KeyGen no longer needs a path - we run it after the path has been set
[shibboleth/cpp-sp.git] / shibboleth.spec.in
index 0e394c6..1e793ac 100644 (file)
@@ -11,7 +11,7 @@ BuildRoot:    %{_tmppath}/%{name}-%{version}-root
 Requires:      openssl
 PreReq:                xmltooling-schemas, opensaml-schemas
 %if 0%{?suse_version} > 1030 && 0%{?suse_version} < 1130
-PreReq:                %{insserv_prereq}
+PreReq:                %{insserv_prereq} %{fillup_prereq}
 BuildRequires: libXerces-c-devel >= 2.8.0
 %else
 BuildRequires: libxerces-c-devel >= 2.8.0
@@ -25,18 +25,27 @@ BuildRequires:      libsaml-devel >= 2.5
 Requires:              libcurl-openssl >= 7.21.7
 BuildRequires: chrpath
 %endif
-BuildRequires:  gcc-c++, zlib-devel
+BuildRequires:  gcc-c++, zlib-devel, boost-devel >= 1.32.0
 %{!?_without_doxygen:BuildRequires: doxygen}
 %{!?_without_odbc:BuildRequires:unixODBC-devel}
 %{?_with_fastcgi:BuildRequires: fcgi-devel}
+%if 0%{?centos_version} >= 600
+BuildRequires: libmemcached-devel
+%endif
+%{?_with_memcached:BuildRequires: libmemcached-devel}
 %if "%{_vendor}" == "redhat"
 %{!?_without_builtinapache:BuildRequires: httpd-devel}
 BuildRequires: redhat-rpm-config
+Requires(pre): shadow-utils
+Requires(post): chkconfig
+Requires(preun): chkconfig, initscripts
 %endif
 %if "%{_vendor}" == "suse"
+Requires(pre): pwdutils
 %{!?_without_builtinapache:BuildRequires: apache2-devel}
 %endif
 
+%define runuser shibd
 %if "%{_vendor}" == "suse"
 %define pkgdocdir %{_docdir}/%{name}
 %else
@@ -77,7 +86,11 @@ This package includes files needed for development with Shibboleth.
 %setup -q
 
 %build
-%configure %{?_without_odbc:--disable-odbc} %{?_without_adfs:--disable-adfs} %{?_with_fastcgi} %{?_with_memcached} %{?shib_options}
+%if 0%{?centos_version} >= 600
+       %configure %{?_without_odbc:--disable-odbc} %{?_without_adfs:--disable-adfs} %{?_with_fastcgi} %{!?_without_memcached:--with-memcached} %{?shib_options}
+%else
+       %configure %{?_without_odbc:--disable-odbc} %{?_without_adfs:--disable-adfs} %{?_with_fastcgi} %{?_with_memcached} %{?shib_options}
+%endif
 %{__make} pkgdocdir=%{pkgdocdir}
 
 %install
@@ -87,15 +100,6 @@ This package includes files needed for development with Shibboleth.
        %{__sed} -i "s/\/var\/log\/httpd/\/var\/log\/apache2/g" \
                $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/native.logger
 %endif
-%if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600
-       %{__sed} -i "s/#_RHEL6_//g" \
-               $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/shibd-redhat
-       %{__sed} -i "s/\/opt\/shibboleth\/lib/\/opt\/shibboleth\/%{_lib}/g" \
-               $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/shibd-redhat
-       chrpath -d $RPM_BUILD_ROOT%{_sbindir}/shibd
-       chrpath -d $RPM_BUILD_ROOT%{_bindir}/mdquery
-       chrpath -d $RPM_BUILD_ROOT%{_bindir}/resolvertest
-%endif
 
 # Plug the SP into the built-in Apache on a recognized system.
 touch rpm.filelist
@@ -109,6 +113,9 @@ fi
 if [ -f $RPM_BUILD_ROOT%{_libdir}/%{name}/mod_shib_22.so ] ; then
        APACHE_CONFIG="apache22.config"
 fi
+if [ -f $RPM_BUILD_ROOT%{_libdir}/%{name}/mod_shib_24.so ] ; then
+       APACHE_CONFIG="apache24.config"
+fi
 %{?_without_builtinapache:APACHE_CONFIG="no"}
 if [ "$APACHE_CONFIG" != "no" ] ; then
        APACHE_CONFD="no"
@@ -121,10 +128,43 @@ if [ "$APACHE_CONFIG" != "no" ] ; then
        if [ "$APACHE_CONFD" != "no" ] ; then
                %{__mkdir} -p $RPM_BUILD_ROOT$APACHE_CONFD
                %{__cp} -p $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/$APACHE_CONFIG $RPM_BUILD_ROOT$APACHE_CONFD/shib.conf 
-               echo "%config(noreplace) $APACHE_CONFD/shib.conf" > rpm.filelist
+               echo "%config(noreplace) $APACHE_CONFD/shib.conf" >> rpm.filelist
        fi
 fi
 
+# Establish location of sysconfig file, if any.
+SYSCONFIG_SHIBD="no"
+%if "%{_vendor}" == "redhat"
+       %{__mkdir} -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
+       echo "%config(noreplace) %{_sysconfdir}/sysconfig/shibd" >> rpm.filelist
+       SYSCONFIG_SHIBD="$RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/shibd"
+%endif
+%if "%{_vendor}" == "suse"
+       %{__mkdir} -p $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates
+       echo "%{_localstatedir}/adm/fillup-templates/sysconfig.shibd" >> rpm.filelist
+       SYSCONFIG_SHIBD="$RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.shibd"
+%endif
+if [ "$SYSCONFIG_SHIBD" != "no" ] ; then
+       # Populate the sysconfig file.
+       cat > $SYSCONFIG_SHIBD <<EOF
+# Shibboleth SP init script customization
+
+# User account for shibd
+SHIBD_USER=%{runuser}
+EOF
+       %if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600
+               cat >> $SYSCONFIG_SHIBD <<EOF
+
+# Override OS-supplied libcurl
+export LD_LIBRARY_PATH=/opt/shibboleth/%{_lib}
+EOF
+               # Strip existing rpath to libcurl.
+               chrpath -d $RPM_BUILD_ROOT%{_sbindir}/shibd
+               chrpath -d $RPM_BUILD_ROOT%{_bindir}/mdquery
+               chrpath -d $RPM_BUILD_ROOT%{_bindir}/resolvertest
+       %endif
+fi
+
 %if "%{_vendor}" == "redhat" || "%{_vendor}" == "suse"
        # %{_initddir} not yet in RHEL5, use deprecated %{_initrddir}
        install -d -m 0755 $RPM_BUILD_ROOT%{_initrddir}
@@ -141,39 +181,54 @@ fi
 %clean
 [ "$RPM_BUILD_ROOT" != "/" ] && %{__rm} -rf $RPM_BUILD_ROOT
 
+%pre
+getent group %{runuser} >/dev/null || groupadd -r %{runuser}
+getent passwd %{runuser} >/dev/null || useradd -r -g %{runuser} \
+       -d  %{_localstatedir}/run/%{name} -s /sbin/nologin -c "Shibboleth SP daemon" %{runuser}
+exit 0
+
 %post
 %ifnos solaris2.8 solaris2.9 solaris2.10
 /sbin/ldconfig
 %endif
 
-# Key generation
+# Key generation or ownership fix
 cd %{_sysconfdir}/%{name}
-sh ./keygen.sh -b
-
-if [ "$1" -gt "1" ] ; then
-       # On systems with shib.conf installed, clean up old Alias commands
-       # by pointing them at new version-independent /usr/share/share tree.
-       # Any Aliases we didn't create we assume are custom files.
-       # This is to accomodate making shib.conf a noreplace config file.
-       APACHE_CONF="no"
-       if [ -f %{_sysconfdir}/httpd/conf.d/shib.conf ] ; then
-               APACHE_CONF="%{_sysconfdir}/httpd/conf.d/shib.conf"
-       fi
-       if [ -f %{_sysconfdir}/apache2/conf.d/shib.conf ] ; then
-               APACHE_CONF="%{_sysconfdir}/apache2/conf.d/shib.conf"
-       fi
-       if [ "$APACHE_CONF" != "no" ] ; then
-               %{__sed} -i "s/\/usr\/share\/doc\/shibboleth\(\-\(.\)\{1,\}\)\{0,1\}\/main\.css/\/usr\/share\/shibboleth\/main.css/g" \
-                       $APACHE_CONF
-               %{__sed} -i "s/\/usr\/share\/doc\/shibboleth\(\-\(.\)\{1,\}\)\{0,1\}\/logo\.jpg/\/usr\/share\/shibboleth\/logo.jpg/g" \
-                       $APACHE_CONF
-       fi
+if [ -f sp-key.pem ] ; then
+       %{__chown} %{runuser}:%{runuser} sp-key.pem sp-cert.pem 2>/dev/null || :
+else
+       sh ./keygen.sh -b -u %{runuser} -g %{runuser}
 fi
 
+# Fix ownership of log files (even on new installs, if they're left from an older one).
+%{__chown} %{runuser}:%{runuser} %{_localstatedir}/log/%{name}/* 2>/dev/null || :
+
 %if "%{_vendor}" == "redhat"
+       if [ "$1" -gt "1" ] ; then
+               # On Red Hat with shib.conf installed, clean up old Alias commands
+               # by pointing them at new version-independent /usr/share/share tree.
+               # Any Aliases we didn't create we assume are custom files.
+               # This is to accomodate making shib.conf a noreplace config file.
+               # We can't do this for SUSE, because they disallow changes to
+               # packaged files in scriplets.
+               APACHE_CONF="no"
+               if [ -f %{_sysconfdir}/httpd/conf.d/shib.conf ] ; then
+                       APACHE_CONF="%{_sysconfdir}/httpd/conf.d/shib.conf"
+               fi
+               if [ "$APACHE_CONF" != "no" ] ; then
+                       %{__sed} -i "s/\/usr\/share\/doc\/shibboleth\(\-\(.\)\{1,\}\)\{0,1\}\/main\.css/\/usr\/share\/shibboleth\/main.css/g" \
+                               $APACHE_CONF
+                       %{__sed} -i "s/\/usr\/share\/doc\/shibboleth\(\-\(.\)\{1,\}\)\{0,1\}\/logo\.jpg/\/usr\/share\/shibboleth\/logo.jpg/g" \
+                               $APACHE_CONF
+               fi
+       fi
+
        # This adds the proper /etc/rc*.d links for the script
        /sbin/chkconfig --add shibd
+
        # On upgrade, restart components if they're already running.
+       # This gets repeated now down in %postun, and the next release
+       # should remove this copy. If we yank it now, we'll break upgrades.
        if [ "$1" -gt "1" ] ; then
                /etc/init.d/shibd status 1>/dev/null && /etc/init.d/shibd restart 1>/dev/null
                %{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
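Review bot: The new `%{__chown} %{runuser}:%{runuser} %{_localstatedir}/log/%{name}/* 2>/dev/null || :` near the top of %post dereferences symlinks, and this same commit hands ownership of that log directory to the unprivileged %{runuser} account (see the %files hunk). On a later upgrade a root-run scriptlet would follow any symlink found there and re-own its target, so the fixup should not follow links: `%{__chown} -h %{runuser}:%{runuser} %{_localstatedir}/log/%{name}/* 2>/dev/null || :` (or limit it to regular files via `find ... -type f`). The `sp-key.pem`/`sp-cert.pem` chown a few lines earlier runs inside the root-owned %{_sysconfdir}/%{name} and is not affected. Separately, `cd %{_sysconfdir}/%{name}` is unchecked, so a failed cd would leave `sh ./keygen.sh -b -u %{runuser} -g %{runuser}` running in an arbitrary directory; `cd %{_sysconfdir}/%{name} || exit 0` is the usual guard. The %post scriptlet continues past this hunk.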
@@ -182,13 +237,16 @@ fi
 %endif
 %if "%{_vendor}" == "suse"
        # This adds the proper /etc/rc*.d links for the script
+       # and populates the sysconfig/shibd file.
        cd /
+       %{fillup_only -n shibd}
        %insserv_force_if_yast shibd
 %endif
 
 %preun
+# On final removal, stop shibd and remove service, restart Apache if running.
 %if "%{_vendor}" == "redhat"
-       if [ "$1" = 0 ] ; then
+       if [ "$1" -eq 0 ] ; then
                /sbin/service shibd stop >/dev/null 2>&1
                /sbin/chkconfig --del shibd
                %{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
@@ -196,7 +254,7 @@ fi
 %endif
 %if "%{_vendor}" == "suse"
        %stop_on_removal shibd
-       if [ "$1" = 0 ] ; then
+       if [ "$1" -eq 0 ] ; then
                %{!?_without_builtinapache:/etc/init.d/apache2 status 1>/dev/null && /etc/init.d/apache2 restart 1>/dev/null}
        fi
 %endif
@@ -206,11 +264,19 @@ exit 0
 %ifnos solaris2.8 solaris2.9 solaris2.10
 /sbin/ldconfig
 %endif
+%if "%{_vendor}" == "redhat"
+       # On upgrade, restart components if they're already running.
+       if [ "$1" -ge "1" ] ; then
+               /etc/init.d/shibd status 1>/dev/null && /etc/init.d/shibd restart 1>/dev/null
+               %{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
+               exit 0
+       fi
+%endif
 %if "%{_vendor}" == "suse"
-cd /
-%restart_on_update shibd
-%{!?_without_builtinapache:%restart_on_update apache2}
-%{insserv_cleanup}
+       cd / 
+       %restart_on_update shibd
+       %{!?_without_builtinapache:%restart_on_update apache2}
+       %{insserv_cleanup}
 %endif
 
 %posttrans
@@ -235,8 +301,9 @@ fi
 %dir %{_libdir}/%{name}
 %{_libdir}/%{name}/*
 %exclude %{_libdir}/%{name}/*.la
-%attr(0750,root,root) %dir %{_localstatedir}/log/%{name}
-%dir %{_localstatedir}/run/%{name}
+%attr(0750,%{runuser},%{runuser}) %dir %{_localstatedir}/log/%{name}
+%attr(0755,%{runuser},%{runuser}) %dir %{_localstatedir}/run/%{name}
+%attr(0755,%{runuser},%{runuser}) %dir %{_localstatedir}/cache/%{name}
 %dir %{_datadir}/xml/%{name}
 %{_datadir}/xml/%{name}/*
 %dir %{_datadir}/%{name}
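Review bot: `%attr(0755,%{runuser},%{runuser}) %dir %{_localstatedir}/run/%{name}` makes the run directory writable by the unprivileged daemon account, and %pre also uses it as that account's home directory. If the init script (not in this diff) reads shibd's pid file from there while running as root, the daemon account can place arbitrary content in that file; presumably that is acceptable here, but the safer layout is a root-owned directory with only the pid file itself writable by %{runuser}, or a pid file written before privileges are dropped. A brief comment on this line stating why the whole directory is handed to %{runuser} would help the next packager.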
@@ -268,10 +335,17 @@ fi
 %doc %{pkgdocdir}/api
 
 %changelog
-* Tue Aug 9 2011  Scott Cantor  <cantor.2@osu.edu>  - 2.5-1
+* Thu Mar 1 2012  Scott Cantor  <cantor.2@osu.edu>  - 2.5-1
 - Move logo and stylesheet to version-independent tree
 - Make shib.conf noreplace
 - Post-fixup of Alias commands in older shib.conf
+- Changes to run shibd as non-root shibboleth user
+- Move init customizations to /etc/sysconfig/shibd
+- Copy shibd restart for Red Hat to postun
+- Add boost-devel dependency
+- Build memcache plugin on RH6
+- Add cachedir to install
+- Add Apache 2.4 to install
 
 * Sun Jun 26 2011  Scott Cantor  <cantor.2@osu.edu>  - 2.4.3-1
 - Log files shouldn't be world readable.