Date: Tue, 31 Jan 2023 08:52:04 GMT
Message-Id: <202301310852.30V8q47J068821@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Nuno Teixeira
Subject: git: ffd87be94f2c - main - dns/blocky: Support running daemon as non-root user
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: eduardo
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: ffd87be94f2c60fb6c8d0434dd9225d7c73b1441

The branch main has been updated by eduardo:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ffd87be94f2c60fb6c8d0434dd9225d7c73b1441

commit ffd87be94f2c60fb6c8d0434dd9225d7c73b1441
Author:     Benjamin Spiegel
AuthorDate: 2023-01-31 08:29:30 +0000
Commit:     Nuno Teixeira
CommitDate: 2023-01-31 08:38:01 +0000

    dns/blocky: Support running daemon as non-root user

    Most rc.d scripts support a standard _user option in /etc/rc.conf to run
    the service as the specified user. The rc.d script for dns/blocky doesn't
    observe this setting. As a result, it's not possible to run as a user
    other than root (blocky documentation recommends using a non-privileged
    user).

    Instructions on how to run the daemon as a non-root user have been added
    to pkg-message.

    PR:   269198
    MFH:  2023Q1 (security fixes)
---
 dns/blocky/Makefile             |  2 +-
 dns/blocky/files/blocky.in      | 36 +++++++++++++++++++++++++++---------
 dns/blocky/files/pkg-message.in | 15 +++++++++++++++
 3 files changed, 43 insertions(+), 10 deletions(-)

diff --git a/dns/blocky/Makefile b/dns/blocky/Makefile index d17daad65956..5035aaffca74 100644 --- a/dns/blocky/Makefile +++ b/dns/blocky/Makefile
@@ -1,7 +1,7 @@ PORTNAME= blocky DISTVERSIONPREFIX= v DISTVERSION= 0.20 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= dns MASTER_SITES= https://raw.githubusercontent.com/${GH_ACCOUNT}/${GH_PROJECT}/${DISTVERSIONFULL}/:gomod DISTFILES= go.mod:gomod diff --git a/dns/blocky/files/blocky.in b/dns/blocky/files/blocky.in index 24a92028836a..2b625f8be55d 100644 --- a/dns/blocky/files/blocky.in +++ b/dns/blocky/files/blocky.in @@ -7,9 +7,15 @@ # Add the following to /etc/rc.conf[.local] to enable this service # # blocky_enable (bool): Set to NO by default. -# Set it to YES to enable blocky. -# blocky_config (str): Set to /usr/local/etc/blocky/config.yml by default. -# +# Set it to YES to enable blocky. +# blocky_config (str): Set to /usr/local/etc/blocky-config.yml by default. +# Set it to a path to use that config file. +# blocky_user (str): Services run as root by default. Set to a user name +# to run blocky as that user. Note: non-root users +# might need permission to bind to ports. +# blocky_group (str): Set to the user's primary group by default. +# Set it to a group name for daemon file ownership. +# blocky_flags (str): Enter extra flags to append to the blocky command. . /etc/rc.subr 
@@ -20,17 +26,29 @@ load_rc_config ${name} : ${blocky_enable:=NO} : ${blocky_config:="%%PREFIX%%/etc/blocky-config.yml"} +: ${blocky_group:=} : ${blocky_flags:=} -pidfile=/var/run/blocky.pid -command="%%PREFIX%%/sbin/blocky" +if [ -n "${blocky_user}" ] && [ -z "${blocky_group}" ]; then + # Detect the daemon user's primary group + blocky_group=$(id -gn "${blocky_user}") +fi + +pidfile="/var/run/${name}.pid" +blocky_path="%%PREFIX%%/sbin/blocky" + +command="/usr/sbin/daemon" +procname="/usr/local/sbin/blocky" +command_args="-c -f -p ${pidfile} ${blocky_path} \ + -c ${blocky_config} ${blocky_flags}" -start_cmd="${name}_start" +start_precmd="blocky_precmd" -blocky_start() +# Sets up a pidfile the daemon user can access +blocky_precmd() { - echo -n "Starting ${name}." - /usr/sbin/daemon -p ${pidfile} -f ${command} -c ${blocky_config} ${blocky_flags} + install -o "${blocky_user:-root}" -g "${blocky_group:-wheel}" \ + -m 0600 /dev/null "${pidfile}" } run_rc_command "$1" diff --git a/dns/blocky/files/pkg-message.in b/dns/blocky/files/pkg-message.in index 953a51c3cce8..70f077c66f2a 100644 --- a/dns/blocky/files/pkg-message.in +++ b/dns/blocky/files/pkg-message.in @@ -7,6 +7,21 @@ A sample configuration file is installed at the following location: Default location for configuration file when using rc.d script: %%PREFIX%%/etc/blocky-config.yml +With the default configuration, blocky listens on port 53 (TCP and UDP). +If running as a non-root user, use a different port in blocky configuration, +such as `port: 5053`, or use mac_portacl(4) to allow binding to port 53. + +Example setup for mac_portacl(4): + +In /boot/loader.conf: + + mac_portacl_load="YES" + +In /etc/sysctl.conf (where is the UID of your user): + + net.inet.ip.portrange.reservedhigh=0 + security.mac.portacl.rules=uid::tcp:53,uid::udp:53 + Please refer to the documentation located at https://0xerr0r.github.io/blocky/ for further information. EOM
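Review bot: in the first blocky.in hunk (the rc.conf documentation block), the comment `blocky_config (str): Set to /usr/local/etc/blocky-config.yml by default.` hardcodes the prefix while the script itself defaults to `%%PREFIX%%/etc/blocky-config.yml`; use the `%%PREFIX%%` form in the comment too, so the documented default is substituted to whatever prefix the package is built with. The `blocky_user` comment is a good place to also say that a user given here must already exist, since the precmd below fails with a bare install(1) error otherwise.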
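Review bot: in the second blocky.in hunk, `procname="/usr/local/sbin/blocky"` hardcodes the prefix while the preceding line defines `blocky_path="%%PREFIX%%/sbin/blocky"`; on a non-default PREFIX, rc.subr's check_pidfile would compare the PID recorded by daemon(8) against a program path that never runs, so `status` and `stop` would report blocky as not running even while it is up. Use `procname="${blocky_path}"` so the two cannot diverge. The pidfile handling is otherwise sound: because `command` is `/usr/sbin/daemon` and rc.subr runs it via `su -m ${blocky_user}` when `blocky_user` is set, the supervisor and the child run as that user, and `install -o ... -g ... -m 0600 /dev/null "${pidfile}"` in `blocky_precmd` is what lets an unprivileged daemon(8) lock and write a file under the root-owned /var/run (it will not be able to unlink it at exit, which just leaves an empty file that the next start recreates). One robustness point: `blocky_group=$(id -gn "${blocky_user}")` silently yields an empty group when the user does not exist, and the failure only surfaces later as an unrelated install(1) error; a precmd check such as `id "${blocky_user}" >/dev/null 2>&1 || err 1 "blocky_user ${blocky_user} does not exist"` gives the administrator a usable message.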
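Review bot: in the pkg-message.in hunk, the UID placeholder is not visible either in `In /etc/sysctl.conf (where is the UID of your user):` or in the rule `security.mac.portacl.rules=uid::tcp:53,uid::udp:53`; if the committed text really reads this way, an administrator who copies it gets an empty uid field that mac_portacl(4) will not accept, so spell the placeholder out in both places (the rule syntax is `uid:<numeric uid>:tcp:53`). Also worth a sentence in the message: `net.inet.ip.portrange.reservedhigh=0` empties the kernel's privileged-port range for every user, not just the blocky user, and is only safe when mac_portacl is actually loaded and enabled (so that binds to ports 0..1023 are denied unless a rule allows them); if the module fails to load, the sysctl alone leaves all low ports bindable by any local account. Pointing at `security.mac.portacl.enabled` and suggesting the `port: 5053` alternative first, as the message already does, keeps the least-privilege path the default.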