ports/128108: [patch] net/rabbitmq runs as root, but can be unprivileged
Nick Barkas
snb at threerings.net
Wed Oct 15 00:00:08 UTC 2008
>Number: 128108
>Category: ports
>Synopsis: [patch] net/rabbitmq runs as root, but can be unprivileged
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 15 00:00:07 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Nick Barkas
>Release: FreeBSD 6.3-RELEASE-p2 i386
>Organization:
Three Rings Design
>Environment:
System: FreeBSD mail1.earth.threerings.net 6.3-RELEASE-p2 FreeBSD 6.3-RELEASE-p2 #3: Sat May 31 19:44:03 PDT 2008 root at mail1.earth.threerings.net:/usr/obj/usr/src/sys/SMP i386
>Description:
The net/rabbitmq port installs RabbitMQ in such a way as it will be run as root
unless some post-install tweaks are made. The included patches change the port
such that it will run as a dedicated rabbitmq user. This user will be created if
it does not exist (see UIDs and GIDs patches for the UID/GID reserved for this
user), permissions will be changed as needed on /var/db/rabbitmq and
/var/log/rabbitmq, and the start-up script will use this new account as well.
Note that rabbitmqctl should be run as the same user as the server runs as.
Also, rabbitmqctl must use the same .erlang.cookie file as the server. A good
way to run rabbitmqctl is: sudo -H -u rabbitmq rabbitmqctl ...
>How-To-Repeat:
>Fix:
--- rabbitmq.diff begins here ---
diff -urN rabbitmq.orig/Makefile rabbitmq/Makefile
--- rabbitmq.orig/Makefile 2008-09-03 08:51:10.000000000 -0700
+++ rabbitmq/Makefile 2008-10-14 16:14:44.000000000 -0700
@@ -7,7 +7,7 @@
PORTNAME= rabbitmq
PORTVERSION= 1.4.0
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= net
MASTER_SITES= http://www.rabbitmq.com/releases/rabbitmq-server/v${PORTVERSION}/
DISTNAME= ${PORTNAME}-server-${PORTVERSION}
@@ -24,6 +24,9 @@
SCRIPTS_DIR= ${WRKSRC}/scripts/
USE_RC_SUBR= rabbitmq
PLIST_SUB= "VERSION=${PORTVERSION}"
+SUB_FILES= pkg-install
+RABBITMQ_USER= rabbitmq
+RABBITMQ_GROUP= ${RABBITMQ_USER}
post-patch:
@${REINPLACE_CMD} -e 's|/etc/default|${PREFIX}/etc/rabbitmq|g ; s|/var/lib|/var/db|g ; s|erl|${PREFIX}/bin/erl|g' \
@@ -31,7 +34,10 @@
@${FIND} ${WRKSRC} -name "*.bak" | ${XARGS} ${RM}
-post-install:
- @${MKDIR} /var/log/rabbitmq /var/db/rabbitmq/mnesia ${PREFIX}/etc/rabbitmq
+pre-install:
+ @${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
+post-install:
+ @${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
+
.include <bsd.port.mk>
diff -urN rabbitmq.orig/files/pkg-install.in rabbitmq/files/pkg-install.in
--- rabbitmq.orig/files/pkg-install.in 1969-12-31 16:00:00.000000000 -0800
+++ rabbitmq/files/pkg-install.in 2008-10-14 16:18:16.000000000 -0700
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+RABBITMQ_USER=rabbitmq
+RABBITMQ_GROUP=${RABBITMQ_USER}
+RABBITMQ_UID=135
+RABBITMQ_GID=${RABBITMQ_UID}
+
+case $2 in
+PRE-INSTALL)
+
+ if ! pw group show "${RABBITMQ_GROUP}" > /dev/null; then
+ if pw groupadd ${RABBITMQ_GROUP} -g ${RABBITMQ_GID}; then
+ echo "Added group \"${RABBITMQ_GROUP}\"."
+ else
+ echo "Adding group \"${RABBITMQ_GROUP}\" failed..."
+ exit 1
+ fi
+ fi
+
+ if ! pw user show "${RABBITMQ_USER}" > /dev/null; then
+ if pw useradd ${RABBITMQ_USER} -u ${RABBITMQ_UID} \
+ -g ${RABBITMQ_GROUP} -h - -d /var/db/rabbitmq \
+ -s /usr/sbin/nologin -c "RabbitMQ"
+ then
+ echo "Added user \"${RABBITMQ_USER}\"."
+ else
+ echo "Adding user \"${RABBITMQ_USER}\" failed..."
+ exit 1
+ fi
+ fi
+;;
+
+POST-INSTALL)
+ mkdir -p %%PREFIX%%/etc/rabbitmq
+ mkdir -p /var/db/rabbitmq/mnesia
+ mkdir -p /var/log/rabbitmq
+ chown -R ${RABBITMQ_USER}:${RABBITMQ_GROUP} /var/db/rabbitmq
+ chown -R ${RABBITMQ_USER}:${RABBITMQ_GROUP} /var/log/rabbitmq
+;;
+
+esac
diff -urN rabbitmq.orig/files/rabbitmq.in rabbitmq/files/rabbitmq.in
--- rabbitmq.orig/files/rabbitmq.in 2008-09-03 08:51:10.000000000 -0700
+++ rabbitmq/files/rabbitmq.in 2008-10-07 15:28:21.000000000 -0700
@@ -14,28 +14,17 @@
. "%%RC_SUBR%%"
+name=rabbitmq
+rcvar=`set_rcvar`
+
# Set some defaults
rabbitmq_enable=${rabbitmq_enable:-"NO"}
+rabbitmq_user=${rabbitmq_user:-"rabbitmq"}
prefix=%%PREFIX%%
-name=rabbitmq
-start_cmd="${name}_start"
-stop_cmd="${name}_stop"
+start_cmd="env HOME=/var/db/rabbitmq su -m ${rabbitmq_user} -c 'sh -c \"${prefix}/sbin/rabbitmq-server -detached\"'"
+stop_cmd="env HOME=/var/db/rabbitmq su -m ${rabbitmq_user} -c 'sh -c \"${prefix}/sbin/rabbitmqctl stop\"'"
-rabbitmq_start()
-{
- ${prefix}/sbin/rabbitmq-server -detached
- echo "RabbitMQ started"
-}
-
-rabbitmq_stop()
-{
- ${prefix}/sbin/rabbitmqctl stop
-}
-
-rcvar=`set_rcvar`
load_rc_config $name
-
-
run_rc_command "$1"
--- rabbitmq.diff ends here ---
--- UIDs.diff begins here ---
--- UIDs.orig 2008-10-15 01:21:26.000000000 +0200
+++ UIDs 2008-10-15 01:21:56.000000000 +0200
@@ -74,6 +74,7 @@
_spamd:*:132:132::0:0:Spam Daemon:/var/empty:/usr/sbin/nologin
freeradius:*:133:133::0:0:FreeRADIUS Daemon:/nonexistent:/usr/sbin/nologin
undernet:*:134:134::0:0:Undernet ircu Daemon:/nonexistant:/usr/sbin/nologin
+rabbitmq:*:135:135::0:0:RabbitMQ:/var/db/rabbitmq:/usr/sbin/nologin
cricket:*:141:80::0:0:Cricket Monitoring User:/usr/local/cricket:/usr/sbin/nologin
dovecot:*:143:143::0:0:Dovecot User:/var/empty:/usr/sbin/nologin
rbldns:*:153:153::0:0:rbldnsd pseudo-user:/nonexistent:/usr/sbin/nologin
--- UIDs.diff ends here ---
--- GIDs.diff begins here ---
--- GIDs.orig 2008-10-15 01:21:32.000000000 +0200
+++ GIDs 2008-10-15 01:22:07.000000000 +0200
@@ -66,6 +66,7 @@
_spamd:*:132:
freeradius:*:133:
undernet:*:134:
+rabbitmq:*:135:
dovecot:*:143:
rbldns:*:153:
sfs:*:171:
--- GIDs.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list