unicorn-lockdown 0.12.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 24ec67b0fb4c2a47aea2652b30a1b99973226d379492fff1a87c1aef3dba5038
-  data.tar.gz: 84ecb2a8a3a97929e4fc6c960eaee2cab8df0c9f784297e6a3b11ff00c8044f8
+  metadata.gz: 0f0b84f88c8502c942f5b15b50bb7ac6946de87ef31ee14cf96e9d71b569b8a3
+  data.tar.gz: 69d55260a85368464b5dbb0b9b24120eacb3d9f95f07c4be765f8d913b8e7f2d
 SHA512:
-  metadata.gz: 866fcee1a554851025331f856fcb47e3f77f53967a79abda8fc89fd9ead7fd2c390f090338dc3a3047dca22d2b8e7f87595fe5dbc509e5636d825e56c0670544
-  data.tar.gz: bbec6a5aa7159b05ef7995ca56235f3c08cc001c1fbf6593d2ec1f2c99db457b2d998b01d866f1223b14c58e03e68bef348b0c8e0bbcf213ae38021a3d6da18a
+  metadata.gz: 2622fa1ea4b31f117037175273420574269b8f976e905d39a76137aefb4da44e94e13e1ec121db5a9d21fcef901dc3d5fec42434c36d5dd5cc21640d64379131
+  data.tar.gz: 032dbedbb2e5eab750fb10ae6f9ef0cb108fdedac239bf3adead2faa637bddfb8613a1d9a865730d449e2d4d6d334f35bab5b762f5b97bf4e946872ebdbf1d63

data/CHANGELOG

@@ -1,3 +1,33 @@
+= 1.1.0 (2022-07-18)
+
+* Make unveiler still pledge if SimpleCov is loaded, but update pledge promises (jeremyevans)
+
+* Fix roda pg_disconnect plugin to correctly error if error_handler is already loaded (jeremyevans)
+
+* Avoid SSL error in newer versions of net/smtp when notifying about worker crashes (jeremyevans)
+
+* Add flock pledge, needed on Ruby 3.1+ (jeremyevans)
+
+= 1.0.0 (2020-11-09)
+
+* Require unicorn-lockdown-add -o and -u options, and require options have arguments (jeremyevans)
+
+* Switch to starting unicorn master process as application user, drop chroot support, require unveil (jeremyevans)
+
+* Remove chrooter library (jeremyevans)
+
+* Add unveiler library for testing pledged/unveiled applications, similar to chrooter but smaller (jeremyevans)
+
+* Add :master_execpledge option to Unicorn.lockdown, for initial pledge of worker processes (jeremyevans)
+
+* Add :master_pledge option to Unicorn.lockdown, for pledging the master process (jeremyevans)
+
+= 0.13.0 (2019-07-09)
+
+* Add Chrooter.unveil for using unveil in tests (jeremyevans)
+
+* Support Unicorn.lockdown :unveil and :dev_unveil options for use of unveil instead of chroot (jeremyevans) 
+
 = 0.12.0 (2019-04-29)
 
 * Do not reference the rack middleware unicorn loads by default if unicorn is set to not load default middleware (jeremyevans)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2018 Jeremy Evans
+Copyright (c) 2018-2022 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/README.rdoc

@@ -1,22 +1,20 @@
 = unicorn-lockdown
 
-unicorn-lockdown is a helper library for running Unicorn on OpenBSD in a way
-that supports security features such as chroot, privdrop, fork+exec,
-and pledge.
-
-With the configuration unicorn-lockdown uses, the unicorn process executes as root,
-and the unicorn master process continues to run as root.  The master process
-forks worker processes, which re-exec (fork+exec) so that a new memory layout
-is used in each worker process.  The worker process then loads the application,
-after which it chroots to the application's directory, drops root privileges
-and then runs as the application user (privdrop), then runs pledge to limit
-the allowed system calls to the minimum required to run the application.
+unicorn-lockdown is a helper library for running Unicorn on OpenBSD with pledge,
+unveil, and fork+exec for increased security.
+
+With unicorn-lockdown, unicorn should be started as the application user, which
+should be different than the user that owns the application's files.  unicorn
+will pledge the master process, then fork worker processes.  The worker
+processes will re-exec (fork+exec), then load the application, then set unveil
+to restrict file system access, then pledge to limit the allowed system calls
+at runtime.
 
 == Assumptions
 
-unicorn-lockdown assumes you are using OpenBSD 6.2+ with the nginx and
-rubyXY-unicorn packages installed, and that you have a unicorn symlink in
-the PATH to the appropriate unicornXY executable.
+unicorn-lockdown assumes you are using OpenBSD 6.6+ with the nginx and
+<tt>rubyXY-unicorn</tt> and <tt>rubyXY-pledge</tt> packages installed, and that
+you have a +unicorn+ symlink in the PATH to the appropriate +unicornXY+ executable.
 
 It also assumes you have a SMTP server listening on localhost port 25 to
 receive notification emails of worker crashes, if you are notifying for those.
@@ -33,14 +31,14 @@ the following as root after reading the file and understanding what it does.
 Briefly, the configuration this uses the following directories:
 
 /var/www/sockets :: Stores unix sockets that Unicorn listens on and Nginx uses.
-/var/www/requests :: Stores temporary files for each request with request info,
-                     used for crash notifications
+/var/www/request-error-info :: Stores temporary files for each request with request info,
+                               used for crash notifications
 /var/log/unicorn :: Stores unicorn log files, one per application
 /var/log/nginx :: Stores nginx log files, two per application, one for access
                   and one for errors
 
-This adds a _unicorn group that all per-application users will use as their
-group, as well as a /etc/rc.d/rc.unicorn file that the per application
+This adds a _unicorn group that all application users will use as one of their
+groups, as well as a /etc/rc.d/rc.unicorn file that the application
 /etc/rc.d/unicorn_* files will use.
 
 === unicorn-lockdown-add
@@ -48,30 +46,38 @@ group, as well as a /etc/rc.d/rc.unicorn file that the per application
 For each application you want to run with unicorn lockdown, run the following
 as root, again after reading the file and understanding what it does:
 
-  unicorn-lockdown-add
+  unicorn-lockdown-add -o $owner -u $user $app_name
 
-Here's an excerpt of the usage:
+Here's the usage:
 
-  Usage: unicorn-lockdown-add [options] app_name
+  Usage: unicorn-lockdown-add -o owner -u user [options] app_name
   Options:
-      -c     rackup_file   rackup configuration file
-      -d     dir           application directory name
-      -f     unicorn_file  unicorn configuration file relative to application directory
-      -o     owner         operating system application owner
-      -u     user          operating system user to run application
-      --uid  uid           user id to use if creating the user when -U is specified
-
-It is a very good idea to specify -o and -u, the other options can be ignored
-if you are OK with the default values.  The owner (-o) and the user (-u) should be
-different.  The user is the user the application runs as, and should have very limited
-access to the application directory.  The owner is the user that owns the application
-directory and can make modifications to the application.
+      -c RACKUP_FILE                   rackup configuration file
+      -d DIR                           application directory name
+      -f UNICORN_FILE                  unicorn configuration file relative to application directory
+      -o OWNER                         operating system application owner
+      -u USER                          operating system user to run application
+          --uid UID                    user id to use if creating the user when -U is specified
+      -h, -?, --help                   Show this message
+
+The <tt>-o</tt> and <tt>-u</tt> options are required.  Default values for other options are:
+
+<tt>-c</tt> :: None, Unicorn will use <tt>config.ru</tt> by default.
+<tt>-d</tt> :: Same as +app_name+.  The value provided should a relative path under <tt>/var/www</tt>.
+<tt>-f</tt> :: <tt>unicorn.conf</tt>.  This file should be relative to +dir+.
+<tt>--uid</tt> :: The uid automatically generated by +useradd+.
+
+The owner <tt>-o</tt> and the user <tt>-u</tt> should be different.  The user is the user the
+application runs as, and should have read-only access to the application directory,
+other than locations where you want the application user to be able to modify files
+at runtime.  The owner is the user that owns the application directory and can make
+modifications to the application.
 
 === unicorn-lockdown
 
 unicorn-lockdown is the library required in your unicorn configuration
 file for the application, to handle configuring unicorn to run the app
-with chroot, privdrop, fork+exec, and pledge.
+with fork+exec, unveil, and pledge.
 
 When you run unicorn-lockdown-add, it will create the unicorn configuration
 file for the app if one does not already exist, looking similar to:
@@ -80,41 +86,76 @@ file for the app if one does not already exist, looking similar to:
 
   Unicorn.lockdown(self,
     :app=>"app_name",
-    :user=>"user_name", # Set application user here
-    :pledge=>'rpath prot_exec inet unix' # More may be needed
-    :email=>'root' # update this with correct email
+
+    # Update this with correct email
+    :email=>'root',
+
+    # More pledges may be needed depending on application
+    :pledge=>'rpath prot_exec inet unix flock',
+    :master_pledge=>'rpath prot_exec cpath wpath inet proc exec',
+    :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock',
+
+    # More unveils may be needed depending on application
+    :unveil=>{
+      'views'=>'r'
+    },
+    :dev_unveil=>{
+      'models'=>'r'
+    },
   )
 
 Unicorn.lockdown options:
 
 :app :: (required) a short string for the name of the application, used
         for socket/log file names and in notifications
-:user :: (required) the user to drop privileges to
-:group :: (optional) the group to use to run the application.  On Unicorn
-          5.5.0+, can be an array with two entries, the first used as the
-          process primary group, the second as the owner of the unicorn
-          log files.
-:pledge :: (optional) a pledge string to limit the allowed system calls
-           after privileges have been dropped
 :email :: (optional) an email address to use for notifications when the
           worker process crashes or an unhandled exception is raised by
           the application or middleware.
+:pledge :: (required) a pledge string to limit the allowed system calls
+           after privileges have been dropped
+:master_pledge :: (optional) The string to use when pledging the master process before
+                  spawning worker processes
+:master_execpledge :: (optional) The pledge string for processes spawned by the master
+                      process (i.e. worker processes before loading the app)
+:unveil :: (required) a hash of paths to limit file system access, passed
+           to +Pledge.unveil+.
+:dev_unveil :: (optional) a hash of paths to limit file system, merged into the :unveil
+               option paths if in the development environment.  Useful if you are
+               allowing more access in development, such as access needed
+               for file reloading.
 
 With this example pledge:
 
-* rpath is needed to read files in the chrooted file system
+* rpath is needed to read files
 * prot_exec is needed in most cases
 * unix is needed for the unix socket to nginx
-* inet is not needed in all cases, but in most applications need some form
-  of network access.  pf (OpenBSD's firewall) should be used to limit
-  access for the application's operating system user to the minimum
-  necessary access needed.
-
-unicorn-lockdown has specific support for allowing for emails to be sent
-for Unicorn worker crashes (e.g. pledge violations). It also has support
-for using rack-unreloader to run your application in development mode
-under the chroot while allowing for reloading files if they are modified.
-Additionally, unicorn-lockdown modifies unicorn's process status line in a
+* inet is not needed in all cases, but most applications need some form
+  of network access, and it is needed by default for emailing about
+  exceptions that occur without process crashes.  pf (OpenBSD's firewall)
+  should be used to limit access for the application's operating system
+  user to the minimum necessary access needed.
+* flock is needed in Ruby 3.1+ (not necessarily required in older Ruby versions).
+
+With this example master pledge:
+
+* rpath is needed to read files
+* prot_exec is needed in most cases
+* cpath and wpath are needed to unlink the request error files
+* inet is needed to send emails for worker crashes
+* proc and exec are needed to spawn worker processes
+
+With this examle master exec pledge:
+
+* stdio must be added because ruby-pledge doesn't add it automatically
+  to execpromises, and Ruby requires it
+* rpath, prot_exec, unix, inet are needed for the worker (see above)
+* cpath and wpath are needed to create the request error files
+* unveil is needed to restrict file system access
+
+unicorn-lockdown has specific support for allowing emails to be sent
+for Unicorn worker crashes (e.g. pledge violations) and unhandled
+application exceptions (e.g. pledge violations).  Additionally,
+unicorn-lockdown modifies unicorn's process status line in a
 way that allows it to be controllable via OpenBSD's rcctl program for
 stopping/starting/reloading/restarting daemons.
 
@@ -123,7 +164,12 @@ with the expectation of an Nginx limit of 10MB, such that all client
 requests will be buffered in memory and unicorn will not need to write
 temporary files to disk.  If this limit is not correct for your
 application, please call client_body_buffer_size after calling
-Unicorn.lockdown to set an appropriate limit.
+Unicorn.lockdown to set an appropriate limit.  Note that rack still
+creates temporary files for file uploads by default, you'll need to
+configure rack to disallow file uploads if your application does not
+need to accept uploaded files and you don't want file upload attempts
+to cause pledge violations.  With Roda, you can use the
+disallow_file_uploads plugin to prevent file upload attempts.
 
 When Unicorn.lockdown is used with the :email option, if the worker
 process crashes, it will email the address using the contents specified
@@ -142,6 +188,8 @@ and then at the top of the route block, do:
 
   if defined?(Unicorn) && Unicorn.respond_to?(:write_request)
     Unicorn.write_request(error_email_content("Unicorn Worker Process Crash"))
+    # or
+    Unicorn.write_request(error_mail_content("Unicorn Worker Process Crash"))
   end
 
 If you don't have useful information in the request file, an email will
@@ -153,10 +201,20 @@ underlying problem.
 
 If you are using PostgreSQL as the database for the application, and using
 unix sockets to connect the application to the database, if the database
-is restarted, the application will no longer be able to connect to it.  The
-only way to fix this is to kill the worker process and have the master
-process spawn a new worker.  The roda-pg_disconnect plugin is a plugin
-for the roda web toolkit to kill the worker if it detects the database
+is restarted, the application will no longer be able to connect to it unless
+you unveil the path the database socket (stored in /tmp by default).  It can
+be a better approach security wise not to allow this, to prevent the
+application from being able to establish new database connections with
+potentially different credentials, as a mitigation in case the server is
+compromised.
+
+To allow the application to handle cases where the database is disconnected,
+such as due to a restart of PostgreSQL, you can kill the worker process if
+a disconnect error is detected, and have the master process then spawn a new
+worker.
+
+The roda-pg_disconnect plugin is a plugin for the roda web toolkit to kill the
+worker process after handling the connection if it detects the database
 connection has been lost.  This plugin assumes the use of the Sequel database
 library and postgres adapter with the pg driver.
 
@@ -165,51 +223,63 @@ In your Roda application:
   # Sometime before loading the error_handler plugin
   plugin :pg_disconnect
 
+To specifically restrict access to the database socket even when access to
+/tmp is allowed, you can unveil the database socket path with no permissions:
+
+  '/tmp/.s.PGSQL.5432'=>''
+
+Note that there are potentially other security issues with unveiling access
+to /tmp beyond granting access to the database server, so it is recommended
+you do not unveil it.  If the application needs a directory for temporary
+files (e.g. for handling uploaded files with rack), you can set the +TMPDIR+
+environment variable to an appropriate directory that is writable by the
+application user and not other users, and most web applications will respect
+that (assuming they use the tmpfile/tmpdir libraries in the standard library).
+
 === rack-email_exceptions
 
-rack-email_exceptions is a rack middleware designed to be the first
-middleware loaded into applications.  It rescues unhandled exceptions
+rack-email_exceptions is a rack middleware designed to wrap all other
+middleware and the application.  It rescues unhandled exceptions
 raised by subsequent middleware or the application itself.
-
 Unicorn.lockdown will automatically setup this middleware if the :email
-option is used and the RACK_ENV environment variable is set to production,
-such that it wraps the application and all other middleware.
+option is used.
 
 It is possible to use this middleware manually:
 
   require 'rack/email_exceptions'
   use Rack::EmailExceptions, "app_name", 'foo@example.com'
 
-=== chrooter
+=== unveiler
 
-chrooter is a library designed to help with testing applications both in
-chroot mode and non-chroot mode.  If you are running your application
-chrooted, you must support testing while chrooted otherwise it is very
-difficult to find problems that only occur when chrooted before putting
-the application into production, such as a file being read from outside
-the chroot.
+unveiler is a library designed to help with testing applications that
+use pledge and unveil.  If you are running your application pledged and
+unveiled, you want your tests to run pledged and unveiled to find
+problems.
 
-chrooter assumes you are using minitest for testing.  To use chrooter:
+unveiler assumes you are using minitest for testing.  To use unveiler:
 
   require 'minitest/autorun'
-  require 'chrooter'
-  at_exit{Chrooter.chroot('user_name', 'rpath prot_exec inet unix')}
-
-If you run your specs as a regular user, it will execute them without
-chrooting, but in a way that can still catch some problems that occur
-when chrooted.  If you run your specs as root, it will chroot to
-the current directory after loading the specs, then drop
-privileges to the user given (and optionally pledging using the given
-pledge string), then run the specs.
+  require 'unveiler'
+  at_exit do
+    Unveiler.pledge_and_unveil('rpath prot_exec inet unix', 'views' => 'r')
+  end
 
 == autoload
 
-As you'll find out if you try to run your applications with chroot,
-autoload is the enemy.  Both unicorn-lockdown and chrooter have support
-for handling common autoloaded constants in the rack and mail gems.
-If you use other gems that use autoload, you'll have to add code that
-references the autoloaded constants after the application is loaded but
-before chrooting.
+As you'll find out if you try to run your applications with unveil,
+autoload and other forms of runtime requires are the enemy.  Both
+unicorn-lockdown and unveiler have support for handling common autoloaded
+constants in the rack and mail gems.  If you use other gems that use
+autoload or runtime requires, you'll have to add unveils for the appropriate
+gems:
+
+  Unicorn.lockdown(self,
+    # ...
+    :unveil=>{
+      'views' => 'r',
+      'gem-name' => :gem,
+    }
+  )
 
 == Author
 

data/bin/unicorn-lockdown-add

@@ -1,224 +1,2 @@
 #!/usr/bin/env ruby
-
-require 'etc'
-require 'optparse'
-
-def sh(*args)
-  puts "Running: #{args.join(' ')}"
-  system(*args) || raise("Error while running: #{args.join(' ')}")
-end
-
-unicorn = ''
-rackup = ''
-unicorn_file = 'unicorn.conf'
-dir = nil
-user = nil
-new_user_uid = nil
-owner = nil
-owner_uid = nil
-owner_gid = nil
-
-options = OptionParser.new do |opts|
-  opts.banner = "Usage: unicorn-lockdown-add [options] app_name"
-  opts.separator "Options:"
-
-  opts.on_tail("-h", "-?", "--help", "Show this message") do
-    puts opts
-    exit
-  end
-
-  opts.on("-c rackup_file", "rackup configuration file") do |v|
-    rackup = "rackup_file=#{v}\n"
-  end
-
-  opts.on("-d dir", "application directory name") do |v|
-    dir = v
-  end
-
-  opts.on("-f unicorn_file", "unicorn configuration file relative to application directory") do |v|
-    unicorn_file = v
-    unicorn = "unicorn_conf=#{v}\n"
-  end
-
-  opts.on("-o owner", "operating system application owner") do |v|
-    owner = v
-    ent = Etc.getpwnam(v)
-    owner_uid = ent.uid
-    owner_gid = ent.gid
-  end
-
-  opts.on("-u user", "operating system user to run application") do |v|
-    user = v
-  end
-
-  opts.on("--uid uid", "user id to use if creating the user when -U is specified") do |v|
-    new_user_uid = Integer(v, 10)
-  end
-end
-options.parse!
-
-app = ARGV.shift
-dir ||= app
-base_dir = dir
-
-root_id = 0
-bin_id = 7
-www_id = 67
-
-www_root = '/var/www'
-dir = "#{www_root}/#{dir}"
-etc_dir = "#{dir}/etc"
-hosts_file = "#{etc_dir}/hosts"
-resolv_file = "#{etc_dir}/resolv.conf"
-rc_file = "/etc/rc.d/unicorn_#{app.tr('-', '_')}"
-nginx_file = "/etc/nginx/#{app}.conf"
-unicorn_conf_file = "#{dir}/#{unicorn_file}"
-unicorn_log_file = "/var/log/unicorn/#{app}.log"
-nginx_access_log_file = "/var/log/nginx/#{app}.access.log"
-nginx_error_log_file = "/var/log/nginx/#{app}.error.log"
-
-# Add application user if it doesn't exist
-if user
-  passwd = begin
-    Etc.getpwnam(user)
-  rescue ArgumentError
-    args = ['/usr/sbin/useradd', '-d', '/var/empty', '-g', '=uid', '-G', '_unicorn', '-L', 'daemon', '-s', '/sbin/nologin']
-    if new_user_uid
-      args << '-u' << new_user_uid.to_s
-    end
-    args << user
-    sh(*args)
-    Etc.getpwnam(user)
-  end
-  app_uid = passwd.uid
-end
-
-# Create application directory and chroot directories if they doesn't exist
-[dir, "#{dir}/var", "#{dir}/var/www", "#{dir}/etc", "#{dir}/public"].each do |d|
-  unless File.directory?(d)
-    puts "Creating #{d}"
-    Dir.mkdir(d)
-    File.chmod(0755, d)
-    File.chown(owner_uid, owner_gid, d) if owner
-  end
-end
-
-# DRY up file ownership code
-setup_file_owner = lambda do |file|
-  File.chmod(0644, file)
-  File.chown(owner_uid, owner_gid, file) if owner
-end
-
-# Setup symlink to root so that the same paths work both when
-# chrooted and when not chrooted.
-chroot_link = "#{dir}#{dir}"
-unless File.symlink?(chroot_link)
-  puts "Creating #{chroot_link}"
-  File.symlink('/', chroot_link)
-end
-
-# Add /etc/hosts files to chroot
-unless File.file?(hosts_file)
-  puts "Creating #{hosts_file}"
-  File.binwrite(hosts_file, <<END)
-127.0.0.1 localhost
-END
-  setup_file_owner.call(hosts_file)
-end
-
-# Add /etc/resolv.conf files to chroot
-unless File.file?(resolv_file)
-  puts "Creating #{resolv_file}"
-  File.binwrite(resolv_file, <<END)
-lookup file
-END
-  setup_file_owner.call(resolv_file)
-end
-
-# Setup unicorn configuration file
-unless File.file?(unicorn_conf_file)
-  unicorn_conf_dir = File.dirname(unicorn_conf_file)
-  unless File.directory?(unicorn_conf_dir)
-    puts "Creating #{unicorn_conf_dir}"
-    Dir.mkdir(unicorn_conf_dir)
-    File.chmod(0755, unicorn_conf_dir)
-    File.chown(owner_uid, owner_gid, unicorn_conf_dir) if owner
-  end
-  puts "Creating #{unicorn_conf_file}"
-  File.binwrite(unicorn_conf_file, <<END)
-require 'unicorn-lockdown'
-
-Unicorn.lockdown(self,
-  :app=>#{app.inspect},
-  :user=>#{user.inspect}, # Set application user here
-  :pledge=>'rpath prot_exec inet unix', # More may be needed
-  :email=>'root' # update this with correct email
-)
-END
-  setup_file_owner.call(unicorn_conf_file)
-end
-
-# Setup /etc/nginx/* file for nginx configuration
-unless File.file?(nginx_file)
-  puts "Creating #{nginx_file}"
-  File.binwrite(nginx_file, <<END)
-upstream #{app}_unicorn {
-    server unix:/sockets/#{app}.sock fail_timeout=0;
-}
-server {
-    server_name #{app};
-    access_log #{nginx_access_log_file} main;
-    error_log #{nginx_error_log_file} warn;
-    root #{dir}/public;
-    error_page   500 503 /500.html;
-    error_page   502 504 /502.html;
-    proxy_set_header  X-Real-IP  $remote_addr;
-    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header  Host $http_host;
-    proxy_redirect    off;
-    add_header X-Content-Type-Options nosniff;
-    add_header X-Frame-Options deny;
-    add_header X-XSS-Protection "1; mode=block";
-    try_files $uri @#{app}_unicorn;
-    location @#{app}_unicorn {
-        proxy_pass http://#{app}_unicorn;
-    }
-}
-END
-
-  setup_file_owner.call(nginx_file)
-end
-
-# Setup nginx log file
-[nginx_access_log_file, nginx_error_log_file].each do |f|
-  unless File.file?(f)
-    puts "Creating #{f}"
-    File.binwrite(f, '')
-    File.chmod(0644, f)
-    File.chown(www_id, root_id, f)
-  end
-end
-
-# Setup unicorn log file
-unless File.file?(unicorn_log_file)
-  puts "Creating #{unicorn_log_file}"
-  File.binwrite(unicorn_log_file, '')
-  File.chmod(0640, unicorn_log_file)
-  File.chown(app_uid, app_uid, unicorn_log_file) if app_uid
-end
-
-# Setup /etc/rc.d/unicorn_* file for daemon management
-unless File.file?(rc_file)
-  puts "Creating #{rc_file}"
-  File.binwrite(rc_file, <<END)
-#!/bin/ksh
-
-unicorn_app=#{app}
-unicorn_dir=#{dir}
-#{unicorn}#{rackup} 
-. /etc/rc.d/rc.unicorn
-END
-
-  File.chmod(0755, rc_file)
-  File.chown(root_id, bin_id, rc_file)
-end
+require_relative '../files/unicorn_lockdown_add'