author | Jimmy Olgeni <olgeni@FreeBSD.org> | 2025-06-24 11:55:11 +0200 |
committer | Jimmy Olgeni <olgeni@FreeBSD.org> | 2025-06-24 11:56:22 +0200 |
commit | 302b0049a9a0caaf4d1dc79822964631053ab73a (patch) | |
tree | a3581470ba65deabd003ae60509a556636185275 | |
parent | devel/terraform-ls: Update to 0.36.5 (diff) |
lang/erlang: enhance epmd security
- Add dedicated beam user (UID/GID 372) for non-root execution
- Use daemon(8) for epmd process supervision and auto-restart
This addresses security concerns with epmd running as root by
providing privilege separation and automatic restart capability.
PR: 213001
Reviewed by: dch
Differential Revision: https://reviews.freebsd.org/D50874
-rw-r--r-- | GIDs | 2 | ||||
-rw-r--r-- | UIDs | 2 | ||||
-rw-r--r-- | lang/erlang/Makefile | 5 | ||||
-rw-r--r-- | lang/erlang/files/epmd.in | 24 |
4 files changed, 25 insertions, 8 deletions
@@ -312,7 +312,7 @@ sshesame:*:368:
 neo4j:*:369:
 _wsdd:*:370:
 reposilite:*:371:
-# free: 372
+beam:*:372:
 # free: 373
 # free: 374
 # free: 375
@@ -318,7 +318,7 @@ sshesame:*:368:368::0:0:Sshesame Daemon:/nonexistent:/usr/sbin/nologin
 neo4j:*:369:369::0:0:neo4j Database Daemon:/nonexistent:/usr/sbin/nologin
 _wsdd:*:370:370::0:0:Web Service Discovery Daemon:/nonexistent:/usr/sbin/nologin
 reposilite:*:371:371::0:0:Reposilite user:/nonexistent:/usr/sbin/nologin
-# free: 372
+beam:*:372:372::0:0:Erlang BEAM VM user:/nonexistent:/usr/sbin/nologin
 # free: 373
 # free: 374
 # free: 375
diff --git a/lang/erlang/Makefile b/lang/erlang/Makefile
index 0136bd7d1fcc..324e1807ff1c 100644
--- a/lang/erlang/Makefile
+++ b/lang/erlang/Makefile
@@ -1,7 +1,7 @@
 PORTNAME= erlang
 DISTVERSIONPREFIX= OTP-
 DISTVERSION= 26.2.5.12
-PORTREVISION= 1
+PORTREVISION= 2
 PORTEPOCH= 4
 CATEGORIES= lang parallel java
 DIST_SUBDIR= erlang
@@ -38,6 +38,9 @@ SUB_LIST= _TOOLS_VSN=${_TOOLS_VSN}
 WRKSRC= ${WRKSRC_otp}
+USERS= beam
+GROUPS= beam
+
 _EI_VSN= 5.5.1
 _SNMP_VSN= 5.15
 _TOOLS_VSN= 3.6
diff --git a/lang/erlang/files/epmd.in b/lang/erlang/files/epmd.in
index 15bf2c1bf1ae..1c9dc45c45bc 100644
--- a/lang/erlang/files/epmd.in
+++ b/lang/erlang/files/epmd.in
@@ -8,7 +8,7 @@
 # epmd_enable="YES"
 #
 # Configure optional flags with:
-# epmd_flags="-address 127.0.0.1"
+# epmd_opts="-address 127.0.0.1"
 . /etc/rc.subr
@@ -18,10 +18,24 @@ rcvar=epmd_enable
 load_rc_config ${name}
 : ${epmd_enable="NO"}
-: ${epmd_flags:-""}
+: ${epmd_opts:-""}
+: ${epmd_user="beam"}
-procname=%%PREFIX%%/bin/epmd
-start_cmd="%%PREFIX%%/bin/epmd -daemon ${epmd_flags}"
-stop_cmd="%%PREFIX%%/bin/epmd -kill >/dev/null"
+procname="daemon"
+pidfile="/var/run/epmd/epmd.pid"
+command="/usr/sbin/daemon"
+command_args="-f -r -P ${pidfile} %%PREFIX%%/bin/epmd ${epmd_opts}"
+command_user="${epmd_user}"
+
+start_precmd="epmd_precmd"
+
+epmd_precmd()
+{
+ if [ ! -d "/var/run/epmd" ]; then
+ install -d -o ${epmd_user} -g ${epmd_user} /var/run/epmd
+ fi
+ # Ensure beam user can write pidfile
+ install -m 644 -g ${epmd_user} -o ${epmd_user} /dev/null ${pidfile}
+}
 run_rc_command "$1" |
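Review bot: The pidfile named in `pidfile="/var/run/epmd/epmd.pid"` and its directory are handed to the unprivileged beam account by epmd_precmd, and because `command_user="${epmd_user}"` runs daemon(8) itself as beam, the supervisor pid recorded there is written by that same account; if I read rc.subr right, stop/status then act as root on whatever pid that file holds (the `procname="daemon"` check only narrows the match to other daemon(8) processes), so the unprivileged service account ends up able to influence a root-issued signal. A narrower split is to keep daemon(8) as root and let it drop privileges for the child: `command_args="-f -r -P ${pidfile} -u ${epmd_user} %%PREFIX%%/bin/epmd ${epmd_opts}"`, drop the `command_user` line, and leave /var/run/epmd and the pidfile root-owned so the second `install` in epmd_precmd is no longer needed. Separately, `: ${epmd_opts:-""}` is a no-op because `:-` substitutes without assigning; `: ${epmd_opts=""}` would match the `epmd_enable` line above it. Since rc.subr still appears to honour `epmd_flags` and places it before command_args, an existing rc.conf entry such as `epmd_flags="-address 127.0.0.1"` would now reach daemon(8) instead of epmd, which deserves a mention in UPDATING or pkg-message.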