unicorn-lockdown 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 931209c4514dbb9f15da327fac6ed81f82fed2a504c500a34aa5f6e2624cde5a
-  data.tar.gz: 160c9cf285e6c4f8abeb38bce3d1b7006f236607e6f18e606fdcbd8b53f73baa
+  metadata.gz: 0f0b84f88c8502c942f5b15b50bb7ac6946de87ef31ee14cf96e9d71b569b8a3
+  data.tar.gz: 69d55260a85368464b5dbb0b9b24120eacb3d9f95f07c4be765f8d913b8e7f2d
 SHA512:
-  metadata.gz: 9f457aefb1571441815165ef9fb032f2de71547debfa81d9a7d4a441019e0671e00258b77bdb4fdca29dca677a5b5e795c65a7f53483cbf67bd12ef2950e4545
-  data.tar.gz: de3ee5209b1cb08dd0918448689868cc7b5c423ec07c929df7a4475d222436b32ea271f972f789a7ee13ffcffc8a7bbafd78950741c40392d49b8c69af69473e
+  metadata.gz: 2622fa1ea4b31f117037175273420574269b8f976e905d39a76137aefb4da44e94e13e1ec121db5a9d21fcef901dc3d5fec42434c36d5dd5cc21640d64379131
+  data.tar.gz: 032dbedbb2e5eab750fb10ae6f9ef0cb108fdedac239bf3adead2faa637bddfb8613a1d9a865730d449e2d4d6d334f35bab5b762f5b97bf4e946872ebdbf1d63

data/CHANGELOG

@@ -1,3 +1,13 @@
+= 1.1.0 (2022-07-18)
+
+* Make unveiler still pledge if SimpleCov is loaded, but update pledge promises (jeremyevans)
+
+* Fix roda pg_disconnect plugin to correctly error if error_handler is already loaded (jeremyevans)
+
+* Avoid SSL error in newer versions of net/smtp when notifying about worker crashes (jeremyevans)
+
+* Add flock pledge, needed on Ruby 3.1+ (jeremyevans)
+
 = 1.0.0 (2020-11-09)
 
 * Require unicorn-lockdown-add -o and -u options, and require options have arguments (jeremyevans)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2018-2020 Jeremy Evans
+Copyright (c) 2018-2022 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to

data/README.rdoc

@@ -91,9 +91,9 @@ file for the app if one does not already exist, looking similar to:
     :email=>'root',
 
     # More pledges may be needed depending on application
-    :pledge=>'rpath prot_exec inet unix',
+    :pledge=>'rpath prot_exec inet unix flock',
     :master_pledge=>'rpath prot_exec cpath wpath inet proc exec',
-    :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil',
+    :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock',
 
     # More unveils may be needed depending on application
     :unveil=>{
@@ -111,7 +111,7 @@ Unicorn.lockdown options:
 :email :: (optional) an email address to use for notifications when the
           worker process crashes or an unhandled exception is raised by
           the application or middleware.
-:pledge :: (optional) a pledge string to limit the allowed system calls
+:pledge :: (required) a pledge string to limit the allowed system calls
            after privileges have been dropped
 :master_pledge :: (optional) The string to use when pledging the master process before
                   spawning worker processes
@@ -134,6 +134,7 @@ With this example pledge:
   exceptions that occur without process crashes.  pf (OpenBSD's firewall)
   should be used to limit access for the application's operating system
   user to the minimum necessary access needed.
+* flock is needed in Ruby 3.1+ (not necessarily required in older Ruby versions).
 
 With this example master pledge:
 

data/bin/unicorn-lockdown-add

@@ -1,222 +1,2 @@
 #!/usr/bin/env ruby
-
-require 'etc'
-require 'optparse'
-
-def sh(*args)
-  puts "Running: #{args.join(' ')}"
-  system(*args) || raise("Error while running: #{args.join(' ')}")
-end
-
-unicorn = ''
-rackup = ''
-unicorn_file = 'unicorn.conf'
-dir = nil
-user = nil
-new_user_uid = nil
-owner = nil
-owner_uid = nil
-owner_gid = nil
-
-options = OptionParser.new do |opts|
-  opts.banner = "Usage: unicorn-lockdown-add -o owner -u user [options] app_name"
-  opts.separator "Options:"
-
-  opts.on_tail("-h", "-?", "--help", "Show this message") do
-    puts opts
-    exit
-  end
-
-  opts.on("-c RACKUP_FILE", "rackup configuration file") do |v|
-    rackup = "rackup_file=#{v}\n"
-  end
-
-  opts.on("-d DIR", "application directory name") do |v|
-    dir = v
-  end
-
-  opts.on("-f UNICORN_FILE", "unicorn configuration file relative to application directory") do |v|
-    unicorn_file = v
-    unicorn = "unicorn_conf=#{v}\n"
-  end
-
-  opts.on("-o OWNER", "operating system application owner") do |v|
-    owner = v
-    ent = Etc.getpwnam(v)
-    owner_uid = ent.uid
-    owner_gid = ent.gid
-  end
-
-  opts.on("-u USER", "operating system user to run application") do |v|
-    user = v
-  end
-
-  opts.on("--uid UID", "user id to use if creating the user when -U is specified") do |v|
-    new_user_uid = Integer(v, 10)
-  end
-end
-options.parse!
-
-unless user && owner
-  $stderr.puts "Must pass -o and -u options when calling unicorn_lockdown_add"
-  puts options
-  exit(1)
-end
-
-app = ARGV.shift
-dir ||= app
-
-root_id = 0
-bin_id = 7
-www_id = 67
-
-www_root = '/var/www'
-dir = "#{www_root}/#{dir}"
-rc_file = "/etc/rc.d/unicorn_#{app.tr('-', '_')}"
-nginx_file = "/etc/nginx/#{app}.conf"
-unicorn_conf_file = "#{dir}/#{unicorn_file}"
-nonroot_dir = "/var/www/request-error-data/#{app}"
-unicorn_log_file = "/var/log/unicorn/#{app}.log"
-nginx_access_log_file = "/var/log/nginx/#{app}.access.log"
-nginx_error_log_file = "/var/log/nginx/#{app}.error.log"
-
-# Add application user if it doesn't exist
-passwd = begin
-  Etc.getpwnam(user)
-rescue ArgumentError
-  args = ['/usr/sbin/useradd', '-d', '/var/empty', '-g', '=uid', '-G', '_unicorn', '-L', 'daemon', '-s', '/sbin/nologin']
-  if new_user_uid
-    args << '-u' << new_user_uid.to_s
-  end
-  args << user
-  sh(*args)
-  Etc.getpwnam(user)
-end
-app_uid = passwd.uid
-
-# Create the subdirectory used for request error info when not running as root
-unless File.directory?(nonroot_dir)
-  puts "Creating #{nonroot_dir}"
-  Dir.mkdir(nonroot_dir)
-  File.chmod(0700, nonroot_dir)
-  File.chown(app_uid, app_uid, nonroot_dir)
-end
-
-# Create application public directory if it doesn't exist (needed by nginx)
-dirs = [dir, "#{dir}/public"]
-dirs.each do |d|
-  unless File.directory?(d)
-    puts "Creating #{d}"
-    Dir.mkdir(d)
-    File.chmod(0755, d)
-    File.chown(owner_uid, owner_gid, d)
-  end
-end
-
-# DRY up file ownership code
-setup_file_owner = lambda do |file|
-  File.chmod(0644, file)
-  File.chown(owner_uid, owner_gid, file)
-end
-
-# Setup unicorn configuration file
-unless File.file?(unicorn_conf_file)
-  unicorn_conf_dir = File.dirname(unicorn_conf_file)
-  unless File.directory?(unicorn_conf_dir)
-    puts "Creating #{unicorn_conf_dir}"
-    Dir.mkdir(unicorn_conf_dir)
-    File.chmod(0755, unicorn_conf_dir)
-    File.chown(owner_uid, owner_gid, unicorn_conf_dir)
-  end
-  puts "Creating #{unicorn_conf_file}"
-  File.binwrite(unicorn_conf_file, <<END)
-require 'unicorn-lockdown'
-
-Unicorn.lockdown(self,
-  :app=>#{app.inspect},
-
-  # Update this with correct email
-  :email=>'root',
-
-  # More pledges may be needed depending on application
-  :pledge=>'rpath prot_exec inet unix',
-  :master_pledge=>'rpath prot_exec cpath wpath inet proc exec',
-  :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil',
-
-  # More unveils may be needed depending on application
-  :unveil=>{
-    'views'=>'r'
-  },
-  :dev_unveil=>{
-    'models'=>'r'
-  },
-)
-END
-  setup_file_owner.call(unicorn_conf_file)
-end
-
-# Setup /etc/nginx/* file for nginx configuration
-unless File.file?(nginx_file)
-  puts "Creating #{nginx_file}"
-  File.binwrite(nginx_file, <<END)
-upstream #{app}_unicorn {
-    server unix:/sockets/#{app}.sock fail_timeout=0;
-}
-server {
-    server_name #{app};
-    access_log #{nginx_access_log_file} main;
-    error_log #{nginx_error_log_file} warn;
-    root #{dir}/public;
-    error_page   500 503 /500.html;
-    error_page   502 504 /502.html;
-    proxy_set_header  X-Real-IP  $remote_addr;
-    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header  Host $http_host;
-    proxy_redirect    off;
-    add_header X-Content-Type-Options nosniff;
-    add_header X-Frame-Options deny;
-    add_header X-XSS-Protection "1; mode=block";
-    try_files $uri @#{app}_unicorn;
-    location @#{app}_unicorn {
-        proxy_pass http://#{app}_unicorn;
-    }
-}
-END
-
-  setup_file_owner.call(nginx_file)
-end
-
-# Setup nginx log file
-[nginx_access_log_file, nginx_error_log_file].each do |f|
-  unless File.file?(f)
-    puts "Creating #{f}"
-    File.binwrite(f, '')
-    File.chmod(0644, f)
-    File.chown(www_id, root_id, f)
-  end
-end
-
-# Setup unicorn log file
-unless File.file?(unicorn_log_file)
-  puts "Creating #{unicorn_log_file}"
-  File.binwrite(unicorn_log_file, '')
-  File.chmod(0640, unicorn_log_file)
-  File.chown(app_uid, Etc.getgrnam('_unicorn').gid, unicorn_log_file) if app_uid
-end
-
-# Setup /etc/rc.d/unicorn_* file for daemon management
-unless File.file?(rc_file)
-  puts "Creating #{rc_file}"
-  File.binwrite(rc_file, <<END)
-#!/bin/ksh
-
-daemon_user=#{user}
-unicorn_app=#{app}
-unicorn_dir=#{dir}
-#{unicorn}#{rackup} 
-. /etc/rc.d/rc.unicorn
-END
-
-  File.chmod(0755, rc_file)
-  File.chown(root_id, bin_id, rc_file)
-end
+require_relative '../files/unicorn_lockdown_add'

data/bin/unicorn-lockdown-setup

@@ -1,68 +1,2 @@
 #!/usr/bin/env ruby
-
-require 'etc'
-
-def sh(*args)
-  puts "Running: #{args.join(' ')}"
-  system(*args) || raise("Error while running: #{args.join(' ')}")
-end
-
-request_dir = '/var/www/request-error-data'
-socket_dir = '/var/www/sockets'
-unicorn_log_dir = '/var/log/unicorn'
-nginx_log_dir = "/var/log/nginx"
-rc_unicorn_file = '/etc/rc.d/rc.unicorn'
-
-unicorn_group = '_unicorn'
-root_id = 0
-daemon_id = 1
-www_id = 67
-
-# Add _unicorn group if it doesn't exist
-group = begin
-  Etc.getgrnam(unicorn_group)
-rescue ArgumentError
-  sh('groupadd', unicorn_group)
-  Etc.getgrnam(unicorn_group)
-end
-unicorn_group_id = group.gid
-
-# Setup requests directory to hold per-request information for crash notifications
-unless File.directory?(request_dir)
-  puts "Creating #{request_dir}"
-  Dir.mkdir(request_dir)
-  File.chmod(0710, request_dir)
-  File.chown(root_id, unicorn_group_id, request_dir)
-end
-
-# Setup sockets directory to hold nginx connection sockets
-unless File.directory?(socket_dir)
-  puts "Creating #{socket_dir}"
-  Dir.mkdir(socket_dir)
-  File.chmod(0770, socket_dir)
-  File.chown(www_id, unicorn_group_id, socket_dir)
-end
-
-# Setup log directory to hold unicorn application logs
-unless File.directory?(unicorn_log_dir)
-  puts "Creating #{unicorn_log_dir}"
-  Dir.mkdir(unicorn_log_dir)
-  File.chmod(0755, unicorn_log_dir)
-  File.chown(root_id, daemon_id, unicorn_log_dir)
-end
-
-# Setup log directory to hold nginx logs
-unless File.directory?(nginx_log_dir)
-  puts "Creating #{nginx_log_dir}"
-  Dir.mkdir(nginx_log_dir)
-  File.chmod(0775, nginx_log_dir)
-  File.chown(www_id, root_id, nginx_log_dir)
-end
-
-# Setup rc.unicorn file
-unless File.file?(rc_unicorn_file)
-  puts "Creating #{rc_unicorn_file}"
-  File.binwrite(rc_unicorn_file, File.binread(File.join(File.dirname(__dir__), 'files', 'rc.unicorn')))
-  File.chmod(0644, rc_unicorn_file)
-  File.chown(root_id, root_id, rc_unicorn_file)
-end
+require_relative '../files/unicorn_lockdown_setup'

data/files/unicorn_lockdown_add.rb

@@ -0,0 +1,227 @@
+require 'etc'
+require 'optparse'
+
+unicorn = ''
+rackup = ''
+unicorn_file = 'unicorn.conf'
+dir = nil
+user = nil
+new_user_uid = nil
+owner = nil
+owner_uid = nil
+owner_gid = nil
+
+options = OptionParser.new do |opts|
+  opts.banner = "Usage: unicorn-lockdown-add -o owner -u user [options] app_name"
+  opts.separator "Options:"
+
+  opts.on_tail("-h", "-?", "--help", "Show this message") do
+    puts opts
+    exit
+  end
+
+  opts.on("-c RACKUP_FILE", "rackup configuration file") do |v|
+    rackup = "rackup_file=#{v}\n"
+  end
+
+  opts.on("-d DIR", "application directory name") do |v|
+    dir = v
+  end
+
+  opts.on("-f UNICORN_FILE", "unicorn configuration file relative to application directory") do |v|
+    unicorn_file = v
+    unicorn = "unicorn_conf=#{v}\n"
+  end
+
+  opts.on("-o OWNER", "operating system application owner") do |v|
+    owner = v
+    ent = Etc.getpwnam(v)
+    owner_uid = ent.uid
+    owner_gid = ent.gid
+  end
+
+  opts.on("-u USER", "operating system user to run application") do |v|
+    user = v
+  end
+
+  opts.on("--uid UID", "user id to use if creating the user when -U is specified") do |v|
+    new_user_uid = Integer(v, 10)
+  end
+end
+options.parse!
+
+unless user && owner
+  $stderr.puts "Must pass -o and -u options when calling unicorn_lockdown_add"
+  puts options
+  exit(1)
+end
+
+app = ARGV.shift
+dir ||= app
+
+root_id = 0
+bin_id = 7
+www_id = 67
+
+prefix = ENV['UNICORN_LOCKDOWN_BIN_PREFIX']
+www_root = "#{prefix}/var/www"
+dir = "#{www_root}/#{dir}"
+rc_file = "#{prefix}/etc/rc.d/unicorn_#{app.tr('-', '_')}"
+nginx_file = "#{prefix}/etc/nginx/#{app}.conf"
+unicorn_conf_file = "#{dir}/#{unicorn_file}"
+nonroot_dir = "#{prefix}/var/www/request-error-data/#{app}"
+unicorn_log_file = "#{prefix}/var/log/unicorn/#{app}.log"
+nginx_access_log_file = "#{prefix}/var/log/nginx/#{app}.access.log"
+nginx_error_log_file = "#{prefix}/var/log/nginx/#{app}.error.log"
+
+if Process.uid == 0
+  # :nocov:
+  chown = lambda{|*a| File.chown(*a)}
+  # :nocov:
+else
+  chown = lambda{|*a| }
+end
+
+# Add application user if it doesn't exist
+passwd = begin
+  Etc.getpwnam(user)
+rescue ArgumentError
+  # :nocov:
+  args = ['/usr/sbin/useradd', '-d', '/var/empty', '-g', '=uid', '-G', '_unicorn', '-L', 'daemon', '-s', '/sbin/nologin']
+  if new_user_uid
+    args << '-u' << new_user_uid.to_s
+  end
+  args << user
+  puts "Running: #{args.join(' ')}"
+  system(*args) || raise("Error while running: #{args.join(' ')}")
+  Etc.getpwnam(user)
+  # :nocov:
+end
+app_uid = passwd.uid
+
+# Create the subdirectory used for request error info when not running as root
+unless File.directory?(nonroot_dir)
+  puts "Creating #{nonroot_dir}"
+  Dir.mkdir(nonroot_dir)
+  File.chmod(0700, nonroot_dir)
+  chown.(app_uid, app_uid, nonroot_dir)
+end
+
+# Create application public directory if it doesn't exist (needed by nginx)
+dirs = [dir, "#{dir}/public"]
+dirs.each do |d|
+  unless File.directory?(d)
+    puts "Creating #{d}"
+    Dir.mkdir(d)
+    File.chmod(0755, d)
+    chown.(owner_uid, owner_gid, d)
+  end
+end
+
+# DRY up file ownership code
+setup_file_owner = lambda do |file|
+  File.chmod(0644, file)
+  chown.(owner_uid, owner_gid, file)
+end
+
+# Setup unicorn configuration file
+unless File.file?(unicorn_conf_file)
+  unicorn_conf_dir = File.dirname(unicorn_conf_file)
+  unless File.directory?(unicorn_conf_dir)
+    puts "Creating #{unicorn_conf_dir}"
+    Dir.mkdir(unicorn_conf_dir)
+    File.chmod(0755, unicorn_conf_dir)
+    chown.(owner_uid, owner_gid, unicorn_conf_dir)
+  end
+  puts "Creating #{unicorn_conf_file}"
+  File.binwrite(unicorn_conf_file, <<END)
+require 'unicorn-lockdown'
+
+Unicorn.lockdown(self,
+  :app=>#{app.inspect},
+
+  # Update this with correct email
+  :email=>'root',
+
+  # More pledges may be needed depending on application
+  :pledge=>'rpath prot_exec inet unix flock',
+  :master_pledge=>'rpath prot_exec cpath wpath inet proc exec',
+  :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock',
+
+  # More unveils may be needed depending on application
+  :unveil=>{
+    'views'=>'r'
+  },
+  :dev_unveil=>{
+    'models'=>'r'
+  },
+)
+END
+  setup_file_owner.call(unicorn_conf_file)
+end
+
+# Setup /etc/nginx/* file for nginx configuration
+unless File.file?(nginx_file)
+  puts "Creating #{nginx_file}"
+  File.binwrite(nginx_file, <<END)
+upstream #{app}_unicorn {
+    server unix:/sockets/#{app}.sock fail_timeout=0;
+}
+server {
+    server_name #{app};
+    access_log #{nginx_access_log_file} main;
+    error_log #{nginx_error_log_file} warn;
+    root #{dir}/public;
+    error_page   500 503 /500.html;
+    error_page   502 504 /502.html;
+    proxy_set_header  X-Real-IP  $remote_addr;
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header  Host $http_host;
+    proxy_redirect    off;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options deny;
+    add_header X-XSS-Protection "1; mode=block";
+    try_files $uri @#{app}_unicorn;
+    location @#{app}_unicorn {
+        proxy_pass http://#{app}_unicorn;
+    }
+}
+END
+
+  setup_file_owner.call(nginx_file)
+end
+
+# Setup nginx log file
+[nginx_access_log_file, nginx_error_log_file].each do |f|
+  unless File.file?(f)
+    puts "Creating #{f}"
+    File.binwrite(f, '')
+    File.chmod(0644, f)
+    chown.(www_id, root_id, f)
+  end
+end
+
+# Setup unicorn log file
+unless File.file?(unicorn_log_file)
+  puts "Creating #{unicorn_log_file}"
+  File.binwrite(unicorn_log_file, '')
+  File.chmod(0640, unicorn_log_file)
+  chown.(app_uid, Etc.getgrnam('_unicorn').gid, unicorn_log_file)
+end
+
+# Setup /etc/rc.d/unicorn_* file for daemon management
+unless File.file?(rc_file)
+  puts "Creating #{rc_file}"
+  File.binwrite(rc_file, <<END)
+#!/bin/ksh
+
+daemon_user=#{user}
+unicorn_app=#{app}
+unicorn_dir=#{dir}
+#{unicorn}#{rackup}
+. /etc/rc.d/rc.unicorn
+END
+
+  File.chmod(0755, rc_file)
+  chown.(root_id, bin_id, rc_file)
+end

data/files/unicorn_lockdown_setup.rb

@@ -0,0 +1,74 @@
+require 'etc'
+
+prefix = ENV['UNICORN_LOCKDOWN_BIN_PREFIX']
+request_dir = "#{prefix}/var/www/request-error-data"
+socket_dir = "#{prefix}/var/www/sockets"
+unicorn_log_dir = "#{prefix}/var/log/unicorn"
+nginx_log_dir = "#{prefix}/var/log/nginx"
+rc_unicorn_file = "#{prefix}/etc/rc.d/rc.unicorn"
+
+unicorn_group = '_unicorn'
+root_id = 0
+daemon_id = 1
+www_id = 67
+
+if Process.uid == 0
+  # :nocov:
+  chown = lambda{|*a| File.chown(*a)}
+  # :nocov:
+else
+  chown = lambda{|*a| }
+end
+
+# Add _unicorn group if it doesn't exist
+group = begin
+  Etc.getgrnam(unicorn_group)
+rescue ArgumentError
+  # :nocov:
+  args = ['groupadd', unicorn_group]
+  puts "Running: #{args.join(' ')}"
+  system(*args) || raise("Error while running: #{args.join(' ')}")
+  Etc.getgrnam(unicorn_group)
+  # :nocov:
+end
+unicorn_group_id = group.gid
+
+# Setup requests directory to hold per-request information for crash notifications
+unless File.directory?(request_dir)
+  puts "Creating #{request_dir}"
+  Dir.mkdir(request_dir)
+  File.chmod(0710, request_dir)
+  chown.(root_id, unicorn_group_id, request_dir)
+end
+
+# Setup sockets directory to hold nginx connection sockets
+unless File.directory?(socket_dir)
+  puts "Creating #{socket_dir}"
+  Dir.mkdir(socket_dir)
+  File.chmod(0770, socket_dir)
+  chown.(www_id, unicorn_group_id, socket_dir)
+end
+
+# Setup log directory to hold unicorn application logs
+unless File.directory?(unicorn_log_dir)
+  puts "Creating #{unicorn_log_dir}"
+  Dir.mkdir(unicorn_log_dir)
+  File.chmod(0755, unicorn_log_dir)
+  chown.(root_id, daemon_id, unicorn_log_dir)
+end
+
+# Setup log directory to hold nginx logs
+unless File.directory?(nginx_log_dir)
+  puts "Creating #{nginx_log_dir}"
+  Dir.mkdir(nginx_log_dir)
+  File.chmod(0775, nginx_log_dir)
+  chown.(www_id, root_id, nginx_log_dir)
+end
+
+# Setup rc.unicorn file
+unless File.file?(rc_unicorn_file)
+  puts "Creating #{rc_unicorn_file}"
+  File.binwrite(rc_unicorn_file, File.binread(File.join(File.dirname(__dir__), 'files', 'rc.unicorn')))
+  File.chmod(0644, rc_unicorn_file)
+  chown.(root_id, root_id, rc_unicorn_file)
+end

data/lib/rack/email_exceptions.rb

@@ -36,7 +36,12 @@ ENV:
 #{env.map{|k, v| "#{k.inspect} => #{v.inspect}"}.sort.join("\n")}
 END
 
-      Net::SMTP.start('127.0.0.1'){|s| s.send_message(body, @email, @email)}
+      # :nocov:
+      # Don't verify localhost hostname, to avoid SSL errors raised in newer versions of net/smtp
+      smtp_params = Net::SMTP.method(:start).parameters.include?([:key, :tls_verify]) ? {tls_verify: false, tls_hostname: 'localhost'} : {}
+      # :nocov:
+
+      Net::SMTP.start('127.0.0.1', **smtp_params){|s| s.send_message(body, @email, @email)}
 
       raise
     end

data/lib/roda/plugins/pg_disconnect.rb

@@ -16,19 +16,19 @@ class Roda
     # Sequel database library with the postgres adapter and pg driver.
     module PgDisconnect
       def self.load_dependencies(app)
-        raise RodaError, "error_handler plugin already loaded" if app.method_defined?(:handle_error)
+        raise RodaError, "error_handler plugin already loaded" if app.method_defined?(:handle_error) || app.private_method_defined?(:handle_error)
       end
 
       module InstanceMethods
-        # When database connection is lost, kill the worker process, so a new one will be generated.
-        # This is necessary because the unix socket used by the database connection is no longer available
-        # once the application is unveiled or pledged.
+        # :nocov:
+        # Handle old Roda dispatch API
         def call
           super
         rescue Sequel::DatabaseDisconnectError, Sequel::DatabaseConnectionError, PG::ConnectionBad
           Process.kill(:QUIT, $$)
           raise
         end
+        # :nocov:
 
         # When database connection is lost, kill the worker process, so a new one will be generated.
         # This is necessary because the unix socket used by the database connection is no longer available

data/lib/unicorn-lockdown.rb

@@ -18,7 +18,7 @@ class Unicorn::HttpServer
   # The /var/www/request-error-data/$app_name folder is accessable
   # only to the user of the application.
   def request_filename(pid)
-    "/var/www/request-error-data/#{Unicorn.app_name}/#{pid}.txt"
+    "#{Unicorn.unicorn_lockdown_prefix}/www/request-error-data/#{Unicorn.app_name}/#{pid}.txt"
   end
 
   unless ENV['UNICORN_WORKER']
@@ -80,6 +80,10 @@ class << Unicorn
   # The address to email for crash and unhandled exception notifications.
   attr_accessor :email
 
+  # The prefix for unicorn lockdown files
+  attr_reader :unicorn_lockdown_prefix
+  Unicorn.instance_variable_set(:@unicorn_lockdown_prefix, ENV['UNICORN_LOCKDOWN_PREFIX'] || '/var')
+
   # Helper method to write request information to the request logger.
   # +email_message+ should be an email message including headers and body.
   # This should be called at the top of the Roda route block for the
@@ -117,7 +121,7 @@ class << Unicorn
     Unicorn.dev_unveil = opts[:dev_unveil]
 
     configurator.instance_exec do
-      listen "/var/www/sockets/#{Unicorn.app_name}.sock"
+      listen "#{Unicorn.unicorn_lockdown_prefix}/www/sockets/#{Unicorn.app_name}.sock"
 
       # Buffer all client bodies in memory.  This assumes an Nginx limit of 10MB,
       # by using 11MB this ensures that client bodies are always buffered in
@@ -128,12 +132,15 @@ class << Unicorn
       # Run all worker processes with unique memory layouts
       worker_exec true
 
+      # :nocov:
       # Only change the log path if daemonizing.
       # Otherwise, continue to log to stdout/stderr.
       if Unicorn::Configurator::RACKUP[:daemonize]
-        stdout_path "/var/log/unicorn/#{Unicorn.app_name}.log"
-        stderr_path "/var/log/unicorn/#{Unicorn.app_name}.log"
+        log_path = "#{Unicorn.unicorn_lockdown_prefix}/log/unicorn/#{Unicorn.app_name}.log"
+        stdout_path log_path
+        stderr_path log_path
       end
+      # :nocov:
 
       after_fork do |server, worker|
         server.logger.info("worker=#{worker.nr} spawned pid=#{$$}")
@@ -225,7 +232,7 @@ class << Unicorn
             unless skip_email
               # If the request filename exists and the worker process crashed,
               # send a notification email.
-              Process.waitpid(fork do
+              Process.waitpid(Process.fork do
                 # Load net/smtp early
                 require 'net/smtp'
 
@@ -234,7 +241,7 @@ class << Unicorn
                 body = File.read(file)
 
                 # Then use a restrictive pledge
-                Pledge.pledge('inet prot_exec')
+                Pledge.pledge(ENV['UNICORN_LOCKDOWN_WORKER_CRASH_PLEDGE'] || 'inet prot_exec')
 
                 # If body empty, crash happened before a request was received,
                 # try to at least provide the application name in this case.
@@ -242,8 +249,13 @@ class << Unicorn
                   body = "Subject: [#{Unicorn.app_name}] Unicorn Worker Process Crash\r\n\r\nNo email content provided for app: #{Unicorn.app_name}"
                 end
 
+                # :nocov:
+                # Don't verify localhost hostname, to avoid SSL errors raised in newer versions of net/smtp
+                smtp_params = Net::SMTP.method(:start).parameters.include?([:key, :tls_verify]) ? {tls_verify: false, tls_hostname: 'localhost'} : {}
+                # :nocov:
+
                 # Finally send an email to localhost via SMTP.
-                Net::SMTP.start('127.0.0.1'){|s| s.send_message(body, Unicorn.email, Unicorn.email)}
+                Net::SMTP.start('127.0.0.1', **smtp_params){|s| s.send_message(body, Unicorn.email, Unicorn.email)}
               end)
             end
           end

data/lib/unveiler.rb

@@ -29,10 +29,14 @@ module Unveiler
 
     Pledge.unveil(unveil)
 
-    unless defined?(SimpleCov)
-      # If running coverage tests, don't run pledged as coverage
-      # testing can require many additional permissions.
-      Pledge.pledge(pledge)
+    # :nocov:
+    if defined?(SimpleCov)
+    # :nocov:
+      # If running coverage tests, add necessary pledges for
+      # coverage testing to work.
+      pledge = (pledge.split + %w'rpath wpath cpath flock').uniq.join(' ')
     end
+
+    Pledge.pledge(pledge)
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unicorn-lockdown
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-11-09 00:00:00.000000000 Z
+date: 2022-07-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pledge
@@ -38,6 +38,62 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mail
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: roda
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest-global_expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 
 email: code@jeremyevans.net
 executables:
@@ -52,6 +108,8 @@ files:
 - bin/unicorn-lockdown-add
 - bin/unicorn-lockdown-setup
 - files/rc.unicorn
+- files/unicorn_lockdown_add.rb
+- files/unicorn_lockdown_setup.rb
 - lib/rack/email_exceptions.rb
 - lib/roda/plugins/pg_disconnect.rb
 - lib/unicorn-lockdown.rb
@@ -59,7 +117,11 @@ files:
 homepage: https://github.com/jeremyevans/unicorn-lockdown
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/jeremyevans/unicorn-lockdown/issues
+  changelog_uri: https://github.com/jeremyevans/unicorn-lockdown/blob/master/CHANGELOG
+  mailing_list_uri: https://github.com/jeremyevans/unicorn-lockdown/discussions
+  source_code_uri: https://github.com/jeremyevans/unicorn-lockdown
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -68,14 +130,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.3.7
 signing_key: 
 specification_version: 4
 summary: Helper library for running Unicorn with fork+exec/unveil/pledge on OpenBSD