By default the port will run as root and is therefore able to write a pid file in /var/run. However, when setting setuid in the config file as recommended, this is not possible. It seems the pid file is not written by stunnel before dropping privileges. I'm not sure what the best fix for this would be, but it'd be great if I could run stunnel as non-root.
Created attachment 222319: patch for security/stunnel

Define the default PID file and make substitutions. Create a one-level directory where PID files can be written.
Not that it matters, but the following command will give you the port of the stunnel that root started.

    sockstat -l | grep \^root\ \*stunnel
Created attachment 227394: patch for security/stunnel

It was regenerated in git.
Yeah, looks a bit weird: port installation creates the stunnel user and group, but they're not used by default, and adding the configuration to run stunnel under them results in this permission error. I've fixed it on my end by creating a subfolder in /var/run and changing the path in the rc.d script (just like in the proposed patch). Would be great if this gets fixed on the port side too. Preferably, it should also not run as root by default.
Committed + implemented dropping privs by default.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7b6aed9ac322d8a3820d8f0615eb623bb815f7ee

commit 7b6aed9ac322d8a3820d8f0615eb623bb815f7ee
Author: Ryan Steinmetz <zi@FreeBSD.org>
AuthorDate: 2022-07-11 13:41:15 +0000
Commit: Ryan Steinmetz <zi@FreeBSD.org>
CommitDate: 2022-07-11 13:41:15 +0000

security/stunnel: Drop privs by default, update PID file location

- Document changes in UPDATING

PR: 249151
Reported by: Tatsuki Makino <tatsuki_makino@hotmail.com>

UPDATING | 13 +++++++++++++
security/stunnel/Makefile | 9 +++++++--
security/stunnel/files/daemon.conf.in (new) | 3 +++
security/stunnel/files/pid.conf (gone) | 1 -
security/stunnel/files/stunnel.in | 18 ++++++++++++++++--
security/stunnel/pkg-plist | 2 +-
6 files changed, 40 insertions(+), 6 deletions(-)
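A check for the condition this thread describes, added here as an illustration and not taken from the port's rc.d script or the committed patch: it reads the global pid/setuid/setgid options of an stunnel.conf, verifies that the pid file's directory is owned by the setuid user, and creates that directory as the one-level subdirectory the patch proposes when it is missing. The function names, the constructed config and the paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the port or the committed patch): check that the
# pid file named in an stunnel.conf can still be written after stunnel drops
# privileges via setuid/setgid, and fix it by creating a dedicated
# subdirectory owned by that user, as the thread's patch does under /var/run.

# conf_value CONF KEY: print KEY's value from the global section (the lines
# before the first "[service]" header); empty if it is not set there.
conf_value() {
    sed -n -e '/^[[:space:]]*\[/q' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# pid_dir_ok CONF: 0 if the pid directory exists and is owned by the setuid
# user (or stunnel keeps running as root because setuid is unset);
# 1 if the directory is missing or owned by someone else; 2 if no pid option
# is set, in which case stunnel would rely on its compiled-in default path.
pid_dir_ok() {
    pid=$(conf_value "$1" pid)
    [ -n "$pid" ] || return 2
    user=$(conf_value "$1" setuid)
    dir=$(dirname "$pid")
    [ -d "$dir" ] || return 1
    if [ -z "$user" ]; then
        return 0      # still root: /var/run itself is writable
    fi
    # The owner column of "ls -ld" reads the same on FreeBSD and Linux.
    owner=$(ls -ld "$dir" | awk '{ print $3 }')
    [ "$owner" = "$user" ]
}

# pid_dir_prepare CONF: create the pid directory owned by setuid:setgid,
# the same shape as the patch's one-level directory under /var/run.
pid_dir_prepare() {
    pid=$(conf_value "$1" pid)
    user=$(conf_value "$1" setuid)
    group=$(conf_value "$1" setgid)
    [ -n "$pid" ] && [ -n "$user" ] || return 2
    [ -n "$group" ] || group=$(id -gn "$user")   # fall back to user's group
    dir=$(dirname "$pid")
    mkdir -p "$dir" || return 1
    chown "$user:$group" "$dir" || return 1
    chmod 0755 "$dir"
}
```

Run pid_dir_ok against the live stunnel.conf before starting the daemon; a non-zero status means the pid file would fail exactly as reported in the first comment.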