authorRyan Steinmetz <zi@FreeBSD.org>2026-02-28 14:52:34 +0000
committerRyan Steinmetz <zi@FreeBSD.org>2026-02-28 14:52:34 +0000
commit5129bd54c165944ae86f4f677e54eb181fc5d446 (patch)
treeb00d5acebe6835ef22a777aa48ce8ac81207c5f9
parentaaf8a4411b2fb5a4ae08e3ebc66e61300a1596ba (diff)
net/fiche: Fix dropping privs
PR: 293501 Reported by: Benjamin Takacs <nimaje+fbz@bureaucracy.de>
-rw-r--r--net/fiche/Makefile8
-rw-r--r--net/fiche/files/fiche.in8
-rw-r--r--net/fiche/files/pkg-message.in9
3 files changed, 20 insertions, 5 deletions
diff --git a/net/fiche/Makefile b/net/fiche/Makefile
index c5d478378267..73c5d8cc5c3e 100644
--- a/net/fiche/Makefile
+++ b/net/fiche/Makefile
@@ -1,6 +1,6 @@
PORTNAME= fiche
PORTVERSION= 0.9.1
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= net
MAINTAINER= zi@FreeBSD.org
@@ -9,9 +9,6 @@ WWW= https://github.com/solusipse/fiche
LICENSE= MIT
-USERS= ${PORTNAME}
-GROUPS= ${PORTNAME}
-
USES= compiler:c++11-lang
USE_GITHUB= yes
GH_ACCOUNT= solusipse
@@ -19,6 +16,9 @@ GH_ACCOUNT= solusipse
USE_RC_SUBR= ${PORTNAME}
SUB_FILES= pkg-message
+USERS= ${PORTNAME}
+GROUPS= ${PORTNAME}
+
do-install:
@${MKDIR} ${STAGEDIR}${PREFIX}/sbin ${STAGEDIR}${WWWDIR}
${INSTALL_PROGRAM} ${WRKSRC}/${PORTNAME} ${STAGEDIR}${PREFIX}/sbin
diff --git a/net/fiche/files/fiche.in b/net/fiche/files/fiche.in
index d3037a407645..4a6a36914a5d 100644
--- a/net/fiche/files/fiche.in
+++ b/net/fiche/files/fiche.in
@@ -13,6 +13,8 @@
# fiche_options (str): Additional flags Default ""
# fiche_output (str): Default "/usr/local/www/fiche"
# fiche_logfile (str): Default "/var/log/fiche/fiche.log"
+# fiche_user (str): Default "fiche"
+# fiche_group (str): Default "fiche"
. /etc/rc.subr
@@ -27,6 +29,8 @@ load_rc_config $name
: ${fiche_output="%%WWWDIR%%"}
: ${fiche_domain="localhost"}
: ${fiche_logfile="/var/log/${name}/${name}.log"}
+: ${fiche_user="fiche"}
+: ${fiche_group="fiche"}
start_precmd="${name}_prestart"
pidfile="${fiche_pidfile}"
@@ -40,7 +44,9 @@ command_args="-fp ${pidfile} %%PREFIX%%/sbin/fiche \
${fiche_options}"
fiche_prestart() {
- install -d -o 477 -g 477 -m 755 /var/log/${name}
+ touch ${fiche_pidfile}
+ chown ${fiche_user} ${fiche_pidfile}
+ install -d -o ${fiche_user} -g ${fiche_group} -m 755 /var/log/${name}
}
run_rc_command "$1"
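Review bot: In fiche_prestart, the new `touch ${fiche_pidfile}` and `chown ${fiche_user} ${fiche_pidfile}` run as root on an operator-configurable path, unquoted, and chown follows a symbolic link by default. If the pidfile's directory is ever writable by the unprivileged service account, the ownership change would land on the link target. The default of fiche_pidfile is assigned outside this hunk, so whether that directory is root-only cannot be confirmed from here. I would quote the expansions and act on the path itself: `touch "${fiche_pidfile}"` and `chown -h "${fiche_user}" "${fiche_pidfile}"`. Separately, the install line still prepares the fixed /var/log/${name} rather than the directory of fiche_logfile, so an overridden fiche_logfile gets no writable directory; a short comment on that line stating the limitation would help operators.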
diff --git a/net/fiche/files/pkg-message.in b/net/fiche/files/pkg-message.in
index 3276d0c519da..e606e1c10af4 100644
--- a/net/fiche/files/pkg-message.in
+++ b/net/fiche/files/pkg-message.in
@@ -16,4 +16,13 @@ ensure that fiche hands out URLs prefixed with https://:
sysrc fiche_flags="-S"
EOM
}
+{ type: upgrade
+ maximum_version: "0.9.1_4"
+ message: <<EOM
+The service was updated to drop privileges to the user specified in $fiche_user
+(defaults to fiche) as intended, instead of running as root.
+You might need to change owner of the log file and $fiche_output,
+so that fiche can write those.
+EOM
+}
]