ports/128108: [patch] net/rabbitmq runs as root, but can be unprivileged

Wed Oct 15 00:00:08 UTC 2008

>Number:         128108
>Category:       ports
>Synopsis:       [patch] net/rabbitmq runs as root, but can be unprivileged
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 15 00:00:07 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Nick Barkas
>Release:        FreeBSD 6.3-RELEASE-p2 i386
>Organization:
Three Rings Design
>Environment:
System: FreeBSD mail1.earth.threerings.net 6.3-RELEASE-p2 FreeBSD 6.3-RELEASE-p2 #3: Sat May 31 19:44:03 PDT 2008 root at mail1.earth.threerings.net:/usr/obj/usr/src/sys/SMP i386
>Description:
The net/rabbitmq port installs RabbitMQ in such a way as it will be run as root
unless some post-install tweaks are made. The included patches change the port
such that it will run as a dedicated rabbitmq user. This user will be created if
it does not exist (see UIDs and GIDs patches for the UID/GID reserved for this
user), permissions will be changed as needed on /var/db/rabbitmq and
/var/log/rabbitmq, and the start-up script will use this new account as well. 

Note that rabbitmqctl should be run as the same user as the server runs as.
Also, rabbitmqctl must use the same .erlang.cookie file as the server. A good
way to run rabbitmqctl is: sudo -H -u rabbitmq rabbitmqctl ...
>How-To-Repeat:
>Fix:

--- rabbitmq.diff begins here ---
diff -urN rabbitmq.orig/Makefile rabbitmq/Makefile
--- rabbitmq.orig/Makefile	2008-09-03 08:51:10.000000000 -0700
+++ rabbitmq/Makefile	2008-10-14 16:14:44.000000000 -0700
@@ -7,7 +7,7 @@
 
 PORTNAME=	rabbitmq
 PORTVERSION=	1.4.0
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	net
 MASTER_SITES=	http://www.rabbitmq.com/releases/rabbitmq-server/v${PORTVERSION}/
 DISTNAME=	${PORTNAME}-server-${PORTVERSION}
@@ -24,6 +24,9 @@
 SCRIPTS_DIR=	${WRKSRC}/scripts/
 USE_RC_SUBR=	rabbitmq
 PLIST_SUB=	"VERSION=${PORTVERSION}"
+SUB_FILES=	pkg-install
+RABBITMQ_USER=	rabbitmq
+RABBITMQ_GROUP=	${RABBITMQ_USER}
 
 post-patch:
 	@${REINPLACE_CMD} -e 's|/etc/default|${PREFIX}/etc/rabbitmq|g ; s|/var/lib|/var/db|g ; s|erl|${PREFIX}/bin/erl|g' \
@@ -31,7 +34,10 @@
 
 	@${FIND} ${WRKSRC} -name "*.bak" | ${XARGS} ${RM}
 
-post-install:
-	@${MKDIR} /var/log/rabbitmq /var/db/rabbitmq/mnesia ${PREFIX}/etc/rabbitmq
+pre-install:
+	@${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
 
+post-install:
+	@${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
+	
 .include <bsd.port.mk>
diff -urN rabbitmq.orig/files/pkg-install.in rabbitmq/files/pkg-install.in
--- rabbitmq.orig/files/pkg-install.in	1969-12-31 16:00:00.000000000 -0800
+++ rabbitmq/files/pkg-install.in	2008-10-14 16:18:16.000000000 -0700
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+RABBITMQ_USER=rabbitmq
+RABBITMQ_GROUP=${RABBITMQ_USER}
+RABBITMQ_UID=135
+RABBITMQ_GID=${RABBITMQ_UID}
+
+case $2 in
+PRE-INSTALL)
+
+	if ! pw group show "${RABBITMQ_GROUP}" > /dev/null; then
+		if pw groupadd ${RABBITMQ_GROUP} -g ${RABBITMQ_GID}; then
+			echo "Added group \"${RABBITMQ_GROUP}\"."
+		else
+			echo "Adding group \"${RABBITMQ_GROUP}\" failed..."
+			exit 1
+		fi
+	fi
+
+	if ! pw user show "${RABBITMQ_USER}" > /dev/null; then
+		if pw useradd ${RABBITMQ_USER} -u ${RABBITMQ_UID} \
+			-g ${RABBITMQ_GROUP} -h - -d /var/db/rabbitmq \
+			-s /usr/sbin/nologin -c "RabbitMQ"
+		then
+			echo "Added user \"${RABBITMQ_USER}\"."
+		else
+			echo "Adding user \"${RABBITMQ_USER}\" failed..."
+			exit 1
+		fi
+	fi
+;;
+
+POST-INSTALL)
+	mkdir -p %%PREFIX%%/etc/rabbitmq
+	mkdir -p /var/db/rabbitmq/mnesia
+	mkdir -p /var/log/rabbitmq 
+	chown -R ${RABBITMQ_USER}:${RABBITMQ_GROUP} /var/db/rabbitmq
+	chown -R ${RABBITMQ_USER}:${RABBITMQ_GROUP} /var/log/rabbitmq
+;;
+
+esac
diff -urN rabbitmq.orig/files/rabbitmq.in rabbitmq/files/rabbitmq.in
--- rabbitmq.orig/files/rabbitmq.in	2008-09-03 08:51:10.000000000 -0700
+++ rabbitmq/files/rabbitmq.in	2008-10-07 15:28:21.000000000 -0700
@@ -14,28 +14,17 @@
 
 . "%%RC_SUBR%%"
 
+name=rabbitmq
+rcvar=`set_rcvar`
+
 # Set some defaults
 rabbitmq_enable=${rabbitmq_enable:-"NO"}
+rabbitmq_user=${rabbitmq_user:-"rabbitmq"}
 
 prefix=%%PREFIX%%
-name=rabbitmq
-start_cmd="${name}_start"
-stop_cmd="${name}_stop"
+start_cmd="env HOME=/var/db/rabbitmq su -m ${rabbitmq_user} -c 'sh -c \"${prefix}/sbin/rabbitmq-server -detached\"'"
+stop_cmd="env HOME=/var/db/rabbitmq su -m ${rabbitmq_user} -c 'sh -c \"${prefix}/sbin/rabbitmqctl stop\"'"
 
-rabbitmq_start()
-{
-	${prefix}/sbin/rabbitmq-server -detached
-	echo "RabbitMQ started"
-}
-
-rabbitmq_stop()
-{
-	${prefix}/sbin/rabbitmqctl stop
-}
-
-rcvar=`set_rcvar`
 load_rc_config $name
 
-
-
 run_rc_command "$1"
--- rabbitmq.diff ends here ---

--- UIDs.diff begins here ---
--- UIDs.orig	2008-10-15 01:21:26.000000000 +0200
+++ UIDs	2008-10-15 01:21:56.000000000 +0200
@@ -74,6 +74,7 @@
 _spamd:*:132:132::0:0:Spam Daemon:/var/empty:/usr/sbin/nologin
 freeradius:*:133:133::0:0:FreeRADIUS Daemon:/nonexistent:/usr/sbin/nologin
 undernet:*:134:134::0:0:Undernet ircu Daemon:/nonexistant:/usr/sbin/nologin
+rabbitmq:*:135:135::0:0:RabbitMQ:/var/db/rabbitmq:/usr/sbin/nologin
 cricket:*:141:80::0:0:Cricket Monitoring User:/usr/local/cricket:/usr/sbin/nologin
 dovecot:*:143:143::0:0:Dovecot User:/var/empty:/usr/sbin/nologin
 rbldns:*:153:153::0:0:rbldnsd pseudo-user:/nonexistent:/usr/sbin/nologin
--- UIDs.diff ends here ---

--- GIDs.diff begins here ---
--- GIDs.orig	2008-10-15 01:21:32.000000000 +0200
+++ GIDs	2008-10-15 01:22:07.000000000 +0200
@@ -66,6 +66,7 @@
 _spamd:*:132:
 freeradius:*:133:
 undernet:*:134:
+rabbitmq:*:135:
 dovecot:*:143:
 rbldns:*:153:
 sfs:*:171:
--- GIDs.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:

