--- shibboleth-sp2-2.3.1+dfsg.orig/configs/Makefile.am
+++ shibboleth-sp2-2.3.1+dfsg/configs/Makefile.am
@@ -4,8 +4,8 @@
pkglibdir = ${libdir}/@PACKAGE@
pkglogdir = ${localstatedir}/log/@PACKAGE@
-pkgdocdir = $(datadir)/doc/@PACKAGE@-@PACKAGE_VERSION@
-shirelogdir = ${localstatedir}/log/httpd
+pkgdocdir = ${datadir}/doc/@PACKAGE@
+shirelogdir = ${localstatedir}/log/apache2
pkgxmldir = $(datadir)/xml/@PACKAGE@
pkgrundir = $(localstatedir)/run/@PACKAGE@
pkgsysconfdir = $(sysconfdir)/@PACKAGE@
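Review bot: The new `pkgdocdir` line at L8 uses `${datadir}` while the surrounding `pkgxmldir`, `pkgrundir` and `pkgsysconfdir` lines keep `$(datadir)`; the two forms are equivalent to make, but mixing them inside one block of installation directories reads as accidental. `pkgdocdir = ${datadir}/doc/@PACKAGE@` → `pkgdocdir = $(datadir)/doc/@PACKAGE@` keeps the block uniform. The reason for dropping the version suffix from the doc directory and for `httpd` → `apache2` is not recorded anywhere visible; a one-line comment above each would spare the next packager a search.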
--- shibboleth-sp2-2.3.1+dfsg.orig/configs/metagen.sh
+++ shibboleth-sp2-2.3.1+dfsg/configs/metagen.sh
@@ -1,4 +1,4 @@
-#! /bin/sh
+#! /bin/bash
while getopts a:c:e:h:n:o:s:t: c
do
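Review bot: The shebang change to `/bin/bash` at L17 is not explained, and the only code visible in the hunk (the `getopts` loop) is plain POSIX, so a reader cannot tell which bashism the script depends on. A comment such as `# bash required: <construct used below>` (placeholder) naming the feature, or keeping `/bin/sh` if no bash-only construct is actually used, would keep the interpreter dependency justified. The rest of metagen.sh is outside this hunk.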
--- shibboleth-sp2-2.3.1+dfsg.orig/configs/native.logger.in
+++ shibboleth-sp2-2.3.1+dfsg/configs/native.logger.in
@@ -26,10 +26,23 @@
# define the appender
-log4j.appender.native_log=org.apache.log4j.RollingFileAppender
-log4j.appender.native_log.fileName=@-SHIRELOGDIR-@/native.log
-log4j.appender.native_log.maxFileSize=1000000
-log4j.appender.native_log.maxBackupIndex=10
-#log4j.appender.native_log.layout=org.apache.log4j.BasicLayout
-log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
-log4j.appender.native_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+# This is the default, but it's essentially useless under normal
+# circumstances since Apache doesn't have access to write to that
+# directory.
+#log4j.appender.native_log=org.apache.log4j.RollingFileAppender
+#log4j.appender.native_log.fileName=@-SHIRELOGDIR-@/native.log
+#log4j.appender.native_log.maxFileSize=1000000
+#log4j.appender.native_log.maxBackupIndex=10
+##log4j.appender.native_log.layout=org.apache.log4j.BasicLayout
+#log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
+#log4j.appender.native_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+# Use syslog instead, since then at least the messages will go somewhere.
+# That facility is (3 << 3) or LOG_DAEMON, since log4cpp apparently
+# doesn't recognize symbolic log facilities.
+#
+# This is a Debian-specific change.
+log4j.appender.native_log=org.apache.log4j.LocalSyslogAppender
+log4j.appender.native_log.syslogName=shibboleth-sp
+log4j.appender.native_log.facility=24
+log4j.appender.native_log.layout=org.apache.log4j.BasicLayout
--- shibboleth-sp2-2.3.1+dfsg.orig/configs/keygen.sh
+++ shibboleth-sp2-2.3.1+dfsg/configs/keygen.sh
@@ -1,5 +1,10 @@
#! /bin/sh
+# Added for Debian. The upstream version is installed in /etc/shibboleth and
+# for Debian we wanted to move it to /usr/bin, so change directories so that
+# it puts files in the correct location.
+cd /etc/shibboleth
+
while getopts h:e:y:bf c
do
case $c in
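Review bot: `cd /etc/shibboleth` at L58 is unchecked, so if the directory is missing or not enterable the script carries on and generates `sp-key.pem` and `sp-cert.pem` in whatever the caller's working directory happened to be, applying the group/mode changes made later in the script there. `cd /etc/shibboleth || exit 1` makes that a hard failure. Hard-coding the directory also means the script can no longer be pointed at another location; the Debian comment could state that limitation explicitly.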
@@ -26,8 +31,9 @@
exit 0
fi
+# --fqdn flag added for Debian to generate better names for certificates.
if [ -z "$FQDN" ] ; then
- FQDN=`hostname`
+ FQDN=`hostname --fqdn`
fi
if [ -z "$YEARS" ] ; then
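Review bot: `hostname --fqdn` at L69 is not guaranteed to yield a name: when the host cannot resolve its own name it fails and prints nothing, so `FQDN` stays empty and the certificate subject is built from an empty string. Checking the result after the `if`, `[ -n "$FQDN" ] || { echo "cannot determine FQDN, pass it explicitly" >&2; exit 1; }`, keeps the failure visible (the option that sets `FQDN` is in the `case` arms outside this hunk, presumably `-h`).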
@@ -60,6 +66,11 @@
subjectKeyIdentifier=hash
EOF
+# Added for Debian. Make the key mode 640 and readable by group _shibd so
+# that the Debian shibd can use a non-root user.
+touch sp-key.pem
+chgrp _shibd sp-key.pem
+chmod 640 sp-key.pem
if [ -z "$BATCH" ] ; then
openssl req -config sp-cert.cnf -new -x509 -days $DAYS -keyout sp-key.pem -out sp-cert.pem
else
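Review bot: None of `touch`, `chgrp _shibd` or `chmod 640` at L77–L79 checks its result, so on a system where the `_shibd` group does not exist the key is left mode 640 under the default group, which is precisely the unreadable-key state that the init script in this same patch (shibd-debian.in, L117–L122) handles by falling back to running shibd as root. Failing here, `chgrp _shibd sp-key.pem || { echo "group _shibd not found" >&2; exit 1; }`, surfaces the problem at key-generation time instead. The new sequence also replaces the old chmod-600-after-generation ordering (removed in the next hunk) with a reliance on `openssl -keyout` truncating the pre-created file in place and so preserving its 640 mode; a comment stating that reliance, `# openssl rewrites the existing file, so the mode set above is kept`, would help the next reader.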
@@ -67,7 +78,3 @@
fi
rm sp-cert.cnf
-
-if [ -s sp-key.pem ] ; then
- chmod 600 sp-key.pem
-fi
--- shibboleth-sp2-2.3.1+dfsg.orig/configs/shibd-debian.in
+++ shibboleth-sp2-2.3.1+dfsg/configs/shibd-debian.in
@@ -7,8 +7,8 @@
# Default-Stop: 0 1 6
# Short-Description: Shibboleth 2 Service Provider Daemon
# Description: Starts the separate daemon used by the Shibboleth
-# Apache module to manage sessions and to retrieve
-# attributes from Shibboleth Identity Providers.
+# Apache module to manage sessions and to retrieve
+# attributes from Shibboleth Identity Providers.
### END INIT INFO
#
# Written by Quanah Gibson-Mount <quanah@stanford.edu>
@@ -29,6 +29,7 @@
SCRIPTNAME=/etc/init.d/$NAME
PIDFILE=@-PKGRUNDIR-@/$NAME.pid
DAEMON_OPTS=""
+DAEMON_USER=_shibd
# Force removal of socket
DAEMON_OPTS="$DAEMON_OPTS -f"
@@ -51,15 +52,47 @@
# Get the setting of VERBOSE and other rcS variables.
[ -f /etc/default/rcS ] && . /etc/default/rcS
+prepare_environment () {
+ # Ensure @-PKGRUNDIR-@ exists. /var/run may be on a tmpfs file system.
+ [ -d '@-PKGRUNDIR-@' ] || mkdir -p '@-PKGRUNDIR-@'
+
+ # If $DAEMON_USER is set, try to run shibd as that user. However,
+ # versions of the Debian package prior to 2.3+dfsg-1 ran shibd as root,
+ # and the local administrator may not have made the server's private key
+ # readable by $DAEMON_USER. We therefore test first by running shibd -t
+ # and looking for the error code indicating that the private key could not
+ # be read. If we get that error, we fall back on running shibd as root.
+ if [ -n "$DAEMON_USER" ]; then
+ DIAG=$(su -s $DAEMON $DAEMON_USER -- -t $DAEMON_OPTS 2>/dev/null)
+ if [ $? = 0 ] ; then
+ # openssl errstr 200100D (hex for 33558541) says:
+ # error:0200100D:system library:fopen:Permission denied
+ ERROR='ERROR OpenSSL : error code: 33558541 '
+ if echo "$DIAG" | fgrep -q "$ERROR" ; then
+ unset DAEMON_USER
+ echo "$NAME warning: file permissions require running as root"
+ else
+ chown -Rh "$DAEMON_USER" '@-PKGRUNDIR-@' '@-PKGLOGDIR-@'
+ fi
+ else
+ unset DAEMON_USER
+ echo "$NAME error: unable to run config check as user $DAEMON_USER"
+ fi
+ unset DIAG
+ fi
+}
+
case "$1" in
start)
+ prepare_environment
+
# Don't start shibd if NO_START is set.
if [ "$NO_START" = 1 ] ; then
echo "Not starting $DESC (see /etc/default/$NAME)"
exit 0
fi
echo -n "Starting $DESC: "
- start-stop-daemon --start --quiet \
+ start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
--pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
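Review bot: The `else` branch at L135–L138 drops to root whenever the config check fails for any reason, not only for the key-permission case the comment above it describes; a missing `_shibd` account, a failing `su`, or an unrelated configuration error all end in a root-running daemon announced by one echoed line. Restricting the root fallback to the matched OpenSSL error and otherwise leaving `$DAEMON_USER` set, so that start-stop-daemon fails visibly, would make the path fail-closed. In that same branch `unset DAEMON_USER` at L136 runs before the echo at L137, so the message prints an empty user name; swap the two lines. The match string `'ERROR OpenSSL : error code: 33558541 '` at L128 is tied to one OpenSSL error-code layout and to shibd's log format, so a comment noting that a changed code silently disables the check (and keeps the daemon on `$DAEMON_USER`) is worth adding. `chown -Rh` at L133 re-owns everything under the run and log directories on every start; chowning only the directories themselves (no `-R`) avoids re-owning arbitrary files the unprivileged daemon may have created there.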
@@ -70,11 +103,13 @@
echo "$NAME."
;;
restart|force-reload)
+ prepare_environment
+
echo -n "Restarting $DESC: "
start-stop-daemon --stop --quiet --pidfile $PIDFILE \
--exec $DAEMON
sleep 1
- start-stop-daemon --start --quiet \
+ start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
--pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
--- shibboleth-sp2-2.3.1+dfsg.orig/shibd/shibd.cpp
+++ shibboleth-sp2-2.3.1+dfsg/shibd/shibd.cpp
@@ -387,7 +387,7 @@
fprintf(stderr, "listener failure during service\n");
listener->term();
conf.term();
- if (pidfile)
+ if (daemonize && pidfile)
unlink(pidfile);
return -3;
}
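Review bot: The new `daemonize && pidfile` guard at L180 (and the identical change at L188 in the next hunk) is not explained; presumably the pidfile is only written on the daemonize path, which lies outside this hunk, so a non-daemonized shibd must not unlink a pidfile it did not create. A short comment at both sites, `// pidfile is only ours to remove when we wrote it (daemonize path)`, would record that intent. The enclosing function begins before this hunk.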
@@ -395,7 +395,7 @@
}
conf.term();
- if (pidfile)
+ if (daemonize && pidfile)
unlink(pidfile);
return 0;
}
--- shibboleth-sp2-2.3.1+dfsg.orig/schemas/Makefile.am
+++ shibboleth-sp2-2.3.1+dfsg/schemas/Makefile.am
@@ -12,8 +12,7 @@
shibboleth-2.0-afp-mf-basic.xsd \
shibboleth-2.0-afp-mf-saml.xsd \
shibboleth-2.0-attribute-map.xsd \
- shibboleth-2.0-sp-notify.xsd \
- WS-Trust.xsd
+ shibboleth-2.0-sp-notify.xsd
pkgxml_DATA = \
catalog.xml \
--- shibboleth-sp2-2.3.1+dfsg.orig/schemas/catalog.xml.in
+++ shibboleth-sp2-2.3.1+dfsg/schemas/catalog.xml.in
@@ -8,5 +8,7 @@
<system systemId="urn:mace:shibboleth:2.0:attribute-map" uri="@-PKGXMLDIR-@/shibboleth-2.0-attribute-map.xsd"/>
<system systemId="urn:mace:shibboleth:2.0:sp:notify" uri="@-PKGXMLDIR-@/shibboleth-2.0-sp-notify.xsd"/>
<system systemId="urn:mace:shibboleth:1.0" uri="@-PKGXMLDIR-@/shibboleth.xsd"/>
+ <!-- WS-Trust.xsd has been removed from the Debian package because of license problems
<system systemId="http://schemas.xmlsoap.org/ws/2005/02/trust" uri="@-PKGXMLDIR-@/WS-Trust.xsd"/>
+ -->
</catalog>