unicorn-lockdown 0.13.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5246972fac1124b5bad333f7c94163ca00193f6ad621febaef8d833be05bb6b8
-  data.tar.gz: f015a78584e3fbbeecdfc961f49acdbd9b6f967d6e73e5e47300ccf3b3b15552
+  metadata.gz: 931209c4514dbb9f15da327fac6ed81f82fed2a504c500a34aa5f6e2624cde5a
+  data.tar.gz: 160c9cf285e6c4f8abeb38bce3d1b7006f236607e6f18e606fdcbd8b53f73baa
 SHA512:
-  metadata.gz: 1d10bca6474b0c6da80c244670e0edd1fd128fa7866285dad4efaf7c5634f48889db95499556330462d23415237bddb537c80e2316e4a2b935878cefc0c2da66
-  data.tar.gz: b325c37291644bc1b06d37ff6184db81c1355668a612a1cf1bb6516aeee199cf664cce13bb4fcaba2c1bfb2252087ced308f2efa6a5c26f2d78a805ab4a271d9
+  metadata.gz: 9f457aefb1571441815165ef9fb032f2de71547debfa81d9a7d4a441019e0671e00258b77bdb4fdca29dca677a5b5e795c65a7f53483cbf67bd12ef2950e4545
+  data.tar.gz: de3ee5209b1cb08dd0918448689868cc7b5c423ec07c929df7a4475d222436b32ea271f972f789a7ee13ffcffc8a7bbafd78950741c40392d49b8c69af69473e

data/CHANGELOG

@@ -1,3 +1,17 @@
+= 1.0.0 (2020-11-09)
+
+* Require unicorn-lockdown-add -o and -u options, and require options have arguments (jeremyevans)
+
+* Switch to starting unicorn master process as application user, drop chroot support, require unveil (jeremyevans)
+
+* Remove chrooter library (jeremyevans)
+
+* Add unveiler library for testing pledged/unveiled applications, similar to chrooter but smaller (jeremyevans)
+
+* Add :master_execpledge option to Unicorn.lockdown, for initial pledge of worker processes (jeremyevans)
+
+* Add :master_pledge option to Unicorn.lockdown, for pledging the master process (jeremyevans)
+
 = 0.13.0 (2019-07-09)
 
 * Add Chrooter.unveil for using unveil in tests (jeremyevans)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2018 Jeremy Evans
+Copyright (c) 2018-2020 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/README.rdoc

@@ -1,32 +1,24 @@
 = unicorn-lockdown
 
-unicorn-lockdown is a helper library for running Unicorn on OpenBSD in a way
-that supports security features such as chroot (or unveil), privdrop, fork+exec,
-and pledge.
-
-With the configuration unicorn-lockdown uses, the unicorn process executes as root,
-and the unicorn master process continues to run as root.  The master process
-forks worker processes, which re-exec (fork+exec) so that a new memory layout
-is used in each worker process.  The worker process then loads the application,
-after which it chroots to the application's directory (or uses unveil to limit
-file system permissions), drops root privileges and then runs as the application
-user (privdrop), then runs pledge to limit the allowed system calls to the minimum
-required to run the application.
+unicorn-lockdown is a helper library for running Unicorn on OpenBSD with pledge,
+unveil, and fork+exec for increased security.
+
+With unicorn-lockdown, unicorn should be started as the application user, which
+should be different than the user that owns the application's files.  unicorn
+will pledge the master process, then fork worker processes.  The worker
+processes will re-exec (fork+exec), then load the application, then set unveil
+to restrict file system access, then pledge to limit the allowed system calls
+at runtime.
 
 == Assumptions
 
-unicorn-lockdown assumes you are using OpenBSD 6.2+ with the nginx and
-rubyXY-unicorn packages installed, and that you have a unicorn symlink in
-the PATH to the appropriate unicornXY executable.
+unicorn-lockdown assumes you are using OpenBSD 6.6+ with the nginx and
+<tt>rubyXY-unicorn</tt> and <tt>rubyXY-pledge</tt> packages installed, and that
+you have a +unicorn+ symlink in the PATH to the appropriate +unicornXY+ executable.
 
 It also assumes you have a SMTP server listening on localhost port 25 to
 receive notification emails of worker crashes, if you are notifying for those.
 
-If using unveil instead of chroot to limit file system access, you must be
-using OpenBSD 6.6+ (or 6.5-current after July 2019), one of the OpenBSD Ruby
-ports with backported support for unveil to work correctly with +File.realpath+,
-and version 1.2.0+ of the pledge gem.
-
 == Usage
 
 === unicorn-lockdown-setup
@@ -39,14 +31,14 @@ the following as root after reading the file and understanding what it does.
 Briefly, the configuration this uses the following directories:
 
 /var/www/sockets :: Stores unix sockets that Unicorn listens on and Nginx uses.
-/var/www/requests :: Stores temporary files for each request with request info,
-                     used for crash notifications
+/var/www/request-error-info :: Stores temporary files for each request with request info,
+                               used for crash notifications
 /var/log/unicorn :: Stores unicorn log files, one per application
 /var/log/nginx :: Stores nginx log files, two per application, one for access
                   and one for errors
 
-This adds a _unicorn group that all per-application users will use as their
-group, as well as a /etc/rc.d/rc.unicorn file that the per application
+This adds a _unicorn group that all application users will use as one of their
+groups, as well as a /etc/rc.d/rc.unicorn file that the application
 /etc/rc.d/unicorn_* files will use.
 
 === unicorn-lockdown-add
@@ -54,30 +46,38 @@ group, as well as a /etc/rc.d/rc.unicorn file that the per application
 For each application you want to run with unicorn lockdown, run the following
 as root, again after reading the file and understanding what it does:
 
-  unicorn-lockdown-add
+  unicorn-lockdown-add -o $owner -u $user $app_name
 
-Here's an excerpt of the usage:
+Here's the usage:
 
-  Usage: unicorn-lockdown-add [options] app_name
+  Usage: unicorn-lockdown-add -o owner -u user [options] app_name
   Options:
-      -c     rackup_file   rackup configuration file
-      -d     dir           application directory name
-      -f     unicorn_file  unicorn configuration file relative to application directory
-      -o     owner         operating system application owner
-      -u     user          operating system user to run application
-      --uid  uid           user id to use if creating the user when -U is specified
-
-It is a very good idea to specify -o and -u, the other options can be ignored
-if you are OK with the default values.  The owner (-o) and the user (-u) should be
-different.  The user is the user the application runs as, and should have very limited
-access to the application directory.  The owner is the user that owns the application
-directory and can make modifications to the application.
+      -c RACKUP_FILE                   rackup configuration file
+      -d DIR                           application directory name
+      -f UNICORN_FILE                  unicorn configuration file relative to application directory
+      -o OWNER                         operating system application owner
+      -u USER                          operating system user to run application
+          --uid UID                    user id to use if creating the user when -U is specified
+      -h, -?, --help                   Show this message
+
+The <tt>-o</tt> and <tt>-u</tt> options are required.  Default values for other options are:
+
+<tt>-c</tt> :: None, Unicorn will use <tt>config.ru</tt> by default.
+<tt>-d</tt> :: Same as +app_name+.  The value provided should a relative path under <tt>/var/www</tt>.
+<tt>-f</tt> :: <tt>unicorn.conf</tt>.  This file should be relative to +dir+.
+<tt>--uid</tt> :: The uid automatically generated by +useradd+.
+
+The owner <tt>-o</tt> and the user <tt>-u</tt> should be different.  The user is the user the
+application runs as, and should have read-only access to the application directory,
+other than locations where you want the application user to be able to modify files
+at runtime.  The owner is the user that owns the application directory and can make
+modifications to the application.
 
 === unicorn-lockdown
 
 unicorn-lockdown is the library required in your unicorn configuration
 file for the application, to handle configuring unicorn to run the app
-with chroot (or unveil), privdrop, fork+exec, and pledge.
+with fork+exec, unveil, and pledge.
 
 When you run unicorn-lockdown-add, it will create the unicorn configuration
 file for the app if one does not already exist, looking similar to:
@@ -86,48 +86,75 @@ file for the app if one does not already exist, looking similar to:
 
   Unicorn.lockdown(self,
     :app=>"app_name",
-    :user=>"user_name", # Set application user here
-    :pledge=>'rpath prot_exec inet unix', # More may be needed
-    :email=>'root' # update this with correct email
+
+    # Update this with correct email
+    :email=>'root',
+
+    # More pledges may be needed depending on application
+    :pledge=>'rpath prot_exec inet unix',
+    :master_pledge=>'rpath prot_exec cpath wpath inet proc exec',
+    :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil',
+
+    # More unveils may be needed depending on application
+    :unveil=>{
+      'views'=>'r'
+    },
+    :dev_unveil=>{
+      'models'=>'r'
+    },
   )
 
 Unicorn.lockdown options:
 
 :app :: (required) a short string for the name of the application, used
         for socket/log file names and in notifications
-:user :: (required) the user to drop privileges to
-:group :: (optional) the group to use to run the application.  On Unicorn
-          5.5.0+, can be an array with two entries, the first used as the
-          process primary group, the second as the owner of the unicorn
-          log files.
+:email :: (optional) an email address to use for notifications when the
+          worker process crashes or an unhandled exception is raised by
+          the application or middleware.
 :pledge :: (optional) a pledge string to limit the allowed system calls
            after privileges have been dropped
-:unveil :: (optional) a hash of paths to limit file system access, passed
-           to +Pledge.unveil+.  Forces use of unveil instead of chroot.
-:dev_unveil :: (optional, requires :unveil option) a hash of paths to
-               limit file system, merged into the :unveil option paths
-               if in the development environment.  Useful if you are
+:master_pledge :: (optional) The string to use when pledging the master process before
+                  spawning worker processes
+:master_execpledge :: (optional) The pledge string for processes spawned by the master
+                      process (i.e. worker processes before loading the app)
+:unveil :: (required) a hash of paths to limit file system access, passed
+           to +Pledge.unveil+.
+:dev_unveil :: (optional) a hash of paths to limit file system, merged into the :unveil
+               option paths if in the development environment.  Useful if you are
                allowing more access in development, such as access needed
                for file reloading.
-:email :: (optional) an email address to use for notifications when the
-          worker process crashes or an unhandled exception is raised by
-          the application or middleware.
 
 With this example pledge:
 
-* rpath is needed to read files in the chrooted file system
+* rpath is needed to read files
 * prot_exec is needed in most cases
 * unix is needed for the unix socket to nginx
-* inet is not needed in all cases, but in most applications need some form
-  of network access.  pf (OpenBSD's firewall) should be used to limit
-  access for the application's operating system user to the minimum
-  necessary access needed.
-
-unicorn-lockdown has specific support for allowing for emails to be sent
-for Unicorn worker crashes (e.g. pledge violations). It also has support
-for using rack-unreloader to run your application in development mode
-under the chroot while allowing for reloading files if they are modified.
-Additionally, unicorn-lockdown modifies unicorn's process status line in a
+* inet is not needed in all cases, but most applications need some form
+  of network access, and it is needed by default for emailing about
+  exceptions that occur without process crashes.  pf (OpenBSD's firewall)
+  should be used to limit access for the application's operating system
+  user to the minimum necessary access needed.
+
+With this example master pledge:
+
+* rpath is needed to read files
+* prot_exec is needed in most cases
+* cpath and wpath are needed to unlink the request error files
+* inet is needed to send emails for worker crashes
+* proc and exec are needed to spawn worker processes
+
+With this examle master exec pledge:
+
+* stdio must be added because ruby-pledge doesn't add it automatically
+  to execpromises, and Ruby requires it
+* rpath, prot_exec, unix, inet are needed for the worker (see above)
+* cpath and wpath are needed to create the request error files
+* unveil is needed to restrict file system access
+
+unicorn-lockdown has specific support for allowing emails to be sent
+for Unicorn worker crashes (e.g. pledge violations) and unhandled
+application exceptions (e.g. pledge violations).  Additionally,
+unicorn-lockdown modifies unicorn's process status line in a
 way that allows it to be controllable via OpenBSD's rcctl program for
 stopping/starting/reloading/restarting daemons.
 
@@ -136,7 +163,12 @@ with the expectation of an Nginx limit of 10MB, such that all client
 requests will be buffered in memory and unicorn will not need to write
 temporary files to disk.  If this limit is not correct for your
 application, please call client_body_buffer_size after calling
-Unicorn.lockdown to set an appropriate limit.
+Unicorn.lockdown to set an appropriate limit.  Note that rack still
+creates temporary files for file uploads by default, you'll need to
+configure rack to disallow file uploads if your application does not
+need to accept uploaded files and you don't want file upload attempts
+to cause pledge violations.  With Roda, you can use the
+disallow_file_uploads plugin to prevent file upload attempts.
 
 When Unicorn.lockdown is used with the :email option, if the worker
 process crashes, it will email the address using the contents specified
@@ -155,6 +187,8 @@ and then at the top of the route block, do:
 
   if defined?(Unicorn) && Unicorn.respond_to?(:write_request)
     Unicorn.write_request(error_email_content("Unicorn Worker Process Crash"))
+    # or
+    Unicorn.write_request(error_mail_content("Unicorn Worker Process Crash"))
   end
 
 If you don't have useful information in the request file, an email will
@@ -166,10 +200,20 @@ underlying problem.
 
 If you are using PostgreSQL as the database for the application, and using
 unix sockets to connect the application to the database, if the database
-is restarted, the application will no longer be able to connect to it.  The
-only way to fix this is to kill the worker process and have the master
-process spawn a new worker.  The roda-pg_disconnect plugin is a plugin
-for the roda web toolkit to kill the worker if it detects the database
+is restarted, the application will no longer be able to connect to it unless
+you unveil the path the database socket (stored in /tmp by default).  It can
+be a better approach security wise not to allow this, to prevent the
+application from being able to establish new database connections with
+potentially different credentials, as a mitigation in case the server is
+compromised.
+
+To allow the application to handle cases where the database is disconnected,
+such as due to a restart of PostgreSQL, you can kill the worker process if
+a disconnect error is detected, and have the master process then spawn a new
+worker.
+
+The roda-pg_disconnect plugin is a plugin for the roda web toolkit to kill the
+worker process after handling the connection if it detects the database
 connection has been lost.  This plugin assumes the use of the Sequel database
 library and postgres adapter with the pg driver.
 
@@ -178,78 +222,58 @@ In your Roda application:
   # Sometime before loading the error_handler plugin
   plugin :pg_disconnect
 
+To specifically restrict access to the database socket even when access to
+/tmp is allowed, you can unveil the database socket path with no permissions:
+
+  '/tmp/.s.PGSQL.5432'=>''
+
+Note that there are potentially other security issues with unveiling access
+to /tmp beyond granting access to the database server, so it is recommended
+you do not unveil it.  If the application needs a directory for temporary
+files (e.g. for handling uploaded files with rack), you can set the +TMPDIR+
+environment variable to an appropriate directory that is writable by the
+application user and not other users, and most web applications will respect
+that (assuming they use the tmpfile/tmpdir libraries in the standard library).
+
 === rack-email_exceptions
 
-rack-email_exceptions is a rack middleware designed to be the first
-middleware loaded into applications.  It rescues unhandled exceptions
+rack-email_exceptions is a rack middleware designed to wrap all other
+middleware and the application.  It rescues unhandled exceptions
 raised by subsequent middleware or the application itself.
-
 Unicorn.lockdown will automatically setup this middleware if the :email
-option is used and the RACK_ENV environment variable is set to production,
-such that it wraps the application and all other middleware.
+option is used.
 
 It is possible to use this middleware manually:
 
   require 'rack/email_exceptions'
   use Rack::EmailExceptions, "app_name", 'foo@example.com'
 
-=== chrooter
+=== unveiler
 
-chrooter is a library designed to help with testing applications both in
-chroot mode and non-chroot mode.  If you are running your application
-chrooted, you must support testing while chrooted otherwise it is very
-difficult to find problems that only occur when chrooted before putting
-the application into production, such as a file being read from outside
-the chroot.
+unveiler is a library designed to help with testing applications that
+use pledge and unveil.  If you are running your application pledged and
+unveiled, you want your tests to run pledged and unveiled to find
+problems.
 
-chrooter assumes you are using minitest for testing.  To use chrooter:
+unveiler assumes you are using minitest for testing.  To use unveiler:
 
   require 'minitest/autorun'
-  require 'chrooter'
-  at_exit{Chrooter.chroot('user_name', 'rpath prot_exec inet unix')}
-
-If you run your specs as a regular user, it will execute them without
-chrooting, but in a way that can still catch some problems that occur
-when chrooted.  If you run your specs as root, it will chroot to
-the current directory after loading the specs, then drop
-privileges to the user given (and optionally pledging using the given
-pledge string), then run the specs.
-
-If you want to use unveil instead of chroot, you can use
-+Chrooter.unveil+:
-
-  require 'minitest/autorun'
-  require 'chrooter'
+  require 'unveiler'
   at_exit do
-    Chrooter.unveil('user_name', 'rpath prot_exec inet unix',
-      'views' => 'r',
-      'rack' => :gem,
-      'mail' => :gem,
-    )
+    Unveiler.pledge_and_unveil('rpath prot_exec inet unix', 'views' => 'r')
   end
 
-One advantage of using unveil instead of chroot is that the unveils
-will take effect even when not starting the tests as root.
-
 == autoload
 
-As you'll find out if you try to run your applications with chroot,
-autoload is the enemy.  Both unicorn-lockdown and chrooter have support
-for handling common autoloaded constants in the rack and mail gems.
-If you use other gems that use autoload, you'll have to add code that
-references the autoloaded constants after the application is loaded but
-before chrooting.
-
-If you have to use libraries that use autoload, it is recommended that
-you use the support for unveil instead of using chroot, and allow
-access to the given gems.  unicorn-lockdown will automatically unveil
-the +rack+ gem, and will unveil the +mail+ gem if the +Mail+ constant
-is defined.
+As you'll find out if you try to run your applications with unveil,
+autoload and other forms of runtime requires are the enemy.  Both
+unicorn-lockdown and unveiler have support for handling common autoloaded
+constants in the rack and mail gems.  If you use other gems that use
+autoload or runtime requires, you'll have to add unveils for the appropriate
+gems:
 
   Unicorn.lockdown(self,
-    :app=>"app_name",
-    :user=>"user_name", # Set application user here
-    :pledge=>'rpath prot_exec inet unix', # More may be needed
+    # ...
     :unveil=>{
       'views' => 'r',
       'gem-name' => :gem,

data/bin/unicorn-lockdown-add

@@ -19,7 +19,7 @@ owner_uid = nil
 owner_gid = nil
 
 options = OptionParser.new do |opts|
-  opts.banner = "Usage: unicorn-lockdown-add [options] app_name"
+  opts.banner = "Usage: unicorn-lockdown-add -o owner -u user [options] app_name"
   opts.separator "Options:"
 
   opts.on_tail("-h", "-?", "--help", "Show this message") do
@@ -27,39 +27,44 @@ options = OptionParser.new do |opts|
     exit
   end
 
-  opts.on("-c rackup_file", "rackup configuration file") do |v|
+  opts.on("-c RACKUP_FILE", "rackup configuration file") do |v|
     rackup = "rackup_file=#{v}\n"
   end
 
-  opts.on("-d dir", "application directory name") do |v|
+  opts.on("-d DIR", "application directory name") do |v|
     dir = v
   end
 
-  opts.on("-f unicorn_file", "unicorn configuration file relative to application directory") do |v|
+  opts.on("-f UNICORN_FILE", "unicorn configuration file relative to application directory") do |v|
     unicorn_file = v
     unicorn = "unicorn_conf=#{v}\n"
   end
 
-  opts.on("-o owner", "operating system application owner") do |v|
+  opts.on("-o OWNER", "operating system application owner") do |v|
     owner = v
     ent = Etc.getpwnam(v)
     owner_uid = ent.uid
     owner_gid = ent.gid
   end
 
-  opts.on("-u user", "operating system user to run application") do |v|
+  opts.on("-u USER", "operating system user to run application") do |v|
     user = v
   end
 
-  opts.on("--uid uid", "user id to use if creating the user when -U is specified") do |v|
+  opts.on("--uid UID", "user id to use if creating the user when -U is specified") do |v|
     new_user_uid = Integer(v, 10)
   end
 end
 options.parse!
 
+unless user && owner
+  $stderr.puts "Must pass -o and -u options when calling unicorn_lockdown_add"
+  puts options
+  exit(1)
+end
+
 app = ARGV.shift
 dir ||= app
-base_dir = dir
 
 root_id = 0
 bin_id = 7
@@ -67,72 +72,51 @@ www_id = 67
 
 www_root = '/var/www'
 dir = "#{www_root}/#{dir}"
-etc_dir = "#{dir}/etc"
-hosts_file = "#{etc_dir}/hosts"
-resolv_file = "#{etc_dir}/resolv.conf"
 rc_file = "/etc/rc.d/unicorn_#{app.tr('-', '_')}"
 nginx_file = "/etc/nginx/#{app}.conf"
 unicorn_conf_file = "#{dir}/#{unicorn_file}"
+nonroot_dir = "/var/www/request-error-data/#{app}"
 unicorn_log_file = "/var/log/unicorn/#{app}.log"
 nginx_access_log_file = "/var/log/nginx/#{app}.access.log"
 nginx_error_log_file = "/var/log/nginx/#{app}.error.log"
 
 # Add application user if it doesn't exist
-if user
-  passwd = begin
-    Etc.getpwnam(user)
-  rescue ArgumentError
-    args = ['/usr/sbin/useradd', '-d', '/var/empty', '-g', '=uid', '-G', '_unicorn', '-L', 'daemon', '-s', '/sbin/nologin']
-    if new_user_uid
-      args << '-u' << new_user_uid.to_s
-    end
-    args << user
-    sh(*args)
-    Etc.getpwnam(user)
+passwd = begin
+  Etc.getpwnam(user)
+rescue ArgumentError
+  args = ['/usr/sbin/useradd', '-d', '/var/empty', '-g', '=uid', '-G', '_unicorn', '-L', 'daemon', '-s', '/sbin/nologin']
+  if new_user_uid
+    args << '-u' << new_user_uid.to_s
   end
-  app_uid = passwd.uid
+  args << user
+  sh(*args)
+  Etc.getpwnam(user)
+end
+app_uid = passwd.uid
+
+# Create the subdirectory used for request error info when not running as root
+unless File.directory?(nonroot_dir)
+  puts "Creating #{nonroot_dir}"
+  Dir.mkdir(nonroot_dir)
+  File.chmod(0700, nonroot_dir)
+  File.chown(app_uid, app_uid, nonroot_dir)
 end
 
-# Create application directory and chroot directories if they doesn't exist
-[dir, "#{dir}/var", "#{dir}/var/www", "#{dir}/etc", "#{dir}/public"].each do |d|
+# Create application public directory if it doesn't exist (needed by nginx)
+dirs = [dir, "#{dir}/public"]
+dirs.each do |d|
   unless File.directory?(d)
     puts "Creating #{d}"
     Dir.mkdir(d)
     File.chmod(0755, d)
-    File.chown(owner_uid, owner_gid, d) if owner
+    File.chown(owner_uid, owner_gid, d)
   end
 end
 
 # DRY up file ownership code
 setup_file_owner = lambda do |file|
   File.chmod(0644, file)
-  File.chown(owner_uid, owner_gid, file) if owner
-end
-
-# Setup symlink to root so that the same paths work both when
-# chrooted and when not chrooted.
-chroot_link = "#{dir}#{dir}"
-unless File.symlink?(chroot_link)
-  puts "Creating #{chroot_link}"
-  File.symlink('/', chroot_link)
-end
-
-# Add /etc/hosts files to chroot
-unless File.file?(hosts_file)
-  puts "Creating #{hosts_file}"
-  File.binwrite(hosts_file, <<END)
-127.0.0.1 localhost
-END
-  setup_file_owner.call(hosts_file)
-end
-
-# Add /etc/resolv.conf files to chroot
-unless File.file?(resolv_file)
-  puts "Creating #{resolv_file}"
-  File.binwrite(resolv_file, <<END)
-lookup file
-END
-  setup_file_owner.call(resolv_file)
+  File.chown(owner_uid, owner_gid, file)
 end
 
 # Setup unicorn configuration file
@@ -142,7 +126,7 @@ unless File.file?(unicorn_conf_file)
     puts "Creating #{unicorn_conf_dir}"
     Dir.mkdir(unicorn_conf_dir)
     File.chmod(0755, unicorn_conf_dir)
-    File.chown(owner_uid, owner_gid, unicorn_conf_dir) if owner
+    File.chown(owner_uid, owner_gid, unicorn_conf_dir)
   end
   puts "Creating #{unicorn_conf_file}"
   File.binwrite(unicorn_conf_file, <<END)
@@ -150,9 +134,22 @@ require 'unicorn-lockdown'
 
 Unicorn.lockdown(self,
   :app=>#{app.inspect},
-  :user=>#{user.inspect}, # Set application user here
-  :pledge=>'rpath prot_exec inet unix', # More may be needed
-  :email=>'root' # update this with correct email
+
+  # Update this with correct email
+  :email=>'root',
+
+  # More pledges may be needed depending on application
+  :pledge=>'rpath prot_exec inet unix',
+  :master_pledge=>'rpath prot_exec cpath wpath inet proc exec',
+  :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil',
+
+  # More unveils may be needed depending on application
+  :unveil=>{
+    'views'=>'r'
+  },
+  :dev_unveil=>{
+    'models'=>'r'
+  },
 )
 END
   setup_file_owner.call(unicorn_conf_file)
@@ -204,7 +201,7 @@ unless File.file?(unicorn_log_file)
   puts "Creating #{unicorn_log_file}"
   File.binwrite(unicorn_log_file, '')
   File.chmod(0640, unicorn_log_file)
-  File.chown(app_uid, app_uid, unicorn_log_file) if app_uid
+  File.chown(app_uid, Etc.getgrnam('_unicorn').gid, unicorn_log_file) if app_uid
 end
 
 # Setup /etc/rc.d/unicorn_* file for daemon management
@@ -213,6 +210,7 @@ unless File.file?(rc_file)
   File.binwrite(rc_file, <<END)
 #!/bin/ksh
 
+daemon_user=#{user}
 unicorn_app=#{app}
 unicorn_dir=#{dir}
 #{unicorn}#{rackup} 

data/bin/unicorn-lockdown-setup

@@ -7,7 +7,7 @@ def sh(*args)
   system(*args) || raise("Error while running: #{args.join(' ')}")
 end
 
-request_dir = '/var/www/requests'
+request_dir = '/var/www/request-error-data'
 socket_dir = '/var/www/sockets'
 unicorn_log_dir = '/var/log/unicorn'
 nginx_log_dir = "/var/log/nginx"
@@ -31,11 +31,11 @@ unicorn_group_id = group.gid
 unless File.directory?(request_dir)
   puts "Creating #{request_dir}"
   Dir.mkdir(request_dir)
-  File.chmod(0700, request_dir)
-  File.chown(root_id, daemon_id, request_dir)
+  File.chmod(0710, request_dir)
+  File.chown(root_id, unicorn_group_id, request_dir)
 end
 
-# Setup sockets directory to hold PostgreSQL database connection sockets
+# Setup sockets directory to hold nginx connection sockets
 unless File.directory?(socket_dir)
   puts "Creating #{socket_dir}"
   Dir.mkdir(socket_dir)

data/lib/roda/plugins/pg_disconnect.rb

@@ -8,10 +8,9 @@ class Roda
     # the QUIT signal, allowing Unicorn to finish handling the current request before exiting.
     #
     # This is designed to be used with applications that cannot connect to the database
-    # after application initialization, either because they are using chroot and the database
-    # connection socket is outside the chroot, or because they are using a firewall and access
-    # to the database server is not allowed from the application the process is running as after
-    # privileges are dropped.
+    # after application initialization, either because they are restricting access to the database
+    # socket using unveil, or because they are using a firewall and access to the database server is
+    # not allowed from the application the process is running as after privileges are dropped.
     # 
     # This plugin must be loaded before the roda error_handler plugin, and it assumes usage of the
     # Sequel database library with the postgres adapter and pg driver.
@@ -23,7 +22,7 @@ class Roda
       module InstanceMethods
         # When database connection is lost, kill the worker process, so a new one will be generated.
         # This is necessary because the unix socket used by the database connection is no longer available
-        # once the application is chrooted.
+        # once the application is unveiled or pledged.
         def call
           super
         rescue Sequel::DatabaseDisconnectError, Sequel::DatabaseConnectionError, PG::ConnectionBad
@@ -33,7 +32,7 @@ class Roda
 
         # When database connection is lost, kill the worker process, so a new one will be generated.
         # This is necessary because the unix socket used by the database connection is no longer available
-        # once the application is chrooted.
+        # once the application is unveiled or pledged.
         def _roda_handle_main_route
           super
         rescue Sequel::DatabaseDisconnectError, Sequel::DatabaseConnectionError, PG::ConnectionBad

data/lib/unicorn-lockdown.rb

@@ -1,25 +1,38 @@
-# unicorn-lockdown is designed to be used with Unicorn's chroot support, and
-# handles:
+# unicorn-lockdown is designed to handle fork+exec, unveil, and pledge support
+# when using Unicorn, including:
+# * restricting file system access using unveil
 # * pledging the app to restrict allowed syscalls at the appropriate point
-# * handling notifications of worker crashes
-# * forcing loading of some common autoloaded constants
-# * stripping path prefixes from the reloader in development mode
+# * handling notifications of worker crashes (which are likely due to pledge
+#   violations)
 
 require 'pledge'
+require 'unveil'
 
-# Loading single_byte encoding
+# Load common encodings
 "\255".force_encoding('ISO8859-1').encode('UTF-8')
-
-# Load encodings
 ''.force_encoding('UTF-16LE')
 ''.force_encoding('UTF-16BE')
 
 class Unicorn::HttpServer
-  # The file name in which to store request information. The
-  # /var/www/requests folder is currently accessable only
-  # to root.
+  # The file name in which to store request information.
+  # The /var/www/request-error-data/$app_name folder is accessable
+  # only to the user of the application.
   def request_filename(pid)
-    "/var/www/requests/#{Unicorn.app_name}.#{pid}.txt"
+    "/var/www/request-error-data/#{Unicorn.app_name}/#{pid}.txt"
+  end
+
+  unless ENV['UNICORN_WORKER']
+    alias _original_spawn_missing_workers spawn_missing_workers
+
+    # This is the master process, set the master pledge before spawning
+    # workers, because spawning workers will also need to be done at runtime.
+    def spawn_missing_workers
+      if pledge = Unicorn.master_pledge
+        Unicorn.master_pledge = nil
+        Pledge.pledge(pledge, Unicorn.master_execpledge)
+      end
+      _original_spawn_missing_workers
+    end
   end
 
   # Override the process name for the unicorn processes, both master and
@@ -49,14 +62,13 @@ class << Unicorn
   # to enable programmers to debug and fix the issue.
   attr_accessor :request_logger
 
-  # The user to run as. Also specifies the group to run as if group_name is not set.
-  attr_accessor :user_name
+  # The pledge string to use for the master process's spawned processes by default.
+  attr_accessor :master_execpledge
 
-  # The group name to run as.  Can be an array of two strings, where the first string
-  # is the primary group, and the second string is the group used for the log files.
-  attr_accessor :group_name
+  # The pledge string to use for the master process.
+  attr_accessor :master_pledge
 
-  # The pledge string to use.
+  # The pledge string to use for worker processes.
   attr_accessor :pledge
 
   # The hash of unveil paths to use.
@@ -65,13 +77,13 @@ class << Unicorn
   # The hash of additional unveil paths to use if in the development environment.
   attr_accessor :dev_unveil
 
-  # The address to email for crash and unhandled exception notifications
+  # The address to email for crash and unhandled exception notifications.
   attr_accessor :email
 
   # Helper method to write request information to the request logger.
   # +email_message+ should be an email message including headers and body.
   # This should be called at the top of the Roda route block for the
-  # application.
+  # application (or at some early point before processing in other web frameworks).
   def write_request(email_message)
     request_logger.seek(0, IO::SEEK_SET)
     request_logger.truncate(0)
@@ -79,26 +91,27 @@ class << Unicorn
     request_logger.fsync
   end
 
-  # Helper method that sets up all necessary code for chroot/pledge support.
+  # Helper method that sets up all necessary code for unveil/pledge support.
   # This should be called inside the appropriate unicorn.conf file.
   # The configurator should be self in the top level scope of the
   # unicorn.conf file, and this takes options:
   #
   # Options:
-  # :app :: The name of the application (required)
+  # :app (required) :: The name of the application
   # :email : The email to notify for worker crashes
-  # :user :: The user to run as (required)
-  # :group :: The group to run as (if not set, uses :user as the group).
-  #           Can be an array of two strings, where the first string is the primary
-  #           group, and the second string is the group used for the log files.
-  # :pledge :: The string to use when pledging
-  # :unveil :: A hash of unveil paths
-  # :dev_unveil :: A hash of unveil paths to use in development
+  # :pledge :: The string to use when pledging worker processes after loading the app
+  # :master_pledge :: The string to use when pledging the master process before
+  #                   spawning worker processes
+  # :master_execpledge :: The pledge string for processes spawned by the master
+  #                       process (i.e. worker processes before loading the app)
+  # :unveil :: A hash of unveil paths, passed to Pledge.unveil.
+  # :dev_unveil :: A hash of unveil paths to use in development, in addition
+  #                to the ones in :unveil.
   def lockdown(configurator, opts)
     Unicorn.app_name = opts.fetch(:app)
-    Unicorn.user_name = opts.fetch(:user)
-    Unicorn.group_name = opts[:group] || opts[:user]
     Unicorn.email = opts[:email]
+    Unicorn.master_pledge = opts[:master_pledge]
+    Unicorn.master_execpledge = opts[:master_execpledge]
     Unicorn.pledge = opts[:pledge]
     Unicorn.unveil = opts[:unveil]
     Unicorn.dev_unveil = opts[:dev_unveil]
@@ -125,13 +138,12 @@ class << Unicorn
       after_fork do |server, worker|
         server.logger.info("worker=#{worker.nr} spawned pid=#{$$}")
 
-        # Set the request logger for the worker process after forking. The
-        # process is still root here, so it can open the file in write mode.
+        # Set the request logger for the worker process after forking.
         Unicorn.request_logger = File.open(server.request_filename($$), "wb")
         Unicorn.request_logger.sync = true
       end
 
-      if wrap_app = Unicorn.email && ENV['RACK_ENV'] == 'production'
+      if wrap_app = Unicorn.email
         require 'rack/email_exceptions'
       end
 
@@ -147,80 +159,31 @@ class << Unicorn
           end
         end
 
-        if unveil = Unicorn.unveil
-          require 'unveil'
-
-          unveil = if Unicorn.dev_unveil && ENV['RACK_ENV'] == 'development'
-            unveil.merge(Unicorn.dev_unveil)
-          else
-            Hash[unveil]
-          end
+        unveil = if Unicorn.dev_unveil && ENV['RACK_ENV'] == 'development'
+          Unicorn.unveil.merge(Unicorn.dev_unveil)
+        else
+          Hash[Unicorn.unveil]
+        end
 
+        # Don't allow loading files in rack and mail gems if not using rubygems
+        if defined?(Gem) && Gem.respond_to?(:loaded_specs)
           # Allow read access to the rack gem directory, as rack autoloads constants.
-          unveil['rack'] = :gem
-
-          if defined?(Mail)
-            # If using the mail library, allow read access to the mail gem directory,
-            # as mail autoloads constants.
-            unveil['mail'] = :gem
-          end
-
-          # Drop privileges
-          worker.user(Unicorn.user_name, Unicorn.group_name)
-
-          # Restrict access to the file system based on the specified unveil.
-          Pledge.unveil(unveil)
-        else
-          # Before chrooting, reference all constants that use autoload
-          # that are probably needed at runtime.  This must be done
-          # before chrooting as attempting to load the constants after
-          # chrooting will break things.
-          
-          # Start with rack, which uses autoload for all constants.
-          # Most of rack's constants are not used at runtime, this
-          # lists the ones most commonly needed.
-          Rack::Multipart
-          Rack::Multipart::Parser
-          Rack::Multipart::Generator
-          Rack::Multipart::UploadedFile
-          Rack::Mime
-          Rack::Auth::Digest::Params
-
-          # In the development environment, reference all middleware
-          # the unicorn will load by default, unless unicorn is
-          # set to not load middleware by default.
-          if ENV['RACK_ENV'] == 'development' && (!respond_to?(:set) || set[:default_middleware] != false)
-            Rack::ContentLength
-            Rack::CommonLogger
-            Rack::Chunked
-            Rack::Lint
-            Rack::ShowExceptions
-            Rack::TempfileReaper
+          if defined?(Rack) && Gem.loaded_specs['rack']
+            unveil['rack'] = :gem
           end
 
-          # If using the mail library, eagerly autoload all constants.
-          # This costs about 9MB of memory, but the mail gem changes
-          # their autoloaded constants on a regular basis, so it's
-          # better to be safe than sorry.
-          if defined?(Mail)
-            Mail.eager_autoload!
+          # If using the mail library, allow read access to the mail gem directory,
+          # as mail autoloads constants.
+          if defined?(Mail) && Gem.loaded_specs['mail']
+            unveil['mail'] = :gem
           end
-
-          # Strip path prefixes from the reloader.  This is only
-          # really need in development mode for code reloading to work.
-          pwd = Dir.pwd
-          Unreloader.strip_path_prefix(pwd) if defined?(Unreloader)
-
-          # Drop privileges.  This must be done after chrooting as
-          # chrooting requires root privileges.
-          worker.user(Unicorn.user_name, Unicorn.group_name, pwd)
         end
 
-        if Unicorn.pledge
-          # Pledge after dropping privileges, because dropping
-          # privileges requires a separate pledge.
-          Pledge.pledge(Unicorn.pledge)
-        end
+        # Restrict access to the file system based on the specified unveil.
+        Pledge.unveil(unveil)
+
+        # Pledge after unveiling, because unveiling requires a separate pledge.
+        Pledge.pledge(Unicorn.pledge)
       end
 
       # the last time there was a worker crash and the request information
@@ -263,30 +226,13 @@ class << Unicorn
               # If the request filename exists and the worker process crashed,
               # send a notification email.
               Process.waitpid(fork do
-                # Load net/smtp early, before chrooting. 
+                # Load net/smtp early
                 require 'net/smtp'
 
                 # When setting the email, first get the contents of the email
                 # from the request file.
                 body = File.read(file)
 
-                # Then get information from /etc and drop group privileges
-                uid = Etc.getpwnam(Unicorn.user_name).uid
-                group = Unicorn.group_name
-                group = group.first if group.is_a?(Array)
-                gid = Etc.getgrnam(group).gid
-                if gid && Process.egid != gid
-                  Process.initgroups(Unicorn.user_name, gid)
-                  Process::GID.change_privilege(gid)
-                end
-
-                # Then chroot
-                Dir.chroot(Dir.pwd)
-                Dir.chdir('/')
-
-                # Then drop user privileges
-                Process.euid != uid and Process::UID.change_privilege(uid)
-
                 # Then use a restrictive pledge
                 Pledge.pledge('inet prot_exec')
 
@@ -309,4 +255,3 @@ class << Unicorn
     end
   end
 end
-

data/lib/unveiler.rb

@@ -0,0 +1,38 @@
+require 'pledge'
+require 'unveil'
+
+# Load encodings
+"\255".force_encoding('ISO8859-1').encode('UTF-8')
+''.force_encoding('UTF-16LE')
+''.force_encoding('UTF-16BE')
+
+# Don't run external diff program for failures
+Minitest::Assertions.diff = false if defined?(Minitest::Assertions)
+
+# Unveiler allows for testing programs using pledge and unveil.
+module Unveiler
+  # Use Pledge.unveil to limit access to the file system based on the
+  # +unveil+ argument.  Then pledge the process with the given +pledge+
+  # permissions.  This will automatically unveil the rack and mail gems
+  # if they are loaded.
+  def self.pledge_and_unveil(pledge, unveil)
+    unveil = Hash[unveil]
+
+    if defined?(Gem) && Gem.respond_to?(:loaded_specs)
+      if defined?(Rack) && Gem.loaded_specs['rack']
+        unveil['rack'] = :gem
+      end
+      if defined?(Mail) && Gem.loaded_specs['mail']
+        unveil['mail'] = :gem
+      end
+    end
+
+    Pledge.unveil(unveil)
+
+    unless defined?(SimpleCov)
+      # If running coverage tests, don't run pledged as coverage
+      # testing can require many additional permissions.
+      Pledge.pledge(pledge)
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unicorn-lockdown
 version: !ruby/object:Gem::Version
-  version: 0.13.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-09 00:00:00.000000000 Z
+date: 2020-11-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pledge
@@ -52,10 +52,10 @@ files:
 - bin/unicorn-lockdown-add
 - bin/unicorn-lockdown-setup
 - files/rc.unicorn
-- lib/chrooter.rb
 - lib/rack/email_exceptions.rb
 - lib/roda/plugins/pg_disconnect.rb
 - lib/unicorn-lockdown.rb
+- lib/unveiler.rb
 homepage: https://github.com/jeremyevans/unicorn-lockdown
 licenses:
 - MIT
@@ -75,9 +75,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
-summary: Helper library for running Unicorn with (chroot|unveil)/privdrop/fork+exec/pledge
-  on OpenBSD
+summary: Helper library for running Unicorn with fork+exec/unveil/pledge on OpenBSD
 test_files: []

data/lib/chrooter.rb

@@ -1,153 +0,0 @@
-require 'etc'
-require 'pledge'
-
-# Loading single_byte encoding
-"\255".force_encoding('ISO8859-1').encode('UTF-8')
-
-# Load encodings
-''.force_encoding('UTF-16LE')
-''.force_encoding('UTF-16BE')
-
-# Don't run external diff program for failures
-Minitest::Assertions.diff = false
-
-if defined?(SimpleCov) && Process.euid == 0
-  # Prevent coverage testing in chroot mode. Chroot vs
-  # non-chroot should not matter in terms of lines covered,
-  # and running coverage tests in chroot mode will probable fail
-  # when it comes time to write the coverage files.
-  SimpleCov.at_exit{}
-  raise "cannot run coverage testing in chroot mode"
-end
-
-# Chrooter allows for testing programs in both chroot/unveil and non
-# chroot modes.
-module Chrooter
-  # If the current user is the super user, drop privileges to
-  # the given +user+ first.
-  #
-  # Use Pledge.unveil to limit access to the file system based on the
-  # +unveil+ option.  Then pledge the process with the given +pledge+
-  # permissions (if given).
-  def self.unveil(user, pledge=nil, unveil={}, group=user)
-    require 'unveil'
-
-    unveil = Hash[unveil]
-    if defined?(Rack)
-      unveil['rack'] = :gem
-    end
-    if defined?(Mail)
-      unveil['mail'] = :gem
-    end
-
-    if Process.euid == 0
-      _drop_privs(user, group)
-      puts "Unveiled, running as user #{user}"
-    end
-
-    Pledge.unveil(unveil)
-
-    _pledge(pledge)
-  end
-
-  # If the current user is the super user, change to the given
-  # user/group, chroot to the given directory, and pledge
-  # the process with the given permissions (if given).
-  #
-  # If the current user is not the super user, freeze
-  # $LOADED_FEATURES to more easily detect problems with
-  # autoloaded constants, and just pledge the process with the
-  # given permissions (if given).
-  #
-  # This will reference common autoloaded constants in the
-  # rack and mail libraries if they are defined.  Other
-  # autoloaded constants should be referenced before calling
-  # this method.
-  #
-  # In general this should be called inside an at_exit block
-  # after loading minitest/autorun, so it will run after all
-  # specs are loaded, but before running specs.
-  def self.chroot(user, pledge=nil, group=user, dir=Dir.pwd)
-    # Work around autoload issues in libraries.
-    # autoload is problematic when chrooting because if the
-    # constant is not referenced before chrooting, an
-    # exception is raised if the constant is raised
-    # after chrooting.
-    #
-    # The constants listed here are the autoloaded constants
-    # known to be used by any applications.  This list
-    # may need to be updated when libraries are upgraded
-    # and add new constants, or when applications start
-    # using new features.
-    if defined?(Rack)
-      Rack::MockRequest if defined?(Rack::MockRequest)
-      Rack::Auth::Digest::Params if defined?(Rack::Auth::Digest::Params)
-      if defined?(Rack::Multipart)
-        Rack::Multipart
-        Rack::Multipart::Parser
-        Rack::Multipart::Generator
-        Rack::Multipart::UploadedFile
-      end
-    end
-    if defined?(Mail)
-      Mail::Address
-      Mail::AddressList
-      Mail::Parsers::AddressListsParser
-      Mail::ContentTransferEncodingElement
-      Mail::ContentDispositionElement
-      Mail::MessageIdsElement
-      Mail::MimeVersionElement
-      Mail::OptionalField
-      Mail::ContentTypeElement
-    end
-
-    if Process.euid == 0
-      _drop_privs(user, group) do
-        Dir.chroot(dir)
-        Dir.chdir('/')
-      end
-      puts "Chrooted to #{dir}, running as user #{user}"
-    else
-      # Load minitest plugins before freezing loaded features,
-      # so they don't break.
-      Minitest.load_plugins
-
-      # Emulate chroot not working by freezing $LOADED_FEATURES
-      # This allows to more easily catch bugs that only occur
-      # when chrooted, such as referencing an autoloaded constant
-      # that wasn't loaded before the chroot.
-      $LOADED_FEATURES.freeze
-    end
-
-    _pledge(pledge)
-  end
-
-  def self._drop_privs(user, group)
-    uid = Etc.getpwnam(user).uid
-    gid = Etc.getgrnam(group).gid
-    if Process.egid != gid
-      Process.initgroups(user, gid)
-      Process::GID.change_privilege(gid)
-    end
-
-    yield if block_given?
-
-    Process.euid != uid and Process::UID.change_privilege(uid)
-
-    nil
-  end
-  private_class_method :_drop_privs
-
-  def self._pledge(pledge)
-    unless defined?(SimpleCov)
-      if pledge
-        # If running coverage tests, don't run pledged as coverage
-        # testing can require many additional permissions.
-        Pledge.pledge(pledge)
-      end
-    end
-
-    nil
-  end
-  private_class_method :_pledge
-end