Bug 247140 - security/honeytrap: Add option to run service as root
Summary: security/honeytrap: Add option to run service as root
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Steve Wills
URL:
Keywords: buildisok
Depends on:
Blocks:
 
Reported: 2020-06-10 09:17 UTC by ezri.mudde
Modified: 2020-10-01 23:52 UTC (History)
2 users (show)

See Also:
swills: maintainer-feedback?


Attachments
patch (1.42 KB, patch)
2020-06-10 09:17 UTC, ezri.mudde
no flags Details | Diff
patch 2 (1.36 KB, patch)
2020-07-21 15:09 UTC, ezri.mudde
no flags Details | Diff
patch 3 (4.05 KB, patch)
2020-07-22 12:32 UTC, ezri.mudde
no flags Details | Diff
proposed patch (9.00 KB, patch)
2020-08-02 16:38 UTC, Steve Wills
no flags Details | Diff
fixed proposed patch (10.77 KB, patch)
2020-08-11 11:12 UTC, ezri.mudde
no flags Details | Diff
slight update (9.00 KB, patch)
2020-08-15 19:13 UTC, Steve Wills
no flags Details | Diff
patch which builds with Go 1.15 (17.45 KB, patch)
2020-08-15 19:21 UTC, Steve Wills
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description ezri.mudde 2020-06-10 09:17:13 UTC
Created attachment 215417 [details]
patch

This patch adds the option to run the service as root. This enables the service to bind to system ports.
Comment 1 Bugzilla Automation freebsd_committer 2020-06-10 09:17:13 UTC
Maintainer informed via mail
Comment 2 Steve Wills freebsd_committer 2020-06-11 02:12:45 UTC
Doesn't rc.subr handle this for you? The man page documents ${name}_user and /etc/rc.subr calls "su -m $_user ...".
Comment 3 ezri.mudde 2020-07-20 07:47:52 UTC
I didn't know that, wasn't in the rc.d scripting guide. I'm not sure when I'll be able to change the port to use that instead.
Comment 4 ezri.mudde 2020-07-21 15:09:09 UTC
Created attachment 216631 [details]
patch 2

Removed code in honetrap.in from previous patch and rewrite it
Comment 5 ezri.mudde 2020-07-22 12:32:39 UTC
Created attachment 216661 [details]
patch 3

Update to latest HoneyTrap version, add go build flags and patch for build constants.
Comment 6 Steve Wills freebsd_committer 2020-08-02 16:38:14 UTC
Created attachment 216962 [details]
proposed patch

(In reply to ezri.mudde from comment #5)
Thanks for the patch!

FWIW, the Porters Handbook:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/rc-scripts.html

and the Scripting Guide:

https://www.freebsd.org/doc/en_US.ISO8859-1/articles/rc-scripting/article.html

do reference the rc.subr(8) man page:

https://www.freebsd.org/cgi/man.cgi?query=rc.subr&sektion=8&manpath=freebsd-release-ports

which documents ${name}_user.

Also, I've made some improvements to the Makefile and the rc script, please take a look and test if you can. Seems to work OK for me. Still waiting on maintainer (remco.verhoef@dutchsec.com) feedback, but maybe that will time out.
Comment 7 Steve Wills freebsd_committer 2020-08-02 16:40:54 UTC
(In reply to Steve Wills from comment #6)
Or perhaps remco.verhoef@dutchsec.com is you? It's not clear to me why the maintainer line in the port doesn't match here.
Comment 8 ezri.mudde 2020-08-04 07:17:05 UTC
He's my boss and usually pretty busy, I'll see if I can get him to approve the patch.
Comment 9 ezri.mudde 2020-08-04 11:01:14 UTC
(In reply to Steve Wills from comment #7)
I talked with my boss and said I could change the maintainer to me. I'll test your patch and change the maintainer after.
Comment 10 ezri.mudde 2020-08-11 11:12:19 UTC
Created attachment 217154 [details]
fixed proposed patch

Because of load order honeytrap_syslog_output_flags was never added to command_args, fixed that by redefining command_arg when honeytrap_syslog_output_flags is defined. I also changed the maintainer to me.
Comment 11 Steve Wills freebsd_committer 2020-08-15 19:13:09 UTC
Created attachment 217238 [details]
slight update

Made one small change to the rc script to avoid redundancy. Also, it seems to fail to build with go 1.15:

[00:00:13] vendor/gvisor.dev/gvisor/pkg/linewriter/linewriter.go:28:2: undefined: "gvisor.dev/gvisor/pkg/sync".Mutex
[00:00:14] vendor/gvisor.dev/gvisor/pkg/waiter/waiter.go:178:7: undefined: "gvisor.dev/gvisor/pkg/sync".RWMutex

Can you take a look? Thanks!
Comment 12 Steve Wills freebsd_committer 2020-08-15 19:21:53 UTC
Created attachment 217239 [details]
patch which builds with Go 1.15

Ignore my previous message, found the issue with Go 1.15, see attached.
Comment 13 ezri.mudde 2020-10-01 13:52:06 UTC
(In reply to Steve Wills from comment #12)
Sorry for the long wait but your fix seems okay to me.
Comment 14 commit-hook freebsd_committer 2020-10-01 23:51:23 UTC
A commit references this bug:

Author: swills
Date: Thu Oct  1 23:50:37 UTC 2020
New revision: 550881
URL: https://svnweb.freebsd.org/changeset/ports/550881

Log:
  security/honeytrap: multiple changes

  * Improve rc script
  * Clean up
  * Pass maintainership to submitter
  * Fix build with newer Go

  PR:		247140
  PR:		248948
  Submitted by:	ezri.mudde@dutchsec.com
  Approved by:	remco.verhoef@dutchsec.com (maintainer)

Changes:
  head/security/honeytrap/Makefile
  head/security/honeytrap/distinfo
  head/security/honeytrap/files/etc/
  head/security/honeytrap/files/honeytrap.in
  head/security/honeytrap/files/honeytrap.toml
  head/security/honeytrap/files/patch-cmd_constants.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sentry_platform_kvm_bluepill__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sentry_platform_kvm_machine__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sentry_platform_ptrace_subprocess__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sentry_vfs_mount__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sleep_sleep__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sync_downgradable__rwmutex__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sync_memmove__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_sync_tmutex__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_tcpip_link_rawfile_blockingpoll__yield__unsafe.go
  head/security/honeytrap/files/patch-vendor_gvisor.dev_gvisor_pkg_tcpip_time__unsafe.go
Comment 15 Steve Wills freebsd_committer 2020-10-01 23:52:26 UTC
Committed, thanks!