Bug 247140

Summary: security/honeytrap: Add option to run service as root
Product: Ports & Packages Reporter: ezri.mudde
Component: Individual Port(s)Assignee: Steve Wills <swills>
Status: Closed FIXED    
Severity: Affects Only Me CC: swills, tagattie
Priority: --- Keywords: buildisok
Version: LatestFlags: swills: maintainer-feedback?
Hardware: Any   
OS: Any   
Attachments:
Description Flags
patch
none
patch 2
none
patch 3
none
proposed patch
none
fixed proposed patch
none
slight update
none
patch which builds with Go 1.15 none

Description ezri.mudde 2020-06-10 09:17:13 UTC 
Created attachment 215417 [details]
patch

This patch adds the option to run the service as root. This enables the service to bind to system ports.
Comment 1 Bugzilla Automation freebsd_committer freebsd_triage 2020-06-10 09:17:13 UTC 
Maintainer informed via mail
Comment 2 Steve Wills freebsd_committer freebsd_triage 2020-06-11 02:12:45 UTC 
Doesn't rc.subr handle this for you? The man page documents ${name}_user and /etc/rc.subr calls "su -m $_user ...".
Comment 3 ezri.mudde 2020-07-20 07:47:52 UTC 
I didn't know that, wasn't in the rc.d scripting guide. I'm not sure when I'll be able to change the port to use that instead.
Comment 4 ezri.mudde 2020-07-21 15:09:09 UTC 
Created attachment 216631 [details]
patch 2

Removed code in honetrap.in from previous patch and rewrite it
Comment 5 ezri.mudde 2020-07-22 12:32:39 UTC 
Created attachment 216661 [details]
patch 3

Update to latest HoneyTrap version, add go build flags and patch for build constants.
Comment 6 Steve Wills freebsd_committer freebsd_triage 2020-08-02 16:38:14 UTC 
Created attachment 216962 [details]
proposed patch

(In reply to ezri.mudde from comment #5)
Thanks for the patch!

FWIW, the Porters Handbook:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/rc-scripts.html

and the Scripting Guide:

https://www.freebsd.org/doc/en_US.ISO8859-1/articles/rc-scripting/article.html

do reference the rc.subr(8) man page:

https://www.freebsd.org/cgi/man.cgi?query=rc.subr&sektion=8&manpath=freebsd-release-ports

which documents ${name}_user.

Also, I've made some improvements to the Makefile and the rc script, please take a look and test if you can. Seems to work OK for me. Still waiting on maintainer (remco.verhoef@dutchsec.com) feedback, but maybe that will time out.
Comment 7 Steve Wills freebsd_committer freebsd_triage 2020-08-02 16:40:54 UTC 
(In reply to Steve Wills from comment #6)
Or perhaps remco.verhoef@dutchsec.com is you? It's not clear to me why the maintainer line in the port doesn't match here.
Comment 8 ezri.mudde 2020-08-04 07:17:05 UTC 
He's my boss and usually pretty busy, I'll see if I can get him to approve the patch.
Comment 9 ezri.mudde 2020-08-04 11:01:14 UTC 
(In reply to Steve Wills from comment #7)
I talked with my boss and said I could change the maintainer to me. I'll test your patch and change the maintainer after.
Comment 10 ezri.mudde 2020-08-11 11:12:19 UTC 
Created attachment 217154 [details]
fixed proposed patch

Because of load order honeytrap_syslog_output_flags was never added to command_args, fixed that by redefining command_arg when honeytrap_syslog_output_flags is defined. I also changed the maintainer to me.
Comment 11 Steve Wills freebsd_committer freebsd_triage 2020-08-15 19:13:09 UTC 
Created attachment 217238 [details]
slight update

Made one small change to the rc script to avoid redundancy. Also, it seems to fail to build with go 1.15:

[00:00:13] vendor/gvisor.dev/gvisor/pkg/linewriter/linewriter.go:28:2: undefined: "gvisor.dev/gvisor/pkg/sync".Mutex
[00:00:14] vendor/gvisor.dev/gvisor/pkg/waiter/waiter.go:178:7: undefined: "gvisor.dev/gvisor/pkg/sync".RWMutex

Can you take a look? Thanks!
Comment 12 Steve Wills freebsd_committer freebsd_triage 2020-08-15 19:21:53 UTC 
Created attachment 217239 [details]
patch which builds with Go 1.15

Ignore my previous message, found the issue with Go 1.15, see attached.
Comment 13 ezri.mudde 2020-10-01 13:52:06 UTC 
(In reply to Steve Wills from comment #12)
Sorry for the long wait but your fix seems okay to me.
Comment 14 commit-hook freebsd_committer freebsd_triage 2020-10-01 23:51:23 UTC 
A commit references this bug:

Author: swills
Date: Thu Oct  1 23:50:37 UTC 2020
New revision: 550881
URL: https://svnweb.freebsd.org/changeset/ports/550881

Log:
  security/honeytrap: multiple changes

  * Improve rc script
  * Clean up
  * Pass maintainership to submitter
  * Fix build with newer Go

  PR:		247140
  PR:		248948
  Submitted by:	ezri.mudde@dutchsec.com
  Approved by:	remco.verhoef@dutchsec.com (maintainer)

Changes:
  head/security/honeytrap/Makefile
  head/security/honeytrap/distinfo
  head/security/honeytrap/files/etc/
  head/security/honeytrap/files/honeytrap.in
  head/security/honeytrap/files/honeytrap.toml
  head/security/honeytrap/files/patch-cmd_constants.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sentry_platform_kvm_bluepill__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sentry_platform_kvm_machine__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sentry_platform_ptrace_subprocess__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sentry_vfs_mount__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sleep_sleep__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sync_downgradable__rwmutex__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sync_memmove__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sync_tmutex__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_tcpip_link_rawfile_blockingpoll__yield__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_tcpip_time__unsafe.go
Comment 15 Steve Wills freebsd_committer freebsd_triage 2020-10-01 23:52:26 UTC 
Committed, thanks!