From 384d406eed4bf94743e264ce74f82a00f92f6aae Mon Sep 17 00:00:00 2001 From: Anton Novojilov Date: Fri, 11 Nov 2016 10:45:52 -0500 Subject: [PATCH 1/3] Systemd support for C7 package --- SOURCES/webkaos-debug.service | 15 ++++++++++ SOURCES/webkaos.init | 8 +++--- SOURCES/webkaos.service | 15 ++++++++++ webkaos-centos6.spec | 12 ++++---- webkaos-centos7.spec | 53 ++++++++++++++++++++++++++--------- 5 files changed, 80 insertions(+), 23 deletions(-) create mode 100644 SOURCES/webkaos-debug.service create mode 100644 SOURCES/webkaos.service diff --git a/SOURCES/webkaos-debug.service b/SOURCES/webkaos-debug.service new file mode 100644 index 0000000..bb293a0 --- /dev/null +++ b/SOURCES/webkaos-debug.service @@ -0,0 +1,15 @@ +[Unit] +Description=webkaos (HTTP and reverse proxy server) +Documentation=http://nginx.org/en/docs/ +After=network.target remote-fs.target nss-lookup.target + +[Service] +Type=forking +PIDFile=/var/run/webkaos.pid +ExecStart=/etc/init.d/webkaos start debug +ExecReload=/etc/init.d/webkaos reload +ExecStop=/etc/init.d/webkaos stop +PrivateTmp=true + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/webkaos.init b/SOURCES/webkaos.init index 376b4be..a1734b6 100644 --- a/SOURCES/webkaos.init +++ b/SOURCES/webkaos.init @@ -59,7 +59,7 @@ kv.addCommand "reload" "Reload and apply config" kv.addCommand "check" "Validate config" "check" kv.addCommand "config" "Show full (merged) config" "showConfig" -if [[ `grep 'ssl_dhparam' $conf_file` ]] ; then +if [[ $(grep 'ssl_dhparam' $conf_file) ]] ; then if [[ ! -e $dh_param ]] ; then kv.addCommand "gendhp" "Generate Diffie-Hellman parameter for EDH ciphers" "gendhp" kv.addCommandVars "gendhp" "size" @@ -316,7 +316,7 @@ upgradeService() { for i in $(seq 1 $delay_upgrade) ; do if [[ -f ${kv[pid_file]} && -f $old_pid_file ]] ; then - local old_pid=`cat $old_pid_file` + local old_pid=$(cat $old_pid_file) kv.sendSignal "${SIGNAL_QUIT}" "$old_pid" return $ACTION_OK fi 
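Review bot: The debug unit declares the same `PIDFile=/var/run/webkaos.pid` and drives the same init script as webkaos.service (added later in this patch), but nothing prevents both units from being active at once, so add `Conflicts=webkaos.service` under `[Unit]` here and the mirror `Conflicts=webkaos-debug.service` in webkaos.service. The pid path is also fixed in the unit while the init script reads it from `${kv[pid_file]}` (see the @@ -316 hunk of webkaos.init); if webkaos.sysconfig, which is not on this page, can move that file, systemd would presumably fail to find the main PID of this forking service, so it is worth confirming the two agree. A comment such as `# PIDFile must match pid_file in the init script / sysconfig` would record that coupling.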
@@ -363,7 +363,7 @@ cleanPagespeedCache() { } updateOwner() { - local user=`getUserFromConfig` + local user=$(getUserFromConfig) [[ -z "$user" ]] && return @@ -385,7 +385,7 @@ getUserFromConfig() { } isDHPGenRequired() { - if [[ `grep 'ssl_dhparam' $conf_file` ]] ; then + if [[ $(grep 'ssl_dhparam' $conf_file) ]] ; then [[ ! -e $dh_param ]] && return 0 || return 1 fi diff --git a/SOURCES/webkaos.service b/SOURCES/webkaos.service new file mode 100644 index 0000000..ec21dc6 --- /dev/null +++ b/SOURCES/webkaos.service @@ -0,0 +1,15 @@ +[Unit] +Description=webkaos (HTTP and reverse proxy server) +Documentation=http://nginx.org/en/docs/ +After=network.target remote-fs.target nss-lookup.target + +[Service] +Type=forking +PIDFile=/var/run/webkaos.pid +ExecStart=/etc/init.d/webkaos start +ExecReload=/etc/init.d/webkaos reload +ExecStop=/etc/init.d/webkaos stop +PrivateTmp=true + +[Install] +WantedBy=multi-user.target diff --git a/webkaos-centos6.spec b/webkaos-centos6.spec index 12ec33d..a4e1463 100644 --- a/webkaos-centos6.spec +++ b/webkaos-centos6.spec @@ -311,17 +311,17 @@ touch boringssl/.openssl/include/openssl/ssl.h %{__make} %{?_smp_mflags} %install -%{__rm} -rf %{buildroot} +rm -rf %{buildroot} %{make_install} install -dm 755 %{buildroot}%{_datadir}/%{name} -%{__rm} -f %{buildroot}%{_sysconfdir}/%{name}/nginx.conf -%{__rm} -f %{buildroot}%{_sysconfdir}/%{name}/*.default -%{__rm} -f %{buildroot}%{_sysconfdir}/%{name}/fastcgi.conf +rm -f %{buildroot}%{_sysconfdir}/%{name}/nginx.conf +rm -f %{buildroot}%{_sysconfdir}/%{name}/*.default +rm -f %{buildroot}%{_sysconfdir}/%{name}/fastcgi.conf -%{__rm} -rf %{buildroot}%{_sysconfdir}/%{name}/html +rm -rf %{buildroot}%{_sysconfdir}/%{name}/html install -dm 755 %{buildroot}%{_sysconfdir}/%{name}/conf.d @@ -443,7 +443,7 @@ if [[ $1 -ge 1 ]] ; then fi %clean -%{__rm} -rf %{buildroot} +rm -rf %{buildroot} ############################################################################### 
diff --git a/webkaos-centos7.spec b/webkaos-centos7.spec index f3e10e3..37aa4ea 100644 --- a/webkaos-centos7.spec +++ b/webkaos-centos7.spec @@ -35,6 +35,7 @@ %define __useradd %{_sbindir}/useradd %define __groupadd %{_sbindir}/groupadd %define __getent %{_bindir}/getent +%define __sysctl %{_bindir}/systemctl ############################################################################### @@ -59,7 +60,7 @@ Summary: Superb high performance web server Name: webkaos Version: 1.11.5 -Release: 1%{?dist} +Release: 2%{?dist} License: 2-clause BSD-like license Group: System Environment/Daemons Vendor: Nginx / Google / CloudFlare / ESSENTIALKAOS @@ -70,6 +71,8 @@ Source1: %{name}.logrotate Source2: %{name}.init Source3: %{name}.sysconfig Source4: %{name}.conf +Source5: %{name}.service +Source6: %{name}-debug.service Source20: pagespeed.conf Source21: pagespeed-enabled.conf @@ -98,7 +101,7 @@ Patch3: boring.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Requires: initscripts >= 8.36 kaosv >= 2.8 +Requires: initscripts >= 8.36 systemd kaosv >= 2.10 Requires: gd libXpm libxslt libluajit BuildRequires: make gcc-c++ perl libluajit-devel cmake golang @@ -158,6 +161,7 @@ mkdir boringssl %patch2 -p1 %patch3 -p1 + %build # Fixed bug with ngx_pagespeed comilation on i386 
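Review bot: `%define __sysctl %{_bindir}/systemctl` names the macro after sysctl(8), a different tool, so the later `%{__sysctl} enable …` and `%{__sysctl} stop …` calls read like kernel-parameter changes at first glance. `%define __systemctl %{_bindir}/systemctl`, with the call sites in %post, %preun and %postun renamed to match, would follow the existing `__useradd`/`__groupadd`/`__getent` convention of naming the macro after the binary it wraps.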
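Review bot: The new `Requires: initscripts >= 8.36 systemd kaosv >= 2.10` adds systemd only at runtime, yet `%{_unitdir}`, used in %install and %files later in this patch, is defined by systemd's rpm macros and is therefore needed at build time as well; add `BuildRequires: systemd` next to the existing `BuildRequires:` line. On a full CentOS 7 host the macro is usually present anyway, so the problem would presumably surface only in a minimal build chroot.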
@@ -306,18 +310,19 @@ touch boringssl/.openssl/include/openssl/ssl.h %{__make} %{?_smp_mflags} + %install -%{__rm} -rf %{buildroot} +rm -rf %{buildroot} %{make_install} install -dm 755 %{buildroot}%{_datadir}/%{name} -%{__rm} -f %{buildroot}%{_sysconfdir}/%{name}/nginx.conf -%{__rm} -f %{buildroot}%{_sysconfdir}/%{name}/*.default -%{__rm} -f %{buildroot}%{_sysconfdir}/%{name}/fastcgi.conf +rm -f %{buildroot}%{_sysconfdir}/%{name}/nginx.conf +rm -f %{buildroot}%{_sysconfdir}/%{name}/*.default +rm -f %{buildroot}%{_sysconfdir}/%{name}/fastcgi.conf -%{__rm} -rf %{buildroot}%{_sysconfdir}/%{name}/html +rm -rf %{buildroot}%{_sysconfdir}/%{name}/html install -dm 755 %{buildroot}%{_sysconfdir}/%{name}/conf.d @@ -340,6 +345,14 @@ install -dm 755 %{buildroot}%{_initrddir} install -pm 755 %{SOURCE2} \ %{buildroot}%{_initrddir}/%{service_name} +# Install systemd stuff +install -dm 755 %{buildroot}%{_unitdir} + +install -pm 644 %{SOURCE5} \ + %{buildroot}%{_unitdir}/ +install -pm 644 %{SOURCE6} \ + %{buildroot}%{_unitdir}/ + # Install log rotation stuff install -dm 755 %{buildroot}%{_sysconfdir}/logrotate.d @@ -383,8 +396,10 @@ install -dm 755 %{buildroot}%{_sysconfdir}/%{name}/ssl ln -sf %{_sysconfdir}/%{name}/ %{buildroot}%{_sysconfdir}/nginx ln -sf %{_sysconfdir}/%{name}/%{name}.conf %{buildroot}%{_sysconfdir}/%{name}/nginx.conf ln -sf %{_logdir}/%{name}/ %{buildroot}%{_logdir}/nginx -ln -sf %{_initrddir}/%{service_name} %{buildroot}%{_initrddir}/nginx ln -sf %{_sbindir}/%{name} %{buildroot}%{_sbindir}/nginx +ln -sf %{_initrddir}/%{service_name} %{buildroot}%{_initrddir}/nginx +ln -sf %{_unitdir}/%{name}.service %{buildroot}%{_unitdir}/nginx.service +ln -sf %{_unitdir}/%{name}-debug.service %{buildroot}%{_unitdir}/nginx-debug.service ############################################################################### 
@@ -393,9 +408,10 @@ getent group %{service_group} >/dev/null || groupadd -r %{service_group} getent passwd %{service_user} >/dev/null || useradd -r -g %{service_group} -s /sbin/nologin -d %{service_home} %{service_user} exit 0 + %post if [[ $1 -eq 1 ]] ; then - %{__chkconfig} --add %{name} + %{__sysctl} enable %{name}.service &>/dev/null || : if [[ -d %{_logdir}/%{name} ]] ; then if [[ ! -e %{_logdir}/%{name}/access.log ]]; then @@ -429,17 +445,20 @@ fi %preun if [[ $1 -eq 0 ]] ; then - %{__service} %{service_name} stop > /dev/null 2>&1 - %{__chkconfig} --del %{service_name} + %{__sysctl} --no-reload disable %{name}.service &>/dev/null || : + %{__sysctl} stop %{name}.service &>/dev/null || : fi + %postun if [[ $1 -ge 1 ]] ; then + %{__sysctl} daemon-reload &>/dev/null || : %{__service} %{service_name} upgrade &>/dev/null || : fi + %clean -%{__rm} -rf %{buildroot} +rm -rf %{buildroot} ############################################################################### @@ -477,7 +496,9 @@ fi %config(noreplace) %{_sysconfdir}/logrotate.d/%{name} %config(noreplace) %{_sysconfdir}/sysconfig/%{name} + %{_initrddir}/%{service_name} +%{_unitdir}/%{name}.service %dir %{_datadir}/%{name} %dir %{_datadir}/%{name}/html @@ -490,18 +511,24 @@ fi %files debug %defattr(-,root,root) %attr(0755,root,root) %{_sbindir}/%{name}.debug +%{_unitdir}/%{name}-debug.service %files nginx %defattr(-,root,root) %{_sysconfdir}/%{name}/nginx.conf %{_sysconfdir}/nginx %{_logdir}/nginx -%{_initrddir}/nginx %{_sbindir}/nginx +%{_initrddir}/nginx +%{_unitdir}/nginx.service +%{_unitdir}/nginx-debug.service ############################################################################### %changelog +* Fri Nov 11 2016 Anton Novojilov - 1.11.5-2 +- Added systemd support + * Wed Nov 09 2016 Anton Novojilov - 1.11.5-1 - BoringSSL updated to latest version - Lua module updated to 0.10.7 From ca0fdaa54ae10b1321b4ca65c384c18c6d70a1ae Mon Sep 17 00:00:00 2001 
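Review bot: `%{__sysctl} enable %{name}.service &>/dev/null || :` enables the web server on first install unconditionally, whereas the `%systemd_post %{name}.service` macro shipped with systemd on CentOS 7 consults the host's preset policy and otherwise leaves enablement to the administrator, which is the expected behaviour for a packaged network service. If auto-enable is deliberate to keep parity with the replaced `%{__chkconfig} --add`, a one-line comment saying so (`# enabled on install for parity with the SysV package`) would stop a later reader from "fixing" it. The %preun and %postun hunks that follow already mirror what `%systemd_preun` and `%systemd_postun` do, so using the macros throughout would also be consistent.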
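Review bot: `%{_unitdir}/nginx-debug.service` is listed in `%files nginx` although its target `%{name}-debug.service` is shipped by `%files debug`, so installing the nginx compatibility subpackage without the debug one leaves a dangling unit symlink that systemctl cannot load. Either move the line to `%files debug` beside `%{_unitdir}/%{name}-debug.service`, or have the nginx subpackage require the debug subpackage; the subpackage `Requires:` lines are not in this patch, so I cannot tell whether such a dependency already exists.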
From: Anton Novojilov Date: Sat, 12 Nov 2016 19:06:01 -0500 Subject: [PATCH 2/3] Added dynamic modules support --- webkaos-centos6.spec | 18 +++++++++++++++++- webkaos-centos7.spec | 16 +++++++++++++++- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/webkaos-centos6.spec b/webkaos-centos6.spec index a4e1463..5fc3e65 100644 --- a/webkaos-centos6.spec +++ b/webkaos-centos6.spec @@ -59,7 +59,7 @@ Summary: Superb high performance web server Name: webkaos Version: 1.11.5 -Release: 1%{?dist} +Release: 2%{?dist} License: 2-clause BSD-like license Group: System Environment/Daemons Vendor: Nginx / Google / CloudFlare / ESSENTIALKAOS @@ -204,6 +204,8 @@ cp boringssl/build/crypto/libcrypto.a boringssl/build/ssl/libssl.a boringssl/.op ./configure \ --prefix=%{_sysconfdir}/%{name} \ --sbin-path=%{_sbindir}/%{name} \ + --modules-path=%{_libdir}/%{name}/modules \ + --modules-path=%{_libdir}/%{name}/modules \ --conf-path=%{_sysconfdir}/%{name}/%{name}.conf \ --error-log-path=%{_logdir}/%{name}/error.log \ --http-log-path=%{_logdir}/%{name}/access.log \ @@ -331,6 +333,13 @@ install -dm 755 %{buildroot}%{_cachedir}/%{name} install -dm 755 %{buildroot}%{_datadir}/%{name}/html install -dm 755 %{buildroot}%{pagespeed_cache_path} +# Install modules dirs +install -dm 755 %{buildroot}%{_libdir}/%{name}/modules +install -dm 755 %{buildroot}%{_datadir}/%{name}/modules + +ln -sf %{_datadir}/%{name}/modules \ + %{buildroot}%{_sysconfdir}/%{name}/modules + # Install html pages install -pm 644 %{SOURCE30} \ %{buildroot}%{_datadir}/%{name}/html/index.html 
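Review bot: `--modules-path=%{_libdir}/%{name}/modules \` is added twice in a row to the centos6 configure call, while the centos7 hunks add it once per configure invocation; drop the second copy. Since the centos7 patch also touches a second configure block (@@ -261, the debug build) and this centos6 hunk does not, the duplicate may have been meant for the centos6 debug configure instead — worth checking that the centos6 `%{name}.debug` binary gets the same `--modules-path`. nginx's configure presumably keeps the last value given, so the duplicate is harmless at build time but misleading when diffing the two specs.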
@@ -487,9 +496,13 @@ rm -rf %{buildroot} %dir %{_datadir}/%{name}/html %{_datadir}/%{name}/html/* +%dir %{_datadir}/%{name}/modules +%dir %{_sysconfdir}/%{name}/modules + %attr(0755,%{service_user},%{service_group}) %dir %{_cachedir}/%{name} %attr(0755,%{service_user},%{service_group}) %dir %{_logdir}/%{name} %attr(0755,%{service_user},%{service_group}) %dir %{pagespeed_cache_path} +%attr(0755,%{service_user},%{service_group}) %dir %{_libdir}/%{name}/modules %files debug %defattr(-,root,root) @@ -506,6 +519,9 @@ rm -rf %{buildroot} ############################################################################### %changelog +* Sun Nov 13 2016 Anton Novojilov - 1.11.5-2 +- Added dynamic modules support + * Wed Nov 09 2016 Anton Novojilov - 1.11.5-1 - BoringSSL updated to latest version - Lua module updated to 0.10.7 diff --git a/webkaos-centos7.spec b/webkaos-centos7.spec index 37aa4ea..0b00430 100644 --- a/webkaos-centos7.spec +++ b/webkaos-centos7.spec @@ -204,6 +204,7 @@ cp boringssl/build/crypto/libcrypto.a boringssl/build/ssl/libssl.a boringssl/.op ./configure \ --prefix=%{_sysconfdir}/%{name} \ --sbin-path=%{_sbindir}/%{name} \ + --modules-path=%{_libdir}/%{name}/modules \ --conf-path=%{_sysconfdir}/%{name}/%{name}.conf \ --error-log-path=%{_logdir}/%{name}/error.log \ --http-log-path=%{_logdir}/%{name}/access.log \ @@ -261,6 +262,7 @@ touch boringssl/.openssl/include/openssl/ssl.h ./configure \ --prefix=%{_sysconfdir}/%{name} \ --sbin-path=%{_sbindir}/%{name} \ + --modules-path=%{_libdir}/%{name}/modules \ --conf-path=%{_sysconfdir}/%{name}/%{name}.conf \ --error-log-path=%{_logdir}/%{name}/error.log \ --http-log-path=%{_logdir}/%{name}/access.log \ 
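Review bot: `%attr(0755,%{service_user},%{service_group}) %dir %{_libdir}/%{name}/modules` hands the directory nginx loads `.so` modules from to the unprivileged service account, while the master process that loads them runs as root; anyone who gains that account could then place code that is loaded with root privileges at the next restart. Module directories belong to root like the rest of `%{_libdir}`, so drop the attr and list it as `%dir %{_libdir}/%{name}/modules` (the cache and log directories genuinely need the service owner; this one does not). The centos7 hunk @@ -504 carries the same line. Separately, `%dir %{_sysconfdir}/%{name}/modules` here marks a symlink as a directory (it is created with `ln -sf` in @@ -331), whereas the centos7 spec lists it as a plain `%{_sysconfdir}/%{name}/modules`; use the plain form in both.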
@@ -332,6 +334,13 @@ install -dm 755 %{buildroot}%{_cachedir}/%{name} install -dm 755 %{buildroot}%{_datadir}/%{name}/html install -dm 755 %{buildroot}%{pagespeed_cache_path} +# Install modules dirs +install -dm 755 %{buildroot}%{_libdir}/%{name}/modules +install -dm 755 %{buildroot}%{_datadir}/%{name}/modules + +ln -sf %{_datadir}/%{name}/modules \ + %{buildroot}%{_sysconfdir}/%{name}/modules + # Install html pages install -pm 644 %{SOURCE30} \ %{buildroot}%{_datadir}/%{name}/html/index.html @@ -504,9 +513,13 @@ rm -rf %{buildroot} %dir %{_datadir}/%{name}/html %{_datadir}/%{name}/html/* +%dir %{_datadir}/%{name}/modules +%{_sysconfdir}/%{name}/modules + %attr(0755,%{service_user},%{service_group}) %dir %{_cachedir}/%{name} %attr(0755,%{service_user},%{service_group}) %dir %{_logdir}/%{name} %attr(0755,%{service_user},%{service_group}) %dir %{pagespeed_cache_path} +%attr(0755,%{service_user},%{service_group}) %dir %{_libdir}/%{name}/modules %files debug %defattr(-,root,root) @@ -526,7 +539,8 @@ rm -rf %{buildroot} ############################################################################### %changelog -* Fri Nov 11 2016 Anton Novojilov - 1.11.5-2 +* Sun Nov 13 2016 Anton Novojilov - 1.11.5-2 +- Added dynamic modules support - Added systemd support * Wed Nov 09 2016 Anton Novojilov - 1.11.5-1 From f95d2db228573970f2d6f8d0f78a546252a67493 Mon Sep 17 00:00:00 2001 From: Anton Novojilov Date: Thu, 17 Nov 2016 05:48:53 -0500 Subject: [PATCH 3/3] Added fix for CVE-2016-1247 --- webkaos-centos6.spec | 7 ++++++- webkaos-centos7.spec | 6 +++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/webkaos-centos6.spec b/webkaos-centos6.spec index 5fc3e65..5ecf14a 100644 --- a/webkaos-centos6.spec +++ b/webkaos-centos6.spec 
@@ -407,6 +407,9 @@ getent passwd %{service_user} >/dev/null || useradd -r -g %{service_group} -s /s exit 0 %post +# Ensure secure permissions (CVE-2016-1247) +%{__chown} root:root %{_logdir}/%{name} + if [[ $1 -eq 1 ]] ; then %{__chkconfig} --add %{name} @@ -499,8 +502,9 @@ rm -rf %{buildroot} %dir %{_datadir}/%{name}/modules %dir %{_sysconfdir}/%{name}/modules +%dir %{_logdir}/%{name} + %attr(0755,%{service_user},%{service_group}) %dir %{_cachedir}/%{name} -%attr(0755,%{service_user},%{service_group}) %dir %{_logdir}/%{name} %attr(0755,%{service_user},%{service_group}) %dir %{pagespeed_cache_path} %attr(0755,%{service_user},%{service_group}) %dir %{_libdir}/%{name}/modules @@ -521,6 +525,7 @@ rm -rf %{buildroot} %changelog * Sun Nov 13 2016 Anton Novojilov - 1.11.5-2 - Added dynamic modules support +- Added fix for CVE-2016-1247 * Wed Nov 09 2016 Anton Novojilov - 1.11.5-1 - BoringSSL updated to latest version diff --git a/webkaos-centos7.spec b/webkaos-centos7.spec index 0b00430..d9cee14 100644 --- a/webkaos-centos7.spec +++ b/webkaos-centos7.spec @@ -419,6 +419,9 @@ exit 0 %post +# Ensure secure permissions (CVE-2013-0337) +%{__chown} root:root %{_logdir}/%{name} + if [[ $1 -eq 1 ]] ; then %{__sysctl} enable %{name}.service &>/dev/null || : @@ -516,8 +519,9 @@ rm -rf %{buildroot} %dir %{_datadir}/%{name}/modules %{_sysconfdir}/%{name}/modules +%{_logdir}/%{name} + %attr(0755,%{service_user},%{service_group}) %dir %{_cachedir}/%{name} -%attr(0755,%{service_user},%{service_group}) %dir %{_logdir}/%{name} %attr(0755,%{service_user},%{service_group}) %dir %{pagespeed_cache_path} %attr(0755,%{service_user},%{service_group}) %dir %{_libdir}/%{name}/modules
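Review bot: The centos7 comment `# Ensure secure permissions (CVE-2013-0337)` names a different identifier than the patch subject, the changelog entry and the centos6 hunk @@ -407, which all say CVE-2016-1247; CVE-2013-0337 appears to be an earlier nginx log-permission issue, so the mismatch looks like a copy-paste slip rather than intent. Change the line to `# Ensure secure permissions (CVE-2016-1247)` so the two specs agree and the fix can be traced to the advisory it addresses. The enclosing %post body continues outside the hunk, so the log-file creation that follows it is not reviewed here.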
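Review bot: `%{_logdir}/%{name}` replaces the removed `%attr(...) %dir %{_logdir}/%{name}` without the `%dir` flag, unlike the centos6 hunk @@ -499, which uses `%dir %{_logdir}/%{name}`; without `%dir`, rpm packages whatever the buildroot holds under that path and applies `%defattr(-,root,root)` to all of it. Use `%dir %{_logdir}/%{name}` here for consistency, which is also exactly the shape the CVE-2016-1247 remediation wants: a root-owned 0755 directory that the service account cannot modify. The `%dir`-less form for `%{_sysconfdir}/%{name}/modules` two lines above is fine because that path is a symlink.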