unicorn-lockdown 0.9.0 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e3ce59cddf9d01567fd8a064530c8d1cc54e45a96eecb54fbacfc376ed73c030
-  data.tar.gz: 7e52c5cc4e6ed7673e84fdce2b67516284a49409d1e5a5adcc0a489a401f52e6
+  metadata.gz: 95a450be80782d592a0b960b2855f27332371039ede4ce5459df32a273985240
+  data.tar.gz: 9fb35bc3da1921fb3562bc4f1aa35962e08e628da61c33e14e9beac0b51696e4
 SHA512:
-  metadata.gz: 42147643aa1eb541874fc61ef91152800617b91fb69e57f3765d0ea33f372f787a1fa9074eb9eb74400fe2f4ec4f699213875a0ec9446ac08ae6b8f1baad3e08
-  data.tar.gz: c74fb916793633f0da277b1541cce8d9773a985035b0f36bfef9f545abf28e1c8f38796d0fd18da5525ab49ff2a46e4be428cc25384461e53c8615095b9a1ec9
+  metadata.gz: dc4ca6d927ab239a144cc3b3f4f405c03d0280f2e6a1e148f32a8ac416d48eb7ebc898f7b7a7ff09b67863ea0676d0b2b8660e212347fe4466691c000eca591a
+  data.tar.gz: 3240933f222409c814dac82049c055cfd183c275e1a998cf2aa10f539d36a1c9dbec5abef32b35f8c5729dc32d9cc87e506e9d4bf6b2a602e026314dc7e3bd70

data/CHANGELOG

@@ -0,0 +1,9 @@
+= 0.10.0 (2018-05-21)
+
+* Use Mail.eager_autoload! if using the mail gem (jeremyevans)
+
+* Add bin files to gemspec (jeremyevans)
+
+= 0.9.0 (2018-05-02)
+
+* Initial public release

data/bin/unicorn-lockdown-add

@@ -0,0 +1,217 @@
+#!/usr/bin/env ruby
+
+require 'etc'
+require 'optparse'
+
+def sh(*args)
+  puts "Running: #{args.join(' ')}"
+  system(*args) || raise("Error while running: #{args.join(' ')}")
+end
+
+unicorn = ''
+rackup = ''
+unicorn_file = 'unicorn.conf'
+dir = nil
+user = nil
+new_user_uid = nil
+owner = nil
+owner_uid = nil
+owner_gid = nil
+
+options = OptionParser.new do |opts|
+  opts.banner = "Usage: unicorn-lockdown-add [options] app_name"
+  opts.separator "Options:"
+
+  opts.on_tail("-h", "-?", "--help", "Show this message") do
+    puts opts
+    exit
+  end
+
+  opts.on("-c rackup_file", "rackup configuration file") do |v|
+    rackup = "rackup_file=#{v}\n"
+  end
+
+  opts.on("-d dir", "application directory name") do |v|
+    dir = v
+  end
+
+  opts.on("-f unicorn_file", "unicorn configuration file relative to application directory") do |v|
+    unicorn_file = v
+    unicorn = "unicorn_conf=#{v}\n"
+  end
+
+  opts.on("-o owner", "operating system application owner") do |v|
+    owner = v
+    ent = Etc.getpwnam(v)
+    owner_uid = ent.uid
+    owner_gid = ent.gid
+  end
+
+  opts.on("-u user", "operating system user to run application") do |v|
+    user = v
+  end
+
+  opts.on("--uid uid", "user id to use if creating the user when -U is specified") do |v|
+    new_user_uid = Integer(v, 10)
+  end
+end
+options.parse!
+
+app = ARGV.shift
+dir ||= app
+base_dir = dir
+
+root_id = 0
+bin_id = 7
+www_id = 67
+
+www_root = '/var/www'
+dir = "#{www_root}/#{dir}"
+etc_dir = "#{dir}/etc"
+hosts_file = "#{etc_dir}/hosts"
+resolv_file = "#{etc_dir}/resolv.conf"
+rc_file = "/etc/rc.d/unicorn_#{app.tr('-', '_')}"
+nginx_file = "/etc/nginx/#{app}.conf"
+unicorn_conf_file = "#{dir}/#{unicorn_file}"
+unicorn_log_file = "/var/log/unicorn/#{app}.log"
+nginx_access_log_file = "/var/log/nginx/#{app}.access.log"
+nginx_error_log_file = "/var/log/nginx/#{app}.error.log"
+
+# Add application user if it doesn't exist
+if user
+  passwd = begin
+    Etc.getpwnam(user)
+  rescue ArgumentError
+    args = ['/usr/sbin/useradd', '-d', '/var/empty', '-g', '=uid', '-G', '_unicorn', '-L', 'daemon', '-s', '/sbin/nologin']
+    if new_user_uid
+      args << '-u' << new_user_uid.to_s
+    end
+    args << user
+    sh(*args)
+    Etc.getpwnam(user)
+  end
+  app_uid = passwd.uid
+end
+
+# Create application directory and chroot directories if they doesn't exist
+[dir, "#{dir}/var", "#{dir}/var/www", "#{dir}/etc", "#{dir}/public"].each do |d|
+  unless File.directory?(d)
+    puts "Creating #{d}"
+    Dir.mkdir(d)
+    File.chmod(0755, d)
+    File.chown(owner_uid, owner_gid, d) if owner
+  end
+end
+
+# DRY up file ownership code
+setup_file_owner = lambda do |file|
+  File.chmod(0644, file)
+  File.chown(owner_uid, owner_gid, file) if owner
+end
+
+# Setup symlink to root so that the same paths work both when
+# chrooted and when not chrooted.
+chroot_link = "#{dir}#{dir}"
+unless File.symlink?(chroot_link)
+  puts "Creating #{chroot_link}"
+  File.symlink('/', chroot_link)
+end
+
+# Add /etc/hosts files to chroot
+unless File.file?(hosts_file)
+  puts "Creating #{hosts_file}"
+  File.binwrite(hosts_file, <<END)
+127.0.0.1 localhost
+END
+  setup_file_owner.call(hosts_file)
+end
+
+# Add /etc/resolv.conf files to chroot
+unless File.file?(resolv_file)
+  puts "Creating #{resolv_file}"
+  File.binwrite(resolv_file, <<END)
+lookup file
+END
+  setup_file_owner.call(resolv_file)
+end
+
+# Setup unicorn configuration file
+unless File.file?(unicorn_conf_file)
+  puts "Creating #{unicorn_conf_file}"
+  File.binwrite(unicorn_conf_file, <<END)
+require 'unicorn-lockdown'
+
+Unicorn.lockdown(self,
+  :app=>#{app.inspect},
+  :user=>#{user.inspect}, # Set application user here
+  :pledge=>'rpath prot_exec inet unix', # More may be needed
+  :email=>'root' # update this with correct email
+)
+END
+  setup_file_owner.call(unicorn_conf_file)
+end
+
+# Setup /etc/nginx/* file for nginx configuration
+unless File.file?(nginx_file)
+  puts "Creating #{nginx_file}"
+  File.binwrite(nginx_file, <<END)
+upstream #{app}_unicorn {
+    server unix:/sockets/#{app}.sock fail_timeout=0;
+}
+server {
+    server_name #{app};
+    access_log #{nginx_access_log_file} main;
+    error_log #{nginx_error_log_file} warn;
+    root #{dir}/public;
+    error_page   500 503 /500.html;
+    error_page   502 504 /502.html;
+    proxy_set_header  X-Real-IP  $remote_addr;
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header  Host $http_host;
+    proxy_redirect    off;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options deny;
+    add_header X-XSS-Protection "1; mode=block";
+    try_files $uri @#{app}_unicorn;
+    location @#{app}_unicorn {
+        proxy_pass http://#{app}_unicorn;
+    }
+}
+END
+
+  setup_file_owner.call(nginx_file)
+end
+
+# Setup nginx log file
+[nginx_access_log_file, nginx_error_log_file].each do |f|
+  unless File.file?(f)
+    puts "Creating #{f}"
+    File.binwrite(f, '')
+    File.chmod(0644, f)
+    File.chown(www_id, root_id, f)
+  end
+end
+
+# Setup unicorn log file
+unless File.file?(unicorn_log_file)
+  puts "Creating #{unicorn_log_file}"
+  File.binwrite(unicorn_log_file, '')
+  File.chmod(0640, unicorn_log_file)
+  File.chown(app_uid, app_uid, unicorn_log_file) if app_uid
+end
+
+# Setup /etc/rc.d/unicorn_* file for daemon management
+unless File.file?(rc_file)
+  puts "Creating #{rc_file}"
+  File.binwrite(rc_file, <<END)
+#!/bin/ksh
+
+unicorn_app=#{app}
+unicorn_dir=#{dir}
+#{unicorn}#{rackup} 
+. /etc/rc.d/rc.unicorn
+END
+
+  File.chmod(0755, rc_file)
+  File.chown(root_id, bin_id, rc_file)
+end

data/bin/unicorn-lockdown-setup

@@ -0,0 +1,68 @@
+#!/usr/bin/env ruby
+
+require 'etc'
+
+def sh(*args)
+  puts "Running: #{args.join(' ')}"
+  system(*args) || raise("Error while running: #{args.join(' ')}")
+end
+
+request_dir = '/var/www/requests'
+socket_dir = '/var/www/sockets'
+unicorn_log_dir = '/var/log/unicorn'
+nginx_log_dir = "/var/log/nginx"
+rc_unicorn_file = '/etc/rc.d/rc.unicorn'
+
+unicorn_group = '_unicorn'
+root_id = 0
+daemon_id = 1
+www_id = 67
+
+# Add _unicorn group if it doesn't exist
+group = begin
+  Etc.getgrnam(unicorn_group)
+rescue ArgumentError
+  sh('groupadd', unicorn_group)
+  Etc.getgrnam(unicorn_group)
+end
+unicorn_group_id = group.gid
+
+# Setup requests directory to hold per-request information for crash notifications
+unless File.directory?(request_dir)
+  puts "Creating #{request_dir}"
+  Dir.mkdir(request_dir)
+  File.chmod(0700, request_dir)
+  File.chown(root_id, daemon_id, request_dir)
+end
+
+# Setup sockets directory to hold PostgreSQL database connection sockets
+unless File.directory?(socket_dir)
+  puts "Creating #{socket_dir}"
+  Dir.mkdir(socket_dir)
+  File.chmod(0770, socket_dir)
+  File.chown(www_id, unicorn_group_id, socket_dir)
+end
+
+# Setup log directory to hold unicorn application logs
+unless File.directory?(unicorn_log_dir)
+  puts "Creating #{unicorn_log_dir}"
+  Dir.mkdir(unicorn_log_dir)
+  File.chmod(0755, unicorn_log_dir)
+  File.chown(root_id, daemon_id, unicorn_log_dir)
+end
+
+# Setup log directory to hold nginx logs
+unless File.directory?(nginx_log_dir)
+  puts "Creating #{nginx_log_dir}"
+  Dir.mkdir(nginx_log_dir)
+  File.chmod(0775, nginx_log_dir)
+  File.chown(www_id, root_id, nginx_log_dir)
+end
+
+# Setup rc.unicorn file
+unless File.file?(rc_unicorn_file)
+  puts "Creating #{rc_unicorn_file}"
+  File.binwrite(rc_unicorn_file, File.binread(File.join(File.dirname(__dir__), 'files', 'rc.unicorn')))
+  File.chmod(0644, rc_unicorn_file)
+  File.chown(root_id, root_id, rc_unicorn_file)
+end

data/lib/unicorn-lockdown.rb

@@ -133,12 +133,10 @@ class << Unicorn
         # that are probably needed at runtime.  This must be done
         # before chrooting as attempting to load the constants after
         # chrooting will break things.
-        #
-        # This part is the most prone to breakage, as new versions
-        # of the rack or mail libraries (or new libraries that
-        # use autoload) could break things, as well as existing
-        # applications using new features at runtime that were
-        # not loaded at load time.
+        
+        # Start with rack, which uses autoload for all constants.
+        # Most of rack's constants are not used at runtime, this
+        # lists the ones most commonly needed.
         Rack::Multipart
         Rack::Multipart::Parser
         Rack::Multipart::Generator
@@ -150,17 +148,13 @@ class << Unicorn
           Rack::Lint
           Rack::ShowExceptions
         end
+
+        # If using the mail library, eagerly autoload all constants.
+        # This costs about 9MB of memory, but the mail gem changes
+        # their autoloaded constants on a regular basis, so it's
+        # better to be safe than sorry.
         if defined?(Mail)
-          Mail::Address
-          Mail::AddressList
-          Mail::Parsers::AddressListsParser
-          Mail::ContentTransferEncodingElement
-          Mail::ContentDispositionElement
-          Mail::MessageIdsElement
-          Mail::MimeVersionElement
-          Mail::OptionalField
-          Mail::ContentTypeElement
-          Mail::SMTP
+          Mail.eager_autoload!
         end
 
         # Strip path prefixes from the reloader.  This is only

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unicorn-lockdown
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.10.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-02 00:00:00.000000000 Z
+date: 2018-05-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pledge
@@ -40,12 +40,17 @@ dependencies:
         version: '0'
 description: 
 email: code@jeremyevans.net
-executables: []
+executables:
+- unicorn-lockdown-add
+- unicorn-lockdown-setup
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG
 - MIT-LICENSE
 - README.rdoc
+- bin/unicorn-lockdown-add
+- bin/unicorn-lockdown-setup
 - files/rc.unicorn
 - lib/chrooter.rb
 - lib/rack/email_exceptions.rb