author | Ryan Steinmetz <zi@FreeBSD.org> | 2022-07-11 09:41:15 -0400 |
---|---|---|
committer | Ryan Steinmetz <zi@FreeBSD.org> | 2022-07-11 09:41:15 -0400 |
commit | 7b6aed9ac322d8a3820d8f0615eb623bb815f7ee (patch) | |
tree | f8999f282794f23dcc28c3fd08463c779a1f572d | |
parent | 7b7e7f81d8d44fff28d50b3df44b58044d01648a (diff) | |
security/stunnel: Drop privs by default, update PID file location
- Document changes in UPDATING
PR: 249151
Reported by: Tatsuki Makino <tatsuki_makino@hotmail.com>
-rw-r--r-- | UPDATING | 13 | ||||
-rw-r--r-- | security/stunnel/Makefile | 9 | ||||
-rw-r--r-- | security/stunnel/files/daemon.conf.in | 3 | ||||
-rw-r--r-- | security/stunnel/files/pid.conf | 1 | ||||
-rw-r--r-- | security/stunnel/files/stunnel.in | 18 | ||||
-rw-r--r-- | security/stunnel/pkg-plist | 2 |
6 files changed, 40 insertions, 6 deletions
@@ -5,6 +5,19 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20220711: + AFFECTS: users of security/stunnel + AUTHOR: zi@FreeBSD.org + + The stunnel port has been updated to drop privileges to the stunnel + user by default. + + As a result of this change, the pid file location has changed. If + you have a running copy of stunnel, you should stop the process + before performing the upgrade. Alternatively, you will need to + # pkill stunnel;service stunnel start + after the upgrade has been completed. + 20220628: AFFECTS: users of Erlang and Elixir AUTHOR: dch@FreeBSD.org diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile index 6db2dad118db..ea08a6fc6780 100644 --- a/security/stunnel/Makefile +++ b/security/stunnel/Makefile @@ -16,7 +16,7 @@ LICENSE= GPLv2 GPLv3 LICENSE_COMB= dual BROKEN_SSL= libressl libressl-devel -BROKEN_SSL_REASON= Missing upstream support +BROKEN_SSL_REASON= missing upstream support USES= cpe libtool perl5 shebangfix ssl USE_PERL5= build @@ -27,6 +27,10 @@ GNU_CONFIGURE= yes CONFIGURE_ARGS= --localstatedir=/var/tmp --enable-static --disable-systemd \ --with-ssl="${OPENSSLBASE}" SHEBANG_FILES= src/stunnel3.in +SUB_FILES= daemon.conf +SUB_LIST= STUNNEL_PIDFILE=${STUNNEL_PIDFILE} \ + STUNNEL_USER=${STUNNEL_USER} \ + STUNNEL_GROUP=${STUNNEL_GROUP} OPTIONS_DEFINE= DOCS EXAMPLES FIPS IPV6 LIBWRAP OPTIONS_SINGLE= THREAD @@ -42,6 +46,7 @@ FORK_DESC= Use the fork(3) threading model PTHREAD_DESC= Use the pthread(3) threading model UCONTEXT_DESC= Use the ucontext(3) threading model +STUNNEL_PIDFILE=/var/run/stunnel/stunnel.pid STUNNEL_USER?= stunnel STUNNEL_GROUP?= stunnel 
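Review bot: In the `@@ -42,6 +46,7 @@` hunk, `STUNNEL_PIDFILE=/var/run/stunnel/stunnel.pid` is assigned with `=` while the neighbouring `STUNNEL_USER?=` and `STUNNEL_GROUP?=` use `?=`, so the user and group can be overridden from make.conf but the pid location cannot, even though SUB_LIST now propagates all three into the rc script and daemon.conf. Writing it as `STUNNEL_PIDFILE?= /var/run/stunnel/stunnel.pid` keeps the three knobs consistent. If the path is deliberately fixed, a one-line comment above the assignment saying why (for example that UPDATING and the rc script comments document this exact location) would make that intent clear to the next maintainer.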
@@ -101,7 +106,7 @@ post-build: post-install: ${MKDIR} ${STAGEDIR}${ETCDIR}/conf.d/ - ${INSTALL_DATA} ${FILESDIR}/pid.conf ${STAGEDIR}${ETCDIR}/conf.d/00-pid.conf + ${INSTALL_DATA} ${WRKDIR}/daemon.conf ${STAGEDIR}${ETCDIR}/conf.d/00-daemon.conf cert: @${ECHO} "" diff --git a/security/stunnel/files/daemon.conf.in b/security/stunnel/files/daemon.conf.in new file mode 100644 index 000000000000..af40302a0927 --- /dev/null +++ b/security/stunnel/files/daemon.conf.in @@ -0,0 +1,3 @@ +pid = %%STUNNEL_PIDFILE%% +setuid = %%STUNNEL_USER%% +setgid = %%STUNNEL_GROUP%% diff --git a/security/stunnel/files/pid.conf b/security/stunnel/files/pid.conf deleted file mode 100644 index f2b23cc181bb..000000000000 --- a/security/stunnel/files/pid.conf +++ /dev/null @@ -1 +0,0 @@ -pid = /var/run/stunnel.pid diff --git a/security/stunnel/files/stunnel.in b/security/stunnel/files/stunnel.in index a36dd7eb01ed..0d90942e1827 100644 --- a/security/stunnel/files/stunnel.in +++ b/security/stunnel/files/stunnel.in @@ -13,9 +13,11 @@ # Set it to the full path to the config file # that stunnel will use during the automated # start-up. -# stunnel_pidfile (str): Default "%%PREFIX%%/var/stunnel/stunnel.pid" +# stunnel_pidfile (str): Default "%%STUNNEL_PIDFILE%%" # Set it to the value of 'pid' in # the stunnel.conf file. +# stunnel_uid (str): Default "%%STUNNEL_USER%%" +# stunnel_gid (str): Default "%%STUNNEL_GROUP%%" # . /etc/rc.subr @@ -27,7 +29,9 @@ load_rc_config $name : ${stunnel_enable="NO"} : ${stunnel_config="%%ETCDIR%%/${name}.conf"} -: ${stunnel_pidfile="/var/run/${name}.pid"} +: ${stunnel_pidfile="%%STUNNEL_PIDFILE%%"} +: ${stunnel_uid="%%STUNNEL_USER%%"} +: ${stunnel_gid="%%STUNNEL_GROUP%%"} command="%%PREFIX%%/bin/stunnel" command_args=${stunnel_config} 
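Review bot: The post-install target copies daemon.conf straight to `${STAGEDIR}${ETCDIR}/conf.d/00-daemon.conf`, and the pkg-plist hunk at the end of the change lists it as a plain file, so pkg overwrites local edits on every upgrade and removes the file on deinstall; the previous 00-pid.conf behaved the same way, but this file now also carries the privilege-drop settings (`setuid`/`setgid`), so an administrator who changes them here loses the change silently, and the rc script's `stunnel_pidfile` default then points somewhere stunnel no longer writes. Installing it as `${STAGEDIR}${ETCDIR}/conf.d/00-daemon.conf.sample` and listing it as `@sample %%ETCDIR%%/conf.d/00-daemon.conf.sample` in pkg-plist would preserve local changes while still seeding the defaults. If conf.d snippets shipped by the port are meant to be package-owned and never edited, a comment line at the top of daemon.conf.in stating that, and pointing to `stunnel_pidfile` in rc.conf for the pid path, would make the contract explicit.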
@@ -35,4 +39,14 @@ pidfile=${stunnel_pidfile} required_files="${stunnel_config}" +start_precmd=stunnel_start_precmd + +stunnel_start_precmd () { + local piddir + piddir=`/usr/bin/dirname "${pidfile}"` + if [ ! -d "${piddir}" ] ; then + /usr/bin/install -d -o "${stunnel_uid}" -g "${stunnel_gid}" "${piddir}" + fi +} + run_rc_command "$1" diff --git a/security/stunnel/pkg-plist b/security/stunnel/pkg-plist index f886b2582c5a..2e74830fd335 100644 --- a/security/stunnel/pkg-plist +++ b/security/stunnel/pkg-plist @@ -1,7 +1,7 @@ bin/stunnel bin/stunnel3 %%ETCDIR%%/stunnel.conf-sample -%%ETCDIR%%/conf.d/00-pid.conf +%%ETCDIR%%/conf.d/00-daemon.conf lib/stunnel/libstunnel.a lib/stunnel/libstunnel.so man/man8/stunnel.8.gz |
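Review bot: stunnel_start_precmd only runs `install -d` when the directory is missing, so a pre-existing `/var/run/stunnel` owned by root (created by hand, or by an earlier start with different `stunnel_uid`/`stunnel_gid` values) is never re-owned, and stunnel cannot write its pid file after `setuid` while rc.subr still reports it as not running. install(1) -d is idempotent, so dropping the `[ ! -d ]` guard and always running `/usr/bin/install -d -o "${stunnel_uid}" -g "${stunnel_gid}" -m 0755 "${piddir}"` would cover both cases, assuming FreeBSD install(1) applies the owner and group to an already existing directory — worth confirming before relying on it. A short comment above the function explaining that the directory is deliberately owned by the unprivileged user so the daemon can create and remove the pid file after dropping privileges, and that `stunnel_uid`/`stunnel_gid` must match `setuid`/`setgid` in conf.d/00-daemon.conf, would help readers who see a root-run script chowning a /var/run subdirectory to a service account; since the pid file contents are then under that account's control, the comment could also note that rc.subr's pidfile handling checks the named process against `$command` before signalling it. Using `$(...)` instead of backticks for the dirname call would match the quoting style of the rest of the script.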