authorJimmy Olgeni <olgeni@FreeBSD.org>2025-06-24 11:55:11 +0200
committerJimmy Olgeni <olgeni@FreeBSD.org>2025-06-24 11:56:22 +0200
commit302b0049a9a0caaf4d1dc79822964631053ab73a (patch)
treea3581470ba65deabd003ae60509a556636185275
parentdevel/terraform-ls: Update to 0.36.5 (diff)
lang/erlang: enhance epmd security
- Add dedicated beam user (UID/GID 372) for non-root execution - Use daemon(8) for epmd process supervision and auto-restart This addresses security concerns with epmd running as root by providing privilege separation and automatic restart capability. PR: 213001 Reviewed by: dch Differential Revision: https://reviews.freebsd.org/D50874
-rw-r--r--GIDs2
-rw-r--r--UIDs2
-rw-r--r--lang/erlang/Makefile5
-rw-r--r--lang/erlang/files/epmd.in24
4 files changed, 25 insertions, 8 deletions
diff --git a/GIDs b/GIDs
index d5328e3ed06e..676af70a80a4 100644
--- a/GIDs
+++ b/GIDs
@@ -312,7 +312,7 @@ sshesame:*:368:
neo4j:*:369:
_wsdd:*:370:
reposilite:*:371:
-# free: 372
+beam:*:372:
# free: 373
# free: 374
# free: 375
diff --git a/UIDs b/UIDs
index 01361b61e621..ba84ebfec8c4 100644
--- a/UIDs
+++ b/UIDs
@@ -318,7 +318,7 @@ sshesame:*:368:368::0:0:Sshesame Daemon:/nonexistent:/usr/sbin/nologin
neo4j:*:369:369::0:0:neo4j Database Daemon:/nonexistent:/usr/sbin/nologin
_wsdd:*:370:370::0:0:Web Service Discovery Daemon:/nonexistent:/usr/sbin/nologin
reposilite:*:371:371::0:0:Reposilite user:/nonexistent:/usr/sbin/nologin
-# free: 372
+beam:*:372:372::0:0:Erlang BEAM VM user:/nonexistent:/usr/sbin/nologin
# free: 373
# free: 374
# free: 375
diff --git a/lang/erlang/Makefile b/lang/erlang/Makefile
index 0136bd7d1fcc..324e1807ff1c 100644
--- a/lang/erlang/Makefile
+++ b/lang/erlang/Makefile
@@ -1,7 +1,7 @@
PORTNAME= erlang
DISTVERSIONPREFIX= OTP-
DISTVERSION= 26.2.5.12
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 4
CATEGORIES= lang parallel java
DIST_SUBDIR= erlang
@@ -38,6 +38,9 @@ SUB_LIST= _TOOLS_VSN=${_TOOLS_VSN}
WRKSRC= ${WRKSRC_otp}
+USERS= beam
+GROUPS= beam
+
_EI_VSN= 5.5.1
_SNMP_VSN= 5.15
_TOOLS_VSN= 3.6
diff --git a/lang/erlang/files/epmd.in b/lang/erlang/files/epmd.in
index 15bf2c1bf1ae..1c9dc45c45bc 100644
--- a/lang/erlang/files/epmd.in
+++ b/lang/erlang/files/epmd.in
@@ -8,7 +8,7 @@
# epmd_enable="YES"
#
# Configure optional flags with:
-# epmd_flags="-address 127.0.0.1"
+# epmd_opts="-address 127.0.0.1"
. /etc/rc.subr
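Review bot: The header comment now documents `epmd_opts` but never tells existing users that `epmd_flags` no longer reaches epmd. A host whose rc.conf carries `epmd_flags="-address 127.0.0.1"` to keep epmd on loopback would lose that restriction after the upgrade. rc.subr would presumably also pass those flags to `command`, which the next hunk sets to /usr/sbin/daemon, so the service may fail to start or come up on all interfaces. I would add a comment line here such as `# NOTE: epmd_flags is no longer passed to epmd; move its value to epmd_opts.`, and cover the rename in UPDATING if that is not done elsewhere.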
@@ -18,10 +18,24 @@ rcvar=epmd_enable
load_rc_config ${name}
: ${epmd_enable="NO"}
-: ${epmd_flags:-""}
+: ${epmd_opts:-""}
+: ${epmd_user="beam"}
-procname=%%PREFIX%%/bin/epmd
-start_cmd="%%PREFIX%%/bin/epmd -daemon ${epmd_flags}"
-stop_cmd="%%PREFIX%%/bin/epmd -kill >/dev/null"
+procname="daemon"
+pidfile="/var/run/epmd/epmd.pid"
+command="/usr/sbin/daemon"
+command_args="-f -r -P ${pidfile} %%PREFIX%%/bin/epmd ${epmd_opts}"
+command_user="${epmd_user}"
+
+start_precmd="epmd_precmd"
+
+epmd_precmd()
+{
+ if [ ! -d "/var/run/epmd" ]; then
+ install -d -o ${epmd_user} -g ${epmd_user} /var/run/epmd
+ fi
+ # Ensure beam user can write pidfile
+ install -m 644 -g ${epmd_user} -o ${epmd_user} /dev/null ${pidfile}
+}
run_rc_command "$1"
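Review bot: In `epmd_precmd`, the `install -m 644 ... /dev/null ${pidfile}` line runs as root on every start and writes into /var/run/epmd, a directory the same function hands to `${epmd_user}`. Having root create files inside a directory an unprivileged account controls is best avoided. It also looks redundant, because `command_user` makes daemon(8) run as that account and it can create its own pidfile there. If the 644 mode is deliberate, for example so non-root users can read the pidfile, the comment should say so. The expansions are unquoted and `-g ${epmd_user}` assumes a group named after the user, so overriding `epmd_user` in rc.conf can make the precmd fail; a separate `epmd_group` default avoids that. Separately, `: ${epmd_opts:-""}` assigns nothing; `: ${epmd_opts=""}` is the form that sets a default.

```shell
: ${epmd_opts=""}
: ${epmd_user="beam"}
: ${epmd_group="beam"}

# … unchanged: procname, pidfile, command, command_args, command_user, start_precmd …

epmd_precmd()
{
	# Create only the run directory. daemon(8) runs as ${epmd_user} and
	# writes the pidfile itself, so root never writes a file inside a
	# directory that account controls.
	install -d -m 755 -o "${epmd_user}" -g "${epmd_group}" /var/run/epmd
}
```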