authorMark Felder <feld@FreeBSD.org>2017-02-02 17:45:27 +0000
committerMark Felder <feld@FreeBSD.org>2017-02-02 17:45:27 +0000
commit343a84548db3bd27bd034c35fb024758ebf7979d (patch)
tree4fe26009dbcf37bfc7639a46ec9b511eba15ec45
parent071bb21265885dc2363fb2fecfbfd31b3ed7ae33 (diff)
downloadports-343a84548db3bd27bd034c35fb024758ebf7979d.tar.gz
ports-343a84548db3bd27bd034c35fb024758ebf7979d.zip
www/uwsgi: Further rc script security improvements
This update introduces a dedicated uwsgi user and group and adds the uwsgi_socket_owner setting, which defaults to www:www. The socket mode, which the previous change had tightened to 600, is relaxed to 660 so that the web server running as group www can still connect. Together these further increase security while restoring compatibility. MFH: 2017Q1 Differential Revision: https://reviews.freebsd.org/D9398
Notes
Notes: svn path=/head/; revision=433172
-rw-r--r--GIDs2
-rw-r--r--UIDs2
-rw-r--r--www/uwsgi/Makefile5
-rw-r--r--www/uwsgi/files/uwsgi.in18
4 files changed, 17 insertions, 10 deletions
diff --git a/GIDs b/GIDs
index e7f4ceee6ba1..699e3ef4220c 100644
--- a/GIDs
+++ b/GIDs
@@ -106,7 +106,7 @@ solr:*:161:
octoprint:*:162:
_iked:*:163:
lightdm:*:164:
-# free: 165
+uwsgi:*:165:
# free: 166
# free: 167
# free: 168
diff --git a/UIDs b/UIDs
index d8c93e0b8222..2d069a5f9ed3 100644
--- a/UIDs
+++ b/UIDs
@@ -111,7 +111,7 @@ solr:*:161:161::0:0:Apache Solr System:/var/db/solr:/usr/sbin/nologin
octoprint:*:162:162::0:0:OctoPrint Daemon:/usr/local/octoprint:/usr/sbin/nologin
_iked:*:163:163::0:0:IKEv2 Daemon:/var/empty:/usr/sbin/nologin
lightdm:*:164:164::0:0:Light Display Manager:/var/lib/lightdm-data:/usr/sbin/nologin
-# free: 165
+uwsgi:*:165:165::0:0:uwsgi Daemon:/nonexistent:/usr/sbin/nologin
# free: 166
# free: 167
# free: 168
diff --git a/www/uwsgi/Makefile b/www/uwsgi/Makefile
index 7866b9596256..376cd5e32dfa 100644
--- a/www/uwsgi/Makefile
+++ b/www/uwsgi/Makefile
@@ -3,7 +3,7 @@
PORTNAME= uwsgi
PORTVERSION= 2.0.14
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= www python
MASTER_SITES= http://projects.unbit.it/downloads/
@@ -17,6 +17,9 @@ USES= python ssl
USE_PYTHON= distutils
USE_RC_SUBR= uwsgi
+USERS= uwsgi
+GROUPS= uwsgi
+
OPTIONS_DEFINE= DEBUG JSON PCRE XML
DEBUG_VARS= PYDISTUTILS_BUILDARGS+=--debug
diff --git a/www/uwsgi/files/uwsgi.in b/www/uwsgi/files/uwsgi.in
index 33ac1ac87d91..33db07b815c0 100644
--- a/www/uwsgi/files/uwsgi.in
+++ b/www/uwsgi/files/uwsgi.in
@@ -14,14 +14,16 @@
# Default is /tmp/uwsgi.sock.
# uwsgi_socket_mode (int): Set the mode of the socket.
# Default is 600.
+# uwsgi_socket_owner (str): Set the owner of the socket.
+# Default is www:www.
# uwsgi_logfile (path): Set the path to the uwsgi log file
# Default is /var/log/uwsgi.log.
# uwsgi_pidfile (path): Set the path to the uwsgi pid file
# Default is /var/run/uwsgi.pid.
# uwsgi_uid (int): Set the UID of the process to run with
-# Default is 80.
+# Default is 165 (uwsgi).
# uwsgi_gid (int): Set the GID of the process to run with
-# Default is 80.
+# Default is 165 (uwsgi).
# uwsgi_flags (str): Set the uwsgi command line arguments
# Default is "-M -L".
# uwsgi_procname (str): Define to "uWSGI" if you start uwsgi with
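Review bot: The header comment for uwsgi_socket_mode still says `Default is 600.` while the hunk below changes the default to 660, so the first thing an administrator reads is now wrong; change it to `# Default is 660.`. The new uwsgi_socket_owner entry would also benefit from saying what the value is for, since with mode 660 the group part is the only thing that grants the web server access: `# This should be the user:group of the frontend web server that connects to the socket.` As far as I can tell the uwsgi process itself does not need to be in that group after it has bound the socket, but that is worth confirming against uwsgi's privilege-drop order before stating it in the comment.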
@@ -47,11 +49,12 @@ command=%%PREFIX%%/bin/uwsgi
: ${uwsgi_enable="NO"}
: ${uwsgi_profiles=""}
: ${uwsgi_socket="/tmp/${name}.sock"}
-: ${uwsgi_socket_mode="600"}
+: ${uwsgi_socket_mode="660"}
+: ${uwsgi_socket_owner="www:www"}
: ${uwsgi_logfile="/var/log/${name}.log"}
: ${uwsgi_pidfile="/var/run/${name}.pid"}
-: ${uwsgi_uid="80"}
-: ${uwsgi_gid="80"}
+: ${uwsgi_uid="165"}
+: ${uwsgi_gid="165"}
: ${uwsgi_flags="-M -L"}
: ${uwsgi_procname="${command}"}
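Review bot: The tighter mode and explicit owner only help if nobody else can tamper with the socket path, but the default `uwsgi_socket="/tmp/${name}.sock"` two lines above the new defaults still places it in the world-writable /tmp, where any local user can pre-create an entry at that path before the service first starts. Whether uwsgi's unlink/bind/chmod/chown sequence is safe against that I cannot confirm from here, but the usual FreeBSD convention sidesteps the question; consider `: ${uwsgi_socket="/var/run/${name}.sock"}` (and the matching per-profile default further down), or a dedicated directory owned by the uwsgi user. If the path must stay in /tmp, the header comment should at least warn that the owner/mode settings do not protect against a pre-existing file there.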
@@ -75,7 +78,8 @@ if [ -n "${uwsgi_profiles}" ]; then
exit 1
fi
eval uwsgi_socket=\${uwsgi_${profile}_socket:-"/tmp/${name}-${profile}.sock"}
- eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"600"}
+ eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"660"}
+ eval uwsgi_socket_owner=\${uwsgi_${profile}_socket_owner:-"www:www"}
eval uwsgi_logfile=\${uwsgi_${profile}_logfile:-"/var/log/${name}-${profile}.log"}
eval uwsgi_pidfile=\${uwsgi_${profile}_pidfile:-"/var/run/${name}-${profile}.pid"}
eval uwsgi_uid=\${uwsgi_${profile}_uid:-"${uwsgi_uid}"}
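Review bot: The per-profile fallback for uwsgi_socket_owner is the literal `"www:www"` rather than the global `${uwsgi_socket_owner}`, so an administrator who sets uwsgi_socket_owner in rc.conf to match a web server running under a different group gets that value silently ignored for every profile; the uwsgi_uid line at the bottom of the hunk already falls back to the global value, and the mode line has the same literal-default inconsistency. Suggested: `eval uwsgi_socket_mode=\${uwsgi_${profile}_socket_mode:-"${uwsgi_socket_mode}"}` and `eval uwsgi_socket_owner=\${uwsgi_${profile}_socket_owner:-"${uwsgi_socket_owner}"}`. This assumes, as the surrounding `if [ -n "${uwsgi_profiles}" ]` structure suggests, that a single profile is evaluated per invocation so the global is not clobbered between profiles; the enclosing if block starts and ends outside the hunk.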
@@ -92,7 +96,7 @@ if [ -n "${uwsgi_profiles}" ]; then
fi
command=%%PREFIX%%/bin/uwsgi
-command_args="--pidfile ${uwsgi_pidfile} -s ${uwsgi_socket} --chmod-socket=${uwsgi_socket_mode} -d ${uwsgi_logfile} --uid ${uwsgi_uid} --gid ${uwsgi_gid}"
+command_args="--pidfile ${uwsgi_pidfile} -s ${uwsgi_socket} --chmod-socket=${uwsgi_socket_mode} --chown-socket=${uwsgi_socket_owner} -d ${uwsgi_logfile} --uid ${uwsgi_uid} --gid ${uwsgi_gid}"
pidfile=${uwsgi_pidfile}
stop_postcmd=stop_postcmd
reload_precmd=reload_precmd
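Review bot: The new `--chown-socket=${uwsgi_socket_owner}` is passed through unvalidated, so a typo or a user/group that does not exist on this host (www is standard on FreeBSD, but the value is meant to be overridden) is only discovered from whatever uwsgi writes to uwsgi_logfile after daemonizing, and I cannot confirm from here whether uwsgi then refuses to start or silently leaves the socket owned by root. Since the script already runs as root before uwsgi drops to uwsgi_uid/uwsgi_gid, a start_precmd that resolves both halves with pw(8) gives a clear rc error instead; if the script already defines start_precmd outside this hunk, fold the check into it. The same precmd would be a natural place to verify that uwsgi_socket_mode is a valid octal mode.
```shell
uwsgi_check_owner()
{
	local user group
	user=${uwsgi_socket_owner%%:*}
	group=${uwsgi_socket_owner#*:}
	if ! pw usershow "${user}" >/dev/null 2>&1 || ! pw groupshow "${group}" >/dev/null 2>&1; then
		err 1 "uwsgi_socket_owner '${uwsgi_socket_owner}' does not resolve to an existing user:group"
	fi
}
# … unchanged: command_args, pidfile, stop_postcmd, reload_precmd …
start_precmd=uwsgi_check_owner
```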