Bug 128108 - [patch] net/rabbitmq runs as root, but can be unprivileged
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Wesley Shields
Reported: 2008-10-15 01:00 UTC by Nick Barkas
Modified: 2008-10-29 01:10 UTC

Attachments
rabbitmq.diff (3.14 KB, patch)
2008-10-15 01:00 UTC, Nick Barkas
GIDs.diff (223 bytes, patch)
2008-10-15 01:00 UTC, Nick Barkas

Description Nick Barkas 2008-10-15 01:00:07 UTC
The net/rabbitmq port installs RabbitMQ in such a way as it will be run as root
unless some post-install tweaks are made. The included patches change the port
such that it will run as a dedicated rabbitmq user. This user will be created if
it does not exist (see UIDs and GIDs patches for the UID/GID reserved for this
user), permissions will be changed as needed on /var/db/rabbitmq and
/var/log/rabbitmq, and the start-up script will use this new account as well. 

Note that rabbitmqctl should be run as the same user as the server runs as.
Also, rabbitmqctl must use the same .erlang.cookie file as the server. A good
way to run rabbitmqctl is: sudo -H -u rabbitmq rabbitmqctl ...

Fix: --- UIDs.orig	2008-10-15 01:21:26.000000000 +0200
+++ UIDs	2008-10-15 01:21:56.000000000 +0200
@@ -74,6 +74,7 @@
 _spamd:*:132:132::0:0:Spam Daemon:/var/empty:/usr/sbin/nologin
 freeradius:*:133:133::0:0:FreeRADIUS Daemon:/nonexistent:/usr/sbin/nologin
 undernet:*:134:134::0:0:Undernet ircu Daemon:/nonexistant:/usr/sbin/nologin
+rabbitmq:*:135:135::0:0:RabbitMQ:/var/db/rabbitmq:/usr/sbin/nologin
 cricket:*:141:80::0:0:Cricket Monitoring User:/usr/local/cricket:/usr/sbin/nologin
 dovecot:*:143:143::0:0:Dovecot User:/var/empty:/usr/sbin/nologin
 rbldns:*:153:153::0:0:rbldnsd pseudo-user:/nonexistent:/usr/sbin/nologin
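Review bot: the added rabbitmq line sets the home directory to /var/db/rabbitmq, a directory the daemon writes to, where the neighbouring entries in this hunk use /var/empty or /nonexistent. The description implies this is deliberate (rabbitmqctl is run with sudo -H so that it finds the same .erlang.cookie as the server), so it would help to say that in the commit log or the port's pkg-message, and to confirm the port creates that directory owned by rabbitmq before the first start. The entry also references GID 135, which only resolves once the matching GIDs change lands, so both files should go in together. As a style point, the comment field could read "RabbitMQ Daemon" to match the entries around it.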
--- UIDs.diff ends here ---
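The post-install state described in this report can be checked with a short audit; the following is an added example, not part of the submitted patch or the port. The function names and the staging-prefix argument are hypothetical, and the cookie path assumes the cookie sits in the account's home directory as set by the UIDs entry above.

```shell
#!/bin/sh
# Added example: audit the layout this PR describes. ROOT is a hypothetical
# staging prefix (use "" on a live system); function names are illustrative.

owner_of() { ls -ld "$1" | awk '{print $3}'; }

# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_rabbitmq() {
    root=$1; user=$2; rc=0
    for d in "$root/var/db/rabbitmq" "$root/var/log/rabbitmq"; do
        if [ ! -d "$d" ]; then
            echo "MISSING $d"; rc=1
        elif [ "$(owner_of "$d")" != "$user" ]; then
            echo "OWNER $d is $(owner_of "$d"), expected $user"; rc=1
        fi
    done
    # Assumption: the cookie sits in the account's home directory, which the
    # UIDs entry sets to /var/db/rabbitmq. It may be absent before first start.
    cookie="$root/var/db/rabbitmq/.erlang.cookie"
    if [ -f "$cookie" ]; then
        if [ "$(owner_of "$cookie")" != "$user" ]; then
            echo "OWNER $cookie is $(owner_of "$cookie"), expected $user"; rc=1
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        if [ "$(ls -ld "$cookie" | cut -c5-10)" != "------" ]; then
            echo "MODE $cookie is accessible beyond its owner"; rc=1
        fi
    fi
    return $rc
}

# Usage on a live system: audit_rabbitmq "" rabbitmq
```

A non-zero return with an OWNER line for either directory means the server would still need root, or a manual chown, to write there.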
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2008-10-15 01:00:51 UTC
Maintainer of net/rabbitmq,

Please note that PR ports/128108 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/128108

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2008-10-15 01:00:52 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 3 Phillip N. 2008-10-26 01:05:29 UTC
Looks great, thanks!
Comment 4 Wesley Shields freebsd_committer freebsd_triage 2008-10-26 01:07:43 UTC
Responsible Changed
From-To: freebsd-ports-bugs->wxs

I'll take it.
Comment 5 dfilter service freebsd_committer freebsd_triage 2008-10-29 01:01:45 UTC
wxs         2008-10-29 01:01:35 UTC

  FreeBSD ports repository

  Modified files:
    .                    UIDs GIDs 
    net/rabbitmq         Makefile 
    net/rabbitmq/files   rabbitmq.in 
  Log:
  - Add UID and GID entries for net/rabbitmq.
  - Convince RC script to use rabbitmq user.
  
  PR:             ports/128108
  Submitted by:   Nick Barkas <snb@threerings.net>
  Approved by:    Phillip N. <pneumann@gmail.com> (maintainer)
  
  Revision  Changes    Path
  1.64      +2 -1      ports/GIDs
  1.76      +2 -1      ports/UIDs
  1.4       +9 -3      ports/net/rabbitmq/Makefile
  1.3       +6 -17     ports/net/rabbitmq/files/rabbitmq.in
Comment 6 Wesley Shields freebsd_committer freebsd_triage 2008-10-29 01:03:28 UTC
State Changed
From-To: feedback->closed

Committed. Thanks!