From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Oct 15 00:00:07 2008 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EF70B1065692 for ; Wed, 15 Oct 2008 00:00:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id C83A98FC1D for ; Wed, 15 Oct 2008 00:00:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id m9F007wm072833 for ; Wed, 15 Oct 2008 00:00:07 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id m9F007Rg072832; Wed, 15 Oct 2008 00:00:07 GMT (envelope-from gnats) Resent-Date: Wed, 15 Oct 2008 00:00:07 GMT Resent-Message-Id: <200810150000.m9F007Rg072832@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Nick Barkas Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 088E51065686 for ; Tue, 14 Oct 2008 23:57:51 +0000 (UTC) (envelope-from snb@smtp.earth.threerings.net) Received: from smtp.earth.threerings.net (smtp1.earth.threerings.net [64.127.109.108]) by mx1.freebsd.org (Postfix) with ESMTP id EB3AD8FC1C for ; Tue, 14 Oct 2008 23:57:50 +0000 (UTC) (envelope-from snb@smtp.earth.threerings.net) Received: by smtp.earth.threerings.net (Postfix, from userid 10038) id 98C2161E41; Tue, 14 Oct 2008 16:29:43 -0700 (PDT) Message-Id: <20081014232943.98C2161E41@smtp.earth.threerings.net> Date: Tue, 14 Oct 2008 16:29:43 -0700 (PDT) From: Nick Barkas To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: pneumann@gmail.com Subject: ports/128108: [patch] net/rabbitmq runs as root, but can be unprivileged X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Nick Barkas List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Oct 2008 00:00:08 -0000 >Number: 128108 >Category: ports >Synopsis: [patch] net/rabbitmq runs as root, but can be unprivileged >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Wed Oct 15 00:00:07 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Nick Barkas >Release: FreeBSD 6.3-RELEASE-p2 i386 >Organization: Three Rings Design >Environment: System: FreeBSD mail1.earth.threerings.net 6.3-RELEASE-p2 FreeBSD 6.3-RELEASE-p2 #3: Sat May 31 19:44:03 PDT 2008 root@mail1.earth.threerings.net:/usr/obj/usr/src/sys/SMP i386 >Description: The net/rabbitmq port installs RabbitMQ in such a way as it will be run as root unless some post-install tweaks are made. The included patches change the port such that it will run as a dedicated rabbitmq user. This user will be created if it does not exist (see UIDs and GIDs patches for the UID/GID reserved for this user), permissions will be changed as needed on /var/db/rabbitmq and /var/log/rabbitmq, and the start-up script will use this new account as well. Note that rabbitmqctl should be run as the same user as the server runs as. Also, rabbitmqctl must use the same .erlang.cookie file as the server. A good way to run rabbitmqctl is: sudo -H -u rabbitmq rabbitmqctl ... >How-To-Repeat: >Fix: --- rabbitmq.diff begins here --- diff -urN rabbitmq.orig/Makefile rabbitmq/Makefile --- rabbitmq.orig/Makefile 2008-09-03 08:51:10.000000000 -0700 +++ rabbitmq/Makefile 2008-10-14 16:14:44.000000000 -0700 @@ -7,7 +7,7 @@ PORTNAME= rabbitmq PORTVERSION= 1.4.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= net MASTER_SITES= http://www.rabbitmq.com/releases/rabbitmq-server/v${PORTVERSION}/ DISTNAME= ${PORTNAME}-server-${PORTVERSION} @@ -24,6 +24,9 @@ SCRIPTS_DIR= ${WRKSRC}/scripts/ USE_RC_SUBR= rabbitmq PLIST_SUB= "VERSION=${PORTVERSION}" +SUB_FILES= pkg-install +RABBITMQ_USER= rabbitmq +RABBITMQ_GROUP= ${RABBITMQ_USER} post-patch: @${REINPLACE_CMD} -e 's|/etc/default|${PREFIX}/etc/rabbitmq|g ; s|/var/lib|/var/db|g ; s|erl|${PREFIX}/bin/erl|g' \ @@ -31,7 +34,10 @@ @${FIND} ${WRKSRC} -name "*.bak" | ${XARGS} ${RM} -post-install: - @${MKDIR} /var/log/rabbitmq /var/db/rabbitmq/mnesia ${PREFIX}/etc/rabbitmq +pre-install: + @${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL +post-install: + @${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL + .include diff -urN rabbitmq.orig/files/pkg-install.in rabbitmq/files/pkg-install.in --- rabbitmq.orig/files/pkg-install.in 1969-12-31 16:00:00.000000000 -0800 +++ rabbitmq/files/pkg-install.in 2008-10-14 16:18:16.000000000 -0700 @@ -0,0 +1,41 @@ +#!/bin/sh + +RABBITMQ_USER=rabbitmq +RABBITMQ_GROUP=${RABBITMQ_USER} +RABBITMQ_UID=135 +RABBITMQ_GID=${RABBITMQ_UID} + +case $2 in +PRE-INSTALL) + + if ! pw group show "${RABBITMQ_GROUP}" > /dev/null; then + if pw groupadd ${RABBITMQ_GROUP} -g ${RABBITMQ_GID}; then + echo "Added group \"${RABBITMQ_GROUP}\"." + else + echo "Adding group \"${RABBITMQ_GROUP}\" failed..." + exit 1 + fi + fi + + if ! pw user show "${RABBITMQ_USER}" > /dev/null; then + if pw useradd ${RABBITMQ_USER} -u ${RABBITMQ_UID} \ + -g ${RABBITMQ_GROUP} -h - -d /var/db/rabbitmq \ + -s /usr/sbin/nologin -c "RabbitMQ" + then + echo "Added user \"${RABBITMQ_USER}\"." + else + echo "Adding user \"${RABBITMQ_USER}\" failed..." + exit 1 + fi + fi +;; + +POST-INSTALL) + mkdir -p %%PREFIX%%/etc/rabbitmq + mkdir -p /var/db/rabbitmq/mnesia + mkdir -p /var/log/rabbitmq + chown -R ${RABBITMQ_USER}:${RABBITMQ_GROUP} /var/db/rabbitmq + chown -R ${RABBITMQ_USER}:${RABBITMQ_GROUP} /var/log/rabbitmq +;; + +esac diff -urN rabbitmq.orig/files/rabbitmq.in rabbitmq/files/rabbitmq.in --- rabbitmq.orig/files/rabbitmq.in 2008-09-03 08:51:10.000000000 -0700 +++ rabbitmq/files/rabbitmq.in 2008-10-07 15:28:21.000000000 -0700 @@ -14,28 +14,17 @@ . "%%RC_SUBR%%" +name=rabbitmq +rcvar=`set_rcvar` + # Set some defaults rabbitmq_enable=${rabbitmq_enable:-"NO"} +rabbitmq_user=${rabbitmq_user:-"rabbitmq"} prefix=%%PREFIX%% -name=rabbitmq -start_cmd="${name}_start" -stop_cmd="${name}_stop" +start_cmd="env HOME=/var/db/rabbitmq su -m ${rabbitmq_user} -c 'sh -c \"${prefix}/sbin/rabbitmq-server -detached\"'" +stop_cmd="env HOME=/var/db/rabbitmq su -m ${rabbitmq_user} -c 'sh -c \"${prefix}/sbin/rabbitmqctl stop\"'" -rabbitmq_start() -{ - ${prefix}/sbin/rabbitmq-server -detached - echo "RabbitMQ started" -} - -rabbitmq_stop() -{ - ${prefix}/sbin/rabbitmqctl stop -} - -rcvar=`set_rcvar` load_rc_config $name - - run_rc_command "$1" --- rabbitmq.diff ends here --- --- UIDs.diff begins here --- --- UIDs.orig 2008-10-15 01:21:26.000000000 +0200 +++ UIDs 2008-10-15 01:21:56.000000000 +0200 @@ -74,6 +74,7 @@ _spamd:*:132:132::0:0:Spam Daemon:/var/empty:/usr/sbin/nologin freeradius:*:133:133::0:0:FreeRADIUS Daemon:/nonexistent:/usr/sbin/nologin undernet:*:134:134::0:0:Undernet ircu Daemon:/nonexistant:/usr/sbin/nologin +rabbitmq:*:135:135::0:0:RabbitMQ:/var/db/rabbitmq:/usr/sbin/nologin cricket:*:141:80::0:0:Cricket Monitoring User:/usr/local/cricket:/usr/sbin/nologin dovecot:*:143:143::0:0:Dovecot User:/var/empty:/usr/sbin/nologin rbldns:*:153:153::0:0:rbldnsd pseudo-user:/nonexistent:/usr/sbin/nologin --- UIDs.diff ends here --- --- GIDs.diff begins here --- --- GIDs.orig 2008-10-15 01:21:32.000000000 +0200 +++ GIDs 2008-10-15 01:22:07.000000000 +0200 @@ -66,6 +66,7 @@ _spamd:*:132: freeradius:*:133: undernet:*:134: +rabbitmq:*:135: dovecot:*:143: rbldns:*:153: sfs:*:171: --- GIDs.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted: