You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
369 lines
13 KiB
369 lines
13 KiB
# ufdbGuard.spec.CentOS7
|
|
|
|
%global _hardened_build 1
|
|
%global version 1.33.5
|
|
|
|
# no stripping of the binaries
|
|
%global __os_install_post %{nil}
|
|
%define debug_package %{nil}
|
|
%define __strip /bin/true
|
|
|
|
### %__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches %{_hardened_cflags} %{_performance_cflags}
|
|
%define __global_cflags -O2 -g -pipe -Wall -grecord-gcc-switches %{_hardened_cflags} %{_performance_cflags}
|
|
|
|
Name: ufdbGuard
|
|
Version: 1.33.6rc2
|
|
Release: 0.beta1%{?dist}
|
|
Summary: ufdbGuard is a URL filter for Squid
|
|
License: GNU General Public License v2.0 only
|
|
Group: Internet/Proxy
|
|
|
|
# FHS says no package may have files under /usr/local nor /opt
|
|
# Prefix: /usr/local/ufdbguard
|
|
Prefix: /usr
|
|
|
|
Provides: ufdbguardd
|
|
Provides: ufdbgclient
|
|
Provides: ufdbhttpd
|
|
Provides: ufdbsignal
|
|
Provides: ufdb-pstack
|
|
Provides: ufdbpeek
|
|
Provides: ufdbGenTable, ufdbConvertDB
|
|
Provides: ufdbUpdate
|
|
Provides: ufdbAnalyse
|
|
Provides: ufdb_analyse_urls, ufdb_analyse_users, ufdb_top_urls, ufdb_top_users
|
|
|
|
URL: http://www.urlfilterdb.com/
|
|
|
|
# The sources for many versions of ufdbGuard are on sourceforge.net (Source0)
|
|
# The latest version can also be downloaded from URLfilterDB (Source1)
|
|
Source: https://www.urlfilterdb.com/files/downloads/%{name}-%{version}.tar.gz
|
|
# Source0: http://sourceforge.net/projects/ufdbguard/
|
|
# Source1: http://www.urlfilterdb.com/en/downloads/software_doc.html
|
|
|
|
# Buildroot: /local/src/ufdbGuard-%{version}
|
|
# Buildroot: .
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
|
|
|
|
# required packages for ufdbguardd
|
|
Requires: glibc >= 2.17
|
|
Requires: openssl >= 1.0.1e
|
|
Requires: bzip2-libs >= 1.0.6
|
|
Requires: zlib >= 1.2.7
|
|
# required packages for ufdbUpdate
|
|
Requires: wget >= 1.14
|
|
Requires: tar, gzip
|
|
# require packages for ufdb-pstack
|
|
Requires: gdb >= 7.6.1
|
|
# Requires: yum-utils >= 1.1.31
|
|
# required packages for installation
|
|
# Requires: at
|
|
# required packages for analysis scripts
|
|
Requires: perl
|
|
%global __requires_exclude %{?__requires_exclude}|perl\\(CGI::|perl\\(FCGI::
|
|
# squid is required but may be installed from source and not using an RPM,
|
|
# or ufdbguard is used on a system where squid is not installed.
|
|
# Requires: squid
|
|
|
|
Buildrequires: openssl-devel >= 1.0.1e
|
|
Buildrequires: bzip2-devel >= 1.0.6
|
|
Buildrequires: zlib-devel >= 1.2.7
|
|
Buildrequires: make, gcc, bison, flex
|
|
Buildrequires: bind-utils
|
|
|
|
# TODO: %_initddir is macro for /etc/rc.d/init.d
|
|
Requires(post): chkconfig
|
|
Requires(preun): chkconfig
|
|
Requires(preun): initscripts
|
|
Requires(pre): shadow-utils
|
|
|
|
%description
|
|
ufdbGuard is a free URL filter for Squid with additional features like
|
|
SafeSearch enforcement for a large number of search engines, safer HTTPS
|
|
visits and dynamic detection of proxies (URL filter circumventors).
|
|
|
|
ufdbGuard supports free and commercial URL databases that can be
|
|
downloaded from various sites and vendors.
|
|
You can also make your own URL database for ufdbGuard.
|
|
|
|
|
|
%post
|
|
|
|
echo >&2
|
|
echo "ufdbGuard is installed." >&2
|
|
echo "See the Reference Manual for further instructions and configuration." >&2
|
|
echo "Seek help at https://www.urlfilterdb.com in case you have a question or an issue." >&2
|
|
echo >&2
|
|
|
|
job=`grep ufdbUpdate /var/spool/cron/* 2>/dev/null | grep -v "^#" `
|
|
if [ "$job" = "" ]
|
|
then
|
|
echo "There is not yet a cron job for ufdbUpdate *****" >&2
|
|
echo >&2
|
|
fi
|
|
|
|
# This adds the proper /etc/rc*.d links for the script
|
|
/sbin/chkconfig --add ufdb
|
|
#
|
|
# echo "#!/bin/sh" > /tmp/ufdb.postinstall
|
|
# echo "echo Updating debuginfo ..." >> /tmp/ufdb.postinstall
|
|
# echo "debuginfo-install -y -q glibc >/dev/null 2>&1" >> /tmp/ufdb.postinstall
|
|
# echo "debuginfo-install -y -q zlib >/dev/null 2>&1" >> /tmp/ufdb.postinstall
|
|
# echo "debuginfo-install -y -q bzip2 >/dev/null 2>&1" >> /tmp/ufdb.postinstall
|
|
# echo "debuginfo-install -y -q openssl >/dev/null 2>&1" >> /tmp/ufdb.postinstall
|
|
# chmod +x /tmp/ufdb.postinstall
|
|
# #
|
|
# echo "The installation of the ufdbGuard package is almost finished." >&2
|
|
# echo "Execute /tmp/ufdb.postinstall to update debuginfo for glibc, zlib, bzip2 and openssl. *****" >&2
|
|
# echo >&2
|
|
|
|
/usr/bin/sh >/tmp/ufdbguardd.postinstall.log 2>&1 <<EOF &
|
|
sleep 180
|
|
debuginfo-install -y -q glibc >/dev/null 2>&1
|
|
debuginfo-install -y -q zlib >/dev/null 2>&1
|
|
debuginfo-install -y -q bzip2 >/dev/null 2>&1
|
|
debuginfo-install -y -q openssl >/dev/null 2>&1
|
|
EOF
|
|
|
|
#
|
|
# TODO: run check_dns
|
|
|
|
%preun
|
|
if [ $1 = 0 ] ; then
|
|
/sbin/service ufdb stop >/dev/null 2>&1
|
|
/sbin/chkconfig --del ufdb
|
|
fi
|
|
|
|
|
|
# for pre-F13:
|
|
%clean
|
|
[ %{buildroot} != "/" ] && echo rm -rf %{buildroot}
|
|
|
|
# ufdbGuard is installed with user ufdb and group ufdb
|
|
%pre
|
|
# set -x
|
|
getent group ufdb >/dev/null || groupadd -r ufdb
|
|
getent passwd ufdb >/dev/null || \
|
|
useradd -r -g ufdb -d /var/ufdbguard -M -s /usr/bin/sh \
|
|
-c "ufdbGuard URL filter" ufdb
|
|
exit 0
|
|
|
|
%prep
|
|
# echo prep in %{buildroot}
|
|
# set -x
|
|
# TODO %setup -q
|
|
%setup -q
|
|
|
|
%build
|
|
echo build in `pwd`
|
|
%configure \
|
|
--with-ufdb-user=ufdb \
|
|
--prefix=/usr \
|
|
--with-ufdb-bindir=/usr/sbin \
|
|
--with-ufdb-piddir=/var/run/ufdbguard \
|
|
--with-ufdb-mandir=/usr/share/man \
|
|
--with-ufdb-images_dir=/var/ufdbguard/images \
|
|
--with-ufdb-logdir=/var/ufdbguard/logs \
|
|
--with-ufdb-samplesdir=/var/ufdbguard/samples \
|
|
--with-ufdb-config=/etc/ufdbguard \
|
|
--with-ufdb-dbhome=/var/ufdbguard/blacklists
|
|
|
|
%{__make} %{?_smp_mflags}
|
|
|
|
%install
|
|
# echo install
|
|
# env
|
|
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
|
|
%{__make} DESTDIR=%{buildroot} mkdirsredhatcentos install
|
|
# the install makes a backup of the conf file that we do not want in the package
|
|
rm -f %{buildroot}/etc/ufdbguard/ufdbGuard.conf.pre-v1.*
|
|
|
|
# echo
|
|
# echo "The configuration file of ufdbGuard is /etc/ufdbguard/ufdbGuard.conf"
|
|
# echo "The system configuration file for the ufdbGuard Software Suite is /etc/sysconfig/ufdbguard"
|
|
|
|
# ufdbsignal is suid-root since it must be able to send a signal to ufdbguardd.
|
|
# ufdbsignal is a very simple program which checks the uid to see if the user is permitted to send a signal.
|
|
# ufdbsignal reads the pid from /var/run/ufdbguardd/ufdbguardd.pid.
|
|
|
|
%verifyscript
|
|
|
|
if [ ! -f /etc/sysconfig/ufdbguard ]
|
|
then
|
|
echo "/etc/sysconfig/ufdbguard does not exist." >&2
|
|
else
|
|
eval `grep "^DOWNLOAD_USER=" /etc/sysconfig/ufdbguard`
|
|
if [ "$DOWNLOAD_USER" = "" ]
|
|
then
|
|
echo "The username for periodical downloads of the URL database is not set." >&2
|
|
echo "Edit /etc/sysconfig/ufdbguard and set DOWNLOAD_USER and DOWNLOAD_PASSWORD." >&2
|
|
else
|
|
echo "DOWNLOAD_USER is set to $DOWNLOAD_USER in /etc/sysconfig/ufdbguard"
|
|
fi
|
|
fi
|
|
|
|
if [ ! -f /etc/ufdbguard/ufdbGuard.conf ]
|
|
then
|
|
echo "/etc/ufdbguard/ufdbGuard.conf does not exist."
|
|
else
|
|
set -- `grep ^dbhome /etc/ufdbguard/ufdbGuard.conf`
|
|
# must get rid of quotes or else "if [ ! -d $DBDIR ]" fails :-(
|
|
DBDIR=`echo ${2:-notset} | sed -e 's,",,g' `
|
|
if [ $DBDIR = notset ]
|
|
then
|
|
DBDIR=/var/ufdbguard/blacklists
|
|
echo "/etc/ufdbguard/ufdbGuard.conf: dbhome is not set" >&2
|
|
echo "Using default value for dbhome: $DBDIR" >&2
|
|
fi
|
|
if [ ! -d $DBDIR ]
|
|
then
|
|
echo "/etc/ufdbguard/ufdbGuard.conf: dbhome $DBDIR: directory does not exist" >&2
|
|
else
|
|
if [ ! -d $DBDIR/adult -o ! -d $DBDIR/checked ]
|
|
then
|
|
echo "/etc/ufdbguard/ufdbGuard.conf: dbhome $DBDIR:" >&2
|
|
echo "The directory for the URL database does not contain subdirectories for adult and/or checked." >&2
|
|
echo "This means that the URL database of URLfilterDB is not used." >&2
|
|
echo "If you intend to use the URL database of URLfilterDB, make sure that " >&2
|
|
echo "\"ufdbUpdate [-v]\" runs without errors to download the URL database." >&2
|
|
echo "See the Reference Manual for more information." >&2
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
exit 0
|
|
|
|
|
|
%postun
|
|
|
|
job=`grep ufdbUpdate /var/spool/cron/* 2>/dev/null | grep -v "^#" `
|
|
if [ "$job" != "" ]
|
|
then
|
|
echo "Note: there is still a cron job for ufdbUpdate." >&2
|
|
fi
|
|
|
|
exit 0
|
|
|
|
|
|
# %config
|
|
# /etc/sysconfig/ufdbguard
|
|
# /etc/ufdbguard/ufdbGuard.conf
|
|
|
|
%files
|
|
%defattr(-,root,root,-)
|
|
/etc/init.d/ufdb
|
|
%config(noreplace) %attr(-,ufdb,ufdb) /etc/sysconfig/ufdbguard
|
|
%config(noreplace) %attr(-,ufdb,ufdb) /etc/ufdbguard/ufdbGuard.conf
|
|
/var/ufdbguard/images/default.flv
|
|
/var/ufdbguard/images/default.mp3
|
|
/var/ufdbguard/images/default.mpeg
|
|
/var/ufdbguard/images/default.wmv
|
|
/var/ufdbguard/images/forbidden-normal-de.png
|
|
/var/ufdbguard/images/forbidden-normal-en.png
|
|
/var/ufdbguard/images/forbidden-normal-es.png
|
|
/var/ufdbguard/images/forbidden-normal-fr.png
|
|
/var/ufdbguard/images/forbidden-normal-it.png
|
|
/var/ufdbguard/images/forbidden-normal-nl.png
|
|
/var/ufdbguard/images/forbidden-normal-pl.png
|
|
/var/ufdbguard/images/forbidden-normal-pt.png
|
|
/var/ufdbguard/images/forbidden-normal-sv.png
|
|
/var/ufdbguard/images/forbidden-normal-tr.png
|
|
/var/ufdbguard/images/no-ads.png
|
|
/var/ufdbguard/images/smallcross.png
|
|
/var/ufdbguard/images/square.png
|
|
/var/ufdbguard/images/transparent.png
|
|
/var/ufdbguard/samples/execdomainlist.sh
|
|
/var/ufdbguard/samples/execuserlist.sh
|
|
/var/ufdbguard/samples/URLblocked.cgi
|
|
/usr/sbin/ufdb-pstack
|
|
/usr/sbin/ufdbAnalyse
|
|
/usr/sbin/ufdbConvertDB
|
|
/usr/sbin/ufdbGenTable
|
|
/usr/sbin/ufdbUpdate
|
|
/usr/sbin/ufdb_analyse_urls
|
|
/usr/sbin/ufdb_analyse_users
|
|
/usr/sbin/ufdb_top_urls
|
|
/usr/sbin/ufdb_top_users
|
|
/usr/sbin/ufdbgclient
|
|
/usr/sbin/ufdbguardd
|
|
/usr/sbin/ufdbhttpd
|
|
%attr(4755,root,root) /usr/sbin/ufdbsignal
|
|
/usr/share/man/man1/ufdb_analyse_urls.1
|
|
/usr/share/man/man1/ufdb_analyse_users.1
|
|
/usr/share/man/man1/ufdb_top_urls.1
|
|
/usr/share/man/man1/ufdb_top_users.1
|
|
/usr/share/man/man1/ufdbAnalyse.1
|
|
/usr/share/man/man8/ufdbgclient.8
|
|
/usr/share/man/man8/ufdbguardd.8
|
|
/usr/share/man/man8/ufdbhttpd.8
|
|
/usr/share/man/man8/ufdbupdate.8
|
|
%dir %attr(-,ufdb,ufdb) /var/ufdbguard/blacklists
|
|
%dir %attr(-,ufdb,ufdb) /var/ufdbguard/blacklists/security
|
|
# The cacerts get updated by ufdbUpdate:
|
|
%verify(not md5 size mtime) %attr(644,ufdb,ufdb) /var/ufdbguard/blacklists/security/cacerts
|
|
# log files go to /var/ufdbguard/logs
|
|
%dir %attr(-,ufdb,ufdb) /var/ufdbguard/logs
|
|
# pid files go to /var/run/ufdbguard
|
|
%dir %attr(755,ufdb,ufdb) /var/run/ufdbguard
|
|
|
|
%doc README CHANGELOG
|
|
# TODO
|
|
|
|
%changelog
|
|
* Fri May 25 2018 Daniel Berteaud <daniel@firewall-services.com> 1.33.6rc2-0.beta1
|
|
- Update to 1.33.6rc2
|
|
|
|
* Thu May 24 2018 Daniel Berteaud <daniel@firewall-services.com> 1.33.6rc1-0.beta1
|
|
- update to 1.33.6rc1
|
|
* Wed May 09 2018 Daniel Berteaud <daniel@firewall-services.com> 1.33.5-1
|
|
- git-annex in
|
|
dani@germaine.lapiole.org:~/big/e-smith/files/users/dani/src/ufdbGuard
|
|
(daniel@firewall-services.com)
|
|
|
|
* Thu Apr 19 2018 Marcus Kool <marcus-dot-kool@urlfilterdb.com> - 1.33.5
|
|
Fix: ufdbguardd may crash during a database refresh
|
|
Fix: empty pass statements in acls may cause a crash.
|
|
Fix: SSH tunnels were detected but access was not blocked
|
|
Fix: sometimes the SSL/TLS certificate was not checked to be signed by a CA
|
|
Fix: skip acls with "pass any" if the source has the continue flag set
|
|
|
|
* Thu Sep 21 2017 Marcus Kool <marcus-dot-kool@urlfilterdb.com> - 1.33.4
|
|
Fix: URLs with very long domainnames may cause a crash if the URL is not in the URL database
|
|
Fix: ufdbguardd did not obey 'continue' inside a source
|
|
Fix: the logfile did not not contain "PASS URL" for all allowed URLs
|
|
Fix: suppress another warning by ufdbGenTable if the -q option is used
|
|
Fix: execuserlist with large arguments cannot be cached
|
|
Fix: ufdbguardd sometimes does not use the correct source for its decision
|
|
Fix: in-addr also matched URLs without an IP address
|
|
Configuration: the option squid-uses-active-bumping was missing in the default configuration file
|
|
|
|
* Tue Jun 6 2017 Marcus Kool <marcus-dot-kool@urlfilterdb.com> - 1.33.3
|
|
Fix: ufdbgclient truncates Squid request lines to 8K which means that very long URLs cannot be filtered
|
|
Fix: ufdbGenTable erroneously warned about URLs inside a comment
|
|
Fix: make ufdbGuard compile on FreeBSD
|
|
Fix: when evaluate-and IPv4/6 is used in a source definition, the source may not matched
|
|
Fix: ufdbguardd did not accept the IPv6 address '::'
|
|
Enhancement: several warnings for IPv4 and IPv6 addresses inside a source were implemented
|
|
|
|
* Tue May 23 2017 Marcus Kool <marcus-dot-kool@urlfilterdb.com> - 1.33.2
|
|
Fix: ufdbguardd may incorrectly abort with a fatal error cannot-get-rwlock-for-database-refresh-after-many-attempts
|
|
Fix: safesearch did not work in 2 out of 3 cases
|
|
Fix: ufdbguard did not compile on FreeBSD.
|
|
Fix: crash due to stack overwrite in uploadStatistics/logStatistics
|
|
Documentation: added use-ipv6-on-wan option to Reference Manual
|
|
|
|
* Wed Mar 15 2017 Marcus Kool <marcus-dot-kool@urlfilterdb.com> - 1.33.1
|
|
Enhancement: IPv6 support for sources with new keywords ipv6 and ipv6list
|
|
Enhancement: detect certificates of ucweb.com and uc.cn of the ucweb browser that circumvents URL filters
|
|
Enhancement: ufdbgclient has new -m parameter to use multithreading and improve performance
|
|
Enhancement: make ufdbguardd.pid world-readable
|
|
Enhancement: allow UTF8 characters in URLs
|
|
Enhancement: new keyword ufdb-log-url-details controls if URLs in the log file have parameters or not
|
|
Fix: on the ARM platform generated URL tables were corrupt
|
|
Fix: implicitly allowed URLs were logged with category "any" instead of the correct category ID
|
|
Fix: prevent false positives with Tor proxy detection on port 443
|
|
Fix: failed probes for <IP>:443 were not properly cached and resulted in too many probes for IP
|
|
Fix: when reverse IP lookups are used, the URL category was not logged correctly (was logged as "any")
|
|
Fix: ufdbGenTable uses less memory
|
|
Fix: the feature "block-bumped-connect on" never blocked a CONNECT request
|
|
|
|
|