Bug 249151 - security/stunnel: cannot create pid file when setuid set
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Ryan Steinmetz
Reported: 2020-09-06 16:40 UTC by Matthew Horan
Modified: 2022-07-11 13:42 UTC
bugzilla: maintainer-feedback? (zi)


Attachments
patch for security/stunnel (2.80 KB, patch)
2021-02-10 04:07 UTC, Tatsuki Makino
no flags
patch for security/stunnel (2.79 KB, patch)
2021-08-24 00:03 UTC, Tatsuki Makino
tatsuki_makino: maintainer-approval?

Description Matthew Horan 2020-09-06 16:40:44 UTC
By default the port will run as root and is therefore able to write a pid file in /var/run. However, when setting setuid in the config file as recommended, this is not possible. It seems the pid file is not written by stunnel before dropping privileges. I'm not sure what the best fix for this would be, but it'd be great if I could run stunnel as non-root.
Comment 1 Tatsuki Makino 2021-02-10 04:07:25 UTC
Created attachment 222319
patch for security/stunnel

Define the default PID file and make substitutions.
Create a one-level directory where PID files can be written.
Comment 2 Tatsuki Makino 2021-05-12 05:49:57 UTC
Not that it matters, but the following command will give you the port of the stunnel that root started.

sockstat -l | grep \^root\ \*stunnel
Comment 3 Tatsuki Makino 2021-08-24 00:03:50 UTC
Created attachment 227394
patch for security/stunnel

It was regenerated in git.
Comment 4 Player701 2022-07-11 10:42:31 UTC
Yeah, looks a bit weird: port installation creates the stunnel user and group, but they're not used by default, and adding the configuration to run stunnel under them results in this permission error. I've fixed it on my end by creating a subfolder in /var/run and changing the path in the rc.d script (just like in the proposed patch). Would be great if this gets fixed on the port side too. Preferably, it should also not run as root by default.
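One way to check for the condition described in this report, as an added example that is not part of the thread or of the port: the script reads the global setuid and pid options from a stunnel configuration and reports whether the pid file's directory is owned by that user. The function names are illustrative, setuid is assumed to hold a user name rather than a numeric id, and directory ownership is used as a simple stand-in for "writable after the privilege drop".

```shell
#!/bin/sh
# conf_value FILE KEY: print the last global "KEY = value" from FILE.
# Parsing stops at the first [service] section; ';' comment lines are skipped.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { exit }
        /^[ \t]*;/  { next }
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# dir_owner DIR: print the owning user of DIR (parsed from ls -ld for portability).
dir_owner() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 }'
}

# check_pid_dir FILE: 0 = pid directory owned by the setuid user,
# 1 = owned by someone else or missing, 2 = setuid or pid not configured.
check_pid_dir() {
    user=$(conf_value "$1" setuid)
    pid=$(conf_value "$1" pid)
    if [ -z "$user" ] || [ -z "$pid" ]; then
        echo "setuid or pid not set in $1" >&2
        return 2
    fi
    dir=$(dirname "$pid")
    owner=$(dir_owner "$dir")
    if [ "$owner" = "$user" ]; then
        echo "ok: $dir is owned by $user"
        return 0
    fi
    echo "mismatch: $dir owner is '${owner:-<missing>}', setuid is '$user'" >&2
    return 1
}

# Constructed demo input: a config whose pid directory belongs to the current user.
demo=$(mktemp -d) && mkdir "$demo/run"
printf 'setuid = %s\npid = %s/run/stunnel.pid\n' \
    "$(dir_owner "$demo/run")" "$demo" > "$demo/stunnel.conf"
check_pid_dir "$demo/stunnel.conf"
rm -rf "$demo"
```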
Comment 5 Ryan Steinmetz freebsd_committer freebsd_triage 2022-07-11 13:42:35 UTC
Committed + implemented dropping privs by default.
Comment 6 commit-hook freebsd_committer 2022-07-11 13:42:46 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7b6aed9ac322d8a3820d8f0615eb623bb815f7ee

commit 7b6aed9ac322d8a3820d8f0615eb623bb815f7ee
Author:     Ryan Steinmetz <zi@FreeBSD.org>
AuthorDate: 2022-07-11 13:41:15 +0000
Commit:     Ryan Steinmetz <zi@FreeBSD.org>
CommitDate: 2022-07-11 13:41:15 +0000

    security/stunnel: Drop privs by default, update PID file location

    - Document changes in UPDATING

    PR:             249151
    Reported by:     Tatsuki Makino <tatsuki_makino@hotmail.com>

 UPDATING                                    | 13 +++++++++++++
 security/stunnel/Makefile                   |  9 +++++++--
 security/stunnel/files/daemon.conf.in (new) |  3 +++
 security/stunnel/files/pid.conf (gone)      |  1 -
 security/stunnel/files/stunnel.in           | 18 ++++++++++++++++--
 security/stunnel/pkg-plist                  |  2 +-
 6 files changed, 40 insertions(+), 6 deletions(-)