unicorn-lockdown 0.10.0 → 0.11.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG +6 -0
- data/README.rdoc +6 -2
- data/bin/unicorn-lockdown-add +7 -0
- data/lib/roda/plugins/pg_disconnect.rb +10 -0
- data/lib/unicorn-lockdown.rb +14 -4
- metadata +3 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f379b63ba85656d84b40cbad69d4574e94ec19dfbccda67ebb92115b09de1b6b
|
|
4
|
+
data.tar.gz: 762030825817a4d2722b1d9a9019de636839ffb926e8e082e9a0344fe63a9935
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8e7d1b9357f5ef3545b929ab063f1dd31ec4786f8386f0282b6da8a3b92472fcf7f2071839a23dda6f6ea476a62840179c8c2f66cf0bf4866138e98c9c404fd9
|
|
7
|
+
data.tar.gz: 7c3fa555edec5bb533caab2f709c6f51a199528d669897de152aa1c7ac7230a5592f6709c25ada286a162a1078805662bde19779e51cedd8694975ae86a291d9
|
data/CHANGELOG
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
= 0.11.0 (2019-03-18)
|
|
2
|
+
|
|
3
|
+
* Support separate log group and process primary group on Unicorn 5.5.0+ using :group option (jeremyevans)
|
|
4
|
+
|
|
5
|
+
* Make Roda pg_disconnect plugin support new Roda dispatch API (jeremyevans)
|
|
6
|
+
|
|
1
7
|
= 0.10.0 (2018-05-21)
|
|
2
8
|
|
|
3
9
|
* Use Mail.eager_autoload! if using the mail gem (jeremyevans)
|
data/README.rdoc
CHANGED
|
@@ -7,8 +7,8 @@ and pledge.
|
|
|
7
7
|
With the configuration unicorn-lockdown uses, the unicorn process executes as root,
|
|
8
8
|
and the unicorn master process continues to run as root. The master process
|
|
9
9
|
forks worker processes, which re-exec (fork+exec) so that a new memory layout
|
|
10
|
-
is used in each worker process. The
|
|
11
|
-
after which it
|
|
10
|
+
is used in each worker process. The worker process then loads the application,
|
|
11
|
+
after which it chroots to the application's directory, drops root privileges
|
|
12
12
|
and then runs as the application user (privdrop), then runs pledge to limit
|
|
13
13
|
the allowed system calls to the minimum required to run the application.
|
|
14
14
|
|
|
@@ -90,6 +90,10 @@ Unicorn.lockdown options:
|
|
|
90
90
|
:app :: (required) a short string for the name of the application, used
|
|
91
91
|
for socket/log file names and in notifications
|
|
92
92
|
:user :: (required) the user to drop privileges to
|
|
93
|
+
:group :: (optional) the group to use to run the application. On Unicorn
|
|
94
|
+
5.5.0+, can be an array with two entries, the first used as the
|
|
95
|
+
process primary group, the second as the owner of the unicorn
|
|
96
|
+
log files.
|
|
93
97
|
:pledge :: (optional) a pledge string to limit the allowed system calls
|
|
94
98
|
after privileges have been dropped
|
|
95
99
|
:email :: (optional) an email address to use for notifications when the
|
data/bin/unicorn-lockdown-add
CHANGED
|
@@ -137,6 +137,13 @@ end
|
|
|
137
137
|
|
|
138
138
|
# Setup unicorn configuration file
|
|
139
139
|
unless File.file?(unicorn_conf_file)
|
|
140
|
+
unicorn_conf_dir = File.dirname(unicorn_conf_file)
|
|
141
|
+
unless File.directory?(unicorn_conf_dir)
|
|
142
|
+
puts "Creating #{unicorn_conf_dir}"
|
|
143
|
+
Dir.mkdir(unicorn_conf_dir)
|
|
144
|
+
File.chmod(0755, unicorn_conf_dir)
|
|
145
|
+
File.chown(owner_uid, owner_gid, unicorn_conf_dir) if owner
|
|
146
|
+
end
|
|
140
147
|
puts "Creating #{unicorn_conf_file}"
|
|
141
148
|
File.binwrite(unicorn_conf_file, <<END)
|
|
142
149
|
require 'unicorn-lockdown'
|
|
@@ -30,6 +30,16 @@ class Roda
|
|
|
30
30
|
Process.kill(:QUIT, $$)
|
|
31
31
|
raise
|
|
32
32
|
end
|
|
33
|
+
|
|
34
|
+
# When database connection is lost, kill the worker process, so a new one will be generated.
|
|
35
|
+
# This is necessary because the unix socket used by the database connection is no longer available
|
|
36
|
+
# once the application is chrooted.
|
|
37
|
+
def _roda_handle_main_route
|
|
38
|
+
super
|
|
39
|
+
rescue Sequel::DatabaseDisconnectError, Sequel::DatabaseConnectionError, PG::ConnectionBad
|
|
40
|
+
Process.kill(:QUIT, $$)
|
|
41
|
+
raise
|
|
42
|
+
end
|
|
33
43
|
end
|
|
34
44
|
end
|
|
35
45
|
|
data/lib/unicorn-lockdown.rb
CHANGED
|
@@ -49,9 +49,13 @@ class << Unicorn
|
|
|
49
49
|
# to enable programmers to debug and fix the issue.
|
|
50
50
|
attr_accessor :request_logger
|
|
51
51
|
|
|
52
|
-
# The user
|
|
52
|
+
# The user to run as. Also specifies the group to run as if group_name is not set.
|
|
53
53
|
attr_accessor :user_name
|
|
54
54
|
|
|
55
|
+
# The group name to run as. Can be an array of two strings, where the first string
|
|
56
|
+
# is the primary group, and the second string is the group used for the log files.
|
|
57
|
+
attr_accessor :group_name
|
|
58
|
+
|
|
55
59
|
# The pledge string to use.
|
|
56
60
|
attr_accessor :pledge
|
|
57
61
|
|
|
@@ -77,11 +81,15 @@ class << Unicorn
|
|
|
77
81
|
# Options:
|
|
78
82
|
# :app :: The name of the application (required)
|
|
79
83
|
# :email : The email to notify for worker crashes
|
|
80
|
-
# :user :: The user
|
|
84
|
+
# :user :: The user to run as (required)
|
|
85
|
+
# :group :: The group to run as (if not set, uses :user as the group).
|
|
86
|
+
# Can be an array of two strings, where the first string is the primary
|
|
87
|
+
# group, and the second string is the group used for the log files.
|
|
81
88
|
# :pledge :: The string to use when pledging
|
|
82
89
|
def lockdown(configurator, opts)
|
|
83
90
|
Unicorn.app_name = opts.fetch(:app)
|
|
84
91
|
Unicorn.user_name = opts.fetch(:user)
|
|
92
|
+
Unicorn.group_name = opts[:group] || opts[:user]
|
|
85
93
|
Unicorn.email = opts[:email]
|
|
86
94
|
Unicorn.pledge = opts[:pledge]
|
|
87
95
|
|
|
@@ -164,7 +172,7 @@ class << Unicorn
|
|
|
164
172
|
|
|
165
173
|
# Drop privileges. This must be done after chrooting as
|
|
166
174
|
# chrooting requires root privileges.
|
|
167
|
-
worker.user(Unicorn.user_name, Unicorn.
|
|
175
|
+
worker.user(Unicorn.user_name, Unicorn.group_name, pwd)
|
|
168
176
|
|
|
169
177
|
if Unicorn.pledge
|
|
170
178
|
# Pledge after dropping privileges, because dropping
|
|
@@ -222,7 +230,9 @@ class << Unicorn
|
|
|
222
230
|
|
|
223
231
|
# Then get information from /etc and drop group privileges
|
|
224
232
|
uid = Etc.getpwnam(Unicorn.user_name).uid
|
|
225
|
-
|
|
233
|
+
group = Unicorn.group_name
|
|
234
|
+
group = group.first if group.is_a?(Array)
|
|
235
|
+
gid = Etc.getgrnam(group).gid
|
|
226
236
|
if gid && Process.egid != gid
|
|
227
237
|
Process.initgroups(Unicorn.user_name, gid)
|
|
228
238
|
Process::GID.change_privilege(gid)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: unicorn-lockdown
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.11.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jeremy Evans
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2019-03-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: pledge
|
|
@@ -75,8 +75,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
75
75
|
- !ruby/object:Gem::Version
|
|
76
76
|
version: '0'
|
|
77
77
|
requirements: []
|
|
78
|
-
|
|
79
|
-
rubygems_version: 2.7.6
|
|
78
|
+
rubygems_version: 3.0.3
|
|
80
79
|
signing_key:
|
|
81
80
|
specification_version: 4
|
|
82
81
|
summary: Helper library for running Unicorn with chroot/privdrop/fork+exec/pledge
|