unicorn-lockdown 0.12.0 → 1.1.0

data/bin/unicorn-lockdown-setup

@@ -1,68 +1,2 @@
 #!/usr/bin/env ruby
-
-require 'etc'
-
-def sh(*args)
-  puts "Running: #{args.join(' ')}"
-  system(*args) || raise("Error while running: #{args.join(' ')}")
-end
-
-request_dir = '/var/www/requests'
-socket_dir = '/var/www/sockets'
-unicorn_log_dir = '/var/log/unicorn'
-nginx_log_dir = "/var/log/nginx"
-rc_unicorn_file = '/etc/rc.d/rc.unicorn'
-
-unicorn_group = '_unicorn'
-root_id = 0
-daemon_id = 1
-www_id = 67
-
-# Add _unicorn group if it doesn't exist
-group = begin
-  Etc.getgrnam(unicorn_group)
-rescue ArgumentError
-  sh('groupadd', unicorn_group)
-  Etc.getgrnam(unicorn_group)
-end
-unicorn_group_id = group.gid
-
-# Setup requests directory to hold per-request information for crash notifications
-unless File.directory?(request_dir)
-  puts "Creating #{request_dir}"
-  Dir.mkdir(request_dir)
-  File.chmod(0700, request_dir)
-  File.chown(root_id, daemon_id, request_dir)
-end
-
-# Setup sockets directory to hold PostgreSQL database connection sockets
-unless File.directory?(socket_dir)
-  puts "Creating #{socket_dir}"
-  Dir.mkdir(socket_dir)
-  File.chmod(0770, socket_dir)
-  File.chown(www_id, unicorn_group_id, socket_dir)
-end
-
-# Setup log directory to hold unicorn application logs
-unless File.directory?(unicorn_log_dir)
-  puts "Creating #{unicorn_log_dir}"
-  Dir.mkdir(unicorn_log_dir)
-  File.chmod(0755, unicorn_log_dir)
-  File.chown(root_id, daemon_id, unicorn_log_dir)
-end
-
-# Setup log directory to hold nginx logs
-unless File.directory?(nginx_log_dir)
-  puts "Creating #{nginx_log_dir}"
-  Dir.mkdir(nginx_log_dir)
-  File.chmod(0775, nginx_log_dir)
-  File.chown(www_id, root_id, nginx_log_dir)
-end
-
-# Setup rc.unicorn file
-unless File.file?(rc_unicorn_file)
-  puts "Creating #{rc_unicorn_file}"
-  File.binwrite(rc_unicorn_file, File.binread(File.join(File.dirname(__dir__), 'files', 'rc.unicorn')))
-  File.chmod(0644, rc_unicorn_file)
-  File.chown(root_id, root_id, rc_unicorn_file)
-end
+require_relative '../files/unicorn_lockdown_setup'

data/files/unicorn_lockdown_add.rb

@@ -0,0 +1,227 @@
+require 'etc'
+require 'optparse'
+
+unicorn = ''
+rackup = ''
+unicorn_file = 'unicorn.conf'
+dir = nil
+user = nil
+new_user_uid = nil
+owner = nil
+owner_uid = nil
+owner_gid = nil
+
+options = OptionParser.new do |opts|
+  opts.banner = "Usage: unicorn-lockdown-add -o owner -u user [options] app_name"
+  opts.separator "Options:"
+
+  opts.on_tail("-h", "-?", "--help", "Show this message") do
+    puts opts
+    exit
+  end
+
+  opts.on("-c RACKUP_FILE", "rackup configuration file") do |v|
+    rackup = "rackup_file=#{v}\n"
+  end
+
+  opts.on("-d DIR", "application directory name") do |v|
+    dir = v
+  end
+
+  opts.on("-f UNICORN_FILE", "unicorn configuration file relative to application directory") do |v|
+    unicorn_file = v
+    unicorn = "unicorn_conf=#{v}\n"
+  end
+
+  opts.on("-o OWNER", "operating system application owner") do |v|
+    owner = v
+    ent = Etc.getpwnam(v)
+    owner_uid = ent.uid
+    owner_gid = ent.gid
+  end
+
+  opts.on("-u USER", "operating system user to run application") do |v|
+    user = v
+  end
+
+  opts.on("--uid UID", "user id to use if creating the user when -U is specified") do |v|
+    new_user_uid = Integer(v, 10)
+  end
+end
+options.parse!
+
+unless user && owner
+  $stderr.puts "Must pass -o and -u options when calling unicorn_lockdown_add"
+  puts options
+  exit(1)
+end
+
+app = ARGV.shift
+dir ||= app
+
+root_id = 0
+bin_id = 7
+www_id = 67
+
+prefix = ENV['UNICORN_LOCKDOWN_BIN_PREFIX']
+www_root = "#{prefix}/var/www"
+dir = "#{www_root}/#{dir}"
+rc_file = "#{prefix}/etc/rc.d/unicorn_#{app.tr('-', '_')}"
+nginx_file = "#{prefix}/etc/nginx/#{app}.conf"
+unicorn_conf_file = "#{dir}/#{unicorn_file}"
+nonroot_dir = "#{prefix}/var/www/request-error-data/#{app}"
+unicorn_log_file = "#{prefix}/var/log/unicorn/#{app}.log"
+nginx_access_log_file = "#{prefix}/var/log/nginx/#{app}.access.log"
+nginx_error_log_file = "#{prefix}/var/log/nginx/#{app}.error.log"
+
+if Process.uid == 0
+  # :nocov:
+  chown = lambda{|*a| File.chown(*a)}
+  # :nocov:
+else
+  chown = lambda{|*a| }
+end
+
+# Add application user if it doesn't exist
+passwd = begin
+  Etc.getpwnam(user)
+rescue ArgumentError
+  # :nocov:
+  args = ['/usr/sbin/useradd', '-d', '/var/empty', '-g', '=uid', '-G', '_unicorn', '-L', 'daemon', '-s', '/sbin/nologin']
+  if new_user_uid
+    args << '-u' << new_user_uid.to_s
+  end
+  args << user
+  puts "Running: #{args.join(' ')}"
+  system(*args) || raise("Error while running: #{args.join(' ')}")
+  Etc.getpwnam(user)
+  # :nocov:
+end
+app_uid = passwd.uid
+
+# Create the subdirectory used for request error info when not running as root
+unless File.directory?(nonroot_dir)
+  puts "Creating #{nonroot_dir}"
+  Dir.mkdir(nonroot_dir)
+  File.chmod(0700, nonroot_dir)
+  chown.(app_uid, app_uid, nonroot_dir)
+end
+
+# Create application public directory if it doesn't exist (needed by nginx)
+dirs = [dir, "#{dir}/public"]
+dirs.each do |d|
+  unless File.directory?(d)
+    puts "Creating #{d}"
+    Dir.mkdir(d)
+    File.chmod(0755, d)
+    chown.(owner_uid, owner_gid, d)
+  end
+end
+
+# DRY up file ownership code
+setup_file_owner = lambda do |file|
+  File.chmod(0644, file)
+  chown.(owner_uid, owner_gid, file)
+end
+
+# Setup unicorn configuration file
+unless File.file?(unicorn_conf_file)
+  unicorn_conf_dir = File.dirname(unicorn_conf_file)
+  unless File.directory?(unicorn_conf_dir)
+    puts "Creating #{unicorn_conf_dir}"
+    Dir.mkdir(unicorn_conf_dir)
+    File.chmod(0755, unicorn_conf_dir)
+    chown.(owner_uid, owner_gid, unicorn_conf_dir)
+  end
+  puts "Creating #{unicorn_conf_file}"
+  File.binwrite(unicorn_conf_file, <<END)
+require 'unicorn-lockdown'
+
+Unicorn.lockdown(self,
+  :app=>#{app.inspect},
+
+  # Update this with correct email
+  :email=>'root',
+
+  # More pledges may be needed depending on application
+  :pledge=>'rpath prot_exec inet unix flock',
+  :master_pledge=>'rpath prot_exec cpath wpath inet proc exec',
+  :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock',
+
+  # More unveils may be needed depending on application
+  :unveil=>{
+    'views'=>'r'
+  },
+  :dev_unveil=>{
+    'models'=>'r'
+  },
+)
+END
+  setup_file_owner.call(unicorn_conf_file)
+end
+
+# Setup /etc/nginx/* file for nginx configuration
+unless File.file?(nginx_file)
+  puts "Creating #{nginx_file}"
+  File.binwrite(nginx_file, <<END)
+upstream #{app}_unicorn {
+    server unix:/sockets/#{app}.sock fail_timeout=0;
+}
+server {
+    server_name #{app};
+    access_log #{nginx_access_log_file} main;
+    error_log #{nginx_error_log_file} warn;
+    root #{dir}/public;
+    error_page   500 503 /500.html;
+    error_page   502 504 /502.html;
+    proxy_set_header  X-Real-IP  $remote_addr;
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header  Host $http_host;
+    proxy_redirect    off;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options deny;
+    add_header X-XSS-Protection "1; mode=block";
+    try_files $uri @#{app}_unicorn;
+    location @#{app}_unicorn {
+        proxy_pass http://#{app}_unicorn;
+    }
+}
+END
+
+  setup_file_owner.call(nginx_file)
+end
+
+# Setup nginx log file
+[nginx_access_log_file, nginx_error_log_file].each do |f|
+  unless File.file?(f)
+    puts "Creating #{f}"
+    File.binwrite(f, '')
+    File.chmod(0644, f)
+    chown.(www_id, root_id, f)
+  end
+end
+
+# Setup unicorn log file
+unless File.file?(unicorn_log_file)
+  puts "Creating #{unicorn_log_file}"
+  File.binwrite(unicorn_log_file, '')
+  File.chmod(0640, unicorn_log_file)
+  chown.(app_uid, Etc.getgrnam('_unicorn').gid, unicorn_log_file)
+end
+
+# Setup /etc/rc.d/unicorn_* file for daemon management
+unless File.file?(rc_file)
+  puts "Creating #{rc_file}"
+  File.binwrite(rc_file, <<END)
+#!/bin/ksh
+
+daemon_user=#{user}
+unicorn_app=#{app}
+unicorn_dir=#{dir}
+#{unicorn}#{rackup}
+. /etc/rc.d/rc.unicorn
+END
+
+  File.chmod(0755, rc_file)
+  chown.(root_id, bin_id, rc_file)
+end

data/files/unicorn_lockdown_setup.rb

@@ -0,0 +1,74 @@
+require 'etc'
+
+prefix = ENV['UNICORN_LOCKDOWN_BIN_PREFIX']
+request_dir = "#{prefix}/var/www/request-error-data"
+socket_dir = "#{prefix}/var/www/sockets"
+unicorn_log_dir = "#{prefix}/var/log/unicorn"
+nginx_log_dir = "#{prefix}/var/log/nginx"
+rc_unicorn_file = "#{prefix}/etc/rc.d/rc.unicorn"
+
+unicorn_group = '_unicorn'
+root_id = 0
+daemon_id = 1
+www_id = 67
+
+if Process.uid == 0
+  # :nocov:
+  chown = lambda{|*a| File.chown(*a)}
+  # :nocov:
+else
+  chown = lambda{|*a| }
+end
+
+# Add _unicorn group if it doesn't exist
+group = begin
+  Etc.getgrnam(unicorn_group)
+rescue ArgumentError
+  # :nocov:
+  args = ['groupadd', unicorn_group]
+  puts "Running: #{args.join(' ')}"
+  system(*args) || raise("Error while running: #{args.join(' ')}")
+  Etc.getgrnam(unicorn_group)
+  # :nocov:
+end
+unicorn_group_id = group.gid
+
+# Setup requests directory to hold per-request information for crash notifications
+unless File.directory?(request_dir)
+  puts "Creating #{request_dir}"
+  Dir.mkdir(request_dir)
+  File.chmod(0710, request_dir)
+  chown.(root_id, unicorn_group_id, request_dir)
+end
+
+# Setup sockets directory to hold nginx connection sockets
+unless File.directory?(socket_dir)
+  puts "Creating #{socket_dir}"
+  Dir.mkdir(socket_dir)
+  File.chmod(0770, socket_dir)
+  chown.(www_id, unicorn_group_id, socket_dir)
+end
+
+# Setup log directory to hold unicorn application logs
+unless File.directory?(unicorn_log_dir)
+  puts "Creating #{unicorn_log_dir}"
+  Dir.mkdir(unicorn_log_dir)
+  File.chmod(0755, unicorn_log_dir)
+  chown.(root_id, daemon_id, unicorn_log_dir)
+end
+
+# Setup log directory to hold nginx logs
+unless File.directory?(nginx_log_dir)
+  puts "Creating #{nginx_log_dir}"
+  Dir.mkdir(nginx_log_dir)
+  File.chmod(0775, nginx_log_dir)
+  chown.(www_id, root_id, nginx_log_dir)
+end
+
+# Setup rc.unicorn file
+unless File.file?(rc_unicorn_file)
+  puts "Creating #{rc_unicorn_file}"
+  File.binwrite(rc_unicorn_file, File.binread(File.join(File.dirname(__dir__), 'files', 'rc.unicorn')))
+  File.chmod(0644, rc_unicorn_file)
+  chown.(root_id, root_id, rc_unicorn_file)
+end

data/lib/rack/email_exceptions.rb

@@ -36,7 +36,12 @@ ENV:
 #{env.map{|k, v| "#{k.inspect} => #{v.inspect}"}.sort.join("\n")}
 END
 
-      Net::SMTP.start('127.0.0.1'){|s| s.send_message(body, @email, @email)}
+      # :nocov:
+      # Don't verify localhost hostname, to avoid SSL errors raised in newer versions of net/smtp
+      smtp_params = Net::SMTP.method(:start).parameters.include?([:key, :tls_verify]) ? {tls_verify: false, tls_hostname: 'localhost'} : {}
+      # :nocov:
+
+      Net::SMTP.start('127.0.0.1', **smtp_params){|s| s.send_message(body, @email, @email)}
 
       raise
     end

data/lib/roda/plugins/pg_disconnect.rb

@@ -8,32 +8,31 @@ class Roda
     # the QUIT signal, allowing Unicorn to finish handling the current request before exiting.
     #
     # This is designed to be used with applications that cannot connect to the database
-    # after application initialization, either because they are using chroot and the database
-    # connection socket is outside the chroot, or because they are using a firewall and access
-    # to the database server is not allowed from the application the process is running as after
-    # privileges are dropped.
+    # after application initialization, either because they are restricting access to the database
+    # socket using unveil, or because they are using a firewall and access to the database server is
+    # not allowed from the application the process is running as after privileges are dropped.
     # 
     # This plugin must be loaded before the roda error_handler plugin, and it assumes usage of the
     # Sequel database library with the postgres adapter and pg driver.
     module PgDisconnect
       def self.load_dependencies(app)
-        raise RodaError, "error_handler plugin already loaded" if app.method_defined?(:handle_error)
+        raise RodaError, "error_handler plugin already loaded" if app.method_defined?(:handle_error) || app.private_method_defined?(:handle_error)
       end
 
       module InstanceMethods
-        # When database connection is lost, kill the worker process, so a new one will be generated.
-        # This is necessary because the unix socket used by the database connection is no longer available
-        # once the application is chrooted.
+        # :nocov:
+        # Handle old Roda dispatch API
         def call
           super
         rescue Sequel::DatabaseDisconnectError, Sequel::DatabaseConnectionError, PG::ConnectionBad
           Process.kill(:QUIT, $$)
           raise
         end
+        # :nocov:
 
         # When database connection is lost, kill the worker process, so a new one will be generated.
         # This is necessary because the unix socket used by the database connection is no longer available
-        # once the application is chrooted.
+        # once the application is unveiled or pledged.
         def _roda_handle_main_route
           super
         rescue Sequel::DatabaseDisconnectError, Sequel::DatabaseConnectionError, PG::ConnectionBad