Wednesday, April 20, 2022

update net/rsync 3.2.4

"T.J. Townsend" writes:

> This is an update for rsync. I switched the zlib from the included one
> to the base system one since it's likely to get future security updates
> faster. I can undo that part if needed.

Here is an update for net/rsync 3.2.4 based on tj@'s diff which does the
following:
- move to system zlib instead of bundled zlib
- remove receiver.c patch (upstreamed)

NEWS: https://download.samba.org/pub/rsync/NEWS#3.2.4

Here are some tweaks. Additionally:
- remove compat.c patch. reproducer from sthen@ no longer triggers a
crash. https://github.com/WayneD/rsync/issues/84
- use the new switch --with-nobody-user=_rsync and remove configure.sh
patch
- install rrsync(1) man page
- fix hardcoded paths in rsync(1) and rsyncd.conf(5)

I added LOCALSTATEDIR and SYSCONFDIR throughout rsync(1) and
rsyncd.conf(5) whenever they relate specifically to the rsync port. I
left bits like /etc/passwd /etc/inetd.conf and /var/ftp/./pub alone. The
patches become rather bloated.

Questions:
1. Are SYSCONFDIR and friends obsolete? Should they be removed
altogether to trim patches?
2. rrsync script switches from perl to python. I propose not bothering to
add python in RUN_DEPENDS for this optional functionality.
3. Backport to -stable? naddy@ says rsync is not affected, but upstream
says it might be.
from NEWS: https://download.samba.org/pub/rsync/NEWS#SECURITY_FIXES-3.2.4
from naddy@: https://marc.info/?l=openbsd-ports&m=164884923114600&w=2

Tests
-----
/etc/rc.d/rsyncd launches rsync as root and anonymous rsync
(e.g., rsync 192.168.1.5:/data /tmp/data) runs as _rsync user.

`make test' is similar to before, with the addition of a new skipped
test protected-regular, which only runs on Linux.

I tested the -z flag for compression with system zlib; it worked.

Feedback? OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/rsync/Makefile,v
retrieving revision 1.92
diff -u -p -u -p -r1.92 Makefile
--- Makefile 20 Apr 2022 08:43:59 -0000 1.92
+++ Makefile 20 Apr 2022 22:58:10 -0000
@@ -1,7 +1,6 @@
COMMENT = mirroring/synchronization over low bandwidth links

-DISTNAME = rsync-3.2.3
-REVISION = 1
+DISTNAME = rsync-3.2.4
CATEGORIES = net
HOMEPAGE = https://rsync.samba.org/

@@ -11,7 +10,7 @@ FLAVOR ?=
# GPLv3
PERMIT_PACKAGE = Yes

-WANTLIB = c crypto
+WANTLIB = c crypto z

MASTER_SITES = https://rsync.samba.org/ftp/rsync/src/ \
https://ftp.funet.fi/pub/mirrors/samba.org/pub/rsync/src/
@@ -22,9 +21,10 @@ CONFIGURE_ARGS =--disable-lz4 \
--disable-xxhash \
--disable-zstd \
--with-included-popt \
- --with-included-zlib \
+ --with-included-zlib=no \
--with-rsyncd-conf="${SYSCONFDIR}/rsyncd.conf" \
--with-rsh=/usr/bin/ssh \
+ --with-nobody-user=_rsync \
--with-nobody-group=_rsync

.if ${FLAVOR:Miconv}
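Review bot: `--with-included-zlib=no` changes the compression library that both client and daemon link against, but the only test reported is that -z "worked", without saying what was on the other end. Please run a -z transfer in both directions against a peer still built with the bundled zlib (for example the current 3.2.3 package) before commit. A one-line comment above CONFIGURE_ARGS recording why system zlib was chosen would also help, so the choice is not reverted by accident on a later update.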
@@ -39,11 +39,14 @@ DEBUG_PACKAGES = ${BUILD_PACKAGES}

pre-configure:
${SUBST_CMD} ${WRKSRC}/rsyncd.conf.5 \
+ ${WRKSRC}/rsync.1 \
${WRKSRC}/support/rrsync

post-install:
${INSTALL_DATA_DIR} ${DOCDIR}
${INSTALL_DATA} ${WRKSRC}/tech_report.tex ${DOCDIR}
${INSTALL_SCRIPT} ${WRKSRC}/support/rrsync ${PREFIX}/bin
+ ${INSTALL_MAN_DIR} ${PREFIX}/man/man1
+ ${INSTALL_MAN} ${WRKSRC}/rrsync.1 ${PREFIX}/man/man1

.include <bsd.port.mk>
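Review bot: post-install now ships both bin/rrsync and rrsync.1, while the cover note says rrsync has moved from perl to python and proposes leaving python out of RUN_DEPENDS. A documented command in ${PREFIX}/bin that cannot start on a default install will surprise anyone who reads the man page and tries it; if the dependency stays out, say so where users will see it (pkg/DESCR or a README) and name the interpreter the script needs. The `${INSTALL_MAN_DIR} ${PREFIX}/man/man1` line also looks unnecessary, since PLIST already lists rsync.1 and rsync-ssl.1 in that directory.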
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/rsync/distinfo,v
retrieving revision 1.31
diff -u -p -u -p -r1.31 distinfo
--- distinfo 26 Aug 2020 12:15:56 -0000 1.31
+++ distinfo 20 Apr 2022 22:58:10 -0000
@@ -1,2 +1,2 @@
-SHA256 (rsync-3.2.3.tar.gz) = vsw8UEzupJn0FnomAEDM9Nny75SZrVaDwXmmlxRs5Q4=
-SIZE (rsync-3.2.3.tar.gz) = 1069784
+SHA256 (rsync-3.2.4.tar.gz) = b3YYONCAUrC2V5z39nN9k+R/AfTaBMXSTTRHt/Kl+tE=
+SIZE (rsync-3.2.4.tar.gz) = 1114853
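Review bot: the new SHA256 and SIZE only pin whichever tarball was fetched when distinfo was regenerated. Before commit, fetch rsync-3.2.4.tar.gz independently from each of the two MASTER_SITES entries and confirm both copies match these values.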
Index: patches/patch-compat_c
===================================================================
RCS file: patches/patch-compat_c
diff -N patches/patch-compat_c
--- patches/patch-compat_c 11 Mar 2022 19:47:20 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-https://github.com/WayneD/rsync/issues/84
-
-Index: compat.c
---- compat.c.orig
-+++ compat.c
-@@ -705,7 +705,7 @@ void setup_protocol(int f_out,int f_in)
- do_negotiated_strings = 1;
- compat_flags |= CF_VARINT_FLIST_FLAGS;
- }
-- if (strchr(client_info, 'V') != NULL) { /* Support a pre-release 'V' that got superseded */
-+ if (!local_server && strchr(client_info, 'V') != NULL) { /* Support a pre-release 'V' that got superseded */
- if (!write_batch)
- compat_flags |= CF_VARINT_FLIST_FLAGS;
- write_byte(f_out, compat_flags);
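Review bot: the `!local_server` guard is dropped on the strength of the reproducer no longer crashing, whereas the receiver.c patch is removed because it was upstreamed. Please confirm that the `strchr(client_info, 'V')` branch in 3.2.4's setup_protocol() was actually changed upstream and cite that change in the commit message; a reproducer that stops triggering does not by itself show the code path was fixed.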
Index: patches/patch-configure_sh
===================================================================
RCS file: patches/patch-configure_sh
diff -N patches/patch-configure_sh
--- patches/patch-configure_sh 11 Mar 2022 19:47:20 -0000 1.7
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-Index: configure.sh
---- configure.sh.orig
-+++ configure.sh
-@@ -4908,7 +4908,7 @@ fi
-
-
- cat >>confdefs.h <<_ACEOF
--#define NOBODY_USER "nobody"
-+#define NOBODY_USER "_rsync"
- _ACEOF
-
-
Index: patches/patch-receiver_c
===================================================================
RCS file: patches/patch-receiver_c
diff -N patches/patch-receiver_c
--- patches/patch-receiver_c 11 Mar 2022 19:47:20 -0000 1.6
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,17 +0,0 @@
-Fixes regression introduced with commit 3a7bf54ad520 (A resumed
-partial-dir file is transferred in-place.)
-
-Fixes https://github.com/WayneD/rsync/issues/192
-
-Index: receiver.c
---- receiver.c.orig
-+++ receiver.c
-@@ -878,7 +878,7 @@ int recv_files(int f_in, int f_out, char *local_name)
- do_unlink(partialptr);
- handle_partial_dir(partialptr, PDIR_DELETE);
- }
-- } else if (keep_partial && partialptr && !one_inplace) {
-+ } else if (keep_partial && partialptr && (!one_inplace || delay_updates)) {
- if (!handle_partial_dir(partialptr, PDIR_CREATE)) {
- rprintf(FERROR,
- "Unable to create partial-dir for %s -- discarding %s.\n",
Index: patches/patch-rsync_1
===================================================================
RCS file: /cvs/ports/net/rsync/patches/patch-rsync_1,v
retrieving revision 1.9
diff -u -p -u -p -r1.9 patch-rsync_1
--- patches/patch-rsync_1 11 Mar 2022 19:47:20 -0000 1.9
+++ patches/patch-rsync_1 20 Apr 2022 22:58:10 -0000
@@ -1,12 +1,41 @@
Index: rsync.1
--- rsync.1.orig
+++ rsync.1
-@@ -4253,7 +4253,7 @@ documentation.
+@@ -3705,7 +3705,7 @@ extra details.
+ .IP "\fB\-\-config=FILE\fP"
+ This specifies an alternate config file than the default. This is only
+ relevant when \fB\-\-daemon\fP is specified. The default is
+-/etc/rsyncd.conf unless the daemon is running over a remote shell program
++${SYSCONFDIR}/rsyncd.conf unless the daemon is running over a remote shell program
+ and the remote user is not the super-user; in that case the default is
+ rsyncd.conf in the current directory (typically $HOME).
+ .IP "\fB\-\-dparam=OVERRIDE\fP, \fB\-M\fP"
+@@ -4034,8 +4034,8 @@ Some examples:
+ .RS 4
+ .P
+ .nf
+-merge /etc/rsync/default.rules
+-\&. /etc/rsync/default.rules
++merge ${SYSCONFDIR}/rsync/default.rules
++\&. ${SYSCONFDIR}/rsync/default.rules
+ dir-merge .per-dir-filter
+ dir-merge,n- .non-inherited-per-dir-excludes
+ :n- .non-inherited-per-dir-excludes
+@@ -4594,7 +4594,7 @@ does \fBnot\fP supply a password to a remote shell tra
.IP "\fBUSER\fP or \fBLOGNAME\fP"
The USER or LOGNAME environment variables are used to determine the default
username sent to an rsync daemon. If neither is set, the username defaults
--to "nobody".
-+to "_rsync".
- .IP "\fBHOME\fP"
- The HOME environment variable is used to find the user's default .cvsignore
- file.
+-to "nobody". If both are set, \fBUSER\fP takes precedence.
++to "_rsync". If both are set, \fBUSER\fP takes precedence.
+ .IP "\fBRSYNC_PARTIAL_DIR\fP"
+ This environment variable specifies the directory to use for a
+ \fB\-\-partial\fP transfer without implying that partial transfers be
+@@ -4632,7 +4632,7 @@ CONNECTING TO AN RSYNC DAEMON for full details.
+ .P
+ .SH "FILES"
+ .P
+-/etc/rsyncd.conf or rsyncd.conf
++${SYSCONFDIR}/rsyncd.conf or rsyncd.conf
+ .P
+ .SH "SEE ALSO"
+ .P
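Review bot: the `merge /etc/rsync/default.rules` lines sit in a "Some examples:" block for filter rules, so they are illustrative paths rather than something the port reads by default. Substituting `${SYSCONFDIR}` there goes beyond "paths that relate specifically to the rsync port" and is a hunk that can be dropped to trim the patch. The `--config` default and the FILES entry do describe the port's behaviour and are worth keeping.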
Index: patches/patch-rsyncd_conf_5
===================================================================
RCS file: /cvs/ports/net/rsync/patches/patch-rsyncd_conf_5,v
retrieving revision 1.10
diff -u -p -u -p -r1.10 patch-rsyncd_conf_5
--- patches/patch-rsyncd_conf_5 11 Mar 2022 19:47:20 -0000 1.10
+++ patches/patch-rsyncd_conf_5 20 Apr 2022 22:58:10 -0000
@@ -1,7 +1,7 @@
Index: rsyncd.conf.5
--- rsyncd.conf.5.orig
+++ rsyncd.conf.5
-@@ -68,12 +68,11 @@ and a single line something like this to /etc/inetd.co
+@@ -71,12 +71,11 @@ and a single line something like this to /etc/inetd.co
.RS 4
.P
.nf
@@ -16,7 +16,25 @@ Index: rsyncd.conf.5
reread its config file.
.P
Note that you should \fBnot\fP send the rsync daemon a HUP signal to force it to
-@@ -438,7 +437,7 @@ This parameter specifies the user name or user ID that
+@@ -191,7 +190,7 @@ hierarchy. Doing this guards against unintended libra
+ those absolute paths will not be inside the transfer hierarchy unless you
+ have used an unwise pathname), and lets you setup libraries for the chroot
+ that are outside of the transfer. For example, specifying
+-"/var/rsync/./module1" will chroot to the "/var/rsync" directory and set
++"${LOCALSTATEDIR}/rsync/./module1" will chroot to the "${LOCALSTATEDIR}/rsync" directory and set
+ the inside-chroot path to "/module1". If you had omitted the dot-dir, the
+ chroot would have used the whole path, and the inside-chroot path would
+ have been "/".
+@@ -396,7 +395,7 @@ output debug TIME2 and FLIST3.
+ This parameter specifies the file to use to support the "max connections"
+ parameter. The rsync daemon uses record locking on this file to ensure that
+ the max connections limit is not exceeded for the modules sharing the lock
+-file. The default is \fB/var/run/rsyncd.lock\fP.
++file. The default is \fB${LOCALSTATEDIR}/run/rsyncd.lock\fP.
+ .IP "\fBread\ only\fP"
+ This parameter determines whether clients will be able to upload files or
+ not. If "read only" is true then any attempted uploads will fail. If
+@@ -441,7 +440,7 @@ This parameter specifies the user name or user ID that
and from that module should take place as when the daemon was run as root.
In combination with the "gid" parameter this determines what file
permissions are available. The default when run by a super-user is to
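Review bot: the "lock file" hunk rewrites the documented default to `${LOCALSTATEDIR}/run/rsyncd.lock`, but nothing in CONFIGURE_ARGS sets the lock file location; only `--with-rsyncd-conf` is passed. Unless the compiled-in default also follows LOCALSTATEDIR, the man page would state a default the binary does not use whenever LOCALSTATEDIR is not /var. Either leave this line as /var/run/rsyncd.lock or confirm where the built default comes from before substituting it.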
@@ -25,7 +43,7 @@ Index: rsyncd.conf.5
to not try to change the user. See also the "gid" parameter.
.IP
The RSYNC_USER_NAME environment variable may be used to request that rsync
-@@ -458,7 +457,7 @@ accessing the module. The first one will be the defau
+@@ -461,7 +460,7 @@ accessing the module. The first one will be the defau
extra ones be set as supplemental groups. You may also specify a "\fB*\fP" as
the first gid in the list, which will be replaced by all the normal groups
for the transfer's user (see "uid"). The default when run by a super-user
@@ -34,16 +52,45 @@ Index: rsyncd.conf.5
other supplementary groups. The default for a non-super-user is to not
change any group attributes (and indeed, your OS may not allow a
non-super-user to try to change their group settings).
-@@ -632,7 +631,7 @@ require that you specify a group password if you do no
+@@ -635,7 +634,7 @@ require that you specify a group password if you do no
passwords.
.IP
There is no default for the "secrets file" parameter, you must choose a
-name (such as \fB/etc/rsyncd.secrets\fP). The file must normally not be
+name (such as \fB${SYSCONFDIR}/rsyncd.secrets\fP). The file must normally not be
readable by "other"; see "strict modes". If the file is not found or is
- rejected, no logins for a "user auth" module will be possible.
+ rejected, no logins for an "auth users" module will be possible.
.IP "\fBstrict\ modes\fP"
-@@ -1192,8 +1191,8 @@ A more sophisticated example would be:
+@@ -1101,21 +1100,21 @@ that can be included into multiple module definitions,
+ global values that will affect connections (such as \fBmotd\ file\fP), or globals
+ that will affect other include files.
+ .P
+-For example, this is a useful /etc/rsyncd.conf file:
++For example, this is a useful ${SYSCONFDIR}/rsyncd.conf file:
+ .RS 4
+ .P
+ .nf
+ port = 873
+-log file = /var/log/rsync.log
+-pid file = /var/lock/rsync.lock
++log file = ${LOCALSTATEDIR}/log/rsync.log
++pid file = ${LOCALSTATEDIR}/lock/rsync.lock
+
+-&merge /etc/rsyncd.d
+-&include /etc/rsyncd.d
++&merge ${SYSCONFDIR}/rsyncd.d
++&include ${SYSCONFDIR}/rsyncd.d
+ .fi
+ .RE
+ .P
+-This would merge any \fB/etc/rsyncd.d/*.inc\fP files (for global values that should
+-stay in effect), and then include any \fB/etc/rsyncd.d/*.conf\fP files (defining
++This would merge any \fB${SYSCONFDIR}/rsyncd.d/*.inc\fP files (for global values that should
++stay in effect), and then include any \fB${SYSCONFDIR}/rsyncd.d/*.conf\fP files (defining
+ modules without any global-value cross-talk).
+ .P
+ .SH "AUTHENTICATION STRENGTH"
+@@ -1201,12 +1200,12 @@ A more sophisticated example would be:
.RS 4
.P
.nf
@@ -54,7 +101,12 @@ Index: rsyncd.conf.5
use chroot = yes
max connections = 4
syslog facility = local5
-@@ -1219,7 +1218,7 @@ pid file = /var/run/rsyncd.pid
+-pid file = /var/run/rsyncd.pid
++pid file = ${LOCALSTATEDIR}/run/rsyncd.pid
+
+ [ftp]
+ path = /var/ftp/./pub
+@@ -1228,11 +1227,11 @@ pid file = /var/run/rsyncd.pid
path = /data/cvs
comment = CVS repository (requires authentication)
auth users = tridge, susan
@@ -63,7 +115,12 @@ Index: rsyncd.conf.5
.fi
.RE
.P
-@@ -1234,7 +1233,7 @@ susan:herpass
+-The /etc/rsyncd.secrets file would look something like this:
++The ${SYSCONFDIR}/rsyncd.secrets file would look something like this:
+ .RS 4
+ .P
+ .nf
+@@ -1243,7 +1242,7 @@ susan:herpass
.P
.SH "FILES"
.P
Index: patches/patch-support_rrsync
===================================================================
RCS file: /cvs/ports/net/rsync/patches/patch-support_rrsync,v
retrieving revision 1.4
diff -u -p -u -p -r1.4 patch-support_rrsync
--- patches/patch-support_rrsync 11 Mar 2022 19:47:20 -0000 1.4
+++ patches/patch-support_rrsync 20 Apr 2022 22:58:10 -0000
@@ -1,12 +1,12 @@
Index: support/rrsync
--- support/rrsync.orig
+++ support/rrsync
-@@ -11,7 +11,7 @@ use File::Glob ':glob';
+@@ -10,7 +10,7 @@

- # You may configure these values to your liking. See also the section
- # of options if you want to disable any options that rsync accepts.
--use constant RSYNC => '/usr/bin/rsync';
-+use constant RSYNC => '${PREFIX}/bin/rsync';
- use constant LOGFILE => 'rrsync.log';
+ # You may configure these 2 values to your liking. See also the section of
+ # short & long options if you want to disable any options that rsync accepts.
+-RSYNC = '/usr/bin/rsync'
++RSYNC = '${PREFIX}/bin/rsync'
+ LOGFILE = 'rrsync.log' # NOTE: the file must exist for a line to be appended!

- my $Usage = <<EOM;
+ # The following options are mainly the options that a client rsync can send
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/rsync/pkg/PLIST,v
retrieving revision 1.16
diff -u -p -u -p -r1.16 PLIST
--- pkg/PLIST 11 Mar 2022 19:47:20 -0000 1.16
+++ pkg/PLIST 20 Apr 2022 22:58:10 -0000
@@ -4,6 +4,7 @@
bin/rrsync
@bin bin/rsync
bin/rsync-ssl
+@man man/man1/rrsync.1
@man man/man1/rsync-ssl.1
@man man/man1/rsync.1
@man man/man5/rsyncd.conf.5
