# ufdbGuard.spec.CentOS7 %global _hardened_build 1 %global version 1.34.5 # no stripping of the binaries %global __os_install_post %{nil} %define debug_package %{nil} %define __strip /bin/true ### %__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches %{_hardened_cflags} %{_performance_cflags} %define __global_cflags -O2 -g -pipe -Wall -grecord-gcc-switches %{_hardened_cflags} %{_performance_cflags} Name: ufdbGuard Version: 1.34.5 Release: 1%{?dist} Summary: ufdbGuard is a URL filter for Squid License: GNU General Public License v2.0 only Group: Internet/Proxy # FHS says no package may have files under /usr/local nor /opt # Prefix: /usr/local/ufdbguard Prefix: /usr Provides: ufdbguardd Provides: ufdbgclient Provides: ufdbhttpd Provides: ufdbsignal Provides: ufdb-pstack Provides: ufdbpeek Provides: ufdbGenTable, ufdbConvertDB Provides: ufdbUpdate Provides: ufdbDLstatus Provides: ufdbAnalyse Provides: ufdb_analyse_urls, ufdb_analyse_users, ufdb_top_urls, ufdb_top_users URL: http://www.urlfilterdb.com/ # The sources for many versions of ufdbGuard are on sourceforge.net (Source0) # The latest version can also be downloaded from URLfilterDB (Source1) Source: https://www.urlfilterdb.com/files/downloads/%{name}-%{version}.tar.gz # Source0: http://sourceforge.net/projects/ufdbguard/ # Source1: http://www.urlfilterdb.com/en/downloads/software_doc.html # Buildroot: /local/src/ufdbGuard-%{version} # Buildroot: . BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n) # required packages for ufdbguardd Requires: glibc >= 2.17 Requires: openssl >= 1.0.2k Requires: bzip2-libs >= 1.0.6 Requires: zlib >= 1.2.7 # required packages for ufdbUpdate Requires: wget >= 1.14 Requires: tar, gzip # require packages for ufdb-pstack Requires: gdb >= 7.6.1 # Requires: yum-utils >= 1.1.31 # required packages for installation # Requires: at # required packages for analysis scripts Requires: perl %global __requires_exclude %{?__requires_exclude}|perl\\(CGI::|perl\\(FCGI:: # squid is required but may be installed from source and not using an RPM, # or ufdbguard is used on a system where squid is not installed. # Requires: squid Buildrequires: openssl-devel >= 1.0.2k Buildrequires: bzip2-devel >= 1.0.6 Buildrequires: zlib-devel >= 1.2.7 Buildrequires: make, gcc, bison, flex Buildrequires: bind-utils # TODO: %_initddir is macro for /etc/rc.d/init.d Requires(post): chkconfig Requires(preun): chkconfig Requires(preun): initscripts Requires(pre): shadow-utils %description ufdbGuard is a free URL filter for Squid with additional features like SafeSearch enforcement for a large number of search engines, safer HTTPS visits and dynamic detection of proxies (URL filter circumventors). ufdbGuard supports free and commercial URL databases that can be downloaded from various sites and vendors. You can also make your own URL database for ufdbGuard. %post echo >&2 echo "ufdbGuard is installed." >&2 echo "See the Reference Manual for further instructions and configuration." >&2 echo "Seek help at https://www.urlfilterdb.com in case you have a question or an issue." >&2 echo >&2 job=`grep ufdbUpdate /var/spool/cron/* 2>/dev/null | grep -v "^#" ` if [ "$job" = "" ] then echo "There is not yet a cron job for ufdbUpdate *****" >&2 echo >&2 fi # This adds the proper /etc/rc*.d links for the script /sbin/chkconfig --add ufdb # # echo "#!/bin/sh" > /tmp/ufdb.postinstall # echo "echo Updating debuginfo ..." >> /tmp/ufdb.postinstall # echo "debuginfo-install -y -q glibc >/dev/null 2>&1" >> /tmp/ufdb.postinstall # echo "debuginfo-install -y -q zlib >/dev/null 2>&1" >> /tmp/ufdb.postinstall # echo "debuginfo-install -y -q bzip2 >/dev/null 2>&1" >> /tmp/ufdb.postinstall # echo "debuginfo-install -y -q openssl >/dev/null 2>&1" >> /tmp/ufdb.postinstall # chmod +x /tmp/ufdb.postinstall # # # echo "The installation of the ufdbGuard package is almost finished." >&2 # echo "Execute /tmp/ufdb.postinstall to update debuginfo for glibc, zlib, bzip2 and openssl. *****" >&2 # echo >&2 /usr/bin/sh >/tmp/ufdbguardd.postinstall.log 2>&1 </dev/null 2>&1 debuginfo-install -y -q zlib >/dev/null 2>&1 debuginfo-install -y -q bzip2 >/dev/null 2>&1 debuginfo-install -y -q openssl >/dev/null 2>&1 EOF # # TODO: run check_dns %preun if [ $1 = 0 ] ; then /sbin/service ufdb stop >/dev/null 2>&1 /sbin/chkconfig --del ufdb fi # for pre-F13: %clean [ %{buildroot} != "/" ] && echo rm -rf %{buildroot} # ufdbGuard is installed with user ufdb and group ufdb %pre # set -x getent group ufdb >/dev/null || groupadd -r ufdb getent passwd ufdb >/dev/null || \ useradd -r -g ufdb -d /var/ufdbguard -M -s /usr/bin/sh \ -c "ufdbGuard URL filter" ufdb exit 0 %prep # echo prep in %{buildroot} # set -x # TODO %setup -q %setup -q %build echo build in `pwd` %configure \ --with-ufdb-user=ufdb \ --prefix=/usr \ --with-ufdb-bindir=/usr/sbin \ --with-ufdb-piddir=/var/run/ufdbguard \ --with-ufdb-mandir=/usr/share/man \ --with-ufdb-images_dir=/var/ufdbguard/images \ --with-ufdb-logdir=/var/ufdbguard/logs \ --with-ufdb-samplesdir=/var/ufdbguard/samples \ --with-ufdb-config=/etc/ufdbguard \ --with-ufdb-dbhome=/var/ufdbguard/blacklists %{__make} %{?_smp_mflags} %install # echo install # env [ %{buildroot} != "/" ] && rm -rf %{buildroot} %{__make} DESTDIR=%{buildroot} mkdirsredhatcentos install # the install makes a backup of the conf file that we do not want in the package rm -f %{buildroot}/etc/ufdbguard/ufdbGuard.conf.pre-v1.* # echo # echo "The configuration file of ufdbGuard is /etc/ufdbguard/ufdbGuard.conf" # echo "The system configuration file for the ufdbGuard Software Suite is /etc/sysconfig/ufdbguard" # ufdbsignal is suid-root since it must be able to send a signal to ufdbguardd. # ufdbsignal is a very simple program which checks the uid to see if the user is permitted to send a signal. # ufdbsignal reads the pid from /var/run/ufdbguardd/ufdbguardd.pid. %verifyscript if [ ! -f /etc/sysconfig/ufdbguard ] then echo "/etc/sysconfig/ufdbguard does not exist." >&2 else eval `grep "^DOWNLOAD_USER=" /etc/sysconfig/ufdbguard` if [ "$DOWNLOAD_USER" = "" ] then echo "The username for periodical downloads of the URL database is not set." >&2 echo "Edit /etc/sysconfig/ufdbguard and set DOWNLOAD_USER and DOWNLOAD_PASSWORD." >&2 else echo "DOWNLOAD_USER is set to $DOWNLOAD_USER in /etc/sysconfig/ufdbguard" fi fi if [ ! -f /etc/ufdbguard/ufdbGuard.conf ] then echo "/etc/ufdbguard/ufdbGuard.conf does not exist." else set -- `grep ^dbhome /etc/ufdbguard/ufdbGuard.conf` # must get rid of quotes or else "if [ ! -d $DBDIR ]" fails :-( DBDIR=`echo ${2:-notset} | sed -e 's,",,g' ` if [ $DBDIR = notset ] then DBDIR=/var/ufdbguard/blacklists echo "/etc/ufdbguard/ufdbGuard.conf: dbhome is not set" >&2 echo "Using default value for dbhome: $DBDIR" >&2 fi if [ ! -d $DBDIR ] then echo "/etc/ufdbguard/ufdbGuard.conf: dbhome $DBDIR: directory does not exist" >&2 else if [ ! -d $DBDIR/adult -o ! -d $DBDIR/checked ] then echo "/etc/ufdbguard/ufdbGuard.conf: dbhome $DBDIR:" >&2 echo "The directory for the URL database does not contain subdirectories for adult and/or checked." >&2 echo "This means that the URL database of URLfilterDB is not used." >&2 echo "If you intend to use the URL database of URLfilterDB, make sure that " >&2 echo "\"ufdbUpdate [-v]\" runs without errors to download the URL database." >&2 echo "See the Reference Manual for more information." >&2 fi fi fi exit 0 %postun job=`grep ufdbUpdate /var/spool/cron/* 2>/dev/null | grep -v "^#" ` if [ "$job" != "" ] then echo "Note: there is still a cron job for ufdbUpdate." >&2 fi exit 0 # %config # /etc/sysconfig/ufdbguard # /etc/ufdbguard/ufdbGuard.conf %files %defattr(-,root,root,-) /etc/init.d/ufdb %config(noreplace) %attr(-,ufdb,ufdb) /etc/sysconfig/ufdbguard %config(noreplace) %attr(-,ufdb,ufdb) /etc/ufdbguard/ufdbGuard.conf /var/ufdbguard/images/default.flv /var/ufdbguard/images/default.mp3 /var/ufdbguard/images/default.mpeg /var/ufdbguard/images/default.wmv /var/ufdbguard/images/forbidden-normal-de.png /var/ufdbguard/images/forbidden-normal-en.png /var/ufdbguard/images/forbidden-normal-es.png /var/ufdbguard/images/forbidden-normal-fr.png /var/ufdbguard/images/forbidden-normal-it.png /var/ufdbguard/images/forbidden-normal-nl.png /var/ufdbguard/images/forbidden-normal-pl.png /var/ufdbguard/images/forbidden-normal-pt.png /var/ufdbguard/images/forbidden-normal-sv.png /var/ufdbguard/images/forbidden-normal-tr.png /var/ufdbguard/images/no-ads.png /var/ufdbguard/images/smallcross.png /var/ufdbguard/images/square.png /var/ufdbguard/images/transparent.png /var/ufdbguard/samples/execdomainlist.sh /var/ufdbguard/samples/execuserlist.sh /var/ufdbguard/samples/URLblocked.cgi /usr/sbin/ufdb-pstack /usr/sbin/ufdbAnalyse /usr/sbin/ufdbConvertDB /usr/sbin/ufdbGenTable /usr/sbin/ufdbUpdate /usr/sbin/ufdbDLstatus /usr/sbin/ufdb_analyse_urls /usr/sbin/ufdb_analyse_users /usr/sbin/ufdb_top_urls /usr/sbin/ufdb_top_users /usr/sbin/ufdbgclient /usr/sbin/ufdbguardd /usr/sbin/ufdbhttpd %attr(4755,root,root) /usr/sbin/ufdbsignal /usr/share/man/man1/ufdb_analyse_urls.1 /usr/share/man/man1/ufdb_analyse_users.1 /usr/share/man/man1/ufdb_top_urls.1 /usr/share/man/man1/ufdb_top_users.1 /usr/share/man/man1/ufdbAnalyse.1 /usr/share/man/man8/ufdbgclient.8 /usr/share/man/man8/ufdbguardd.8 /usr/share/man/man8/ufdbhttpd.8 /usr/share/man/man8/ufdbupdate.8 %dir %attr(-,ufdb,ufdb) /var/ufdbguard/blacklists %dir %attr(-,ufdb,ufdb) /var/ufdbguard/blacklists/security # The cacerts get updated by ufdbUpdate: %verify(not md5 size mtime) %attr(644,ufdb,ufdb) /var/ufdbguard/blacklists/security/cacerts # log files go to /var/ufdbguard/logs %dir %attr(-,ufdb,ufdb) /var/ufdbguard/logs # pid files go to /var/run/ufdbguard %dir %attr(755,ufdb,ufdb) /var/run/ufdbguard %doc README CHANGELOG # TODO %changelog * Wed May 15 2019 Daniel Berteaud 1.34.3-1 - Update to 1.34.3 (daniel@firewall-services.com) * Wed Mar 06 2019 Daniel Berteaud 1.34.2-1 - Update to 1.34.2 (daniel@firewall-services.com) * Mon Feb 11 2019 Daniel Berteaud 1.34.1-1 - Update to 1.34.1 (daniel@firewall-services.com) * Tue Nov 27 2018 Daniel Berteaud 1.33.8-2 - Update to 1.33.8 (daniel@firewall-services.com) - Update tito config to use GitLfsBuilder (daniel@firewall-services.com) - Track sources with git lfs (daniel@firewall-services.com) * Tue Aug 21 2018 Daniel Berteaud 1.33.7-1 - Update to 1.33.7 * Mon Jul 23 2018 Daniel Berteaud 1.33.6-1 - git-annex in dani@germaine.lapiole.org:~/big/e-smith/files/users/dani/src/ufdbGuard (daniel@firewall-services.com) * Mon Jul 23 2018 Daniel Berteaud 1.33.6-1 - Update to 1.33.6 * Fri May 25 2018 Daniel Berteaud 1.33.6rc2-0.beta1 - Update to 1.33.6rc2 * Thu May 24 2018 Daniel Berteaud 1.33.6rc1-0.beta1 - update to 1.33.6rc1 * Wed May 09 2018 Daniel Berteaud 1.33.5-1 - git-annex in dani@germaine.lapiole.org:~/big/e-smith/files/users/dani/src/ufdbGuard (daniel@firewall-services.com) * Thu Apr 19 2018 Marcus Kool - 1.33.5 Fix: ufdbguardd may crash during a database refresh Fix: empty pass statements in acls may cause a crash. Fix: SSH tunnels were detected but access was not blocked Fix: sometimes the SSL/TLS certificate was not checked to be signed by a CA Fix: skip acls with "pass any" if the source has the continue flag set * Thu Sep 21 2017 Marcus Kool - 1.33.4 Fix: URLs with very long domainnames may cause a crash if the URL is not in the URL database Fix: ufdbguardd did not obey 'continue' inside a source Fix: the logfile did not not contain "PASS URL" for all allowed URLs Fix: suppress another warning by ufdbGenTable if the -q option is used Fix: execuserlist with large arguments cannot be cached Fix: ufdbguardd sometimes does not use the correct source for its decision Fix: in-addr also matched URLs without an IP address Configuration: the option squid-uses-active-bumping was missing in the default configuration file * Tue Jun 6 2017 Marcus Kool - 1.33.3 Fix: ufdbgclient truncates Squid request lines to 8K which means that very long URLs cannot be filtered Fix: ufdbGenTable erroneously warned about URLs inside a comment Fix: make ufdbGuard compile on FreeBSD Fix: when evaluate-and IPv4/6 is used in a source definition, the source may not matched Fix: ufdbguardd did not accept the IPv6 address '::' Enhancement: several warnings for IPv4 and IPv6 addresses inside a source were implemented * Tue May 23 2017 Marcus Kool - 1.33.2 Fix: ufdbguardd may incorrectly abort with a fatal error cannot-get-rwlock-for-database-refresh-after-many-attempts Fix: safesearch did not work in 2 out of 3 cases Fix: ufdbguard did not compile on FreeBSD. Fix: crash due to stack overwrite in uploadStatistics/logStatistics Documentation: added use-ipv6-on-wan option to Reference Manual * Wed Mar 15 2017 Marcus Kool - 1.33.1 Enhancement: IPv6 support for sources with new keywords ipv6 and ipv6list Enhancement: detect certificates of ucweb.com and uc.cn of the ucweb browser that circumvents URL filters Enhancement: ufdbgclient has new -m parameter to use multithreading and improve performance Enhancement: make ufdbguardd.pid world-readable Enhancement: allow UTF8 characters in URLs Enhancement: new keyword ufdb-log-url-details controls if URLs in the log file have parameters or not Fix: on the ARM platform generated URL tables were corrupt Fix: implicitly allowed URLs were logged with category "any" instead of the correct category ID Fix: prevent false positives with Tor proxy detection on port 443 Fix: failed probes for :443 were not properly cached and resulted in too many probes for IP Fix: when reverse IP lookups are used, the URL category was not logged correctly (was logged as "any") Fix: ufdbGenTable uses less memory Fix: the feature "block-bumped-connect on" never blocked a CONNECT request