freeradius: Fix SMF initialisation.

Ensures the user/group are correctly substituted into the config file so that the daemon can run as root then drop privileges appropriately, as well as creating the rundir as necessary. Submitted by Jorge Schrauwen in #58. Bump PKGREVISION.
NetBSD · Apr 16, 2020 · 2f199b7 · 2f199b7
1 parent 0553638
commit 2f199b7
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 19 deletions.
diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.106 2020/04/08 09:42:05 adam Exp $
+# $NetBSD: Makefile,v 1.107 2020/04/16 15:49:30 jperkin Exp $
 
 .include "Makefile.common"
 
 PKGNAME=	${DISTNAME:S/-server//}
+PKGREVISION=	1
 COMMENT=	Free RADIUS server implementation
 
 BUILD_DEFS+=		VARBASE
@@ -29,6 +30,7 @@ CONFIGURE_ARGS+=	--without-rlm_sql_postgresql
 CONFIGURE_ARGS+=	--without-rlm_sql_unixodbc
 
 RCD_SCRIPTS=		radiusd
+SMF_METHODS=		radiusd
 RADIUS_GROUP?=		radiusd
 RADIUS_USER?=		radiusd
 PKG_GROUPS=		${RADIUS_GROUP}
@@ -42,6 +44,12 @@ OWN_DIRS_PERMS+=	${VARBASE}/run/radiusd \
 
 PKG_SYSCONFSUBDIR=	raddb
 
+SUBST_CLASSES+=		secconf
+SUBST_STAGE.secconf=	post-configure
+SUBST_MESSAGE.secconf=	Substituting user and group in radiusd.conf
+SUBST_FILES.secconf=	raddb/radiusd.conf
+SUBST_VARS.secconf=	RADIUS_USER RADIUS_GROUP
+
 FILES_SUBST+=		RADIUS_USER=${RADIUS_USER} RADIUS_GROUP=${RADIUS_GROUP}
 MESSAGE_SUBST+=		BOOTSTRAP=${PKG_SYSCONFDIR}/certs/bootstrap
 
@@ -175,19 +183,19 @@ EGFILES=		certs/ca.cnf certs/client.cnf certs/inner-server.cnf \
 			users templates.conf trigger.conf
 
 EGDIRS=			certs mods-available mods-config mods-config/attr_filter mods-config/files \
-			mods-config/perl mods-config/preprocess mods-config/sql mods-config/sql/counter  \
-			mods-config/sql/counter/mysql mods-config/sql/counter/postgresql  \
-			mods-config/sql/counter/sqlite mods-config/sql/cui mods-config/sql/cui/mysql  \
-			mods-config/sql/cui/postgresql mods-config/sql/cui/sqlite mods-config/sql/ippool  \
-			mods-config/sql/ippool-dhcp mods-config/sql/ippool-dhcp/mysql  \
-			mods-config/sql/ippool-dhcp/oracle mods-config/sql/ippool-dhcp/sqlite  \
-			mods-config/sql/ippool/mysql mods-config/sql/ippool/oracle  \
-			mods-config/sql/ippool/postgresql mods-config/sql/ippool/sqlite  \
-			mods-config/sql/main mods-config/sql/main/mssql mods-config/sql/main/mysql  \
-			mods-config/sql/main/mysql/extras mods-config/sql/main/mysql/extras/wimax  \
-			mods-config/sql/main/ndb mods-config/sql/main/oracle  \
-			mods-config/sql/main/postgresql mods-config/sql/main/postgresql/extras  \
-			mods-config/sql/main/sqlite mods-config/unbound mods-enabled  \
+			mods-config/perl mods-config/preprocess mods-config/sql mods-config/sql/counter \
+			mods-config/sql/counter/mysql mods-config/sql/counter/postgresql \
+			mods-config/sql/counter/sqlite mods-config/sql/cui mods-config/sql/cui/mysql \
+			mods-config/sql/cui/postgresql mods-config/sql/cui/sqlite mods-config/sql/ippool \
+			mods-config/sql/ippool-dhcp mods-config/sql/ippool-dhcp/mysql \
+			mods-config/sql/ippool-dhcp/oracle mods-config/sql/ippool-dhcp/sqlite \
+			mods-config/sql/ippool/mysql mods-config/sql/ippool/oracle \
+			mods-config/sql/ippool/postgresql mods-config/sql/ippool/sqlite \
+			mods-config/sql/main mods-config/sql/main/mssql mods-config/sql/main/mysql \
+			mods-config/sql/main/mysql/extras mods-config/sql/main/mysql/extras/wimax \
+			mods-config/sql/main/ndb mods-config/sql/main/oracle \
+			mods-config/sql/main/postgresql mods-config/sql/main/postgresql/extras \
+			mods-config/sql/main/sqlite mods-config/unbound mods-enabled \
 			policy.d sites-available sites-enabled
 
 REPLACE_PERL+=		scripts/sql/radsqlrelay \

diff --git a/net/freeradius/distinfo b/net/freeradius/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.40 2020/04/08 09:42:05 adam Exp $
+$NetBSD: distinfo,v 1.41 2020/04/16 15:49:30 jperkin Exp $
 
 SHA1 (freeradius-server-3.0.21.tar.bz2) = 3d90d63bf1452794cf9d0b04147745a254872c3f
 RMD160 (freeradius-server-3.0.21.tar.bz2) = 04a038b701f19d9c598e826a795a0cdaacd3768b
@@ -8,4 +8,5 @@ SHA1 (patch-ai) = e32ffd24b93e2cef2e72ef9a8ea59d49e1571dc0
 SHA1 (patch-configure.ac) = ffec1f851d23f560797c12eba5092f2940e4d662
 SHA1 (patch-main_command.c) = 1c79b29eb13df341906c710c8dd41860a27473dd
 SHA1 (patch-main_util.c) = e8814255c32c8469e81d62f2c7092e8d42744e85
+SHA1 (patch-raddb_radiusd.conf.in) = 353cbed35013777bf055a77cc610b50a637ae7b7
 SHA1 (patch-src_lib_udpfromto.c) = 2457f0a7223b1f3ef86d0af020290b26380e6319
diff --git a/net/freeradius/files/smf/manifest.xml b/net/freeradius/files/smf/manifest.xml
@@ -19,10 +19,8 @@
     <dependency name='system-log' grouping='optional_all' restart_on='none' type='service'>
       <service_fmri value='svc:/system/system-log' />
     </dependency>
-    <method_context>
-      <method_credential user='@RADIUS_USER@' group='@RADIUS_GROUP@' />
-    </method_context>
-    <exec_method name='start' type='method' exec='@PREFIX@/sbin/radiusd' timeout_seconds='60' />
+    <method_context></method_context>
+    <exec_method name='start' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.radiusd@' timeout_seconds='60' />
     <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60' />
     <property_group name='startd' type='framework'>
       <propval name='ignore_error' type='astring' value='core,signal' />

diff --git a/net/freeradius/files/smf/radiusd.sh b/net/freeradius/files/smf/radiusd.sh
@@ -0,0 +1,14 @@
+#!@SMF_METHOD_SHELL@
+#
+# $NetBSD: radiusd.sh,v 1.1 2020/04/16 15:49:30 jperkin Exp $
+#
+
+. /lib/svc/share/smf_include.sh
+
+if [ ! -d @VARBASE@/run/radiusd ]; then
+	@MKDIR@ @VARBASE@/run/radiusd
+	@CHMOD@ 0750 @VARBASE@/run/radiusd
+	@CHOWN@ @RADIUS_USER@:@RADIUS_GROUP@ @VARBASE@/run/radiusd
+fi
+
+@PREFIX@/sbin/radiusd "$@"
diff --git a/net/freeradius/patches/patch-raddb_radiusd.conf.in b/net/freeradius/patches/patch-raddb_radiusd.conf.in
@@ -0,0 +1,17 @@
+$NetBSD: patch-raddb_radiusd.conf.in,v 1.1 2020/04/16 15:49:30 jperkin Exp $
+
+Update example radiusd.conf to include the correct user/group
+
+--- raddb/radiusd.conf.in.orig	2020-04-15 11:59:38.209113301 +0000
++++ raddb/radiusd.conf.in	2020-04-15 12:00:19.973538936 +0000
+@@ -501,8 +501,8 @@
+ 	#  member.  This can allow for some finer-grained access
+ 	#  controls.
+ 	#
+-#	user = radius
+-#	group = radius
++	user = @RADIUS_USER@
++	group = @RADIUS_GROUP@
+
+ 	#  Core dumps are a bad thing.  This should only be set to
+ 	#  'yes' if you're debugging a problem with the server.