+/var/ufdbguard/images/forbidden-normal-sv.png
+/var/ufdbguard/images/forbidden-normal-tr.png
+/var/ufdbguard/images/no-ads.png
+/var/ufdbguard/images/smallcross.png
+/var/ufdbguard/images/square.png
+/var/ufdbguard/images/transparent.png
+/var/ufdbguard/samples/execdomainlist.sh
+/var/ufdbguard/samples/execuserlist.sh
+/var/ufdbguard/samples/URLblocked.cgi
+/usr/sbin/ufdb-pstack
+/usr/sbin/ufdbAnalyse
+/usr/sbin/ufdbConvertDB
+/usr/sbin/ufdbGenTable
+/usr/sbin/ufdbUpdate
+/usr/sbin/ufdb_analyse_urls
+/usr/sbin/ufdb_analyse_users
+/usr/sbin/ufdb_top_urls
+/usr/sbin/ufdb_top_users
+/usr/sbin/ufdbgclient
+/usr/sbin/ufdbguardd
+/usr/sbin/ufdbhttpd
+%attr(4755,root,root) /usr/sbin/ufdbsignal
+/usr/share/man/man1/ufdb_analyse_urls.1
+/usr/share/man/man1/ufdb_analyse_users.1
+/usr/share/man/man1/ufdb_top_urls.1
+/usr/share/man/man1/ufdb_top_users.1
+/usr/share/man/man1/ufdbAnalyse.1
+/usr/share/man/man8/ufdbgclient.8
+/usr/share/man/man8/ufdbguardd.8
+/usr/share/man/man8/ufdbhttpd.8
+/usr/share/man/man8/ufdbupdate.8
+%dir %attr(-,ufdb,ufdb) /var/ufdbguard/blacklists
+%dir %attr(-,ufdb,ufdb) /var/ufdbguard/blacklists/security
+# The cacerts get updated by ufdbUpdate:
+%verify(not md5 size mtime) %attr(644,ufdb,ufdb) /var/ufdbguard/blacklists/security/cacerts
+# log files go to /var/ufdbguard/logs
+%dir %attr(-,ufdb,ufdb) /var/ufdbguard/logs
+# pid files go to /var/run/ufdbguard
+%dir %attr(755,ufdb,ufdb) /var/run/ufdbguard
+
+%doc README CHANGELOG
+# TODO
+
+%changelog
+* Tue Feb 20 2018 Daniel Berteaud 1.33.4-CentOS7
+- new package built with tito
+
+* Thu Sep 21 2017 Marcus Kool - 1.33.4
+Fix: URLs with very long domainnames may cause a crash if the URL is not in the URL database
+Fix: ufdbguardd did not obey 'continue' inside a source
+Fix: the logfile did not not contain "PASS URL" for all allowed URLs
+Fix: suppress another warning by ufdbGenTable if the -q option is used
+Fix: execuserlist with large arguments cannot be cached
+Fix: ufdbguardd sometimes does not use the correct source for its decision
+Fix: in-addr also matched URLs without an IP address
+Configuration: the option squid-uses-active-bumping was missing in the default configuration file
+
+* Tue Jun 6 2017 Marcus Kool - 1.33.3
+Fix: ufdbgclient truncates Squid request lines to 8K which means that very long URLs cannot be filtered
+Fix: ufdbGenTable erroneously warned about URLs inside a comment
+Fix: make ufdbGuard compile on FreeBSD
+Fix: when evaluate-and IPv4/6 is used in a source definition, 
the source may not matched
+Fix: ufdbguardd did not accept the IPv6 address '::'
+Enhancement: several warnings for IPv4 and IPv6 addresses inside a source were implemented
+
+* Wed May 23 2017 Marcus Kool - 1.33.2
+Fix: ufdbguardd may incorrectly abort with a fatal error cannot-get-rwlock-for-database-refresh-after-many-attempts
+Fix: safesearch did not work in 2 out of 3 cases
+Fix: ufdbguard did not compile on FreeBSD.
+Fix: crash due to stack overwrite in uploadStatistics/logStatistics
+Documentation: added use-ipv6-on-wan option to Reference Manual
+
+* Wed Mar 15 2017 Marcus Kool - 1.33.1
+Enhancement: IPv6 support for sources with new keywords ipv6 and ipv6list
+Enhancement: detect certificates of ucweb.com and uc.cn of the ucweb browser that circumvents URL filters
+Enhancement: ufdbgclient has new -m parameter to use multithreading and improve performance
+Enhancement: make ufdbguardd.pid world-readable
+Enhancement: allow UTF8 characters in URLs
+Enhancement: new keyword ufdb-log-url-details controls if URLs in the log file have parameters or not
+Fix: on the ARM platform generated URL tables were corrupt
+Fix: implicitly allowed URLs were logged with category "any" instead of the correct category ID
+Fix: prevent false positives with Tor proxy detection on port 443
+Fix: failed probes for :443 were not properly cached and resulted in too many probes for IP
+Fix: when reverse IP lookups are used, the URL category was not logged correctly (was logged as "any")
+Fix: ufdbGenTable uses less memory
+Fix: the feature "block-bumped-connect on" never blocked a CONNECT request
+
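Review bot: In `%verifyscript` the output of `grep "^DOWNLOAD_USER=" /etc/sysconfig/ufdbguard` is passed to `eval`, and `%files` packages that file as `%attr(-,ufdb,ufdb)`, so whatever the ufdb service account can write on that line is interpreted as shell code by whoever runs `rpm -V`, normally root. Read the value as data instead, for example `DOWNLOAD_USER=$(sed -n 's/^DOWNLOAD_USER=//p' /etc/sysconfig/ufdbguard | head -n 1 | tr -d "\"'")`, and consider shipping both config files root-owned with group read for ufdb if the daemon does not need to write them. Separately, the `%define __global_cflags` line near the top drops `-Wp,-D_FORTIFY_SOURCE=2` and `-fstack-protector-strong`, which survive only in the `###` comment above it, although `_hardened_build` is set and the changelog in this same file records a crash due to a stack overwrite. Restoring those flags, or adding a comment that explains why they are disabled for this package, would make the hardening state of the daemon and of the setuid `ufdbsignal` binary explicit.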