Date: Tue, 31 Jan 2023 08:52:59 GMT
Message-Id: <202301310852.30V8qxAK069061@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: Nuno Teixeira
Subject: git: e183bef6aa47 - 2023Q1 - dns/blocky: Support running daemon as non-root user
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: eduardo
X-Git-Repository: ports
X-Git-Refname: refs/heads/2023Q1
X-Git-Reftype: branch
X-Git-Commit: e183bef6aa4787e2575e0cbe412ef742b8ca5eaf

The branch 2023Q1 has been updated by eduardo:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e183bef6aa4787e2575e0cbe412ef742b8ca5eaf

commit e183bef6aa4787e2575e0cbe412ef742b8ca5eaf
Author:     Benjamin Spiegel
AuthorDate: 2023-01-31 08:29:30 +0000
Commit:     Nuno Teixeira
CommitDate: 2023-01-31 08:41:02 +0000

    dns/blocky: Support running daemon as non-root user

    Most rc.d scripts support a standard _user option in /etc/rc.conf to run
    the service as the specified user. The rc.d script for dns/blocky doesn't
    observe this setting. As a result, it's not possible to run as a user
    other than root (blocky documentation recommends using a non-privileged
    user).

    Instructions on how to run the daemon as a non-root user have been added
    to pkg-message.

    PR:		269198
    MFH:		2023Q1 (security fixes)

    (cherry picked from commit ffd87be94f2c60fb6c8d0434dd9225d7c73b1441)
---
 dns/blocky/Makefile             |  2 +-
 dns/blocky/files/blocky.in      | 36 +++++++++++++++++++++++++++---------
 dns/blocky/files/pkg-message.in | 15 +++++++++++++++
 3 files changed, 43 insertions(+), 10 deletions(-)

diff --git a/dns/blocky/Makefile b/dns/blocky/Makefile
index 81a8c2a548fb..5035aaffca74 100644
--- a/dns/blocky/Makefile
+++ b/dns/blocky/Makefile
@@ -1,7 +1,7 @@ PORTNAME= blocky DISTVERSIONPREFIX= v DISTVERSION= 0.20 -PORTREVISION= 1 +PORTREVISION= 3 CATEGORIES= dns MASTER_SITES= https://raw.githubusercontent.com/${GH_ACCOUNT}/${GH_PROJECT}/${DISTVERSIONFULL}/:gomod DISTFILES= go.mod:gomod diff --git a/dns/blocky/files/blocky.in b/dns/blocky/files/blocky.in index 24a92028836a..2b625f8be55d 100644 --- a/dns/blocky/files/blocky.in +++ b/dns/blocky/files/blocky.in @@ -7,9 +7,15 @@ # Add the following to /etc/rc.conf[.local] to enable this service # # blocky_enable (bool): Set to NO by default. -# Set it to YES to enable blocky. -# blocky_config (str): Set to /usr/local/etc/blocky/config.yml by default. -# +# Set it to YES to enable blocky. +# blocky_config (str): Set to /usr/local/etc/blocky-config.yml by default. +# Set it to a path to use that config file. +# blocky_user (str): Services run as root by default. Set to a user name +# to run blocky as that user. Note: non-root users +# might need permission to bind to ports. +# blocky_group (str): Set to the user's primary group by default. +# Set it to a group name for daemon file ownership. +# blocky_flags (str): Enter extra flags to append to the blocky command. . /etc/rc.subr 
@@ -20,17 +26,29 @@ load_rc_config ${name} : ${blocky_enable:=NO} : ${blocky_config:="%%PREFIX%%/etc/blocky-config.yml"} +: ${blocky_group:=} : ${blocky_flags:=} -pidfile=/var/run/blocky.pid -command="%%PREFIX%%/sbin/blocky" +if [ -n "${blocky_user}" ] && [ -z "${blocky_group}" ]; then + # Detect the daemon user's primary group + blocky_group=$(id -gn "${blocky_user}") +fi + +pidfile="/var/run/${name}.pid" +blocky_path="%%PREFIX%%/sbin/blocky" + +command="/usr/sbin/daemon" +procname="/usr/local/sbin/blocky" +command_args="-c -f -p ${pidfile} ${blocky_path} \ + -c ${blocky_config} ${blocky_flags}" -start_cmd="${name}_start" +start_precmd="blocky_precmd" -blocky_start() +# Sets up a pidfile the daemon user can access +blocky_precmd() { - echo -n "Starting ${name}." - /usr/sbin/daemon -p ${pidfile} -f ${command} -c ${blocky_config} ${blocky_flags} + install -o "${blocky_user:-root}" -g "${blocky_group:-wheel}" \ + -m 0600 /dev/null "${pidfile}" } run_rc_command "$1" diff --git a/dns/blocky/files/pkg-message.in b/dns/blocky/files/pkg-message.in index 953a51c3cce8..70f077c66f2a 100644 --- a/dns/blocky/files/pkg-message.in +++ b/dns/blocky/files/pkg-message.in @@ -7,6 +7,21 @@ A sample configuration file is installed at the following location: Default location for configuration file when using rc.d script: %%PREFIX%%/etc/blocky-config.yml +With the default configuration, blocky listens on port 53 (TCP and UDP). +If running as a non-root user, use a different port in blocky configuration, +such as `port: 5053`, or use mac_portacl(4) to allow binding to port 53. + +Example setup for mac_portacl(4): + +In /boot/loader.conf: + + mac_portacl_load="YES" + +In /etc/sysctl.conf (where is the UID of your user): + + net.inet.ip.portrange.reservedhigh=0 + security.mac.portacl.rules=uid::tcp:53,uid::udp:53 + Please refer to the documentation located at https://0xerr0r.github.io/blocky/ for further information. EOM
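Review bot: On the Makefile hunk, only PORTREVISION is bumped; since the whole point of the change is to run blocky unprivileged, the port should also ship a dedicated account via USERS= and GROUPS= in the Makefile, otherwise the rc.d script's blocky_user has no obvious account to point at and the blocky_precmd fallback (`-o "${blocky_user:-root}" -g "${blocky_group:-wheel}"`) keeps running the daemon as root by default.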
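Review bot: In the blocky.in header-comment hunk, the documented default `/usr/local/etc/blocky-config.yml` hardcodes the prefix while the script itself uses `%%PREFIX%%/etc/blocky-config.yml`; write the comment with %%PREFIX%% so it stays correct for non-default prefixes. The blocky_group comment also states the group defaults to the user's primary group, but that only holds when blocky_user is set; with no user the pidfile is created root:wheel by blocky_precmd, which the comment should say.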
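Review bot: In the main blocky.in hunk, `procname="/usr/local/sbin/blocky"` hardcodes the prefix right next to `blocky_path="%%PREFIX%%/sbin/blocky"`; use `procname="${blocky_path}"` so rc.subr's process check and the executed binary cannot diverge. The group detection `blocky_group=$(id -gn "${blocky_user}")` silently yields an empty string for a non-existent user, after which blocky_precmd falls back to `-g wheel` and the start fails later with a less useful error; check the result and abort early (rc.subr's err function) instead. The two `-c` flags in command_args mean different things (daemon(8) chdir to /, then blocky's config path), so a relative blocky_config breaks once daemon has changed directory; a comment saying so, or a note that the path must be absolute, would save the next reader a debugging session. Pre-creating the 0600 pidfile as root before rc.subr switches to blocky_user is the right approach, since it lets the unprivileged daemon(8) open the file without making /var/run writable; also note that `-f` discards blocky's stdout/stderr, so the output has to be directed elsewhere (blocky's own log settings, or daemon(8)'s -S for syslog) if anything is to be diagnosable.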
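Review bot: In the pkg-message hunk, the UID placeholder is missing both in the parenthetical ("where is the UID of your user") and in the rule `security.mac.portacl.rules=uid::tcp:53,uid::udp:53`, so the example as shown is not applicable as typed; spell out the placeholder, e.g. `uid:UID:tcp:53,uid:UID:udp:53`, and say it must be numeric. The message also recommends a non-root user but never shows the corresponding rc.conf settings (blocky_user= and, optionally, blocky_group=) or that the config file at %%PREFIX%%/etc/blocky-config.yml must be readable by that user; add both, since without them the new knobs are invisible to the person installing the package. Finally, `net.inet.ip.portrange.reservedhigh=0` removes the kernel's reserved-port check on its own, so if mac_portacl fails to load, every local user can bind any low port; the text should tell the reader to verify the module is loaded (for example with kldstat) before relying on the rules.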