Bug 247140 - security/honeytrap: Add option to run service as root
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Steve Wills
Keywords: buildisok
Depends on:
Reported: 2020-06-10 09:17 UTC by ezri.mudde
Modified: 2020-10-01 23:52 UTC

See Also:
swills: maintainer-feedback?

patch (1.42 KB, patch)
2020-06-10 09:17 UTC, ezri.mudde
patch 2 (1.36 KB, patch)
2020-07-21 15:09 UTC, ezri.mudde
patch 3 (4.05 KB, patch)
2020-07-22 12:32 UTC, ezri.mudde
proposed patch (9.00 KB, patch)
2020-08-02 16:38 UTC, Steve Wills
fixed proposed patch (10.77 KB, patch)
2020-08-11 11:12 UTC, ezri.mudde
slight update (9.00 KB, patch)
2020-08-15 19:13 UTC, Steve Wills
patch which builds with Go 1.15 (17.45 KB, patch)
2020-08-15 19:21 UTC, Steve Wills

Description ezri.mudde 2020-06-10 09:17:13 UTC
Created attachment 215417 [details]

This patch adds the option to run the service as root. This enables the service to bind to system ports.
Comment 1 Bugzilla Automation freebsd_committer 2020-06-10 09:17:13 UTC
Maintainer informed via mail
Comment 2 Steve Wills freebsd_committer 2020-06-11 02:12:45 UTC
Doesn't rc.subr handle this for you? The man page documents ${name}_user and /etc/rc.subr calls "su -m $_user ...".
Comment 3 ezri.mudde 2020-07-20 07:47:52 UTC
I didn't know that, wasn't in the rc.d scripting guide. I'm not sure when I'll be able to change the port to use that instead.
Comment 4 ezri.mudde 2020-07-21 15:09:09 UTC
Created attachment 216631 [details]
patch 2

Removed code in honeytrap.in from previous patch and rewrote it
Comment 5 ezri.mudde 2020-07-22 12:32:39 UTC
Created attachment 216661 [details]
patch 3

Update to latest HoneyTrap version, add go build flags and patch for build constants.
Comment 6 Steve Wills freebsd_committer 2020-08-02 16:38:14 UTC
Created attachment 216962 [details]
proposed patch

(In reply to ezri.mudde from comment #5)
Thanks for the patch!

FWIW, the Porters Handbook:


and the Scripting Guide:


do reference the rc.subr(8) man page:


which documents ${name}_user.

Also, I've made some improvements to the Makefile and the rc script, please take a look and test if you can. Seems to work OK for me. Still waiting on maintainer (remco.verhoef@dutchsec.com) feedback, but maybe that will time out.
Comment 7 Steve Wills freebsd_committer 2020-08-02 16:40:54 UTC
(In reply to Steve Wills from comment #6)
Or perhaps remco.verhoef@dutchsec.com is you? It's not clear to me why the maintainer line in the port doesn't match here.
Comment 8 ezri.mudde 2020-08-04 07:17:05 UTC
He's my boss and usually pretty busy, I'll see if I can get him to approve the patch.
Comment 9 ezri.mudde 2020-08-04 11:01:14 UTC
(In reply to Steve Wills from comment #7)
I talked with my boss and he said I could change the maintainer to me. I'll test your patch and change the maintainer after.
Comment 10 ezri.mudde 2020-08-11 11:12:19 UTC
Created attachment 217154 [details]
fixed proposed patch

Because of load order, honeytrap_syslog_output_flags was never added to command_args; fixed that by redefining command_args when honeytrap_syslog_output_flags is defined. I also changed the maintainer to me.
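
Added illustration (not part of the thread and not the port's rc script) of the load-order problem described in comment 10 and of the `${name}_user` override from comment 2. It assumes a stand-in `load_rc_config`, a placeholder flag value, a hypothetical base argument and a default account named `honeytrap`, so it runs without rc.subr:

```shell
#!/bin/sh
# Added illustration, not the port's rc script. load_rc_config below is a
# stand-in for the rc.subr function; the values it sets are constructed
# samples of what an admin might put in rc.conf.

name="honeytrap"
base_args="--hypothetical-option"   # placeholder, not a real honeytrap flag

load_rc_config() {
    honeytrap_user="root"                          # constructed rc.conf value
    honeytrap_syslog_output_flags="--sample-flag"  # constructed placeholder
}

reset_vars() {
    unset honeytrap_user honeytrap_syslog_output_flags command_args
}

# Buggy order: command_args is expanded before rc.conf has been read, so
# the flags variable is still empty and never reaches the command line.
args_built_before_load() {
    reset_vars
    command_args="${base_args} ${honeytrap_syslog_output_flags}"
    load_rc_config "$name"
    printf '%s\n' "$command_args"
}

# Fixed order: read rc.conf, apply defaults, then assemble command_args.
args_built_after_load() {
    reset_vars
    load_rc_config "$name"
    : "${honeytrap_syslog_output_flags:=}"
    command_args="${base_args} ${honeytrap_syslog_output_flags}"
    printf '%s\n' "$command_args"
}

# ${name}_user: default to an unprivileged account and let rc.conf override
# it, so running as root is an explicit choice made by the administrator.
effective_user() {
    reset_vars
    [ "$1" = "with_rc_conf" ] && load_rc_config "$name"
    : "${honeytrap_user:=honeytrap}"   # assumed default account name
    printf '%s\n' "$honeytrap_user"
}
```
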
Comment 11 Steve Wills freebsd_committer 2020-08-15 19:13:09 UTC
Created attachment 217238 [details]
slight update

Made one small change to the rc script to avoid redundancy. Also, it seems to fail to build with go 1.15:

[00:00:13] vendor/gvisor.dev/gvisor/pkg/linewriter/linewriter.go:28:2: undefined: "gvisor.dev/gvisor/pkg/sync".Mutex
[00:00:14] vendor/gvisor.dev/gvisor/pkg/waiter/waiter.go:178:7: undefined: "gvisor.dev/gvisor/pkg/sync".RWMutex

Can you take a look? Thanks!
Comment 12 Steve Wills freebsd_committer 2020-08-15 19:21:53 UTC
Created attachment 217239 [details]
patch which builds with Go 1.15

Ignore my previous message, found the issue with Go 1.15, see attached.
Comment 13 ezri.mudde 2020-10-01 13:52:06 UTC
(In reply to Steve Wills from comment #12)
Sorry for the long wait but your fix seems okay to me.
Comment 14 commit-hook freebsd_committer 2020-10-01 23:51:23 UTC
A commit references this bug:

Author: swills
Date: Thu Oct  1 23:50:37 UTC 2020
New revision: 550881
URL: https://svnweb.freebsd.org/changeset/ports/550881

  security/honeytrap: multiple changes

  * Improve rc script
  * Clean up
  * Pass maintainership to submitter
  * Fix build with newer Go

  PR:		247140
  PR:		248948
  Submitted by:	ezri.mudde@dutchsec.com
  Approved by:	remco.verhoef@dutchsec.com (maintainer)

Comment 15 Steve Wills freebsd_committer 2020-10-01 23:52:26 UTC
Committed, thanks!