Bug 247140 - security/honeytrap: Add option to run service as root
Summary: security/honeytrap: Add option to run service as root
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Steve Wills
URL:
Keywords: buildisok
Depends on:
Blocks:
 
Reported: 2020-06-10 09:17 UTC by ezri.mudde
Modified: 2020-10-01 23:52 UTC (History)
2 users (show)

See Also:
swills: maintainer-feedback?

Attachments
patch (1.42 KB, patch)
2020-06-10 09:17 UTC, ezri.mudde 		no flags Details | Diff
patch 2 (1.36 KB, patch)
2020-07-21 15:09 UTC, ezri.mudde 		no flags Details | Diff
patch 3 (4.05 KB, patch)
2020-07-22 12:32 UTC, ezri.mudde 		no flags Details | Diff
proposed patch (9.00 KB, patch)
2020-08-02 16:38 UTC, Steve Wills 		no flags Details | Diff
fixed proposed patch (10.77 KB, patch)
2020-08-11 11:12 UTC, ezri.mudde 		no flags Details | Diff
slight update (9.00 KB, patch)
2020-08-15 19:13 UTC, Steve Wills 		no flags Details | Diff
patch which builds with Go 1.15 (17.45 KB, patch)
2020-08-15 19:21 UTC, Steve Wills 		no flags Details | Diff
Show Obsolete (6) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description ezri.mudde 2020-06-10 09:17:13 UTC 
Created attachment 215417 [details]
patch

This patch adds the option to run the service as root. This enables the service to bind to system ports.
Comment 1 Bugzilla Automation freebsd_committer freebsd_triage 2020-06-10 09:17:13 UTC 
Maintainer informed via mail
Comment 2 Steve Wills freebsd_committer freebsd_triage 2020-06-11 02:12:45 UTC 
Doesn't rc.subr handle this for you? The man page documents ${name}_user and /etc/rc.subr calls "su -m $_user ...".
Comment 3 ezri.mudde 2020-07-20 07:47:52 UTC 
I didn't know that, wasn't in the rc.d scripting guide. I'm not sure when I'll be able to change the port to use that instead.
Comment 4 ezri.mudde 2020-07-21 15:09:09 UTC 
Created attachment 216631 [details]
patch 2

Removed code in honetrap.in from previous patch and rewrite it
Comment 5 ezri.mudde 2020-07-22 12:32:39 UTC 
Created attachment 216661 [details]
patch 3

Update to latest HoneyTrap version, add go build flags and patch for build constants.
Comment 6 Steve Wills freebsd_committer freebsd_triage 2020-08-02 16:38:14 UTC 
Created attachment 216962 [details]
proposed patch

(In reply to ezri.mudde from comment #5)
Thanks for the patch!

FWIW, the Porters Handbook:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/rc-scripts.html

and the Scripting Guide:

https://www.freebsd.org/doc/en_US.ISO8859-1/articles/rc-scripting/article.html

do reference the rc.subr(8) man page:

https://www.freebsd.org/cgi/man.cgi?query=rc.subr&sektion=8&manpath=freebsd-release-ports

which documents ${name}_user.

Also, I've made some improvements to the Makefile and the rc script, please take a look and test if you can. Seems to work OK for me. Still waiting on maintainer (remco.verhoef@dutchsec.com) feedback, but maybe that will time out.
Comment 7 Steve Wills freebsd_committer freebsd_triage 2020-08-02 16:40:54 UTC 
(In reply to Steve Wills from comment #6)
Or perhaps remco.verhoef@dutchsec.com is you? It's not clear to me why the maintainer line in the port doesn't match here.
Comment 8 ezri.mudde 2020-08-04 07:17:05 UTC 
He's my boss and usually pretty busy, I'll see if I can get him to approve the patch.
Comment 9 ezri.mudde 2020-08-04 11:01:14 UTC 
(In reply to Steve Wills from comment #7)
I talked with my boss and said I could change the maintainer to me. I'll test your patch and change the maintainer after.
Comment 10 ezri.mudde 2020-08-11 11:12:19 UTC 
Created attachment 217154 [details]
fixed proposed patch

Because of load order honeytrap_syslog_output_flags was never added to command_args, fixed that by redefining command_arg when honeytrap_syslog_output_flags is defined. I also changed the maintainer to me.
Comment 11 Steve Wills freebsd_committer freebsd_triage 2020-08-15 19:13:09 UTC 
Created attachment 217238 [details]
slight update

Made one small change to the rc script to avoid redundancy. Also, it seems to fail to build with go 1.15:

[00:00:13] vendor/gvisor.dev/gvisor/pkg/linewriter/linewriter.go:28:2: undefined: "gvisor.dev/gvisor/pkg/sync".Mutex
[00:00:14] vendor/gvisor.dev/gvisor/pkg/waiter/waiter.go:178:7: undefined: "gvisor.dev/gvisor/pkg/sync".RWMutex

Can you take a look? Thanks!
Comment 12 Steve Wills freebsd_committer freebsd_triage 2020-08-15 19:21:53 UTC 
Created attachment 217239 [details]
patch which builds with Go 1.15

Ignore my previous message, found the issue with Go 1.15, see attached.
Comment 13 ezri.mudde 2020-10-01 13:52:06 UTC 
(In reply to Steve Wills from comment #12)
Sorry for the long wait but your fix seems okay to me.
Comment 14 commit-hook freebsd_committer freebsd_triage 2020-10-01 23:51:23 UTC 
A commit references this bug:

Author: swills
Date: Thu Oct  1 23:50:37 UTC 2020
New revision: 550881
URL: https://svnweb.freebsd.org/changeset/ports/550881

Log:
  security/honeytrap: multiple changes

  * Improve rc script
  * Clean up
  * Pass maintainership to submitter
  * Fix build with newer Go

  PR:		247140
  PR:		248948
  Submitted by:	ezri.mudde@dutchsec.com
  Approved by:	remco.verhoef@dutchsec.com (maintainer)

Changes:
  head/security/honeytrap/Makefile
  head/security/honeytrap/distinfo
  head/security/honeytrap/files/etc/
  head/security/honeytrap/files/honeytrap.in
  head/security/honeytrap/files/honeytrap.toml
  head/security/honeytrap/files/patch-cmd_constants.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sentry_platform_kvm_bluepill__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sentry_platform_kvm_machine__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sentry_platform_ptrace_subprocess__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sentry_vfs_mount__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sleep_sleep__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sync_downgradable__rwmutex__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sync_memmove__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sync_tmutex__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_tcpip_link_rawfile_blockingpoll__yield__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_tcpip_time__unsafe.go
Comment 15 Steve Wills freebsd_committer freebsd_triage 2020-10-01 23:52:26 UTC 
Committed, thanks!