svn commit: r433173 - in branches/2017Q1: . www/uwsgi www/uwsgi/files
Mark Felder
feld at FreeBSD.org
Thu Feb 2 17:46:10 UTC 2017
Author: feld
Date: Thu Feb 2 17:46:08 2017
New Revision: 433173
URL: https://svnweb.freebsd.org/changeset/ports/433173
Log:
MFH: r433172
www/uwsgi: Further rc script security improvements
This update introduces a dedicated user for uwsgi and introduces the
uwsgi_socket_owner setting which by default is set to www:www. The
previous change to socket mode of 600 has been modified to 660 as well.
This change further increases security while restoring compatibility.
Differential Revision: https://reviews.freebsd.org/D9398
Approved by: ports-secteam (with hat)
Modified:
branches/2017Q1/GIDs
branches/2017Q1/UIDs
branches/2017Q1/www/uwsgi/Makefile
branches/2017Q1/www/uwsgi/files/uwsgi.in
Directory Properties:
branches/2017Q1/ (props changed)
Modified: branches/2017Q1/GIDs
==============================================================================
--- branches/2017Q1/GIDs Thu Feb 2 17:45:27 2017 (r433172)
+++ branches/2017Q1/GIDs Thu Feb 2 17:46:08 2017 (r433173)
@@ -106,7 +106,7 @@ solr:*:161:
octoprint:*:162:
_iked:*:163:
lightdm:*:164:
-# free: 165
+uwsgi:*:165:
# free: 166
# free: 167
# free: 168
Modified: branches/2017Q1/UIDs
==============================================================================
--- branches/2017Q1/UIDs Thu Feb 2 17:45:27 2017 (r433172)
+++ branches/2017Q1/UIDs Thu Feb 2 17:46:08 2017 (r433173)
@@ -111,7 +111,7 @@ solr:*:161:161::0:0:Apache Solr System:/
octoprint:*:162:162::0:0:OctoPrint Daemon:/usr/local/octoprint:/usr/sbin/nologin
_iked:*:163:163::0:0:IKEv2 Daemon:/var/empty:/usr/sbin/nologin
lightdm:*:164:164::0:0:Light Display Manager:/var/lib/lightdm-data:/usr/sbin/nologin
-# free: 165
+uwsgi:*:165:165::0:0:uwsgi Daemon:/nonexistent:/usr/sbin/nologin
# free: 166
# free: 167
# free: 168
Modified: branches/2017Q1/www/uwsgi/Makefile
==============================================================================
--- branches/2017Q1/www/uwsgi/Makefile Thu Feb 2 17:45:27 2017 (r433172)
+++ branches/2017Q1/www/uwsgi/Makefile Thu Feb 2 17:46:08 2017 (r433173)
@@ -3,7 +3,7 @@
PORTNAME= uwsgi
PORTVERSION= 2.0.14
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= www python
MASTER_SITES= http://projects.unbit.it/downloads/
@@ -17,6 +17,9 @@ USES= python ssl
USE_PYTHON= distutils
USE_RC_SUBR= uwsgi
+USERS= uwsgi
+GROUPS= uwsgi
+
OPTIONS_DEFINE= DEBUG JSON PCRE XML
DEBUG_VARS= PYDISTUTILS_BUILDARGS+=--debug
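Review bot: Adding `USERS= uwsgi` / `GROUPS= uwsgi` here is the right way to get the account created at install time, but the accompanying move of the daemon from uid/gid 80 to 165 (in files/uwsgi.in) is a behaviour change for existing deployments whose log, pid and socket files are currently owned by www. The PORTREVISION bump alone does not tell an upgrading admin why uwsgi now fails to write its old files; consider a pkg-message or UPDATING entry stating that the service now runs as uwsgi(165) and that existing uwsgi_logfile/uwsgi_pidfile paths may need their ownership fixed, or that uwsgi_uid/uwsgi_gid can be set back to 80 in rc.conf.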
Modified: branches/2017Q1/www/uwsgi/files/uwsgi.in
==============================================================================
--- branches/2017Q1/www/uwsgi/files/uwsgi.in Thu Feb 2 17:45:27 2017 (r433172)
+++ branches/2017Q1/www/uwsgi/files/uwsgi.in Thu Feb 2 17:46:08 2017 (r433173)
@@ -14,14 +14,16 @@
# Default is /tmp/uwsgi.sock.
# uwsgi_socket_mode (int): Set the mode of the socket.
# Default is 600.
+# uwsgi_socket_owner (str): Set the owner of the socket.
+# Default is www:www.
# uwsgi_logfile (path): Set the path to the uwsgi log file
# Default is /var/log/uwsgi.log.
# uwsgi_pidfile (path): Set the path to the uwsgi pid file
# Default is /var/run/uwsgi.pid.
# uwsgi_uid (int): Set the UID of the process to run with
-# Default is 80.
+# Default is 165 (uwsgi).
# uwsgi_gid (int): Set the GID of the process to run with
-# Default is 80.
+# Default is 165 (uwsgi).
# uwsgi_flags (str): Set the uwsgi command line arguments
# Default is "-M -L".
# uwsgi_procname (str): Define to "uWSGI" if you start uwsgi with
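Review bot: The documentation for uwsgi_socket_mode is now stale: line "# Default is 600." is left untouched while the default in the same file is changed to 660. Update it to "# Default is 660." so the header comment matches the code; the uid/gid comments in this hunk were updated to "165 (uwsgi)", so this is the one remaining mismatch.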
@@ -47,11 +49,12 @@ command=%%PREFIX%%/bin/uwsgi
: ${uwsgi_enable="NO"}
: ${uwsgi_profiles=""}
: ${uwsgi_socket="/tmp/${name}.sock"}
-: ${uwsgi_socket_mode="600"}
+: ${uwsgi_socket_mode="660"}
+: ${uwsgi_socket_owner="www:www"}
: ${uwsgi_logfile="/var/log/${name}.log"}
: ${uwsgi_pidfile="/var/run/${name}.pid"}
-: ${uwsgi_uid="80"}
-: ${uwsgi_gid="80"}
+: ${uwsgi_uid="165"}
+: ${uwsgi_gid="165"}
: ${uwsgi_flags="-M -L"}
: ${uwsgi_procname="${command}"}
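Review bot: The socket hardening (mode 660, owner www:www) is applied to a socket that still defaults to `/tmp/${name}.sock`, and the unchanged context line `: ${uwsgi_socket="/tmp/${name}.sock"}` shows that default is kept. A world-writable, sticky-bit directory is a poor home for a privileged-access socket; since the pid file already lives in /var/run, consider moving the default to `/var/run/${name}.sock` in the same change, or at least documenting that the owner/mode settings only protect the socket node, not the directory it is created in.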
@@ -75,7 +78,8 @@ if [ -n "${uwsgi_profiles}" ]; then
exit 1
fi
eval uwsgi_socket=\${uwsgi_${profile}_socket:-"/tmp/${name}-${profile}.sock"}
- eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"600"}
+ eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"660"}
+ eval uwsgi_socket_owner=\${uwsgi_${profile}_socket_owner:-"www:www"}
eval uwsgi_logfile=\${uwsgi_${profile}_logfile:-"/var/log/${name}-${profile}.log"}
eval uwsgi_pidfile=\${uwsgi_${profile}_pidfile:-"/var/run/${name}-${profile}.pid"}
eval uwsgi_uid=\${uwsgi_${profile}_uid:-"${uwsgi_uid}"}
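Review bot: The per-profile fallbacks for socket mode and owner are hard-coded to "660" and "www:www" instead of inheriting the global value, which is inconsistent with the uid line right below them, `eval uwsgi_uid=\${uwsgi_${profile}_uid:-"${uwsgi_uid}"}`. As written, an admin who sets `uwsgi_socket_owner` or `uwsgi_socket_mode` globally in rc.conf will find profiles silently ignoring it. Suggest `eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"${uwsgi_socket_mode}"}` and `eval uwsgi_socket_owner=\${uwsgi_${profile}_socket_owner:-"${uwsgi_socket_owner}"}` so profiles fall back to the global defaults the way uid and gid do.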
@@ -92,7 +96,7 @@ if [ -n "${uwsgi_profiles}" ]; then
fi
command=%%PREFIX%%/bin/uwsgi
-command_args="--pidfile ${uwsgi_pidfile} -s ${uwsgi_socket} --chmod-socket=${uwsgi_socket_mode} -d ${uwsgi_logfile} --uid ${uwsgi_uid} --gid ${uwsgi_gid}"
+command_args="--pidfile ${uwsgi_pidfile} -s ${uwsgi_socket} --chmod-socket=${uwsgi_socket_mode} --chown-socket=${uwsgi_socket_owner} -d ${uwsgi_logfile} --uid ${uwsgi_uid} --gid ${uwsgi_gid}"
pidfile=${uwsgi_pidfile}
stop_postcmd=stop_postcmd
reload_precmd=reload_precmd
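Review bot: `--chown-socket=${uwsgi_socket_owner}` is passed with no validation; if an admin sets uwsgi_socket_owner to an empty string or to a user:group that does not exist, the daemon fails at socket creation rather than at rc(8) time, with the error buried in uwsgi_logfile. A small start_precmd that checks the value (e.g. with `id "${uwsgi_socket_owner%%:*}"` and a matching group lookup) and refuses to start with a clear message would surface the misconfiguration immediately. It is also worth a comment that the chown only succeeds because the rc script launches uwsgi as root and the `--uid`/`--gid` drop happens afterwards; anyone running this command line by hand as the uwsgi user will hit EPERM on the chown.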