Install a "refuse" file to protect the mirror's scripts and

configuration files from a malicious or compromised master site.

net/cvsup-mirror/Makefile

@@ -22,6 +22,7 @@ NO_PACKAGE=	too interactive
 SCRIPTS_ENV=	USA_RESIDENT=${USA_RESIDENT}
 
 base=${PREFIX}/etc/cvsup
+distrib=${base}/sup.client/distrib
 rc=${PREFIX}/etc/rc.d
 
 do-extract:
@@ -29,13 +30,14 @@ do-extract:
 
 do-install:
 	@${ECHO_MSG} "Installing files"
-	@test -d ${base} || ${MKDIR} ${base}
+	@test -d ${distrib} || ${MKDIR} ${distrib}
 	@test -d ${rc} || ${MKDIR} ${rc}
 	@${INSTALL_DATA} ${WRKSRC}/config.sh ${base}
 	@${INSTALL_SCRIPT} ${FILESDIR}/update.sh ${base}
 	@${INSTALL_DATA} ${FILESDIR}/supfile ${base}
 	@${INSTALL_DATA} ${FILESDIR}/supfile.crypto ${base}
 	@${INSTALL_DATA} ${FILESDIR}/supfile.non-crypto ${base}
+	@${INSTALL_DATA} ${FILESDIR}/refuse.self ${distrib}
 	@${INSTALL_SCRIPT} ${FILESDIR}/cvsupd.sh ${rc}
 	@${CP} /dev/null ${base}/.start_server
 

net/cvsup-mirror/files/refuse.self

@@ -0,0 +1,6 @@
+*.sh
+cvsupd.access
+cvsupd.passwd
+prefixes
+sup.client
+supfile*

net/cvsup-mirror/pkg-plist

@@ -1,4 +1,5 @@
 etc/cvsup/config.sh
+etc/cvsup/sup.client/distrib/refuse.self
 etc/cvsup/supfile
 etc/cvsup/supfile.crypto
 etc/cvsup/supfile.non-crypto