From 1b40612d2a66f6bc055f658d682ba00f5f7abea6 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Apr 13 2012 15:19:35 +0000 Subject: Harden build, remove old cruft - Do hardened (PIE) builds where possible - Drop %defattr, redundant since rpm 4.4 - Always look for TLS certs in /etc/pki/tls/certs --- diff --git a/proftpd.conf b/proftpd.conf index b61c5c2..357def8 100644 --- a/proftpd.conf +++ b/proftpd.conf @@ -293,8 +293,8 @@ ControlsLog /var/log/proftpd/controls.log TLSEngine on TLSRequired on - TLSRSACertificateFile @PKIDIR@/certs/proftpd.pem - TLSRSACertificateKeyFile @PKIDIR@/certs/proftpd.pem + TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem + TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite ALL:!ADH:!DES TLSOptions NoCertRequest TLSVerifyClient off diff --git a/proftpd.spec b/proftpd.spec index 52493b1..61d72bd 100644 --- a/proftpd.spec +++ b/proftpd.spec @@ -22,14 +22,6 @@ %global rundir_tmpfs 1 %endif -# Use certs in %%{_sysconfdir}/pki/tls/certs if available (FC4, RHEL5 onwards) -%global use_pki %(if [ -d %{_sysconfdir}/pki/tls/certs ]; then echo 1; else echo 0; fi) -%if %{use_pki} -%global pkidir %{_sysconfdir}/pki/tls -%else -%global pkidir %{_datadir}/ssl -%endif - # For PCRE support we need pcre >= 7.0, not available in EL prior to EL-6 %if 0%{?rhel} > 5 || 0%{?fedora} %global use_pcre 1 @@ -40,8 +32,11 @@ %global have_libmemcached 1 %endif +# Do a hardened build where possible +%define _hardened_build 1 + #global prever rc3 -%global rpmrel 7 +%global rpmrel 8 Summary: Flexible, stable and highly-configurable FTP server Name: proftpd 
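Review bot: The new `TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem` line keeps the server's private key in the same combined PEM as the certificate, inside the certs directory, which is meant for public material and is normally readable by every local user. Key confidentiality then depends solely on the mode of that one file, which nothing in this hunk sets or documents. Consider pointing the key directive at the conventional private-key location, `TLSRSACertificateKeyFile /etc/pki/tls/private/proftpd.pem` (the certificate-generation step, not visible here, would have to match), or at minimum add a comment above the two lines such as `# proftpd.pem also holds the private key: keep it root-owned, mode 0600`. The unchanged context line `TLSCipherSuite ALL:!ADH:!DES` also looks broader than it should be, since export-grade and RC4 suites do not appear to be excluded, and could be tightened in a follow-up; the surrounding TLS block continues outside the hunk.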
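Review bot: `%define _hardened_build 1` is the only `%define` among the `%global` settings around it; `%global _hardened_build 1` would match the file's style and avoid the scope-dependent expansion of `%define`. The macro is also a request rather than a guarantee: it only has an effect where the distribution's build macros honour it, and this spec still carries conditionals for older EL releases, where it would presumably be ignored without any warning. A comment such as `# _hardened_build only takes effect where redhat-rpm-config supports it; older targets build without PIE` would record that. A `%check` step that inspects the built daemon's ELF type would also make a non-hardened build visible instead of silent.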
@@ -217,6 +212,9 @@ cp -p mod_vroot/t/modules/mod_vroot.t tests/t/modules/ cp -p mod_geoip/mod_geoip.c contrib/ cp -p mod_geoip/mod_geoip.html doc/contrib/ +# Copy default config file into place +cp -p %{SOURCE1} proftpd.conf + # Use my_make_scrambled_password rather than the deprecated # make_scrambled_password, which isn't exported from Fedora's MySQL # in F-15 onwards (#718327, upstream bug 3669) @@ -307,10 +305,6 @@ cp -p mod_geoip/mod_geoip.html doc/contrib/ # Avoid documentation name conflicts mv contrib/README contrib/README.contrib -# Set up directory names in config file -sed -e 's#@PKIDIR@#%{pkidir}#g' \ - %{SOURCE1} > proftpd.conf - # If we don't have libmemcached support, remove the mod_tls_memcache # snippet from the config file %if 0%{!?have_libmemcached:1} @@ -496,7 +490,6 @@ else fi %files -f proftpd.lang -%defattr(-,root,root,-) %doc COPYING CREDITS ChangeLog NEWS README %doc README.DSO README.modules README.IPv6 README.PAM %doc README.capabilities README.classes README.controls README.facl @@ -571,27 +564,22 @@ fi %attr(750, root, root) %dir %{_localstatedir}/log/proftpd/ %files devel -%defattr(-,root,root) %{_bindir}/prxs %{_includedir}/proftpd/ %{_libdir}/pkgconfig/proftpd.pc %files ldap -%defattr(-,root,root,-) %doc README.LDAP contrib/mod_quotatab_ldap.ldif contrib/mod_quotatab_ldap.schema %{_libexecdir}/proftpd/mod_ldap.so %{_libexecdir}/proftpd/mod_quotatab_ldap.so %files mysql -%defattr(-,root,root,-) %{_libexecdir}/proftpd/mod_sql_mysql.so %files postgresql -%defattr(-,root,root,-) %{_libexecdir}/proftpd/mod_sql_postgres.so %files utils -%defattr(-,root,root,-) %doc contrib/xferstats.holger-preiss %{_bindir}/ftpasswd %{_bindir}/ftpcount 
@@ -607,6 +595,11 @@ fi %{_mandir}/man1/ftpwho.1* %changelog +* Fri Apr 13 2012 Paul Howarth 1.3.4a-8 +- Do hardened (PIE) builds where possible +- Drop %%defattr, redundant since rpm 4.4 +- Always look for TLS certs in /etc/pki/tls/certs + * Mon Mar 12 2012 Paul Howarth 1.3.4a-7 - Tweak logrotate script for systemd compatibility (#802178) - Fix leaked file descriptors for log files (as per bug 3751)