www/uwsgi: Further rc script security improvements
This update introduces a dedicated user for uwsgi and adds the uwsgi_socket_owner setting, which by default is set to www:www. The previous change of the socket mode to 600 has been modified to 660 as well. This change further increases security while restoring compatibility. MFH: 2017Q1 Differential Revision: https://reviews.freebsd.org/D9398
This commit is contained in:
parent
071bb21265
commit
343a84548d
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=433172
2
GIDs
2
GIDs
|
@ -106,7 +106,7 @@ solr:*:161:
|
|||
octoprint:*:162:
|
||||
_iked:*:163:
|
||||
lightdm:*:164:
|
||||
# free: 165
|
||||
uwsgi:*:165:
|
||||
# free: 166
|
||||
# free: 167
|
||||
# free: 168
|
||||
|
|
2
UIDs
2
UIDs
|
@ -111,7 +111,7 @@ solr:*:161:161::0:0:Apache Solr System:/var/db/solr:/usr/sbin/nologin
|
|||
octoprint:*:162:162::0:0:OctoPrint Daemon:/usr/local/octoprint:/usr/sbin/nologin
|
||||
_iked:*:163:163::0:0:IKEv2 Daemon:/var/empty:/usr/sbin/nologin
|
||||
lightdm:*:164:164::0:0:Light Display Manager:/var/lib/lightdm-data:/usr/sbin/nologin
|
||||
# free: 165
|
||||
uwsgi:*:165:165::0:0:uwsgi Daemon:/nonexistent:/usr/sbin/nologin
|
||||
# free: 166
|
||||
# free: 167
|
||||
# free: 168
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
PORTNAME= uwsgi
|
||||
PORTVERSION= 2.0.14
|
||||
PORTREVISION= 1
|
||||
PORTREVISION= 2
|
||||
CATEGORIES= www python
|
||||
MASTER_SITES= http://projects.unbit.it/downloads/
|
||||
|
||||
|
@ -17,6 +17,9 @@ USES= python ssl
|
|||
USE_PYTHON= distutils
|
||||
USE_RC_SUBR= uwsgi
|
||||
|
||||
USERS= uwsgi
|
||||
GROUPS= uwsgi
|
||||
|
||||
OPTIONS_DEFINE= DEBUG JSON PCRE XML
|
||||
|
||||
DEBUG_VARS= PYDISTUTILS_BUILDARGS+=--debug
|
||||
|
|
|
@ -14,14 +14,16 @@
|
|||
# Default is /tmp/uwsgi.sock.
|
||||
# uwsgi_socket_mode (int): Set the mode of the socket.
|
||||
# Default is 600.
|
||||
# uwsgi_socket_owner (str): Set the owner of the socket.
|
||||
# Default is www:www.
|
||||
# uwsgi_logfile (path): Set the path to the uwsgi log file
|
||||
# Default is /var/log/uwsgi.log.
|
||||
# uwsgi_pidfile (path): Set the path to the uwsgi pid file
|
||||
# Default is /var/run/uwsgi.pid.
|
||||
# uwsgi_uid (int): Set the UID of the process to run with
|
||||
# Default is 80.
|
||||
# Default is 165 (uwsgi).
|
||||
# uwsgi_gid (int): Set the GID of the process to run with
|
||||
# Default is 80.
|
||||
# Default is 165 (uwsgi).
|
||||
# uwsgi_flags (str): Set the uwsgi command line arguments
|
||||
# Default is "-M -L".
|
||||
# uwsgi_procname (str): Define to "uWSGI" if you start uwsgi with
|
||||
|
@ -47,11 +49,12 @@ command=%%PREFIX%%/bin/uwsgi
|
|||
: ${uwsgi_enable="NO"}
|
||||
: ${uwsgi_profiles=""}
|
||||
: ${uwsgi_socket="/tmp/${name}.sock"}
|
||||
: ${uwsgi_socket_mode="600"}
|
||||
: ${uwsgi_socket_mode="660"}
|
||||
: ${uwsgi_socket_owner="www:www"}
|
||||
: ${uwsgi_logfile="/var/log/${name}.log"}
|
||||
: ${uwsgi_pidfile="/var/run/${name}.pid"}
|
||||
: ${uwsgi_uid="80"}
|
||||
: ${uwsgi_gid="80"}
|
||||
: ${uwsgi_uid="165"}
|
||||
: ${uwsgi_gid="165"}
|
||||
: ${uwsgi_flags="-M -L"}
|
||||
: ${uwsgi_procname="${command}"}
|
||||
|
||||
|
@ -75,7 +78,8 @@ if [ -n "${uwsgi_profiles}" ]; then
|
|||
exit 1
|
||||
fi
|
||||
eval uwsgi_socket=\${uwsgi_${profile}_socket:-"/tmp/${name}-${profile}.sock"}
|
||||
eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"600"}
|
||||
eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"660"}
|
||||
eval uwsgi_socket_owner=\${uwsgi_${profile}_socket_owner:-"www:www"}
|
||||
eval uwsgi_logfile=\${uwsgi_${profile}_logfile:-"/var/log/${name}-${profile}.log"}
|
||||
eval uwsgi_pidfile=\${uwsgi_${profile}_pidfile:-"/var/run/${name}-${profile}.pid"}
|
||||
eval uwsgi_uid=\${uwsgi_${profile}_uid:-"${uwsgi_uid}"}
|
||||
|
@ -92,7 +96,7 @@ if [ -n "${uwsgi_profiles}" ]; then
|
|||
fi
|
||||
|
||||
command=%%PREFIX%%/bin/uwsgi
|
||||
command_args="--pidfile ${uwsgi_pidfile} -s ${uwsgi_socket} --chmod-socket=${uwsgi_socket_mode} -d ${uwsgi_logfile} --uid ${uwsgi_uid} --gid ${uwsgi_gid}"
|
||||
command_args="--pidfile ${uwsgi_pidfile} -s ${uwsgi_socket} --chmod-socket=${uwsgi_socket_mode} --chown-socket=${uwsgi_socket_owner} -d ${uwsgi_logfile} --uid ${uwsgi_uid} --gid ${uwsgi_gid}"
|
||||
pidfile=${uwsgi_pidfile}
|
||||
stop_postcmd=stop_postcmd
|
||||
reload_precmd=reload_precmd
|
||||
|
|
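Review bot: The per-profile fallbacks in the profile hunk hard-code the same literals as the global defaults ("660" and "www:www" appear both in `: ${uwsgi_socket_mode="660"}` / `: ${uwsgi_socket_owner="www:www"}` and again in the `eval ... _socket_mode:-"660"` / `... _socket_owner:-"www:www"` lines), so editing one default silently diverges from the other. The `uwsgi_uid` line in the same hunk already falls back to the global variable (`:-"${uwsgi_uid}"`), and the two new eval lines could follow it: `eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"${uwsgi_socket_mode}"}` and `eval uwsgi_socket_owner=\${uwsgi_${profile}_socket_owner:-"${uwsgi_socket_owner}"}`, assuming, as the uid line already does, that this branch runs once per invocation. Separately, `uwsgi_socket_owner` is spliced unquoted into `command_args` behind `--chown-socket=`, and it is operator-supplied from rc.conf, so the header block should state the constraint, e.g. `# Passed verbatim to uwsgi --chown-socket as user:group; must not contain whitespace.` The enclosing `if [ -n "${uwsgi_profiles}" ]` block starts and ends outside the hunk.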