From 7b6aed9ac322d8a3820d8f0615eb623bb815f7ee Mon Sep 17 00:00:00 2001
From: Ryan Steinmetz
Date: Mon, 11 Jul 2022 09:41:15 -0400
Subject: security/stunnel: Drop privs by default, update PID file location

- Document changes in UPDATING

PR: 249151
Reported by: Tatsuki Makino
---
 security/stunnel/Makefile | 9 +++++++--
 security/stunnel/files/daemon.conf.in | 3 +++
 security/stunnel/files/pid.conf | 1 -
 security/stunnel/files/stunnel.in | 18 ++++++++++++++++--
 security/stunnel/pkg-plist | 2 +-
 5 files changed, 27 insertions(+), 6 deletions(-)
 create mode 100644 security/stunnel/files/daemon.conf.in
 delete mode 100644 security/stunnel/files/pid.conf
(limited to 'security/stunnel')

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index 6db2dad118db..ea08a6fc6780 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -16,7 +16,7 @@ LICENSE= GPLv2 GPLv3
 LICENSE_COMB= dual
 BROKEN_SSL= libressl libressl-devel
-BROKEN_SSL_REASON= Missing upstream support
+BROKEN_SSL_REASON= missing upstream support
 USES= cpe libtool perl5 shebangfix ssl
 USE_PERL5= build
@@ -27,6 +27,10 @@ GNU_CONFIGURE= yes
 CONFIGURE_ARGS= --localstatedir=/var/tmp --enable-static --disable-systemd \
 --with-ssl="${OPENSSLBASE}"
 SHEBANG_FILES= src/stunnel3.in
+SUB_FILES= daemon.conf
+SUB_LIST= STUNNEL_PIDFILE=${STUNNEL_PIDFILE} \
+ STUNNEL_USER=${STUNNEL_USER} \
+ STUNNEL_GROUP=${STUNNEL_GROUP}
 OPTIONS_DEFINE= DOCS EXAMPLES FIPS IPV6 LIBWRAP
 OPTIONS_SINGLE= THREAD
@@ -42,6 +46,7 @@ FORK_DESC= Use the fork(3) threading model
 PTHREAD_DESC= Use the pthread(3) threading model
 UCONTEXT_DESC= Use the ucontext(3) threading model
+STUNNEL_PIDFILE=/var/run/stunnel/stunnel.pid
 STUNNEL_USER?= stunnel
 STUNNEL_GROUP?= stunnel
@@ -101,7 +106,7 @@ post-build:
 post-install:
 ${MKDIR} ${STAGEDIR}${ETCDIR}/conf.d/
- ${INSTALL_DATA} ${FILESDIR}/pid.conf ${STAGEDIR}${ETCDIR}/conf.d/00-pid.conf
+ ${INSTALL_DATA} ${WRKDIR}/daemon.conf ${STAGEDIR}${ETCDIR}/conf.d/00-daemon.conf
 cert:
 @${ECHO} ""
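Review bot: `STUNNEL_PIDFILE=/var/run/stunnel/stunnel.pid` in the third Makefile hunk is a plain assignment while `STUNNEL_USER?=` and `STUNNEL_GROUP?=` directly below it are overridable, so the pid path is the one knob of the three that make.conf cannot change, even though both the generated `pid =` line in 00-daemon.conf and the rc script default are derived from it. Suggest `STUNNEL_PIDFILE?=	/var/run/stunnel/stunnel.pid` so an override keeps the config file and the rc script in agreement. The SUB_LIST assignment in the second hunk references STUNNEL_PIDFILE about twenty lines before it is defined; that presumably works because bmake expands `=` values at use time, but moving the definition above SUB_LIST, or adding `# STUNNEL_PIDFILE is set below; expanded lazily` would make the ordering dependency visible to the next editor.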
diff --git a/security/stunnel/files/daemon.conf.in b/security/stunnel/files/daemon.conf.in
new file mode 100644
index 000000000000..af40302a0927
--- /dev/null
+++ b/security/stunnel/files/daemon.conf.in
@@ -0,0 +1,3 @@
+pid = %%STUNNEL_PIDFILE%%
+setuid = %%STUNNEL_USER%%
+setgid = %%STUNNEL_GROUP%%
diff --git a/security/stunnel/files/pid.conf b/security/stunnel/files/pid.conf
deleted file mode 100644
index f2b23cc181bb..000000000000
--- a/security/stunnel/files/pid.conf
+++ /dev/null
@@ -1 +0,0 @@
-pid = /var/run/stunnel.pid
diff --git a/security/stunnel/files/stunnel.in b/security/stunnel/files/stunnel.in
index a36dd7eb01ed..0d90942e1827 100644
--- a/security/stunnel/files/stunnel.in
+++ b/security/stunnel/files/stunnel.in
@@ -13,9 +13,11 @@
 # Set it to the full path to the config file
 # that stunnel will use during the automated
 # start-up.
-# stunnel_pidfile (str): Default "%%PREFIX%%/var/stunnel/stunnel.pid"
+# stunnel_pidfile (str): Default "%%STUNNEL_PIDFILE%%"
 # Set it to the value of 'pid' in
 # the stunnel.conf file.
+# stunnel_uid (str): Default "%%STUNNEL_USER%%"
+# stunnel_gid (str): Default "%%STUNNEL_GROUP%%"
 #
 . /etc/rc.subr
@@ -27,7 +29,9 @@ load_rc_config $name
 : ${stunnel_enable="NO"}
 : ${stunnel_config="%%ETCDIR%%/${name}.conf"}
-: ${stunnel_pidfile="/var/run/${name}.pid"}
+: ${stunnel_pidfile="%%STUNNEL_PIDFILE%%"}
+: ${stunnel_uid="%%STUNNEL_USER%%"}
+: ${stunnel_gid="%%STUNNEL_GROUP%%"}
 command="%%PREFIX%%/bin/stunnel"
 command_args=${stunnel_config}
@@ -35,4 +39,14 @@ pidfile=${stunnel_pidfile}
 required_files="${stunnel_config}"
+start_precmd=stunnel_start_precmd
+
+stunnel_start_precmd () {
+ local piddir
+ piddir=`/usr/bin/dirname "${pidfile}"`
+ if [ ! -d "${piddir}" ] ; then
+ /usr/bin/install -d -o "${stunnel_uid}" -g "${stunnel_gid}" "${piddir}"
+ fi
+}
+
 run_rc_command "$1"
diff --git a/security/stunnel/pkg-plist b/security/stunnel/pkg-plist
index f886b2582c5a..2e74830fd335 100644
--- a/security/stunnel/pkg-plist
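Review bot: The new daemon.conf.in turns on privilege dropping with bare `setuid`/`setgid` lines and no comment, yet these are global options that stunnel only applies when they precede the first service section; whether the `00-` prefix guarantees that depends on how the installed stunnel.conf includes conf.d, which is outside this diff. A short header in the template would make the contract visible to administrators, e.g. `; Installed by the port: drop to %%STUNNEL_USER%%/%%STUNNEL_GROUP%% after start-up.` followed by `; Keep in sync with stunnel_uid/stunnel_gid in rc.conf, which own the pid directory.` Worth adding, hedged against the upstream manual, that certificate and key files referenced by service sections must stay readable by that account if configuration reload after start-up is relied on, since stunnel would then be running unprivileged.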
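Review bot: The added `stunnel_uid`/`stunnel_gid` entries in the stunnel.in header describe only their defaults; in this script (second and third hunk) the two variables are used solely as the `-o`/`-g` owner of the pid directory, while the account stunnel actually drops to comes from `setuid`/`setgid` in conf.d/00-daemon.conf. An administrator who overrides one side in rc.conf without editing the other ends up with a pid directory the unprivileged daemon cannot write to, and nothing in the script flags the mismatch. Suggest stating the coupling next to the defaults: `#			Must match 'setuid'/'setgid' in conf.d/00-daemon.conf;` and `#			only used to own the pid file directory.`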
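Review bot: `stunnel_start_precmd` in the third stunnel.in hunk hands ownership of the pid directory to the service account only when the directory is absent; an existing `/var/run/stunnel` with different ownership (left over from a root-owned run, or after stunnel_uid was changed in rc.conf) is kept as is, so a later pid-file write or unlink by the dropped-privilege daemon would fail with no diagnostic from this script. The handover itself deserves a why-comment, because a root-started daemon writing its pid file inside a directory owned by an unprivileged account is exactly the layout a symlink attack needs if that account is compromised; which side of the setuid stunnel creates the pid on is not visible here and should be checked against the manual before the comment is worded. Suggest replacing the `if` block with an unconditional `/usr/bin/install -d -m 0755 -o "${stunnel_uid}" -g "${stunnel_gid}" "${piddir}"` (FreeBSD install(1) with -d re-applies owner and mode to an existing directory, as far as I recall) preceded by `# pid dir is owned by ${stunnel_uid} so the daemon can remove its pid file after dropping privileges`.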
+++ b/security/stunnel/pkg-plist
@@ -1,7 +1,7 @@
 bin/stunnel
 bin/stunnel3
 %%ETCDIR%%/stunnel.conf-sample
-%%ETCDIR%%/conf.d/00-pid.conf
+%%ETCDIR%%/conf.d/00-daemon.conf
 lib/stunnel/libstunnel.a
 lib/stunnel/libstunnel.so
 man/man8/stunnel.8.gz
-- 
cgit v1.2.3