Date: Mon, 11 Jul 2022 13:42:37 GMT
From: Ryan Steinmetz
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 7b6aed9ac322 - main - security/stunnel: Drop privs by default, update PID file location
Message-Id: <202207111342.26BDgb8j097823@gitrepo.freebsd.org>
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: zi
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 7b6aed9ac322d8a3820d8f0615eb623bb815f7ee

The branch main has been updated by zi:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=7b6aed9ac322d8a3820d8f0615eb623bb815f7ee commit 7b6aed9ac322d8a3820d8f0615eb623bb815f7ee Author: Ryan Steinmetz AuthorDate: 2022-07-11 13:41:15 +0000 Commit: Ryan Steinmetz CommitDate: 2022-07-11 13:41:15 +0000 security/stunnel: Drop privs by default, update PID file location - Document changes in UPDATING PR: 249151 Reported by: Tatsuki Makino --- UPDATING | 13 +++++++++++++ security/stunnel/Makefile | 9 +++++++-- security/stunnel/files/daemon.conf.in | 3 +++ security/stunnel/files/pid.conf | 1 - security/stunnel/files/stunnel.in | 18 ++++++++++++++++-- security/stunnel/pkg-plist | 2 +- 6 files changed, 40 insertions(+), 6 deletions(-) diff --git a/UPDATING b/UPDATING index 9e1dc3faf14d..6d76e6add9b7 100644 --- a/UPDATING +++ b/UPDATING @@ -5,6 +5,19 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20220711: + AFFECTS: users of security/stunnel + AUTHOR: zi@FreeBSD.org + + The stunnel port has been updated to drop privileges to the stunnel + user by default. + + As a result of this change, the pid file location has changed. If + you have a running copy of stunnel, you should stop the process + before performing the upgrade. Alternatively, you will need to + # pkill stunnel;service stunnel start + after the upgrade has been completed. + 20220628: AFFECTS: users of Erlang and Elixir AUTHOR: dch@FreeBSD.org diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile index 6db2dad118db..ea08a6fc6780 100644 --- a/security/stunnel/Makefile +++ b/security/stunnel/Makefile @@ -16,7 +16,7 @@ LICENSE= GPLv2 GPLv3 LICENSE_COMB= dual BROKEN_SSL= libressl libressl-devel -BROKEN_SSL_REASON= Missing upstream support +BROKEN_SSL_REASON= missing upstream support USES= cpe libtool perl5 shebangfix ssl USE_PERL5= build 
@@ -27,6 +27,10 @@ GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var/tmp --enable-static --disable-systemd \ --with-ssl="${OPENSSLBASE}" SHEBANG_FILES= src/stunnel3.in +SUB_FILES= daemon.conf +SUB_LIST= STUNNEL_PIDFILE=${STUNNEL_PIDFILE} \ + STUNNEL_USER=${STUNNEL_USER} \ + STUNNEL_GROUP=${STUNNEL_GROUP} OPTIONS_DEFINE= DOCS EXAMPLES FIPS IPV6 LIBWRAP OPTIONS_SINGLE= THREAD @@ -42,6 +46,7 @@ FORK_DESC= Use the fork(3) threading model PTHREAD_DESC= Use the pthread(3) threading model UCONTEXT_DESC= Use the ucontext(3) threading model +STUNNEL_PIDFILE=/var/run/stunnel/stunnel.pid STUNNEL_USER?= stunnel STUNNEL_GROUP?= stunnel @@ -101,7 +106,7 @@ post-build: post-install: ${MKDIR} ${STAGEDIR}${ETCDIR}/conf.d/ - ${INSTALL_DATA} ${FILESDIR}/pid.conf ${STAGEDIR}${ETCDIR}/conf.d/00-pid.conf + ${INSTALL_DATA} ${WRKDIR}/daemon.conf ${STAGEDIR}${ETCDIR}/conf.d/00-daemon.conf cert: @${ECHO} "" diff --git a/security/stunnel/files/daemon.conf.in b/security/stunnel/files/daemon.conf.in new file mode 100644 index 000000000000..af40302a0927 --- /dev/null +++ b/security/stunnel/files/daemon.conf.in @@ -0,0 +1,3 @@ +pid = %%STUNNEL_PIDFILE%% +setuid = %%STUNNEL_USER%% +setgid = %%STUNNEL_GROUP%% diff --git a/security/stunnel/files/pid.conf b/security/stunnel/files/pid.conf deleted file mode 100644 index f2b23cc181bb..000000000000 --- a/security/stunnel/files/pid.conf +++ /dev/null @@ -1 +0,0 @@ -pid = /var/run/stunnel.pid diff --git a/security/stunnel/files/stunnel.in b/security/stunnel/files/stunnel.in index a36dd7eb01ed..0d90942e1827 100644 --- a/security/stunnel/files/stunnel.in +++ b/security/stunnel/files/stunnel.in 
@@ -13,9 +13,11 @@ # Set it to the full path to the config file # that stunnel will use during the automated # start-up. -# stunnel_pidfile (str): Default "%%PREFIX%%/var/stunnel/stunnel.pid" +# stunnel_pidfile (str): Default "%%STUNNEL_PIDFILE%%" # Set it to the value of 'pid' in # the stunnel.conf file. +# stunnel_uid (str): Default "%%STUNNEL_USER%%" +# stunnel_gid (str): Default "%%STUNNEL_GROUP%%" # . /etc/rc.subr @@ -27,7 +29,9 @@ load_rc_config $name : ${stunnel_enable="NO"} : ${stunnel_config="%%ETCDIR%%/${name}.conf"} -: ${stunnel_pidfile="/var/run/${name}.pid"} +: ${stunnel_pidfile="%%STUNNEL_PIDFILE%%"} +: ${stunnel_uid="%%STUNNEL_USER%%"} +: ${stunnel_gid="%%STUNNEL_GROUP%%"} command="%%PREFIX%%/bin/stunnel" command_args=${stunnel_config} @@ -35,4 +39,14 @@ pidfile=${stunnel_pidfile} required_files="${stunnel_config}" +start_precmd=stunnel_start_precmd + +stunnel_start_precmd () { + local piddir + piddir=`/usr/bin/dirname "${pidfile}"` + if [ ! -d "${piddir}" ] ; then + /usr/bin/install -d -o "${stunnel_uid}" -g "${stunnel_gid}" "${piddir}" + fi +} + run_rc_command "$1" diff --git a/security/stunnel/pkg-plist b/security/stunnel/pkg-plist index f886b2582c5a..2e74830fd335 100644 --- a/security/stunnel/pkg-plist +++ b/security/stunnel/pkg-plist @@ -1,7 +1,7 @@ bin/stunnel bin/stunnel3 %%ETCDIR%%/stunnel.conf-sample -%%ETCDIR%%/conf.d/00-pid.conf +%%ETCDIR%%/conf.d/00-daemon.conf lib/stunnel/libstunnel.a lib/stunnel/libstunnel.so man/man8/stunnel.8.gz
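Review bot: the UPDATING entry tells users to stop stunnel before upgrading or run `pkill stunnel;service stunnel start` afterwards, but never says why `service stunnel stop` stops working once the package is installed: the rc script now reads `pidfile=/var/run/stunnel/stunnel.pid` while the daemon that is still running wrote `/var/run/stunnel.pid`, so the stop target cannot find it. One sentence to that effect belongs in the entry. Two more things should be there: `pkill stunnel` matches on a process-name substring, so `pkill -x stunnel` is the safer spelling; and because the daemon now runs under `setuid = stunnel` / `setgid = stunnel`, anything it opens after dropping privileges (its log file, CA and CRL paths, and certificates and keys if the configuration is reloaded with SIGHUP) must be readable or writable by that account, which existing installs that were running as root have had no reason to arrange.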
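Review bot: in the `SUB_LIST=` hunk, `${STUNNEL_PIDFILE}` is referenced before the variable is assigned (the assignment appears after `UCONTEXT_DESC=` in a later hunk). It works because `=` in make assigns lazily and the value is only expanded when the `SUB_FILES` substitution runs, but it is exactly the ordering a later refactor to `:=` would silently break. Moving `STUNNEL_PIDFILE=` up next to `STUNNEL_USER?=` and `STUNNEL_GROUP?=`, so the three values that have to agree between the rc script and `daemon.conf` sit together, would be cheap insurance.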
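Review bot: `STUNNEL_PIDFILE=/var/run/stunnel/stunnel.pid` uses plain `=` while the adjacent `STUNNEL_USER?=` and `STUNNEL_GROUP?=` can be overridden from make.conf. Both the rc script and `00-daemon.conf` are generated from this one value, so a builder who wants the pid file elsewhere has no supported knob; `STUNNEL_PIDFILE?=` would be consistent with the user and group settings. Worth a comment next to it as well: the path is deliberately under `/var/run` rather than `${PREFIX}`, which is why the directory is not recorded in pkg-plist and has to be created by the rc script at start time.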
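Review bot: the `post-install` hunk copies the generated `daemon.conf` straight to `${ETCDIR}/conf.d/00-daemon.conf`, and pkg-plist lists it as a plain file rather than `@sample`, so the `setuid`/`setgid` lines are live from the moment the package is installed and pkg will overwrite any local edit on the next upgrade. The old `00-pid.conf` behaved the same way, but it only carried a path; now an operator who needs the daemon to run as a different account has to fight a pkg-owned file. Either ship it as `@sample` or put a header comment in `daemon.conf.in` saying the file is port-managed and where the values come from.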
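Review bot: `daemon.conf.in` is three bare directives with no comment, so whoever opens the installed `00-daemon.conf` sees `pid = ...`, `setuid = ...`, `setgid = ...` with no hint that `pid` must match `stunnel_pidfile` in rc.conf and `setuid`/`setgid` must match `stunnel_uid`/`stunnel_gid`. A short header in the template should say so. It should also note that these are global options, which stunnel requires before the first `[service]` section, so the `00-` prefix is load-bearing when the directory is included and must not be renamed.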
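Review bot: the header-comment hunk in `stunnel.in` still tells the reader to set `stunnel_pidfile` to "the value of 'pid' in the stunnel.conf file", but after this change the `pid` directive lives in `conf.d/00-daemon.conf`, not `stunnel.conf`; update the reference. The new knobs are named `stunnel_uid`/`stunnel_gid` yet take account and group names (they are passed to `install -o`/`-g`), so `stunnel_user`/`stunnel_group` would describe them accurately and match `STUNNEL_USER`/`STUNNEL_GROUP` in the Makefile. Their comment should also state that they have to agree with the `setuid`/`setgid` lines in `00-daemon.conf`, because nothing in the script enforces it.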
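Review bot: the defaults hunk (`: ${stunnel_pidfile=...}`, `: ${stunnel_uid=...}`, `: ${stunnel_gid=...}`) is substituted at build time from the same Makefile variables as `00-daemon.conf`, so a fresh install is consistent, but an rc.conf override of any of the three changes only what the rc script does, not what stunnel does. Overriding `stunnel_pidfile` alone yields a `pidfile=` that stunnel never writes and a `service stunnel stop` that cannot find the daemon; overriding `stunnel_uid` alone yields a pid directory owned by an account the daemon does not run as. Either read the `pid`/`setuid`/`setgid` directives out of the configuration in the rc script, or say plainly in the comments that each pair must be changed together.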
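Review bot: in `stunnel_start_precmd`, the `[ ! -d "${piddir}" ]` guard means ownership is only applied when the directory is created. If `/var/run/stunnel` already exists owned by root (a manual `mkdir`, a leftover from an earlier package, or `stunnel_pidfile` pointed at a directory shared with another service), the precmd does nothing, and if stunnel writes its pid file after dropping privileges, which is what creating the directory as `${stunnel_uid}` is presumably there for, that write fails. `install -d -o ... -g ...` is idempotent and fixes ownership on an existing directory as well, so drop the guard and run it unconditionally; adding an explicit `-m 0755` would also make the intended mode visible rather than inherited from the umask.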