git: 302b0049a9a0 - main - lang/erlang: enhance epmd security

From: Jimmy Olgeni <olgeni_at_FreeBSD.org>
Date: Tue, 24 Jun 2025 09:56:35 UTC
The branch main has been updated by olgeni:

URL: https://cgit.FreeBSD.org/ports/commit/?id=302b0049a9a0caaf4d1dc79822964631053ab73a

commit 302b0049a9a0caaf4d1dc79822964631053ab73a
Author:     Jimmy Olgeni <olgeni@FreeBSD.org>
AuthorDate: 2025-06-24 09:55:11 +0000
Commit:     Jimmy Olgeni <olgeni@FreeBSD.org>
CommitDate: 2025-06-24 09:56:22 +0000

    lang/erlang: enhance epmd security
    
    - Add dedicated beam user (UID/GID 372) for non-root execution
    - Use daemon(8) for epmd process supervision and auto-restart
    
    This addresses security concerns with epmd running as root by
    providing privilege separation and automatic restart capability.
    
    PR:             213001
    Reviewed by:    dch
    Differential Revision:  https://reviews.freebsd.org/D50874
---
 GIDs                      |  2 +-
 UIDs                      |  2 +-
 lang/erlang/Makefile      |  5 ++++-
 lang/erlang/files/epmd.in | 24 +++++++++++++++++++-----
 4 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/GIDs b/GIDs
index d5328e3ed06e..676af70a80a4 100644
--- a/GIDs
+++ b/GIDs
@@ -312,7 +312,7 @@ sshesame:*:368:
 neo4j:*:369:
 _wsdd:*:370:
 reposilite:*:371:
-# free: 372
+beam:*:372:
 # free: 373
 # free: 374
 # free: 375
diff --git a/UIDs b/UIDs
index 01361b61e621..ba84ebfec8c4 100644
--- a/UIDs
+++ b/UIDs
@@ -318,7 +318,7 @@ sshesame:*:368:368::0:0:Sshesame Daemon:/nonexistent:/usr/sbin/nologin
 neo4j:*:369:369::0:0:neo4j Database Daemon:/nonexistent:/usr/sbin/nologin
 _wsdd:*:370:370::0:0:Web Service Discovery Daemon:/nonexistent:/usr/sbin/nologin
 reposilite:*:371:371::0:0:Reposilite user:/nonexistent:/usr/sbin/nologin
-# free: 372
+beam:*:372:372::0:0:Erlang BEAM VM user:/nonexistent:/usr/sbin/nologin
 # free: 373
 # free: 374
 # free: 375
diff --git a/lang/erlang/Makefile b/lang/erlang/Makefile
index 0136bd7d1fcc..324e1807ff1c 100644
--- a/lang/erlang/Makefile
+++ b/lang/erlang/Makefile
@@ -1,7 +1,7 @@
 PORTNAME=	erlang
 DISTVERSIONPREFIX=	OTP-
 DISTVERSION=	26.2.5.12
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	4
 CATEGORIES=	lang parallel java
 DIST_SUBDIR=	erlang
@@ -38,6 +38,9 @@ SUB_LIST=	_TOOLS_VSN=${_TOOLS_VSN}
 
 WRKSRC=		${WRKSRC_otp}
 
+USERS=		beam
+GROUPS=		beam
+
 _EI_VSN=	5.5.1
 _SNMP_VSN=	5.15
 _TOOLS_VSN=	3.6
diff --git a/lang/erlang/files/epmd.in b/lang/erlang/files/epmd.in
index 15bf2c1bf1ae..1c9dc45c45bc 100644
--- a/lang/erlang/files/epmd.in
+++ b/lang/erlang/files/epmd.in
@@ -8,7 +8,7 @@
 # epmd_enable="YES"
 #
 # Configure optional flags with:
-# epmd_flags="-address 127.0.0.1"
+# epmd_opts="-address 127.0.0.1"
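Review bot: Renaming the user-facing knob from `epmd_flags` to `epmd_opts` silently breaks existing rc.conf entries, and not only by ignoring them: rc.subr places `${name}_flags` directly after `command`, so with `command=/usr/sbin/daemon` a leftover `epmd_flags="-address 127.0.0.1"` would, if I read rc.subr right, be handed to daemon(8) instead of epmd and the service would fail to start rather than fall back to the old behaviour. That deserves a pkg-message or UPDATING entry, and the script itself could catch it with `if [ -n "${epmd_flags}" ]; then warn "epmd_flags is no longer used; set epmd_opts instead"; fi` near the defaults. The `-address 127.0.0.1` example is also the right thing to keep in the header, since epmd by default listens on every interface and the new unprivileged user does nothing to limit that exposure.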
 
 . /etc/rc.subr
 
@@ -18,10 +18,24 @@ rcvar=epmd_enable
 load_rc_config ${name}
 
 : ${epmd_enable="NO"}
-: ${epmd_flags:-""}
+: ${epmd_opts:-""}
+: ${epmd_user="beam"}
 
-procname=%%PREFIX%%/bin/epmd
-start_cmd="%%PREFIX%%/bin/epmd -daemon ${epmd_flags}"
-stop_cmd="%%PREFIX%%/bin/epmd -kill >/dev/null"
+procname="daemon"
+pidfile="/var/run/epmd/epmd.pid"
+command="/usr/sbin/daemon"
+command_args="-f -r -P ${pidfile} %%PREFIX%%/bin/epmd ${epmd_opts}"
+command_user="${epmd_user}"
+
+start_precmd="epmd_precmd"
+
+epmd_precmd()
+{
+	if [ ! -d "/var/run/epmd" ]; then
+		install -d -o ${epmd_user} -g ${epmd_user} /var/run/epmd
+	fi
+	# Ensure beam user can write pidfile
+	install -m 644 -g ${epmd_user} -o ${epmd_user} /dev/null ${pidfile}
+}
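Review bot: The pidfile that rc.subr reads for `stop` and `status` is deliberately made writable by the unprivileged `beam` user (the `install -m 644 -o/-g ${epmd_user}` line, inside the `/var/run/epmd` directory that same user owns), because `command_user` runs the whole daemon(8) supervisor as that user; anything running as `beam` can therefore overwrite the pidfile with another pid, and as far as I can tell rc.subr's check only verifies that the process name matches `procname="daemon"`, which every other daemon(8)-supervised service on the host also satisfies, so a root-run `service epmd stop` can be redirected at a different supervisor. Letting daemon(8) drop privileges itself with `-u ${epmd_user}` keeps the supervisor and its pidfile root-owned (daemon(8) opens the pidfile before it switches user, if I recall the implementation correctly), which removes the need for `command_user`, the user-owned `/var/run/epmd` directory, and the whole `epmd_precmd` hook, and it also stops root from running `install` into a directory the unprivileged user controls. If `command_user` is kept on purpose, the pidfile should at least live in a root-owned directory with a restrictive mode rather than be pre-created as a user-writable file. The same `-f` that detaches daemon(8) also discards epmd's stdout/stderr; consider `-o`/`-S` so restarts triggered by `-r` leave a trace in the logs.

```shell
: ${epmd_user="beam"}

procname="daemon"
pidfile="/var/run/epmd.pid"
command="/usr/sbin/daemon"
# daemon(8) opens the pidfile as root before dropping to ${epmd_user}, so the
# pid that rc.subr later signals is not under the unprivileged user's control.
command_args="-f -r -P ${pidfile} -u ${epmd_user} %%PREFIX%%/bin/epmd ${epmd_opts}"
# … unchanged: run_rc_command …
```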
 
 run_rc_command "$1"