From 302b0049a9a0caaf4d1dc79822964631053ab73a Mon Sep 17 00:00:00 2001
From: Jimmy Olgeni
Date: Tue, 24 Jun 2025 11:55:11 +0200
Subject: [PATCH] lang/erlang: enhance epmd security
- Add dedicated beam user (UID/GID 372) for non-root execution
- Use daemon(8) for epmd process supervision and auto-restart
This addresses security concerns with epmd running as root by providing privilege separation and automatic restart capability.
PR: 213001
Reviewed by: dch
Differential Revision: https://reviews.freebsd.org/D50874
---
 GIDs | 2 +-
 UIDs | 2 +-
 lang/erlang/Makefile | 5 ++++-
 lang/erlang/files/epmd.in | 24 +++++++++++++++++++-----
 4 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/GIDs b/GIDs
index d5328e3ed06e..676af70a80a4 100644
--- a/GIDs
+++ b/GIDs
@@ -312,7 +312,7 @@ sshesame:*:368:
 neo4j:*:369:
 _wsdd:*:370:
 reposilite:*:371:
-# free: 372
+beam:*:372:
 # free: 373
 # free: 374
 # free: 375
diff --git a/UIDs b/UIDs
index 01361b61e621..ba84ebfec8c4 100644
--- a/UIDs
+++ b/UIDs
@@ -318,7 +318,7 @@ sshesame:*:368:368::0:0:Sshesame Daemon:/nonexistent:/usr/sbin/nologin
 neo4j:*:369:369::0:0:neo4j Database Daemon:/nonexistent:/usr/sbin/nologin
 _wsdd:*:370:370::0:0:Web Service Discovery Daemon:/nonexistent:/usr/sbin/nologin
 reposilite:*:371:371::0:0:Reposilite user:/nonexistent:/usr/sbin/nologin
-# free: 372
+beam:*:372:372::0:0:Erlang BEAM VM user:/nonexistent:/usr/sbin/nologin
 # free: 373
 # free: 374
 # free: 375
diff --git a/lang/erlang/Makefile b/lang/erlang/Makefile
index 0136bd7d1fcc..324e1807ff1c 100644
--- a/lang/erlang/Makefile
+++ b/lang/erlang/Makefile
@@ -1,7 +1,7 @@
 PORTNAME= erlang
 DISTVERSIONPREFIX= OTP-
 DISTVERSION= 26.2.5.12
-PORTREVISION= 1
+PORTREVISION= 2
 PORTEPOCH= 4
 CATEGORIES= lang parallel java
 DIST_SUBDIR= erlang
@@ -38,6 +38,9 @@ SUB_LIST= _TOOLS_VSN=${_TOOLS_VSN}
 
 WRKSRC= ${WRKSRC_otp}
 
+USERS= beam
+GROUPS= beam
+
 _EI_VSN= 5.5.1
 _SNMP_VSN= 5.15
 _TOOLS_VSN= 3.6
diff --git a/lang/erlang/files/epmd.in b/lang/erlang/files/epmd.in
index 15bf2c1bf1ae..1c9dc45c45bc 100644
--- a/lang/erlang/files/epmd.in
+++ b/lang/erlang/files/epmd.in
@@ -8,7 +8,7 @@
 # epmd_enable="YES"
 #
 # Configure optional flags with:
-# epmd_flags="-address 127.0.0.1"
+# epmd_opts="-address 127.0.0.1"
 
 . /etc/rc.subr
 
@@ -18,10 +18,24 @@ rcvar=epmd_enable
 load_rc_config ${name}
 
 : ${epmd_enable="NO"}
-: ${epmd_flags:-""}
+: ${epmd_opts:-""}
+: ${epmd_user="beam"}
 
-procname=%%PREFIX%%/bin/epmd
-start_cmd="%%PREFIX%%/bin/epmd -daemon ${epmd_flags}"
-stop_cmd="%%PREFIX%%/bin/epmd -kill >/dev/null"
+procname="daemon"
+pidfile="/var/run/epmd/epmd.pid"
+command="/usr/sbin/daemon"
+command_args="-f -r -P ${pidfile} %%PREFIX%%/bin/epmd ${epmd_opts}"
+command_user="${epmd_user}"
+
+start_precmd="epmd_precmd"
+
+epmd_precmd()
+{
+ if [ ! -d "/var/run/epmd" ]; then
+ install -d -o ${epmd_user} -g ${epmd_user} /var/run/epmd
+ fi
+ # Ensure beam user can write pidfile
+ install -m 644 -g ${epmd_user} -o ${epmd_user} /dev/null ${pidfile}
+}
 
 run_rc_command "$1"
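Review bot: The pidfile that rc.subr consults for stop/status lives in /var/run/epmd, which epmd_precmd hands over to ${epmd_user} (both the directory and the file are chowned to it), so the unprivileged service account controls the pid value that root later trusts, subject only to rc.subr's procname check against the generic name `daemon`. Running the supervisor as root with `daemon -u ${epmd_user}` instead of command_user would keep ${pidfile} in root-owned /var/run and make the second install in epmd_precmd unnecessary; if the current layout is intentional, a comment such as `# pidfile is owned by ${epmd_user}: daemon(8) itself runs unprivileged and must write it` would document the trade-off. Separately, `: ${epmd_opts:-""}` is a no-op because `:-` expands without assigning, unlike the `=` form used on the neighbouring defaults; `: ${epmd_opts=""}` is presumably what was meant. Existing rc.conf entries that still set epmd_flags will now appear to be appended by rc.subr to the daemon(8) command line rather than to epmd's, which looks like the reason for the rename; a one-line migration hint in the header comment would spare users a failed start.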