unicorn-lockdown 0.9.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e3ce59cddf9d01567fd8a064530c8d1cc54e45a96eecb54fbacfc376ed73c030
+  data.tar.gz: 7e52c5cc4e6ed7673e84fdce2b67516284a49409d1e5a5adcc0a489a401f52e6
+SHA512:
+  metadata.gz: 42147643aa1eb541874fc61ef91152800617b91fb69e57f3765d0ea33f372f787a1fa9074eb9eb74400fe2f4ec4f699213875a0ec9446ac08ae6b8f1baad3e08
+  data.tar.gz: c74fb916793633f0da277b1541cce8d9773a985035b0f36bfef9f545abf28e1c8f38796d0fd18da5525ab49ff2a46e4be428cc25384461e53c8615095b9a1ec9

data/MIT-LICENSE

@@ -0,0 +1,18 @@
+Copyright (c) 2018 Jeremy Evans
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+  
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+   
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,212 @@
+= unicorn-lockdown
+
+unicorn-lockdown is a helper library for running Unicorn on OpenBSD in a way
+that supports security features such as chroot, privdrop, fork+exec,
+and pledge.
+
+With the configuration unicorn-lockdown uses, the unicorn process executes as root,
+and the unicorn master process continues to run as root.  The master process
+forks worker processes, which re-exec (fork+exec) so that a new memory layout
+is used in each worker process.  The work process then loads the application,
+after which it chroot's to the application's directory, drops root privileges
+and then runs as the application user (privdrop), then runs pledge to limit
+the allowed system calls to the minimum required to run the application.
+
+== Assumptions
+
+unicorn-lockdown assumes you are using OpenBSD 6.2+ with the nginx and
+rubyXY-unicorn packages installed, and that you have a unicorn symlink in
+the PATH to the appropriate unicornXY executable.
+
+It also assumes you have a SMTP server listening on localhost port 25 to
+receive notification emails of worker crashes, if you are notifying for those.
+
+== Usage
+
+=== unicorn-lockdown-setup
+
+To start the process of setting up your system to use unicorn-lockdown, run
+the following as root after reading the file and understanding what it does.
+
+  unicorn-lockdown-setup
+
+Briefly, the configuration this uses the following directories:
+
+/var/www/sockets :: Stores unix sockets that Unicorn listens on and Nginx uses.
+/var/www/requests :: Stores temporary files for each request with request info,
+                     used for crash notifications
+/var/log/unicorn :: Stores unicorn log files, one per application
+/var/log/nginx :: Stores nginx log files, two per application, one for access
+                  and one for errors
+
+This adds a _unicorn group that all per-application users will use as their
+group, as well as a /etc/rc.d/rc.unicorn file that the per application
+/etc/rc.d/unicorn_* files will use.
+
+=== unicorn-lockdown-add
+
+For each application you want to run with unicorn lockdown, run the following
+as root, again after reading the file and understanding what it does:
+
+  unicorn-lockdown-add
+
+Here's an excerpt of the usage:
+
+  Usage: unicorn-lockdown-add [options] app_name
+  Options:
+      -c     rackup_file   rackup configuration file
+      -d     dir           application directory name
+      -f     unicorn_file  unicorn configuration file relative to application directory
+      -o     owner         operating system application owner
+      -u     user          operating system user to run application
+      --uid  uid           user id to use if creating the user when -U is specified
+
+It is a very good idea to specify -o and -u, the other options can be ignored
+if you are OK with the default values.  The owner (-o) and the user (-u) should be
+different.  The user is the user the application runs as, and should have very limited
+access to the application directory.  The owner is the user that owns the application
+directory and can make modifications to the application.
+
+=== unicorn-lockdown
+
+unicorn-lockdown is the library required in your unicorn configuration
+file for the application, to handle configuring unicorn to run the app
+with chroot, privdrop, fork+exec, and pledge.
+
+When you run unicorn-lockdown-add, it will create the unicorn configuration
+file for the app if one does not already exist, looking similar to:
+
+  require 'unicorn-lockdown'
+
+  Unicorn.lockdown(self,
+    :app=>"app_name",
+    :user=>"user_name", # Set application user here
+    :pledge=>'rpath prot_exec inet unix' # More may be needed
+    :email=>'root' # update this with correct email
+  )
+
+Unicorn.lockdown options:
+
+:app :: (required) a short string for the name of the application, used
+        for socket/log file names and in notifications
+:user :: (required) the user to drop privileges to
+:pledge :: (optional) a pledge string to limit the allowed system calls
+           after privileges have been dropped
+:email :: (optional) an email address to use for notifications when the
+          worker process crashes or an unhandled exception is raised by
+          the application or middleware.
+
+With this example pledge:
+
+* rpath is needed to read files in the chrooted file system
+* prot_exec is needed in most cases
+* unix is needed for the unix socket to nginx
+* inet is not needed in all cases, but in most applications need some form
+  of network access.  pf (OpenBSD's firewall) should be used to limit
+  access for the application's operating system user to the minimum
+  necessary access needed.
+
+unicorn-lockdown has specific support for allowing for emails to be sent
+for Unicorn worker crashes (e.g. pledge violations). It also has support
+for using rack-unreloader to run your application in development mode
+under the chroot while allowing for reloading files if they are modified.
+Additionally, unicorn-lockdown modifies unicorn's process status line in a
+way that allows it to be controllable via OpenBSD's rcctl program for
+stopping/starting/reloading/restarting daemons.
+
+By default, Unicorn.lockdown limits the client_body_buffer_size to 11MB,
+with the expectation of an Nginx limit of 10MB, such that all client
+requests will be buffered in memory and unicorn will not need to write
+temporary files to disk.  If this limit is not correct for your
+application, please call client_body_buffer_size after calling
+Unicorn.lockdown to set an appropriate limit.
+
+When Unicorn.lockdown is used with the :email option, if the worker
+process crashes, it will email the address using the contents specified
+by the request file.  To make sure there is useful information to email
+in the case of a crash, you need to populate the request information for
+all requests.  If you are using Roda, one way to do this is to use the
+error_email or error_mail plugins:
+
+  plugin :error_email, :from=>'foo@example.com', :to=>'foo@example.com',
+    :prefix=>'[app_name]'
+  # or
+  plugin :error_mail, :from=>'foo@example.com', :to=>'foo@example.com',
+    :prefix=>'[app_name]'
+
+and then at the top of the route block, do:
+
+  if defined?(Unicorn) && Unicorn.respond_to?(:write_request)
+    Unicorn.write_request(error_email_content("Unicorn Worker Process Crash"))
+  end
+
+If you don't have useful information in the request file, an email will
+still be sent for notification purposes, but it will not include request
+related information, which could make it difficult to diagnose the
+underlying problem.
+
+=== roda-pg_disconnect
+
+If you are using PostgreSQL as the database for the application, and using
+unix sockets to connect the application to the database, if the database
+is restarted, the application will no longer be able to connect to it.  The
+only way to fix this is to kill the worker process and have the master
+process spawn a new worker.  The roda-pg_disconnect plugin is a plugin
+for the roda web toolkit to kill the worker if it detects the database
+connection has been lost.  This plugin assumes the use of the Sequel database
+library and postgres adapter with the pg driver.
+
+In your Roda application:
+
+  # Sometime before loading the error_handler plugin
+  plugin :pg_disconnect
+
+=== rack-email_exceptions
+
+rack-email_exceptions is a rack middleware designed to be the first
+middleware loaded into applications.  It rescues unhandled exceptions
+raised by subsequent middleware or the application itself.
+
+Unicorn.lockdown will automatically setup this middleware if the :email
+option is used and the RACK_ENV environment variable is set to production,
+such that it wraps the application and all other middleware.
+
+It is possible to use this middleware manually:
+
+  require 'rack/email_exceptions'
+  use Rack::EmailExceptions, "app_name", 'foo@example.com'
+
+=== chrooter
+
+chrooter is a library designed to help with testing applications both in
+chroot mode and non-chroot mode.  If you are running your application
+chrooted, you must support testing while chrooted otherwise it is very
+difficult to find problems that only occur when chrooted before putting
+the application into production, such as a file being read from outside
+the chroot.
+
+chrooter assumes you are using minitest for testing.  To use chrooter:
+
+  require 'minitest/autorun'
+  require 'chrooter'
+  at_exit{Chrooter.chroot('user_name', 'rpath prot_exec inet unix')}
+
+If you run your specs as a regular user, it will execute them without
+chrooting, but in a way that can still catch some problems that occur
+when chrooted.  If you run your specs as root, it will chroot to
+the current directory after loading the specs, then drop
+privileges to the user given (and optionally pledging using the given
+pledge string), then run the specs.
+
+== autoload
+
+As you'll find out if you try to run your applications with chroot,
+autoload is the enemy.  Both unicorn-lockdown and chrooter have support
+for handling common autoloaded constants in the rack and mail gems.
+If you use other gems that use autoload, you'll have to add code that
+references the autoloaded constants after the application is loaded but
+before chrooting.
+
+== Author
+
+Jeremy Evans <code@jeremyevans.net>

data/files/rc.unicorn

@@ -0,0 +1,21 @@
+[ -z "${unicorn_conf}" ] && unicorn_conf=unicorn.conf
+
+daemon="/usr/local/bin/unicorn"
+daemon_flags="-c ${unicorn_conf} -D ${rackup_file}"
+
+[ -n "${unicorn_dir}" ] || rc_err "$0: unicorn_dir is not set"
+[ -n "${unicorn_app}" ] || rc_err "$0: unicorn_app is not set"
+
+. /etc/rc.d/rc.subr
+
+pexp="ruby[0-9][0-9]: unicorn-$unicorn_app-master .*"
+
+rc_start() {
+  ${rcexec} "cd ${unicorn_dir} && ${daemon} ${daemon_flags}"
+}
+
+rc_stop() {
+   pkill -QUIT -T "${daemon_rtable}" -xf "${pexp}" 
+}
+
+rc_cmd $1

data/lib/chrooter.rb

@@ -0,0 +1,110 @@
+require 'etc'
+require 'pledge'
+
+# Loading single_byte encoding
+"\255".force_encoding('ISO8859-1').encode('UTF-8')
+
+# Load encodings
+''.force_encoding('UTF-16LE')
+''.force_encoding('UTF-16BE')
+
+# Don't run external diff program for failures
+Minitest::Assertions.diff = false
+
+if defined?(SimpleCov) && Process.euid == 0
+  # Prevent coverage testing in chroot mode. Chroot vs
+  # non-chroot should not matter in terms of lines covered,
+  # and running coverage tests in chroot mode will probable fail
+  # when it comes time to write the coverage files.
+  SimpleCov.at_exit{}
+  raise "cannot run coverage testing in chroot mode"
+end
+
+# Chrooter allows for testing programs in both chroot and non
+# chroot modes.
+module Chrooter
+  # If the current user is the super user, change to the given
+  # user/group, chroot to the given directory, and pledge
+  # the process with the given permissions (if given).
+  #
+  # If the current user is not the super user, freeze
+  # $LOADED_FEATURES to more easily detect problems with
+  # autoloaded constants, and just pledge the process with the
+  # given permissions (if given).
+  #
+  # This will reference common autoloaded constants in the
+  # rack and mail libraries if they are defined.  Other
+  # autoloaded constants should be referenced before calling
+  # this method.
+  #
+  # In general this should be called inside an at_exit block
+  # after loading minitest/autorun, so it will run after all
+  # specs are loaded, but before running specs.
+  def self.chroot(user, pledge=nil, group=user, dir=Dir.pwd)
+    # Work around autoload issues in libraries.
+    # autoload is problematic when chrooting because if the
+    # constant is not referenced before chrooting, an
+    # exception is raised if the constant is raised
+    # after chrooting.
+    #
+    # The constants listed here are the autoloaded constants
+    # known to be used by any applications.  This list
+    # may need to be updated when libraries are upgraded
+    # and add new constants, or when applications start
+    # using new features.
+    if defined?(Rack)
+      Rack::MockRequest if defined?(Rack::MockRequest)
+      Rack::Auth::Digest::Params if defined?(Rack::Auth::Digest::Params)
+      if defined?(Rack::Multipart)
+        Rack::Multipart
+        Rack::Multipart::Parser
+        Rack::Multipart::Generator
+        Rack::Multipart::UploadedFile
+      end
+    end
+    if defined?(Mail)
+      Mail::Address
+      Mail::AddressList
+      Mail::Parsers::AddressListsParser
+      Mail::ContentTransferEncodingElement
+      Mail::ContentDispositionElement
+      Mail::MessageIdsElement
+      Mail::MimeVersionElement
+      Mail::OptionalField
+      Mail::ContentTypeElement
+    end
+
+    if Process.euid == 0
+      uid = Etc.getpwnam(user).uid
+      gid = Etc.getgrnam(group).gid
+      if Process.egid != gid
+        Process.initgroups(user, gid)
+        Process::GID.change_privilege(gid)
+      end
+      Dir.chroot(dir)
+      Dir.chdir('/')
+      Process.euid != uid and Process::UID.change_privilege(uid)
+      puts "Chrooted to #{dir}, running as user #{user}"
+    else
+      # Load minitest plugins before freezing loaded features,
+      # so they don't break.
+      Minitest.load_plugins
+
+      # Emulate chroot not working by freezing $LOADED_FEATURES
+      # This allows to more easily catch bugs that only occur
+      # when chrooted, such as referencing an autoloaded constant
+      # that wasn't loaded before the chroot.
+      $LOADED_FEATURES.freeze
+    end
+
+    unless defined?(SimpleCov)
+      if pledge
+        # If running coverage tests, don't run pledged as coverage
+        # testing can require many additional permissions.
+        Pledge.pledge(pledge)
+      end
+    end
+
+    nil
+  end
+end

data/lib/rack/email_exceptions.rb

@@ -0,0 +1,44 @@
+require 'net/smtp'
+
+# Rack::EmailExceptions is designed to be the first middleware loaded in production
+# applications.  It rescues errors and emails about them.  It's very similar to the
+# Roda email_error plugin, except that it catches errors raised outside of the
+# application, such as by other middleware.  There should be very few of these types
+# of errors, but it is important to be notified of them if they occur.
+module Rack
+  class EmailExceptions
+    # Store the prefix to use in the email in addition to the next application.
+    def initialize(app, prefix, email)
+      @app = app
+      @prefix = prefix
+      @email = email
+    end
+
+    # Rescue any errors raised by calling the next application, and if there is an
+    # error, email about it before reraising it.
+    def call(env)
+      @app.call(env)
+    rescue StandardError, ScriptError => e
+      body = <<END
+From: #{@email}\r
+To: #{@email}\r
+Subject: [#{@prefix}] Unhandled Error Raised by Rack App or Middleware\r
+\r
+\r
+Error: #{e.class}: #{e.message}
+
+Backtrace:
+
+#{e.backtrace.join("\n")}
+
+ENV:
+
+#{env.map{|k, v| "#{k.inspect} => #{v.inspect}"}.sort.join("\n")}
+END
+
+      Net::SMTP.start('127.0.0.1'){|s| s.send_message(body, @email, @email)}
+
+      raise
+    end
+  end
+end

data/lib/roda/plugins/pg_disconnect.rb

@@ -0,0 +1,39 @@
+# frozen-string-literal: true
+
+class Roda
+  module RodaPlugins
+    # The pg_disconnect plugin recognizes any disconnection type errors, and kills the process
+    # if those errors are received.  This is designed to be used only when using Unicorn as the
+    # web server, since Unicorn will respawn a new worker process. This kills the process with
+    # the QUIT signal, allowing Unicorn to finish handling the current request before exiting.
+    #
+    # This is designed to be used with applications that cannot connect to the database
+    # after application initialization, either because they are using chroot and the database
+    # connection socket is outside the chroot, or because they are using a firewall and access
+    # to the database server is not allowed from the application the process is running as after
+    # privileges are dropped.
+    # 
+    # This plugin must be loaded before the roda error_handler plugin, and it assumes usage of the
+    # Sequel database library with the postgres adapter and pg driver.
+    module PgDisconnect
+      def self.load_dependencies(app)
+        raise RodaError, "error_handler plugin already loaded" if app.method_defined?(:handle_error)
+      end
+
+      module InstanceMethods
+        # When database connection is lost, kill the worker process, so a new one will be generated.
+        # This is necessary because the unix socket used by the database connection is no longer available
+        # once the application is chrooted.
+        def call
+          super
+        rescue Sequel::DatabaseDisconnectError, Sequel::DatabaseConnectionError, PG::ConnectionBad
+          Process.kill(:QUIT, $$)
+          raise
+        end
+      end
+    end
+
+    register_plugin(:pg_disconnect, PgDisconnect)
+  end
+end
+

data/lib/unicorn-lockdown.rb

@@ -0,0 +1,266 @@
+# unicorn-lockdown is designed to be used with Unicorn's chroot support, and
+# handles:
+# * pledging the app to restrict allowed syscalls at the appropriate point
+# * handling notifications of worker crashes
+# * forcing loading of some common autoloaded constants
+# * stripping path prefixes from the reloader in development mode
+
+require 'pledge'
+
+# Loading single_byte encoding
+"\255".force_encoding('ISO8859-1').encode('UTF-8')
+
+# Load encodings
+''.force_encoding('UTF-16LE')
+''.force_encoding('UTF-16BE')
+
+class Unicorn::HttpServer
+  # The file name in which to store request information. The
+  # /var/www/requests folder is currently accessable only
+  # to root.
+  def request_filename(pid)
+    "/var/www/requests/#{Unicorn.app_name}.#{pid}.txt"
+  end
+
+  # Override the process name for the unicorn processes, both master and
+  # worker.  This gives all applications a consistent prefix, which can
+  # be used to pkill processes by name instead of using pidfiles.
+  def proc_name(tag)
+    ctx = self.class::START_CTX
+    $0 = ["unicorn-#{Unicorn.app_name}-#{tag}"].concat(ctx[:argv]).join(' ')
+  end
+end
+
+#
+class << Unicorn
+  # The Unicorn::HttpServer instance in use.  This is only set once when the
+  # unicorn server is started, before forking the first worker.
+  attr_accessor :server
+
+  # The name of the application.  All applications are given unique names.
+  # This name is used to construct the log file, listening socket, and process
+  # name.
+  attr_accessor :app_name
+
+  # A File instance open for writing.  This is unique per worker process.
+  # Workers should write all new requests to this file before handling the
+  # request.  If a worker process crashes, the master process will send an
+  # notification email with the previously logged request information,
+  # to enable programmers to debug and fix the issue.
+  attr_accessor :request_logger
+
+  # The user and group name to run as.
+  attr_accessor :user_name
+
+  # The pledge string to use.
+  attr_accessor :pledge
+
+  # The address to email for crash and unhandled exception notifications
+  attr_accessor :email
+
+  # Helper method to write request information to the request logger.
+  # +email_message+ should be an email message including headers and body.
+  # This should be called at the top of the Roda route block for the
+  # application.
+  def write_request(email_message)
+    request_logger.seek(0, IO::SEEK_SET)
+    request_logger.truncate(0)
+    request_logger.syswrite(email_message)
+    request_logger.fsync
+  end
+
+  # Helper method that sets up all necessary code for chroot/pledge support.
+  # This should be called inside the appropriate unicorn.conf file.
+  # The configurator should be self in the top level scope of the
+  # unicorn.conf file, and this takes options:
+  #
+  # Options:
+  # :app :: The name of the application (required)
+  # :email : The email to notify for worker crashes
+  # :user :: The user/group to run as (required)
+  # :pledge :: The string to use when pledging
+  def lockdown(configurator, opts)
+    Unicorn.app_name = opts.fetch(:app)
+    Unicorn.user_name = opts.fetch(:user)
+    Unicorn.email = opts[:email]
+    Unicorn.pledge = opts[:pledge]
+
+    configurator.instance_exec do
+      listen "/var/www/sockets/#{Unicorn.app_name}.sock"
+
+      # Buffer all client bodies in memory.  This assumes an Nginx limit of 10MB,
+      # by using 11MB this ensures that client bodies are always buffered in
+      # memory, preventing file uploading causing a program crash if the
+      # pledge does not allow wpath and cpath.
+      client_body_buffer_size(11*1024*1024)
+
+      # Run all worker processes with unique memory layouts
+      worker_exec true
+
+      # Only change the log path if daemonizing.
+      # Otherwise, continue to log to stdout/stderr.
+      if Unicorn::Configurator::RACKUP[:daemonize]
+        stdout_path "/var/log/unicorn/#{Unicorn.app_name}.log"
+        stderr_path "/var/log/unicorn/#{Unicorn.app_name}.log"
+      end
+
+      after_fork do |server, worker|
+        server.logger.info("worker=#{worker.nr} spawned pid=#{$$}")
+
+        # Set the request logger for the worker process after forking. The
+        # process is still root here, so it can open the file in write mode.
+        Unicorn.request_logger = File.open(server.request_filename($$), "wb")
+        Unicorn.request_logger.sync = true
+      end
+
+      if wrap_app = Unicorn.email && ENV['RACK_ENV'] == 'production'
+        require 'rack/email_exceptions'
+      end
+
+      after_worker_ready do |server, worker|
+        server.logger.info("worker=#{worker.nr} ready")
+
+        # If an notification email address is setup, wrap the entire app in
+        # a middleware that will notify about any exceptions raised when
+        # processing that aren't caught by other middleware.
+        if wrap_app
+          server.instance_exec do
+            @app = Rack::EmailExceptions.new(@app, Unicorn.app_name, Unicorn.email)
+          end
+        end
+
+        # Before chrooting, reference all constants that use autoload
+        # that are probably needed at runtime.  This must be done
+        # before chrooting as attempting to load the constants after
+        # chrooting will break things.
+        #
+        # This part is the most prone to breakage, as new versions
+        # of the rack or mail libraries (or new libraries that
+        # use autoload) could break things, as well as existing
+        # applications using new features at runtime that were
+        # not loaded at load time.
+        Rack::Multipart
+        Rack::Multipart::Parser
+        Rack::Multipart::Generator
+        Rack::Multipart::UploadedFile
+        Rack::CommonLogger
+        Rack::Mime
+        Rack::Auth::Digest::Params
+        if ENV['RACK_ENV'] == 'development'
+          Rack::Lint
+          Rack::ShowExceptions
+        end
+        if defined?(Mail)
+          Mail::Address
+          Mail::AddressList
+          Mail::Parsers::AddressListsParser
+          Mail::ContentTransferEncodingElement
+          Mail::ContentDispositionElement
+          Mail::MessageIdsElement
+          Mail::MimeVersionElement
+          Mail::OptionalField
+          Mail::ContentTypeElement
+          Mail::SMTP
+        end
+
+        # Strip path prefixes from the reloader.  This is only
+        # really need in development mode for code reloading to work.
+        pwd = Dir.pwd
+        Unreloader.strip_path_prefix(pwd) if defined?(Unreloader)
+
+        # Drop privileges.  This must be done after chrooting as
+        # chrooting requires root privileges.
+        worker.user(Unicorn.user_name, Unicorn.user_name, pwd)
+
+        if Unicorn.pledge
+          # Pledge after dropping privileges, because dropping
+          # privileges requires a separate pledge.
+          Pledge.pledge(Unicorn.pledge)
+        end
+      end
+
+      # the last time there was a worker crash and the request information
+      # file was empty.  Set by default to 10 minutes ago, so the first
+      # crash will always receive an email.
+      last_empty_crash = Time.now - 600
+
+      after_worker_exit do |server, worker, status|
+        m = "reaped #{status.inspect} worker=#{worker.nr rescue 'unknown'}"
+        if status.success?
+          server.logger.info(m)
+        else
+          server.logger.error(m)
+        end
+
+        # Email about worker process crashes.  This is necessary so that
+        # programmers are notified about any pledge violations.  Pledge
+        # violations immediately abort the process, and are bugs in the
+        # application that should be fixed.  This can also catch other
+        # crashes such as SIGSEGV or SIGBUS.
+        file = server.request_filename(status.pid)
+        if File.exist?(file)
+          if !status.success? && Unicorn.email
+            if File.size(file).zero?
+              # If a crash happens and the request information file is empty,
+              # it is generally because the crash happened during initialization,
+              # in which case it will generally continue to crash in a loop until the
+              # problem is fixed.  In that case, only send an email if there hasn't
+              # been a similar crash in the last 5 minutes.  This rate-limits the
+              # crash notification emails to 1 every 5 minutes instead of potentially
+              # multiple times per second.
+              if Time.now - last_empty_crash > 300
+                last_empty_crash = Time.now
+              else
+                skip_email = true
+              end
+            end
+
+            unless skip_email
+              # If the request filename exists and the worker process crashed,
+              # send a notification email.
+              Process.waitpid(fork do
+                # Load net/smtp early, before chrooting. 
+                require 'net/smtp'
+
+                # When setting the email, first get the contents of the email
+                # from the request file.
+                body = File.read(file)
+
+                # Then get information from /etc and drop group privileges
+                uid = Etc.getpwnam(Unicorn.user_name).uid
+                gid = Etc.getgrnam(Unicorn.user_name).gid
+                if gid && Process.egid != gid
+                  Process.initgroups(Unicorn.user_name, gid)
+                  Process::GID.change_privilege(gid)
+                end
+
+                # Then chroot
+                Dir.chroot(Dir.pwd)
+                Dir.chdir('/')
+
+                # Then drop user privileges
+                Process.euid != uid and Process::UID.change_privilege(uid)
+
+                # Then use a restrictive pledge
+                Pledge.pledge('inet prot_exec')
+
+                # If body empty, crash happened before a request was received,
+                # try to at least provide the application name in this case.
+                if body.empty?
+                  body = "Subject: [#{Unicorn.app_name}] Unicorn Worker Process Crash\r\n\r\nNo email content provided for app: #{Unicorn.app_name}"
+                end
+
+                # Finally send an email to localhost via SMTP.
+                Net::SMTP.start('127.0.0.1'){|s| s.send_message(body, Unicorn.email, Unicorn.email)}
+              end)
+            end
+          end
+
+          # Remove any request logger file if it exists.
+          File.delete(file)
+        end
+      end
+    end
+  end
+end
+

metadata

@@ -0,0 +1,79 @@
+--- !ruby/object:Gem::Specification
+name: unicorn-lockdown
+version: !ruby/object:Gem::Version
+  version: 0.9.0
+platform: ruby
+authors:
+- Jeremy Evans
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-05-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: pledge
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: unicorn
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email: code@jeremyevans.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.rdoc
+- files/rc.unicorn
+- lib/chrooter.rb
+- lib/rack/email_exceptions.rb
+- lib/roda/plugins/pg_disconnect.rb
+- lib/unicorn-lockdown.rb
+homepage: https://github.com/jeremyevans/unicorn-lockdown
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: Helper library for running Unicorn with chroot/privdrop/fork+exec/pledge
+  on OpenBSD
+test_files: []