From owner-svn-ports-head@freebsd.org Thu Feb 2 17:45:29 2017
Message-Id: <201702021745.v12HjStK003560@repo.freebsd.org>
From: Mark Felder
Date: Thu, 2 Feb 2017 17:45:28 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r433172 - in head: . www/uwsgi www/uwsgi/files
X-SVN-Group: ports-head
List-Id: SVN commit messages for the ports tree for head

Author: feld
Date: Thu Feb 2 17:45:27 2017
New Revision: 433172

URL: https://svnweb.freebsd.org/changeset/ports/433172

Log:
www/uwsgi: Further rc script security improvements

This update introduces a dedicated user for uwsgi and introduces the uwsgi_socket_owner setting which by default is set to www:www. The previous change to socket mode of 600 has been modified to 660 as well.

This change further increases security while restoring compatibility.

MFH: 2017Q1
Differential Revision: https://reviews.freebsd.org/D9398

Modified:
head/GIDs
head/UIDs
head/www/uwsgi/Makefile
head/www/uwsgi/files/uwsgi.in

Modified: head/GIDs ============================================================================== --- head/GIDs Thu Feb 2 16:44:41 2017 (r433171) +++ head/GIDs Thu Feb 2 17:45:27 2017 (r433172) @@ -106,7 +106,7 @@ solr:*:161: octoprint:*:162: _iked:*:163: lightdm:*:164: -# free: 165 +uwsgi:*:165: # free: 166 # free: 167 # free: 168 Modified: head/UIDs ============================================================================== --- head/UIDs Thu Feb 2 16:44:41 2017 (r433171) +++ head/UIDs Thu Feb 2 17:45:27 2017 (r433172) 
@@ -111,7 +111,7 @@ solr:*:161:161::0:0:Apache Solr System:/ octoprint:*:162:162::0:0:OctoPrint Daemon:/usr/local/octoprint:/usr/sbin/nologin _iked:*:163:163::0:0:IKEv2 Daemon:/var/empty:/usr/sbin/nologin lightdm:*:164:164::0:0:Light Display Manager:/var/lib/lightdm-data:/usr/sbin/nologin -# free: 165 +uwsgi:*:165:165::0:0:uwsgi Daemon:/nonexistent:/usr/sbin/nologin # free: 166 # free: 167 # free: 168 Modified: head/www/uwsgi/Makefile ============================================================================== --- head/www/uwsgi/Makefile Thu Feb 2 16:44:41 2017 (r433171) +++ head/www/uwsgi/Makefile Thu Feb 2 17:45:27 2017 (r433172) @@ -3,7 +3,7 @@ PORTNAME= uwsgi PORTVERSION= 2.0.14 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= www python MASTER_SITES= http://projects.unbit.it/downloads/ @@ -17,6 +17,9 @@ USES= python ssl USE_PYTHON= distutils USE_RC_SUBR= uwsgi +USERS= uwsgi +GROUPS= uwsgi + OPTIONS_DEFINE= DEBUG JSON PCRE XML DEBUG_VARS= PYDISTUTILS_BUILDARGS+=--debug Modified: head/www/uwsgi/files/uwsgi.in ============================================================================== --- head/www/uwsgi/files/uwsgi.in Thu Feb 2 16:44:41 2017 (r433171) +++ head/www/uwsgi/files/uwsgi.in Thu Feb 2 17:45:27 2017 (r433172) @@ -14,14 +14,16 @@ # Default is /tmp/uwsgi.sock. # uwsgi_socket_mode (int): Set the mode of the socket. # Default is 600. +# uwsgi_socket_owner (str): Set the owner of the socket. +# Default is www:www. # uwsgi_logfile (path): Set the path to the uwsgi log file # Default is /var/log/uwsgi.log. # uwsgi_pidfile (path): Set the path to the uwsgi pid file # Default is /var/run/uwsgi.pid. # uwsgi_uid (int): Set the UID of the process to run with -# Default is 80. +# Default is 165 (uwsgi). # uwsgi_gid (int): Set the GID of the process to run with -# Default is 80. +# Default is 165 (uwsgi). # uwsgi_flags (str): Set the uwsgi command line arguments # Default is "-M -L". # uwsgi_procname (str): Define to "uWSGI" if you start uwsgi with 
@@ -47,11 +49,12 @@ command=%%PREFIX%%/bin/uwsgi : ${uwsgi_enable="NO"} : ${uwsgi_profiles=""} : ${uwsgi_socket="/tmp/${name}.sock"} -: ${uwsgi_socket_mode="600"} +: ${uwsgi_socket_mode="660"} +: ${uwsgi_socket_owner="www:www"} : ${uwsgi_logfile="/var/log/${name}.log"} : ${uwsgi_pidfile="/var/run/${name}.pid"} -: ${uwsgi_uid="80"} -: ${uwsgi_gid="80"} +: ${uwsgi_uid="165"} +: ${uwsgi_gid="165"} : ${uwsgi_flags="-M -L"} : ${uwsgi_procname="${command}"} @@ -75,7 +78,8 @@ if [ -n "${uwsgi_profiles}" ]; then exit 1 fi eval uwsgi_socket=\${uwsgi_${profile}_socket:-"/tmp/${name}-${profile}.sock"} - eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"600"} + eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"660"} + eval uwsgi_socket_owner=\${uwsgi_${profile}_socket_owner:-"www:www"} eval uwsgi_logfile=\${uwsgi_${profile}_logfile:-"/var/log/${name}-${profile}.log"} eval uwsgi_pidfile=\${uwsgi_${profile}_pidfile:-"/var/run/${name}-${profile}.pid"} eval uwsgi_uid=\${uwsgi_${profile}_uid:-"${uwsgi_uid}"} @@ -92,7 +96,7 @@ if [ -n "${uwsgi_profiles}" ]; then fi command=%%PREFIX%%/bin/uwsgi -command_args="--pidfile ${uwsgi_pidfile} -s ${uwsgi_socket} --chmod-socket=${uwsgi_socket_mode} -d ${uwsgi_logfile} --uid ${uwsgi_uid} --gid ${uwsgi_gid}" +command_args="--pidfile ${uwsgi_pidfile} -s ${uwsgi_socket} --chmod-socket=${uwsgi_socket_mode} --chown-socket=${uwsgi_socket_owner} -d ${uwsgi_logfile} --uid ${uwsgi_uid} --gid ${uwsgi_gid}" pidfile=${uwsgi_pidfile} stop_postcmd=stop_postcmd reload_precmd=reload_precmd
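Review bot: in the first uwsgi.in hunk (the header comments) the unchanged context line `# uwsgi_socket_mode (int): Set the mode of the socket.` is still followed by `# Default is 600.`, but the defaults hunk changes `: ${uwsgi_socket_mode="600"}` to `"660"`; update the comment to `# Default is 660.` so the documented default matches the script, as was done for uwsgi_uid and uwsgi_gid in the same hunk.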
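Review bot: in the profile hunk of uwsgi.in the per-profile fallbacks are hard-coded literals, `eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"660"}` and `eval uwsgi_socket_owner=\${uwsgi_${profile}_socket_owner:-"www:www"}`, whereas the adjacent uid line falls back to the global setting, `eval uwsgi_uid=\${uwsgi_${profile}_uid:-"${uwsgi_uid}"}`. An operator who tightens uwsgi_socket_mode or changes uwsgi_socket_owner globally in rc.conf will therefore still get 660 and www:www on every profile socket; falling back to "${uwsgi_socket_mode}" and "${uwsgi_socket_owner}" instead keeps the profile and non-profile paths consistent.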
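Review bot: the new `# uwsgi_socket_owner (str): Set the owner of the socket.` comment does not say why the setting matters: with the default mode now 660 and `--chown-socket=${uwsgi_socket_owner}` in command_args, only root, the named owner and members of the named group can connect, so the value must be the user:group of the front-end web server that talks to the socket (www:www for the in-tree defaults). A sentence to that effect in the header comment would save operators running the front end under a different user from a confusing permission-denied on the socket.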