unicorn-lockdown 0.12.0 → 1.1.0

data/lib/unicorn-lockdown.rb

@@ -1,25 +1,38 @@
-# unicorn-lockdown is designed to be used with Unicorn's chroot support, and
-# handles:
+# unicorn-lockdown is designed to handle fork+exec, unveil, and pledge support
+# when using Unicorn, including:
+# * restricting file system access using unveil
 # * pledging the app to restrict allowed syscalls at the appropriate point
-# * handling notifications of worker crashes
-# * forcing loading of some common autoloaded constants
-# * stripping path prefixes from the reloader in development mode
+# * handling notifications of worker crashes (which are likely due to pledge
+#   violations)
 
 require 'pledge'
+require 'unveil'
 
-# Loading single_byte encoding
+# Load common encodings
 "\255".force_encoding('ISO8859-1').encode('UTF-8')
-
-# Load encodings
 ''.force_encoding('UTF-16LE')
 ''.force_encoding('UTF-16BE')
 
 class Unicorn::HttpServer
-  # The file name in which to store request information. The
-  # /var/www/requests folder is currently accessable only
-  # to root.
+  # The file name in which to store request information.
+  # The /var/www/request-error-data/$app_name folder is accessable
+  # only to the user of the application.
   def request_filename(pid)
-    "/var/www/requests/#{Unicorn.app_name}.#{pid}.txt"
+    "#{Unicorn.unicorn_lockdown_prefix}/www/request-error-data/#{Unicorn.app_name}/#{pid}.txt"
+  end
+
+  unless ENV['UNICORN_WORKER']
+    alias _original_spawn_missing_workers spawn_missing_workers
+
+    # This is the master process, set the master pledge before spawning
+    # workers, because spawning workers will also need to be done at runtime.
+    def spawn_missing_workers
+      if pledge = Unicorn.master_pledge
+        Unicorn.master_pledge = nil
+        Pledge.pledge(pledge, Unicorn.master_execpledge)
+      end
+      _original_spawn_missing_workers
+    end
   end
 
   # Override the process name for the unicorn processes, both master and
@@ -49,23 +62,32 @@ class << Unicorn
   # to enable programmers to debug and fix the issue.
   attr_accessor :request_logger
 
-  # The user to run as. Also specifies the group to run as if group_name is not set.
-  attr_accessor :user_name
+  # The pledge string to use for the master process's spawned processes by default.
+  attr_accessor :master_execpledge
 
-  # The group name to run as.  Can be an array of two strings, where the first string
-  # is the primary group, and the second string is the group used for the log files.
-  attr_accessor :group_name
+  # The pledge string to use for the master process.
+  attr_accessor :master_pledge
 
-  # The pledge string to use.
+  # The pledge string to use for worker processes.
   attr_accessor :pledge
 
-  # The address to email for crash and unhandled exception notifications
+  # The hash of unveil paths to use.
+  attr_accessor :unveil
+
+  # The hash of additional unveil paths to use if in the development environment.
+  attr_accessor :dev_unveil
+
+  # The address to email for crash and unhandled exception notifications.
   attr_accessor :email
 
+  # The prefix for unicorn lockdown files
+  attr_reader :unicorn_lockdown_prefix
+  Unicorn.instance_variable_set(:@unicorn_lockdown_prefix, ENV['UNICORN_LOCKDOWN_PREFIX'] || '/var')
+
   # Helper method to write request information to the request logger.
   # +email_message+ should be an email message including headers and body.
   # This should be called at the top of the Roda route block for the
-  # application.
+  # application (or at some early point before processing in other web frameworks).
   def write_request(email_message)
     request_logger.seek(0, IO::SEEK_SET)
     request_logger.truncate(0)
@@ -73,28 +95,33 @@ class << Unicorn
     request_logger.fsync
   end
 
-  # Helper method that sets up all necessary code for chroot/pledge support.
+  # Helper method that sets up all necessary code for unveil/pledge support.
   # This should be called inside the appropriate unicorn.conf file.
   # The configurator should be self in the top level scope of the
   # unicorn.conf file, and this takes options:
   #
   # Options:
-  # :app :: The name of the application (required)
+  # :app (required) :: The name of the application
   # :email : The email to notify for worker crashes
-  # :user :: The user to run as (required)
-  # :group :: The group to run as (if not set, uses :user as the group).
-  #           Can be an array of two strings, where the first string is the primary
-  #           group, and the second string is the group used for the log files.
-  # :pledge :: The string to use when pledging
+  # :pledge :: The string to use when pledging worker processes after loading the app
+  # :master_pledge :: The string to use when pledging the master process before
+  #                   spawning worker processes
+  # :master_execpledge :: The pledge string for processes spawned by the master
+  #                       process (i.e. worker processes before loading the app)
+  # :unveil :: A hash of unveil paths, passed to Pledge.unveil.
+  # :dev_unveil :: A hash of unveil paths to use in development, in addition
+  #                to the ones in :unveil.
   def lockdown(configurator, opts)
     Unicorn.app_name = opts.fetch(:app)
-    Unicorn.user_name = opts.fetch(:user)
-    Unicorn.group_name = opts[:group] || opts[:user]
     Unicorn.email = opts[:email]
+    Unicorn.master_pledge = opts[:master_pledge]
+    Unicorn.master_execpledge = opts[:master_execpledge]
     Unicorn.pledge = opts[:pledge]
+    Unicorn.unveil = opts[:unveil]
+    Unicorn.dev_unveil = opts[:dev_unveil]
 
     configurator.instance_exec do
-      listen "/var/www/sockets/#{Unicorn.app_name}.sock"
+      listen "#{Unicorn.unicorn_lockdown_prefix}/www/sockets/#{Unicorn.app_name}.sock"
 
       # Buffer all client bodies in memory.  This assumes an Nginx limit of 10MB,
       # by using 11MB this ensures that client bodies are always buffered in
@@ -105,23 +132,25 @@ class << Unicorn
       # Run all worker processes with unique memory layouts
       worker_exec true
 
+      # :nocov:
       # Only change the log path if daemonizing.
       # Otherwise, continue to log to stdout/stderr.
       if Unicorn::Configurator::RACKUP[:daemonize]
-        stdout_path "/var/log/unicorn/#{Unicorn.app_name}.log"
-        stderr_path "/var/log/unicorn/#{Unicorn.app_name}.log"
+        log_path = "#{Unicorn.unicorn_lockdown_prefix}/log/unicorn/#{Unicorn.app_name}.log"
+        stdout_path log_path
+        stderr_path log_path
       end
+      # :nocov:
 
       after_fork do |server, worker|
         server.logger.info("worker=#{worker.nr} spawned pid=#{$$}")
 
-        # Set the request logger for the worker process after forking. The
-        # process is still root here, so it can open the file in write mode.
+        # Set the request logger for the worker process after forking.
         Unicorn.request_logger = File.open(server.request_filename($$), "wb")
         Unicorn.request_logger.sync = true
       end
 
-      if wrap_app = Unicorn.email && ENV['RACK_ENV'] == 'production'
+      if wrap_app = Unicorn.email
         require 'rack/email_exceptions'
       end
 
@@ -137,55 +166,31 @@ class << Unicorn
           end
         end
 
-        # Before chrooting, reference all constants that use autoload
-        # that are probably needed at runtime.  This must be done
-        # before chrooting as attempting to load the constants after
-        # chrooting will break things.
-        
-        # Start with rack, which uses autoload for all constants.
-        # Most of rack's constants are not used at runtime, this
-        # lists the ones most commonly needed.
-        Rack::Multipart
-        Rack::Multipart::Parser
-        Rack::Multipart::Generator
-        Rack::Multipart::UploadedFile
-        Rack::Mime
-        Rack::Auth::Digest::Params
-
-        # In the development environment, reference all middleware
-        # the unicorn will load by default, unless unicorn is
-        # set to not load middleware by default.
-        if ENV['RACK_ENV'] == 'development' && (!respond_to?(:set) || set[:default_middleware] != false)
-          Rack::ContentLength
-          Rack::CommonLogger
-          Rack::Chunked
-          Rack::Lint
-          Rack::ShowExceptions
-          Rack::TempfileReaper
+        unveil = if Unicorn.dev_unveil && ENV['RACK_ENV'] == 'development'
+          Unicorn.unveil.merge(Unicorn.dev_unveil)
+        else
+          Hash[Unicorn.unveil]
         end
 
-        # If using the mail library, eagerly autoload all constants.
-        # This costs about 9MB of memory, but the mail gem changes
-        # their autoloaded constants on a regular basis, so it's
-        # better to be safe than sorry.
-        if defined?(Mail)
-          Mail.eager_autoload!
-        end
+        # Don't allow loading files in rack and mail gems if not using rubygems
+        if defined?(Gem) && Gem.respond_to?(:loaded_specs)
+          # Allow read access to the rack gem directory, as rack autoloads constants.
+          if defined?(Rack) && Gem.loaded_specs['rack']
+            unveil['rack'] = :gem
+          end
 
-        # Strip path prefixes from the reloader.  This is only
-        # really need in development mode for code reloading to work.
-        pwd = Dir.pwd
-        Unreloader.strip_path_prefix(pwd) if defined?(Unreloader)
+          # If using the mail library, allow read access to the mail gem directory,
+          # as mail autoloads constants.
+          if defined?(Mail) && Gem.loaded_specs['mail']
+            unveil['mail'] = :gem
+          end
+        end
 
-        # Drop privileges.  This must be done after chrooting as
-        # chrooting requires root privileges.
-        worker.user(Unicorn.user_name, Unicorn.group_name, pwd)
+        # Restrict access to the file system based on the specified unveil.
+        Pledge.unveil(unveil)
 
-        if Unicorn.pledge
-          # Pledge after dropping privileges, because dropping
-          # privileges requires a separate pledge.
-          Pledge.pledge(Unicorn.pledge)
-        end
+        # Pledge after unveiling, because unveiling requires a separate pledge.
+        Pledge.pledge(Unicorn.pledge)
       end
 
       # the last time there was a worker crash and the request information
@@ -227,33 +232,16 @@ class << Unicorn
             unless skip_email
               # If the request filename exists and the worker process crashed,
               # send a notification email.
-              Process.waitpid(fork do
-                # Load net/smtp early, before chrooting. 
+              Process.waitpid(Process.fork do
+                # Load net/smtp early
                 require 'net/smtp'
 
                 # When setting the email, first get the contents of the email
                 # from the request file.
                 body = File.read(file)
 
-                # Then get information from /etc and drop group privileges
-                uid = Etc.getpwnam(Unicorn.user_name).uid
-                group = Unicorn.group_name
-                group = group.first if group.is_a?(Array)
-                gid = Etc.getgrnam(group).gid
-                if gid && Process.egid != gid
-                  Process.initgroups(Unicorn.user_name, gid)
-                  Process::GID.change_privilege(gid)
-                end
-
-                # Then chroot
-                Dir.chroot(Dir.pwd)
-                Dir.chdir('/')
-
-                # Then drop user privileges
-                Process.euid != uid and Process::UID.change_privilege(uid)
-
                 # Then use a restrictive pledge
-                Pledge.pledge('inet prot_exec')
+                Pledge.pledge(ENV['UNICORN_LOCKDOWN_WORKER_CRASH_PLEDGE'] || 'inet prot_exec')
 
                 # If body empty, crash happened before a request was received,
                 # try to at least provide the application name in this case.
@@ -261,8 +249,13 @@ class << Unicorn
                   body = "Subject: [#{Unicorn.app_name}] Unicorn Worker Process Crash\r\n\r\nNo email content provided for app: #{Unicorn.app_name}"
                 end
 
+                # :nocov:
+                # Don't verify localhost hostname, to avoid SSL errors raised in newer versions of net/smtp
+                smtp_params = Net::SMTP.method(:start).parameters.include?([:key, :tls_verify]) ? {tls_verify: false, tls_hostname: 'localhost'} : {}
+                # :nocov:
+
                 # Finally send an email to localhost via SMTP.
-                Net::SMTP.start('127.0.0.1'){|s| s.send_message(body, Unicorn.email, Unicorn.email)}
+                Net::SMTP.start('127.0.0.1', **smtp_params){|s| s.send_message(body, Unicorn.email, Unicorn.email)}
               end)
             end
           end
@@ -274,4 +267,3 @@ class << Unicorn
     end
   end
 end
-

data/lib/unveiler.rb

@@ -0,0 +1,42 @@
+require 'pledge'
+require 'unveil'
+
+# Load encodings
+"\255".force_encoding('ISO8859-1').encode('UTF-8')
+''.force_encoding('UTF-16LE')
+''.force_encoding('UTF-16BE')
+
+# Don't run external diff program for failures
+Minitest::Assertions.diff = false if defined?(Minitest::Assertions)
+
+# Unveiler allows for testing programs using pledge and unveil.
+module Unveiler
+  # Use Pledge.unveil to limit access to the file system based on the
+  # +unveil+ argument.  Then pledge the process with the given +pledge+
+  # permissions.  This will automatically unveil the rack and mail gems
+  # if they are loaded.
+  def self.pledge_and_unveil(pledge, unveil)
+    unveil = Hash[unveil]
+
+    if defined?(Gem) && Gem.respond_to?(:loaded_specs)
+      if defined?(Rack) && Gem.loaded_specs['rack']
+        unveil['rack'] = :gem
+      end
+      if defined?(Mail) && Gem.loaded_specs['mail']
+        unveil['mail'] = :gem
+      end
+    end
+
+    Pledge.unveil(unveil)
+
+    # :nocov:
+    if defined?(SimpleCov)
+    # :nocov:
+      # If running coverage tests, add necessary pledges for
+      # coverage testing to work.
+      pledge = (pledge.split + %w'rpath wpath cpath flock').uniq.join(' ')
+    end
+
+    Pledge.pledge(pledge)
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unicorn-lockdown
 version: !ruby/object:Gem::Version
-  version: 0.12.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-29 00:00:00.000000000 Z
+date: 2022-07-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pledge
@@ -38,6 +38,62 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mail
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: roda
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest-global_expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 
 email: code@jeremyevans.net
 executables:
@@ -52,14 +108,20 @@ files:
 - bin/unicorn-lockdown-add
 - bin/unicorn-lockdown-setup
 - files/rc.unicorn
-- lib/chrooter.rb
+- files/unicorn_lockdown_add.rb
+- files/unicorn_lockdown_setup.rb
 - lib/rack/email_exceptions.rb
 - lib/roda/plugins/pg_disconnect.rb
 - lib/unicorn-lockdown.rb
+- lib/unveiler.rb
 homepage: https://github.com/jeremyevans/unicorn-lockdown
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/jeremyevans/unicorn-lockdown/issues
+  changelog_uri: https://github.com/jeremyevans/unicorn-lockdown/blob/master/CHANGELOG
+  mailing_list_uri: https://github.com/jeremyevans/unicorn-lockdown/discussions
+  source_code_uri: https://github.com/jeremyevans/unicorn-lockdown
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -68,16 +130,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.3.7
 signing_key: 
 specification_version: 4
-summary: Helper library for running Unicorn with chroot/privdrop/fork+exec/pledge
-  on OpenBSD
+summary: Helper library for running Unicorn with fork+exec/unveil/pledge on OpenBSD
 test_files: []

data/lib/chrooter.rb

@@ -1,110 +0,0 @@
-require 'etc'
-require 'pledge'
-
-# Loading single_byte encoding
-"\255".force_encoding('ISO8859-1').encode('UTF-8')
-
-# Load encodings
-''.force_encoding('UTF-16LE')
-''.force_encoding('UTF-16BE')
-
-# Don't run external diff program for failures
-Minitest::Assertions.diff = false
-
-if defined?(SimpleCov) && Process.euid == 0
-  # Prevent coverage testing in chroot mode. Chroot vs
-  # non-chroot should not matter in terms of lines covered,
-  # and running coverage tests in chroot mode will probable fail
-  # when it comes time to write the coverage files.
-  SimpleCov.at_exit{}
-  raise "cannot run coverage testing in chroot mode"
-end
-
-# Chrooter allows for testing programs in both chroot and non
-# chroot modes.
-module Chrooter
-  # If the current user is the super user, change to the given
-  # user/group, chroot to the given directory, and pledge
-  # the process with the given permissions (if given).
-  #
-  # If the current user is not the super user, freeze
-  # $LOADED_FEATURES to more easily detect problems with
-  # autoloaded constants, and just pledge the process with the
-  # given permissions (if given).
-  #
-  # This will reference common autoloaded constants in the
-  # rack and mail libraries if they are defined.  Other
-  # autoloaded constants should be referenced before calling
-  # this method.
-  #
-  # In general this should be called inside an at_exit block
-  # after loading minitest/autorun, so it will run after all
-  # specs are loaded, but before running specs.
-  def self.chroot(user, pledge=nil, group=user, dir=Dir.pwd)
-    # Work around autoload issues in libraries.
-    # autoload is problematic when chrooting because if the
-    # constant is not referenced before chrooting, an
-    # exception is raised if the constant is raised
-    # after chrooting.
-    #
-    # The constants listed here are the autoloaded constants
-    # known to be used by any applications.  This list
-    # may need to be updated when libraries are upgraded
-    # and add new constants, or when applications start
-    # using new features.
-    if defined?(Rack)
-      Rack::MockRequest if defined?(Rack::MockRequest)
-      Rack::Auth::Digest::Params if defined?(Rack::Auth::Digest::Params)
-      if defined?(Rack::Multipart)
-        Rack::Multipart
-        Rack::Multipart::Parser
-        Rack::Multipart::Generator
-        Rack::Multipart::UploadedFile
-      end
-    end
-    if defined?(Mail)
-      Mail::Address
-      Mail::AddressList
-      Mail::Parsers::AddressListsParser
-      Mail::ContentTransferEncodingElement
-      Mail::ContentDispositionElement
-      Mail::MessageIdsElement
-      Mail::MimeVersionElement
-      Mail::OptionalField
-      Mail::ContentTypeElement
-    end
-
-    if Process.euid == 0
-      uid = Etc.getpwnam(user).uid
-      gid = Etc.getgrnam(group).gid
-      if Process.egid != gid
-        Process.initgroups(user, gid)
-        Process::GID.change_privilege(gid)
-      end
-      Dir.chroot(dir)
-      Dir.chdir('/')
-      Process.euid != uid and Process::UID.change_privilege(uid)
-      puts "Chrooted to #{dir}, running as user #{user}"
-    else
-      # Load minitest plugins before freezing loaded features,
-      # so they don't break.
-      Minitest.load_plugins
-
-      # Emulate chroot not working by freezing $LOADED_FEATURES
-      # This allows to more easily catch bugs that only occur
-      # when chrooted, such as referencing an autoloaded constant
-      # that wasn't loaded before the chroot.
-      $LOADED_FEATURES.freeze
-    end
-
-    unless defined?(SimpleCov)
-      if pledge
-        # If running coverage tests, don't run pledged as coverage
-        # testing can require many additional permissions.
-        Pledge.pledge(pledge)
-      end
-    end
-
-    nil
-  end
-end