authorDiego Elio Pettenò <flameeyes@gentoo.org>2009-11-26 09:48:42 +0000
committerDiego Elio Pettenò <flameeyes@gentoo.org>2009-11-26 09:48:42 +0000
commitd56ce27fed23d10e63ad112ace29404b8f4d3447 (patch)
tree574c0a8442ac251bac68c5937dc1d5335e0ff9d1 /www-apache
parentversion bump, minimal changes (diff)
downloadhistorical-d56ce27fed23d10e63ad112ace29404b8f4d3447.tar.gz
historical-d56ce27fed23d10e63ad112ace29404b8f4d3447.tar.bz2
historical-d56ce27fed23d10e63ad112ace29404b8f4d3447.zip
Further improved ebuild, using EAPI 2: depend on the presence of unique_id Apache module; create a secured data directory instead of using /tmp; avoid changing the server signature by default (USE=-vanilla).
Package-Manager: portage-2.2_rc51/cvs/Linux x86_64
Diffstat (limited to 'www-apache')
-rw-r--r--www-apache/mod_security/ChangeLog10
-rw-r--r--www-apache/mod_security/Manifest9
-rw-r--r--www-apache/mod_security/mod_security-2.5.11-r2.ebuild147
3 files changed, 161 insertions, 5 deletions
diff --git a/www-apache/mod_security/ChangeLog b/www-apache/mod_security/ChangeLog
index db88ca98ecf6..69fe419ebfb1 100644
--- a/www-apache/mod_security/ChangeLog
+++ b/www-apache/mod_security/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for www-apache/mod_security
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_security/ChangeLog,v 1.33 2009/11/21 13:13:47 flameeyes Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_security/ChangeLog,v 1.34 2009/11/26 09:48:42 flameeyes Exp $
+
+*mod_security-2.5.11-r2 (26 Nov 2009)
+
+ 26 Nov 2009; Diego E. Pettenò <flameeyes@gentoo.org>
+ +mod_security-2.5.11-r2.ebuild:
+ Further improved ebuild, using EAPI 2: depend on the presence of unique_id
+ Apache module; create a secured data directory instead of using /tmp;
+ avoid changing the server signature by default (USE=-vanilla).
*mod_security-2.5.11-r1 (21 Nov 2009)
diff --git a/www-apache/mod_security/Manifest b/www-apache/mod_security/Manifest
index 2a70badabba9..cd91f9fe8bdd 100644
--- a/www-apache/mod_security/Manifest
+++ b/www-apache/mod_security/Manifest
@@ -11,14 +11,15 @@ AUX mod_security-2.5.9-broken-autotools.patch 2103 RMD160 795e3fc59b881bf02fa5a6
DIST modsecurity-apache_2.5.11.tar.gz 1338425 RMD160 1d9769bda6ddc0c65f5e7be452515c4f1980b8c1 SHA1 aa8ec8d637efb0c646c41eb6880e684df04f8214 SHA256 fd81a8998327ef2010426fcc2899312eddfe4dc462c417e9e7aeb64a6d4ed2bf
DIST modsecurity-apache_2.5.9.tar.gz 1252295 RMD160 adab10e5eab50f0d114e3ccb47c343e744119c8f SHA1 875919332a918956371fe8e2f7e46d88081857cf SHA256 02352221ea268f8ae9aae5b84507f51eba2a67c0f7d2efd5cc88e85f1f394056
EBUILD mod_security-2.5.11-r1.ebuild 3762 RMD160 19e9c0edf1250d84369b409f8e2e74762bb1eb21 SHA1 8a98eda2d91db6914e242289a010d9aac4178e73 SHA256 52766e95d61b253988f3671930f8358e10e67aa882503f44167201c39f719f3f
+EBUILD mod_security-2.5.11-r2.ebuild 4177 RMD160 3fce2ec1a4640cbf627b35047200112b9e78439b SHA1 6641c5141684d858f89d5aca046c9e50d5be9538 SHA256 de3dba2f3677a57a9eaf55ea158a919323b4af73490ea0c295c8bebd147916ca
EBUILD mod_security-2.5.9-r1.ebuild 2786 RMD160 d230031141a0627fd4f887affcb035457c8166de SHA1 8c2ca8d0e3bf946021202cfff5f4846f69f081cf SHA256 48719494c48d57034bb54e39994511f2957bef6dc15cca1e15ce71190ca6e609
EBUILD mod_security-2.5.9.ebuild 1944 RMD160 2007bd7cea81b0179a487ac2c96e1901791b02bb SHA1 0c3a515418374db4cd7e11d95bf6dac31fb5374b SHA256 aa0c4b31738d2c5da6e7ace0d766fceaf9fd5c8cccd8f8707ad9ef36a1912c88
-MISC ChangeLog 10256 RMD160 bd19501a7ee69766aa731d1428d410b3c4cea30c SHA1 bdc4f404b3fdd38a7393ba1d8c3e4cc9d6aee595 SHA256 591a3c54fda10b7a84da0b132c8499c068b6c5fcb88d92c7517ca7892fd901a9
+MISC ChangeLog 10600 RMD160 eadfdbbc84dd34e32bcf44c2106f3b08f4c1b27c SHA1 75dec3c2a08c5ced191ec2c75661f517110280b6 SHA256 5a97d9de3d9fc1f8a4b999da1a1e8964224d9d501fda220c1d466115aebe86cb
MISC metadata.xml 998 RMD160 e30606be3e29eac90df052ec81b5823f85256b35 SHA1 a1f10963249cd650e892cefc82c82fd09c675aa5 SHA256 58f671589c6c1dbaa7cd9d7866dfb9b9b563b400b5fe97c42fa74f246a70f42d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (GNU/Linux)
-iEYEARECAAYFAksH55AACgkQAiZjviIA2XjtGACgvHkjjyCS/5K6ehpmLS5yPYMc
-cbwAn0iNvqU04U3JRwQTAmjr5aTTfKSk
-=pcPN
+iEYEARECAAYFAksOTvMACgkQAiZjviIA2XgGyQCfdS4Xsc5ZbK9y+AukYdKJhUVB
+4FIAoLnnRbHBydkVZ/CddgMW1fxLb+FW
+=CNWt
-----END PGP SIGNATURE-----
diff --git a/www-apache/mod_security/mod_security-2.5.11-r2.ebuild b/www-apache/mod_security/mod_security-2.5.11-r2.ebuild
new file mode 100644
index 000000000000..abcaa02e0f18
--- /dev/null
+++ b/www-apache/mod_security/mod_security-2.5.11-r2.ebuild
@@ -0,0 +1,147 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apache/mod_security/mod_security-2.5.11-r2.ebuild,v 1.1 2009/11/26 09:48:42 flameeyes Exp $
+
+EAPI=2
+
+inherit apache-module autotools
+
+MY_P=${P/mod_security-/modsecurity-apache_}
+MY_P=${MY_P/_rc/-rc}
+
+DESCRIPTION="Web application firewall and Intrusion Detection System for Apache."
+HOMEPAGE="http://www.modsecurity.org/"
+SRC_URI="http://www.modsecurity.org/download/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~mips ~ppc ~sparc ~x86"
+IUSE="lua perl vanilla"
+
+DEPEND="dev-libs/libxml2
+ perl? ( dev-perl/libwww-perl )
+ lua? ( >=dev-lang/lua-5.1 )
+ www-servers/apache[apache2_modules_unique_id]"
+RDEPEND="${DEPEND}"
+
+S="${WORKDIR}/${MY_P}"
+
+APACHE2_MOD_FILE="apache2/.libs/${PN}2.so"
+APACHE2_MOD_CONF="2.5.10/99_mod_security"
+APACHE2_MOD_DEFINE="SECURITY"
+
+need_apache2
+
+src_prepare() {
+ if ! use vanilla; then
+ # Disabling rules here
+ epatch "${FILESDIR}"/${PN}-2.5.11-disable-http-pollution.patch
+ sed -i -e 's:^SecServerSignature:#\0:' \
+ rules/modsecurity_crs_10_global_config.conf || die
+ fi
+
+ sed -i -e '/^SecDataDir/s: .*: /var/cache/mod_security:' \
+ rules/modsecurity_crs_10_global_config.conf || die
+
+ epatch "${FILESDIR}"/${PN}-2.5.10-broken-autotools.patch
+ epatch "${FILESDIR}"/${PN}-2.5.10-as-needed.patch
+
+ cd apache2
+ eautoreconf
+}
+
+src_configure() {
+ cd apache2
+
+ econf --with-apxs="${APXS}" \
+ --without-curl \
+ $(use_with lua) \
+ || die "econf failed"
+}
+
+src_compile() {
+ cd apache2
+
+ APXS_FLAGS=
+ for flag in ${CFLAGS}; do
+ APXS_FLAGS="${APXS_FLAGS} -Wc,${flag}"
+ done
+
+ # Yes we need to prefix it _twice_
+ for flag in ${LDFLAGS}; do
+ APXS_FLAGS="${APXS_FLAGS} -Wl,${flag}"
+ done
+
+ emake \
+ APXS_CFLAGS="${CFLAGS}" \
+ APXS_LDFLAGS="${LDFLAGS}" \
+ APXS_EXTRA_CFLAGS="${APXS_FLAGS}" \
+ || die "emake failed"
+}
+
+src_test() {
+ cd apache2
+ emake test || die
+}
+
+src_install() {
+ apache-module_src_install
+
+ # install rules updater only if perl is enabled (optionally)
+ if use perl; then
+ newsbin tools/rules-updater.pl modsec-rules-updater || die
+ fi
+
+ # install documentation
+ dodoc CHANGES || die
+ newdoc rules/CHANGELOG CHANGES.crs || die
+ newdoc rules/README README.crs || die
+ dohtml -r doc/* || die
+
+ # Prepare the core ruleset
+ cd "${S}"/rules/
+
+ sed -i -e 's:logs/:/var/log/apache2/:g' *.conf || die
+
+ insinto ${APACHE_MODULES_CONFDIR}/mod_security/
+ doins *.conf base_rules/* || die
+
+ insinto ${APACHE_MODULES_CONFDIR}/mod_security/optional_rules
+ doins optional_rules/* || die
+
+ if ! use vanilla; then
+ mv "${D}"${APACHE_MODULES_CONFDIR}/mod_security/modsecurity_*{41_phpids,50_outbound}* \
+ "${D}"${APACHE_MODULES_CONFDIR}/mod_security/optional_rules || die
+ fi
+
+ keepdir /var/cache/mod_security || die
+ fowners apache:apache /var/cache/mod_security || die
+ fperms 0770 /var/cache/mod_security || die
+}
+
+pkg_postinst() {
+ if ! use vanilla; then
+ elog "Please note that the core rule set distributed with mod_security is quite"
+ elog "draconic; to make it more usable, the Gentoo distribution disables a few"
+ elog "rule set files, that are relevant for PHP-only websites or that would make it"
+ elog "kill a website that discussed of source code."
+ elog
+ elog "Furthermore we disable the 'HTTP Parameter Pollution' tests that disallow"
+ elog "multiple parameters with the same name, because that's common practice both"
+ elog "for Rails-based web-applications and Bugzilla."
+ if use perl; then
+ elog
+ elog "You want to install the Perl-based updater script for the Core Rule Set."
+ elog "Be warned that the script will update the rules iwth the original, draconic"
+ elog "rules, so you might end up with unusable web applications."
+ fi
+ else
+ elog "You decided to enable the original Core Rule Set from ModSecurity."
+ elog "Be warned that the original Core Rule Set is draconic and most likely will"
+ elog "render your web application unusable if you don't disable at leat some of"
+ elog "the rules."
+ fi
+ elog
+ elog "If you want to enable further rules, check the following directory:"
+ elog " ${APACHE_MODULES_CONFDIR}/mod_security/optional_rules"
+}
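Review bot: The `sed` in src_prepare that redirects `SecDataDir` to /var/cache/mod_security exits 0 even when no line matches, so the `|| die` after it never fires. If upstream's modsecurity_crs_10_global_config.conf ships the directive commented out, indented or absent, the build succeeds and the persistent data stays wherever upstream points it, which the commit message says is /tmp. A check right after the substitution would catch this: `grep -q '^SecDataDir /var/cache/mod_security' rules/modsecurity_crs_10_global_config.conf || die "SecDataDir was not rewritten"`. The `SecServerSignature` sed in the `! use vanilla` branch has the same silent no-match behaviour. Separately, `fperms 0770` in src_install leaves the data directory writable by every member of the apache group; if only the server user writes there, `fperms 0750` would be tighter.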