dns/blocky: Support running daemon as non-root user

Most rc.d scripts support a standard <service name>_user option in /etc/rc.conf to run the service as the specified user. The rc.d script for dns/blocky doesn't observe this setting. As a result, it's not possible to run as a user other than root (blocky documentation recommends using a non-privileged user). Instructions on how to run non-root user daemon have been added to pkg-message. PR: 269198 MFH: 2023Q1 (security fixes)
freebsd · Jan 31, 2023 · ffd87be · ffd87be
1 parent 8f48595
commit ffd87be
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 10 deletions.
diff --git a/dns/blocky/Makefile b/dns/blocky/Makefile
@@ -1,7 +1,7 @@
 PORTNAME=	blocky
 DISTVERSIONPREFIX=	v
 DISTVERSION=	0.20
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	dns
 MASTER_SITES=	https://raw.githubusercontent.com/${GH_ACCOUNT}/${GH_PROJECT}/${DISTVERSIONFULL}/:gomod
 DISTFILES=	go.mod:gomod

diff --git a/dns/blocky/files/blocky.in b/dns/blocky/files/blocky.in
@@ -7,9 +7,15 @@
 # Add the following to /etc/rc.conf[.local] to enable this service
 #
 # blocky_enable (bool):	Set to NO by default.
-#				Set it to YES to enable blocky.
-# blocky_config (str): Set to /usr/local/etc/blocky/config.yml by default.
-#
+#			Set it to YES to enable blocky.
+# blocky_config (str):	Set to /usr/local/etc/blocky-config.yml by default.
+#			Set it to a path to use that config file.
+# blocky_user (str):	Services run as root by default. Set to a user name
+#			to run blocky as that user. Note: non-root users
+#			might need permission to bind to ports.
+# blocky_group (str):	Set to the user's primary group by default.
+#			Set it to a group name for daemon file ownership.
+# blocky_flags (str):	Enter extra flags to append to the blocky command.
 
 . /etc/rc.subr
 
@@ -20,17 +26,29 @@ load_rc_config ${name}
 
 : ${blocky_enable:=NO}
 : ${blocky_config:="%%PREFIX%%/etc/blocky-config.yml"}
+: ${blocky_group:=}
 : ${blocky_flags:=}
 
-pidfile=/var/run/blocky.pid
-command="%%PREFIX%%/sbin/blocky"
+if [ -n "${blocky_user}" ] && [ -z "${blocky_group}" ]; then
+	# Detect the daemon user's primary group
+	blocky_group=$(id -gn "${blocky_user}")
+fi
+
+pidfile="/var/run/${name}.pid"
+blocky_path="%%PREFIX%%/sbin/blocky"
+
+command="/usr/sbin/daemon"
+procname="/usr/local/sbin/blocky"
+command_args="-c -f -p ${pidfile} ${blocky_path} \
+	-c ${blocky_config} ${blocky_flags}"
 
-start_cmd="${name}_start"
+start_precmd="blocky_precmd"
 
-blocky_start()
+# Sets up a pidfile the daemon user can access
+blocky_precmd()
 {
-	echo -n "Starting ${name}."
-	/usr/sbin/daemon -p ${pidfile} -f ${command} -c ${blocky_config} ${blocky_flags}
+	install -o "${blocky_user:-root}" -g "${blocky_group:-wheel}" \
+		-m 0600 /dev/null "${pidfile}"
 }
 
 run_rc_command "$1"
diff --git a/dns/blocky/files/pkg-message.in b/dns/blocky/files/pkg-message.in
@@ -7,6 +7,21 @@ A sample configuration file is installed at the following location:
 Default location for configuration file when using rc.d script:
 %%PREFIX%%/etc/blocky-config.yml
 
+With the default configuration, blocky listens on port 53 (TCP and UDP).
+If running as a non-root user, use a different port in blocky configuration,
+such as `port: 5053`, or use mac_portacl(4) to allow binding to port 53.
+
+Example setup for mac_portacl(4):
+
+In /boot/loader.conf:
+
+	mac_portacl_load="YES"
+
+In /etc/sysctl.conf (where <ID> is the UID of your user):
+
+	net.inet.ip.portrange.reservedhigh=0
+	security.mac.portacl.rules=uid:<ID>:tcp:53,uid:<ID>:udp:53
+
 Please refer to the documentation located at
 https://0xerr0r.github.io/blocky/ for further information.
 EOM