lang/erlang: enhance epmd security
Needs ReviewPublic
Actions

Authored by olgeni on Mon, Jun 16, 12:17 PM.

Details

Reviewers

dch

Summary

Add dedicated beam user (UID/GID 372) for non-root execution
Use daemon(8) for epmd process supervision and auto-restart

This addresses security concerns with epmd running as root by
providing privilege separation and automatic restart capability.

PR: 213001

Diff Detail

Repository

R11 FreeBSD ports repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 64942
Build 61825: arc lint + arc unit

Event Timeline

olgeni requested review of this revision.Mon, Jun 16, 12:17 PM

olgeni created this revision.

Harbormaster completed remote builds in B64900: Diff 157095.Mon, Jun 16, 12:17 PM

guest-patmaddox added a subscriber: guest-patmaddox.Mon, Jun 16, 3:23 PM

Daemon fixed!

Harbormaster completed remote builds in B64905: Diff 157106.Mon, Jun 16, 3:32 PM

\o/ a long overdue improvement! thanks!

This revision is now accepted and ready to land.Tue, Jun 17, 10:06 AM

service start|stop epmd fails when flags are provided:

# /etc/rc.conf.d/epmd
epmd_enable=YES
epmd_flags="-address 100.64.0.0"

# service epmd start
/usr/local/etc/rc.d/epmd: DEBUG: run_rc_command: doit:  limits -C daemon  su -m beam -c 'sh -c " /usr/sbin/daemon -address 100.64.0.0 -f -r -P /var/run/epmd/epmd.pid /usr/local/bin/epmd -address 100.64.0.0"'
daemon: invalid option -- a

A solution is to s/flags/opts/ and then the flags are not passed through to daemon itself.

Otherwise LGTM!