
lang/erlang: enhance epmd security

- Add dedicated beam user (UID/GID 372) for non-root execution
- Use daemon(8) for epmd process supervision and auto-restart

This addresses security concerns with epmd running as root by
providing privilege separation and automatic restart capability.

PR:		213001
Reviewed by:	dch
Differential Revision:	https://reviews.freebsd.org/D50874
overlay
Jimmy Olgeni 3 days ago
parent
commit
302b0049a9
  1. 2
      GIDs
  2. 2
      UIDs
  3. 5
      lang/erlang/Makefile
  4. 24
      lang/erlang/files/epmd.in

2
GIDs

@ -312,7 +312,7 @@ sshesame:*:368:
neo4j:*:369:
_wsdd:*:370:
reposilite:*:371:
# free: 372
beam:*:372:
# free: 373
# free: 374
# free: 375

2
UIDs

@ -318,7 +318,7 @@ sshesame:*:368:368::0:0:Sshesame Daemon:/nonexistent:/usr/sbin/nologin
neo4j:*:369:369::0:0:neo4j Database Daemon:/nonexistent:/usr/sbin/nologin
_wsdd:*:370:370::0:0:Web Service Discovery Daemon:/nonexistent:/usr/sbin/nologin
reposilite:*:371:371::0:0:Reposilite user:/nonexistent:/usr/sbin/nologin
# free: 372
beam:*:372:372::0:0:Erlang BEAM VM user:/nonexistent:/usr/sbin/nologin
# free: 373
# free: 374
# free: 375

5
lang/erlang/Makefile

@ -1,7 +1,7 @@
PORTNAME= erlang
DISTVERSIONPREFIX= OTP-
DISTVERSION= 26.2.5.12
PORTREVISION= 1
PORTREVISION= 2
PORTEPOCH= 4
CATEGORIES= lang parallel java
DIST_SUBDIR= erlang
@ -38,6 +38,9 @@ SUB_LIST= _TOOLS_VSN=${_TOOLS_VSN}
WRKSRC= ${WRKSRC_otp}
USERS= beam
GROUPS= beam
_EI_VSN= 5.5.1
_SNMP_VSN= 5.15
_TOOLS_VSN= 3.6

24
lang/erlang/files/epmd.in

@ -8,7 +8,7 @@
# epmd_enable="YES"
#
# Configure optional flags with:
# epmd_flags="-address 127.0.0.1"
# epmd_opts="-address 127.0.0.1"
. /etc/rc.subr
@ -18,10 +18,24 @@ rcvar=epmd_enable
load_rc_config ${name}
: ${epmd_enable="NO"}
: ${epmd_flags:-""}
: ${epmd_opts:-""}
: ${epmd_user="beam"}
procname=%%PREFIX%%/bin/epmd
start_cmd="%%PREFIX%%/bin/epmd -daemon ${epmd_flags}"
stop_cmd="%%PREFIX%%/bin/epmd -kill >/dev/null"
procname="daemon"
pidfile="/var/run/epmd/epmd.pid"
command="/usr/sbin/daemon"
command_args="-f -r -P ${pidfile} %%PREFIX%%/bin/epmd ${epmd_opts}"
command_user="${epmd_user}"
start_precmd="epmd_precmd"
epmd_precmd()
{
if [ ! -d "/var/run/epmd" ]; then
install -d -o ${epmd_user} -g ${epmd_user} /var/run/epmd
fi
# Ensure beam user can write pidfile
install -m 644 -g ${epmd_user} -o ${epmd_user} /dev/null ${pidfile}
}
run_rc_command "$1"
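Review bot: The pidfile at `pidfile="/var/run/epmd/epmd.pid"` is deliberately made writable by the unprivileged beam user (the `install -m 644 ... -o ${epmd_user} /dev/null ${pidfile}` line in epmd_precmd, per its own comment), yet rc.subr later reads it as root for stop/status, so a compromised epmd could redirect a root-issued kill at another process; with `procname="daemon"` the pid sanity check would presumably accept any daemon(8) supervisor, which weakens that safeguard. daemon(8) can drop privileges itself with `-u`, which keeps the supervisor and its pidfile root-owned and removes the need for the precmd: `pidfile="/var/run/epmd.pid"` and `command_args="-f -r -P ${pidfile} -u ${epmd_user} %%PREFIX%%/bin/epmd ${epmd_opts}"`, after which `command_user`, `start_precmd` and the epmd_precmd function can be dropped. If the precmd is kept instead, its expansions should be quoted, e.g. `install -d -o "${epmd_user}" -g "${epmd_user}" /var/run/epmd`. Separately, `: ${epmd_opts:-""}` does not assign a default (it only expands); `: ${epmd_opts=""}` matches the intent of the neighbouring `: ${epmd_user="beam"}` line.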
