Date: Thu, 2 Feb 2017 17:45:28 +0000 (UTC) From: Mark Felder <feld@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r433172 - in head: . www/uwsgi www/uwsgi/files Message-ID: <201702021745.v12HjStK003560@repo.freebsd.org>
Author: feld
Date: Thu Feb 2 17:45:27 2017
New Revision: 433172
URL: https://svnweb.freebsd.org/changeset/ports/433172
Log:
www/uwsgi: Further rc script security improvements
This update introduces a dedicated user for uwsgi and introduces the uwsgi_socket_owner setting which by default is set to www:www. The previous change to socket mode of 600 has been modified to 660 as well. This change further increases security while restoring compatibility.
MFH: 2017Q1
Differential Revision: https://reviews.freebsd.org/D9398
Modified:
head/GIDs
head/UIDs
head/www/uwsgi/Makefile
head/www/uwsgi/files/uwsgi.in
Modified: head/GIDs
==============================================================================
--- head/GIDs Thu Feb 2 16:44:41 2017 (r433171)
+++ head/GIDs Thu Feb 2 17:45:27 2017 (r433172)
@@ -106,7 +106,7 @@ solr:*:161:
 octoprint:*:162:
 _iked:*:163:
 lightdm:*:164:
-# free: 165
+uwsgi:*:165:
 # free: 166
 # free: 167
 # free: 168
Modified: head/UIDs
==============================================================================
--- head/UIDs Thu Feb 2 16:44:41 2017 (r433171)
+++ head/UIDs Thu Feb 2 17:45:27 2017 (r433172)
@@ -111,7 +111,7 @@ solr:*:161:161::0:0:Apache Solr System:/
 octoprint:*:162:162::0:0:OctoPrint Daemon:/usr/local/octoprint:/usr/sbin/nologin
 _iked:*:163:163::0:0:IKEv2 Daemon:/var/empty:/usr/sbin/nologin
 lightdm:*:164:164::0:0:Light Display Manager:/var/lib/lightdm-data:/usr/sbin/nologin
-# free: 165
+uwsgi:*:165:165::0:0:uwsgi Daemon:/nonexistent:/usr/sbin/nologin
 # free: 166
 # free: 167
 # free: 168
Modified: head/www/uwsgi/Makefile
==============================================================================
--- head/www/uwsgi/Makefile Thu Feb 2 16:44:41 2017 (r433171)
+++ head/www/uwsgi/Makefile Thu Feb 2 17:45:27 2017 (r433172)
@@ -3,7 +3,7 @@
 PORTNAME= uwsgi
 PORTVERSION= 2.0.14
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= www python
 MASTER_SITES= http://projects.unbit.it/downloads/
 
@@ -17,6 +17,9 @@
 USES= python ssl
 USE_PYTHON= distutils
 USE_RC_SUBR= uwsgi
+USERS= uwsgi
+GROUPS= uwsgi
+
 OPTIONS_DEFINE= DEBUG JSON PCRE XML
 DEBUG_VARS= PYDISTUTILS_BUILDARGS+=--debug
Modified: head/www/uwsgi/files/uwsgi.in
==============================================================================
--- head/www/uwsgi/files/uwsgi.in Thu Feb 2 16:44:41 2017 (r433171)
+++ head/www/uwsgi/files/uwsgi.in Thu Feb 2 17:45:27 2017 (r433172)
@@ -14,14 +14,16 @@
 # Default is /tmp/uwsgi.sock.
 # uwsgi_socket_mode (int): Set the mode of the socket.
 # Default is 600.
+# uwsgi_socket_owner (str): Set the owner of the socket.
+# Default is www:www.
 # uwsgi_logfile (path): Set the path to the uwsgi log file
 # Default is /var/log/uwsgi.log.
 # uwsgi_pidfile (path): Set the path to the uwsgi pid file
 # Default is /var/run/uwsgi.pid.
 # uwsgi_uid (int): Set the UID of the process to run with
-# Default is 80.
+# Default is 165 (uwsgi).
 # uwsgi_gid (int): Set the GID of the process to run with
-# Default is 80.
+# Default is 165 (uwsgi).
 # uwsgi_flags (str): Set the uwsgi command line arguments
 # Default is "-M -L".
 # uwsgi_procname (str): Define to "uWSGI" if you start uwsgi with
@@ -47,11 +49,12 @@ command=%%PREFIX%%/bin/uwsgi
 : ${uwsgi_enable="NO"}
 : ${uwsgi_profiles=""}
 : ${uwsgi_socket="/tmp/${name}.sock"}
-: ${uwsgi_socket_mode="600"}
+: ${uwsgi_socket_mode="660"}
+: ${uwsgi_socket_owner="www:www"}
 : ${uwsgi_logfile="/var/log/${name}.log"}
 : ${uwsgi_pidfile="/var/run/${name}.pid"}
-: ${uwsgi_uid="80"}
-: ${uwsgi_gid="80"}
+: ${uwsgi_uid="165"}
+: ${uwsgi_gid="165"}
 : ${uwsgi_flags="-M -L"}
 : ${uwsgi_procname="${command}"}
 
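Review bot: The context line `# Default is 600.` under uwsgi_socket_mode is now wrong, because the defaults hunk further down this same commit changes `uwsgi_socket_mode` to 660; the rc.conf documentation should read `# Default is 660.`. The new `uwsgi_socket_owner (str)` entry would also benefit from stating the expected format, e.g. `# uwsgi_socket_owner (str): Set the owner of the socket (user:group).`, since the value is handed verbatim to uwsgi's --chown-socket on the command_args line later in the script. The comment block continues outside the hunk.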
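Review bot: The new defaults `: ${uwsgi_uid="165"}` and `: ${uwsgi_gid="165"}` pin the daemon to a numeric id, which only matches the dedicated account if it was created by this port with the reserved id; on a host where a `uwsgi` user already existed with a different id, the process would run as whatever uid 165 happens to be. As far as I recall uwsgi resolves --uid/--gid by name as well as by number, so `: ${uwsgi_uid="uwsgi"}` and `: ${uwsgi_gid="uwsgi"}` would follow the account rather than the number (the header comment would then describe the setting as a name or id). A one-line comment next to `: ${uwsgi_socket_mode="660"}` noting that, combined with owner www:www, the group bit grants every member of group www access to the socket, and that sites which only need the proxy user can keep 600, would make the relaxation from the previous change an informed choice.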
@@ -75,7 +78,8 @@ if [ -n "${uwsgi_profiles}" ]; then
 exit 1
 fi
 eval uwsgi_socket=\${uwsgi_${profile}_socket:-"/tmp/${name}-${profile}.sock"}
-eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"600"}
+eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"660"}
+eval uwsgi_socket_owner=\${uwsgi_${profile}_socket_owner:-"www:www"}
 eval uwsgi_logfile=\${uwsgi_${profile}_logfile:-"/var/log/${name}-${profile}.log"}
 eval uwsgi_pidfile=\${uwsgi_${profile}_pidfile:-"/var/run/${name}-${profile}.pid"}
 eval uwsgi_uid=\${uwsgi_${profile}_uid:-"${uwsgi_uid}"}
@@ -92,7 +96,7 @@ if [ -n "${uwsgi_profiles}" ]; then
 fi
 command=%%PREFIX%%/bin/uwsgi
-command_args="--pidfile ${uwsgi_pidfile} -s ${uwsgi_socket} --chmod-socket=${uwsgi_socket_mode} -d ${uwsgi_logfile} --uid ${uwsgi_uid} --gid ${uwsgi_gid}"
+command_args="--pidfile ${uwsgi_pidfile} -s ${uwsgi_socket} --chmod-socket=${uwsgi_socket_mode} --chown-socket=${uwsgi_socket_owner} -d ${uwsgi_logfile} --uid ${uwsgi_uid} --gid ${uwsgi_gid}"
 pidfile=${uwsgi_pidfile}
 stop_postcmd=stop_postcmd
 reload_precmd=reload_precmd
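Review bot: The per-profile fallbacks for the socket permissions hard-code the literals, `eval uwsgi_socket_owner=\${uwsgi_${profile}_socket_owner:-"www:www"}` (and `"660"` on the line above), whereas `uwsgi_uid` three lines down falls back to the global `"${uwsgi_uid}"`; an administrator who tightens `uwsgi_socket_mode` or `uwsgi_socket_owner` globally in rc.conf therefore silently gets the defaults back for every profile. Falling back to the global value keeps the two paths consistent: `eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"${uwsgi_socket_mode}"}` and `eval uwsgi_socket_owner=\${uwsgi_${profile}_socket_owner:-"${uwsgi_socket_owner}"}`. The enclosing `if [ -n "${uwsgi_profiles}" ]` block starts and ends outside this hunk, so this assumes a single profile is resolved per invocation, as the existing uid/gid lines already do.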
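Review bot: The new `--chown-socket=${uwsgi_socket_owner}` makes socket ownership and mode the access-control boundary for the application, yet the default path set earlier in the script (outside this hunk) is `/tmp/${name}.sock`, a directory every local user can write to; ownership and mode are applied to the path after bind, so the boundary presumably rests on a name an unprivileged user can create first. Now that the daemon has a dedicated account, a default under a service-owned directory, e.g. `/var/run/uwsgi/${name}.sock`, would remove that exposure, with the directory created in a start_precmd owned by uwsgi and group www so the 660 socket still reaches the proxy. It would also be worth a comment on the command_args line that --chmod-socket/--chown-socket only apply to a Unix-domain `uwsgi_socket`, since a TCP address in rc.conf makes both settings meaningless without any warning from the script.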