# ufdbGuard.spec.CentOS7
%global _hardened_build 1
%global version 1.33.7
# no stripping of the binaries
%global __os_install_post %{nil}
%define debug_package %{nil}
%define __strip /bin/true
### %__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches %{_hardened_cflags} %{_performance_cflags}
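# Active definition: the commented-out line above minus -Wp,-D_FORTIFY_SOURCE=2,
# -fexceptions, -fstack-protector-strong and --param=ssp-buffer-size=4.
%define __global_cflags -O2 -g -pipe -Wall -grecord-gcc-switches %{_hardened_cflags} %{_performance_cflags}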
Name: ufdbGuard
Version: %{version}
Release: DenyMode6.CentOS7
Summary: ufdbGuard is a URL filter for Squid
License: GNU General Public License v2.0 only
Group: Internet/Proxy
# FHS says no package may have files under /usr/local nor /opt
# Prefix: /usr/local/ufdbguard
Prefix: /usr
Provides: ufdbguardd
Provides: ufdbgclient
Provides: ufdbhttpd
Provides: ufdbsignal
Provides: ufdb-pstack
Provides: ufdbpeek
Provides: ufdbGenTable, ufdbConvertDB
Provides: ufdbUpdate
Provides: ufdbAnalyse
Provides: ufdb_analyse_urls, ufdb_analyse_users, ufdb_top_urls, ufdb_top_users
URL: http://www.urlfilterdb.com/
# The sources for many versions of ufdbGuard are on sourceforge.net (Source0)
# The latest version can also be downloaded from URLfilterDB (Source1)
Source: https://www.urlfilterdb.com/files/downloads/%{name}-%{version}.tar.gz
# Source0: http://sourceforge.net/projects/ufdbguard/
# Source1: http://www.urlfilterdb.com/en/downloads/software_doc.html
# Buildroot: /local/src/ufdbGuard-%{version}
# Buildroot: .
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
# required packages for ufdbguardd
Requires: glibc >= 2.17
Requires: openssl >= 1.0.1e
Requires: bzip2-libs >= 1.0.6
Requires: zlib >= 1.2.7
# required packages for ufdbUpdate
Requires: wget >= 1.14
Requires: tar, gzip
# required packages for ufdb-pstack
Requires: gdb >= 7.6.1
# Requires: yum-utils >= 1.1.31
# required packages for installation
# Requires: at
# required packages for analysis scripts
Requires: perl
%global __requires_exclude %{?__requires_exclude}|perl\\(CGI::|perl\\(FCGI::
# squid is required but may be installed from source and not using an RPM,
# or ufdbguard is used on a system where squid is not installed.
# Requires: squid
Buildrequires: openssl-devel >= 1.0.1e
Buildrequires: bzip2-devel >= 1.0.6
Buildrequires: zlib-devel >= 1.2.7
Buildrequires: make, gcc, bison, flex
Buildrequires: bind-utils
# TODO: %_initddir is macro for /etc/rc.d/init.d
Requires(post): chkconfig
Requires(preun): chkconfig
Requires(preun): initscripts
Requires(pre): shadow-utils
%description
ufdbGuard is a free URL filter for Squid with additional features like
SafeSearch enforcement for a large number of search engines, safer HTTPS
visits and dynamic detection of proxies (URL filter circumventors).
ufdbGuard supports free and commercial URL databases that can be
downloaded from various sites and vendors.
You can also make your own URL database for ufdbGuard.
%post
echo >&2
echo "ufdbGuard is installed." >&2
echo "See the Reference Manual for further instructions and configuration." >&2
echo "Seek help at https://www.urlfilterdb.com in case you have a question or an issue." >&2
echo >&2
# -h suppresses the file name prefix so that "^#" matches commented-out cron lines
job=`grep -h ufdbUpdate /var/spool/cron/* 2>/dev/null | grep -v "^#" `
if [ "$job" = "" ]
then
   echo "There is not yet a cron job for ufdbUpdate *****" >&2
   echo >&2
fi
# This adds the proper /etc/rc*.d links for the script
/sbin/chkconfig --add ufdb
#
# echo "#!/bin/sh" > /tmp/ufdb.postinstall
# echo "echo Updating debuginfo ..." >> /tmp/ufdb.postinstall
# echo "debuginfo-install -y -q glibc >/dev/null 2>&1" >> /tmp/ufdb.postinstall
# echo "debuginfo-install -y -q zlib >/dev/null 2>&1" >> /tmp/ufdb.postinstall
# echo "debuginfo-install -y -q bzip2 >/dev/null 2>&1" >> /tmp/ufdb.postinstall
# echo "debuginfo-install -y -q openssl >/dev/null 2>&1" >> /tmp/ufdb.postinstall
# chmod +x /tmp/ufdb.postinstall
# #
# echo "The installation of the ufdbGuard package is almost finished." >&2
# echo "Execute /tmp/ufdb.postinstall to update debuginfo for glibc, zlib, bzip2 and openssl. *****" >&2
# echo >&2
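# Runs detached as root: waits 180 seconds, then installs the debuginfo packages.
# Note that the log file has a fixed name in the world-writable /tmp.
/usr/bin/sh >/tmp/ufdbguardd.postinstall.log 2>&1 <<EOF &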
sleep 180
debuginfo-install -y -q glibc >/dev/null 2>&1
debuginfo-install -y -q zlib >/dev/null 2>&1
debuginfo-install -y -q bzip2 >/dev/null 2>&1
debuginfo-install -y -q openssl >/dev/null 2>&1
EOF
#
# TODO: run check_dns
%preun
if [ $1 = 0 ] ; then
   /sbin/service ufdb stop >/dev/null 2>&1
   /sbin/chkconfig --del ufdb
fi
# for pre-F13:
%clean
[ %{buildroot} != "/" ] && echo rm -rf %{buildroot}
# ufdbGuard is installed with user ufdb and group ufdb
%pre
# set -x
getent group ufdb >/dev/null || groupadd -r ufdb
getent passwd ufdb >/dev/null || \
   useradd -r -g ufdb -d /var/ufdbguard -M -s /usr/bin/sh \
      -c "ufdbGuard URL filter" ufdb
exit 0
%prep
# echo prep in %{buildroot}
# set -x
# TODO %setup -q
%setup -q
%build
echo build in `pwd`
%configure \
   --with-ufdb-user=ufdb \
   --prefix=/usr \
   --with-ufdb-bindir=/usr/sbin \
   --with-ufdb-piddir=/var/run/ufdbguard \
   --with-ufdb-mandir=/usr/share/man \
   --with-ufdb-images_dir=/var/ufdbguard/images \
   --with-ufdb-logdir=/var/ufdbguard/logs \
   --with-ufdb-samplesdir=/var/ufdbguard/samples \
   --with-ufdb-config=/etc/ufdbguard \
   --with-ufdb-dbhome=/var/ufdbguard/blacklists
%{__make} %{?_smp_mflags}
%install
# echo install
# env
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
%{__make} DESTDIR=%{buildroot} mkdirsredhatcentos install
# the install makes a backup of the conf file that we do not want in the package
rm -f %{buildroot}/etc/ufdbguard/ufdbGuard.conf.pre-v1.*
# echo
# echo "The configuration file of ufdbGuard is /etc/ufdbguard/ufdbGuard.conf"
# echo "The system configuration file for the ufdbGuard Software Suite is /etc/sysconfig/ufdbguard"
# ufdbsignal is suid-root since it must be able to send a signal to ufdbguardd.
# ufdbsignal is a very simple program which checks the uid to see if the user is permitted to send a signal.
# ufdbsignal reads the pid from /var/run/ufdbguardd/ufdbguardd.pid.
%verifyscript
if [ ! -f /etc/sysconfig/ufdbguard ]
then
   echo "/etc/sysconfig/ufdbguard does not exist." >&2
else
   # Read the value as text rather than with eval: the file is owned by
   # user ufdb and this script usually runs as root (rpm -V).
   DOWNLOAD_USER=$(sed -n 's/^DOWNLOAD_USER=//p' /etc/sysconfig/ufdbguard | tail -n 1 | tr -d "\"'")
   if [ "$DOWNLOAD_USER" = "" ]
   then
      echo "The username for periodical downloads of the URL database is not set." >&2
      echo "Edit /etc/sysconfig/ufdbguard and set DOWNLOAD_USER and DOWNLOAD_PASSWORD." >&2
   else
      echo "DOWNLOAD_USER is set to $DOWNLOAD_USER in /etc/sysconfig/ufdbguard"
   fi
fi
if [ ! -f /etc/ufdbguard/ufdbGuard.conf ]
then
   echo "/etc/ufdbguard/ufdbGuard.conf does not exist."
else
   set -- `grep ^dbhome /etc/ufdbguard/ufdbGuard.conf`
   # must get rid of quotes or else "if [ ! -d $DBDIR ]" fails :-(
   DBDIR=`echo "${2:-notset}" | sed -e 's,",,g' `
   if [ "$DBDIR" = notset ]
   then
      DBDIR=/var/ufdbguard/blacklists
      echo "/etc/ufdbguard/ufdbGuard.conf: dbhome is not set" >&2
      echo "Using default value for dbhome: $DBDIR" >&2
   fi
   # the variable is quoted so that an unexpected value cannot break the tests
   if [ ! -d "$DBDIR" ]
   then
      echo "/etc/ufdbguard/ufdbGuard.conf: dbhome $DBDIR: directory does not exist" >&2
   else
      if [ ! -d "$DBDIR/adult" ] || [ ! -d "$DBDIR/checked" ]
      then
         echo "/etc/ufdbguard/ufdbGuard.conf: dbhome $DBDIR:" >&2
         echo "The directory for the URL database does not contain subdirectories for adult and/or checked." >&2
         echo "This means that the URL database of URLfilterDB is not used." >&2
         echo "If you intend to use the URL database of URLfilterDB, make sure that " >&2
         echo "\"ufdbUpdate [-v]\" runs without errors to download the URL database." >&2
         echo "See the Reference Manual for more information." >&2
      fi
   fi
fi
exit 0
%postun
# -h suppresses the file name prefix so that "^#" matches commented-out cron lines
job=`grep -h ufdbUpdate /var/spool/cron/* 2>/dev/null | grep -v "^#" `
if [ "$job" != "" ]
then
   echo "Note: there is still a cron job for ufdbUpdate." >&2
fi
exit 0
# %config
# /etc/sysconfig/ufdbguard
# /etc/ufdbguard/ufdbGuard.conf
%files
%defattr(-,root,root,-)
/etc/init.d/ufdb
%config(noreplace) %attr(-,ufdb,ufdb) /etc/sysconfig/ufdbguard
%config(noreplace) %attr(-,ufdb,ufdb) /etc/ufdbguard/ufdbGuard.conf
/var/ufdbguard/images/default.flv
/var/ufdbguard/images/default.mp3
/var/ufdbguard/images/default.mpeg
/var/ufdbguard/images/default.wmv
/var/ufdbguard/images/forbidden-normal-de.png
/var/ufdbguard/images/forbidden-normal-en.png
/var/ufdbguard/images/forbidden-normal-es.png
/var/ufdbguard/images/forbidden-normal-fr.png
/var/ufdbguard/images/forbidden-normal-it.png
/var/ufdbguard/images/forbidden-normal-nl.png
/var/ufdbguard/images/forbidden-normal-pl.png
/var/ufdbguard/images/forbidden-normal-pt.png
/var/ufdbguard/images/forbidden-normal-sv.png
/var/ufdbguard/images/forbidden-normal-tr.png
/var/ufdbguard/images/no-ads.png
/var/ufdbguard/images/smallcross.png
/var/ufdbguard/images/square.png
/var/ufdbguard/images/transparent.png
/var/ufdbguard/samples/execdomainlist.sh
/var/ufdbguard/samples/execuserlist.sh
/var/ufdbguard/samples/URLblocked.cgi
/usr/sbin/ufdb-pstack
/usr/sbin/ufdbAnalyse
/usr/sbin/ufdbConvertDB
/usr/sbin/ufdbGenTable
/usr/sbin/ufdbUpdate
/usr/sbin/ufdb_analyse_urls
/usr/sbin/ufdb_analyse_users
/usr/sbin/ufdb_top_urls
/usr/sbin/ufdb_top_users
/usr/sbin/ufdbgclient
/usr/sbin/ufdbguardd
/usr/sbin/ufdbhttpd
%attr(4755,root,root) /usr/sbin/ufdbsignal
/usr/share/man/man1/ufdb_analyse_urls.1
/usr/share/man/man1/ufdb_analyse_users.1
/usr/share/man/man1/ufdb_top_urls.1
/usr/share/man/man1/ufdb_top_users.1
/usr/share/man/man1/ufdbAnalyse.1
/usr/share/man/man8/ufdbgclient.8
/usr/share/man/man8/ufdbguardd.8
/usr/share/man/man8/ufdbhttpd.8
/usr/share/man/man8/ufdbupdate.8
%dir %attr(-,ufdb,ufdb) /var/ufdbguard/blacklists
%dir %attr(-,ufdb,ufdb) /var/ufdbguard/blacklists/security
# The cacerts get updated by ufdbUpdate:
%verify(not md5 size mtime) %attr(644,ufdb,ufdb) /var/ufdbguard/blacklists/security/cacerts
# log files go to /var/ufdbguard/logs
%dir %attr(-,ufdb,ufdb) /var/ufdbguard/logs
# pid files go to /var/run/ufdbguard
%dir %attr(755,ufdb,ufdb) /var/run/ufdbguard
%doc README CHANGELOG
# TODO
%changelog
* Thu Dec 06 2018 Evgeny Sinelnikov <[email protected]> - 1.33.7-DenyMode6
Add: new option firewall-mode, which search acl for all sources rule by rule
* Thu Nov 29 2018 Evgeny Sinelnikov <[email protected]> - 1.33.7-DenyMode5
Fix: set redirect-https by default to: https://127.0.0.1:55555/123asd.html
* Mon Oct 15 2018 Evgeny Sinelnikov <[email protected]> - 1.33.7-DenyMode4
Add: support redirect-static-url option (enabled by default)
* Sun Oct 14 2018 Evgeny Sinelnikov <[email protected]> - 1.33.7-DenyMode3
Add: support redirect-default-url option
(as "http://cgibin.urlfilterdb.com/cgi-bin/URLblocked.cgi?" prefix for redirect)
* Wed Oct 10 2018 Evgeny Sinelnikov <[email protected]> - 1.33.7-DenyMode2
Add: support reuse-acl-names option (enabled by default)
* Mon Oct 08 2018 Evgeny Sinelnikov <[email protected]> - 1.33.7-DenyMode1
Add: support deny-mode option (enabled by default)
* Wed Jul 25 2018 Marcus Kool <[email protected]> - 1.33.7
Fix: implement workaround for fatal bug in gcc 4.x with -O3 that causes ufdbguardd to dump core
Fix: the pidfile parameter was not used and the pid was written to the default pidfile
Fix: on blocking https sites, the final block page was not shown without ssl_bump
* Mon May 28 2018 Marcus Kool <[email protected]> - 1.33.6
Fix: ufdbguardd incorrectly blocked URLs that use HTTPS
* Thu Apr 19 2018 Marcus Kool <[email protected]> - 1.33.5
Fix: ufdbguardd may crash during a database refresh
Fix: empty pass statements in acls may cause a crash.
Fix: SSH tunnels were detected but access was not blocked
Fix: sometimes the SSL/TLS certificate was not checked to be signed by a CA
Fix: skip acls with "pass any" if the source has the continue flag set
* Thu Sep 21 2017 Marcus Kool <[email protected]> - 1.33.4
Fix: URLs with very long domainnames may cause a crash if the URL is not in the URL database
Fix: ufdbguardd did not obey 'continue' inside a source
Fix: the logfile did not contain "PASS URL" for all allowed URLs
Fix: suppress another warning by ufdbGenTable if the -q option is used
Fix: execuserlist with large arguments cannot be cached
Fix: ufdbguardd sometimes does not use the correct source for its decision
Fix: in-addr also matched URLs without an IP address
Configuration: the option squid-uses-active-bumping was missing in the default configuration file
* Tue Jun 6 2017 Marcus Kool <[email protected]> - 1.33.3
Fix: ufdbgclient truncates Squid request lines to 8K which means that very long URLs cannot be filtered
Fix: ufdbGenTable erroneously warned about URLs inside a comment
Fix: make ufdbGuard compile on FreeBSD
Fix: when evaluate-and IPv4/6 is used in a source definition, the source may not be matched
Fix: ufdbguardd did not accept the IPv6 address '::'
Enhancement: several warnings for IPv4 and IPv6 addresses inside a source were implemented
* Tue May 23 2017 Marcus Kool <[email protected]> - 1.33.2
Fix: ufdbguardd may incorrectly abort with a fatal error cannot-get-rwlock-for-database-refresh-after-many-attempts
Fix: safesearch did not work in 2 out of 3 cases
Fix: ufdbguard did not compile on FreeBSD.
Fix: crash due to stack overwrite in uploadStatistics/logStatistics
Documentation: added use-ipv6-on-wan option to Reference Manual
* Wed Mar 15 2017 Marcus Kool <[email protected]> - 1.33.1
Enhancement: IPv6 support for sources with new keywords ipv6 and ipv6list
Enhancement: detect certificates of ucweb.com and uc.cn of the ucweb browser that circumvents URL filters
Enhancement: ufdbgclient has new -m parameter to use multithreading and improve performance
Enhancement: make ufdbguardd.pid world-readable
Enhancement: allow UTF8 characters in URLs
Enhancement: new keyword ufdb-log-url-details controls if URLs in the log file have parameters or not
Fix: on the ARM platform generated URL tables were corrupt
Fix: implicitly allowed URLs were logged with category "any" instead of the correct category ID
Fix: prevent false positives with Tor proxy detection on port 443
Fix: failed probes for <IP>:443 were not properly cached and resulted in too many probes for IP
Fix: when reverse IP lookups are used, the URL category was not logged correctly (was logged as "any")
Fix: ufdbGenTable uses less memory
Fix: the feature "block-bumped-connect on" never blocked a CONNECT request