security/stunnel: Drop privs by default, update PID file location

- Document changes in UPDATING

PR:		249151
Reported by:	 Tatsuki Makino <tatsuki_makino@hotmail.com>

UPDATING

@@ -5,6 +5,19 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.
 
+20220711:
+  AFFECTS: users of security/stunnel
+  AUTHOR: zi@FreeBSD.org
+
+  The stunnel port has been updated to drop privileges to the stunnel
+  user by default.
+
+  As a result of this change, the pid file location has changed.  If
+  you have a running copy of stunnel, you should stop the process
+  before performing the upgrade.  Alternatively, you will need to
+  # pkill stunnel;service stunnel start
+  after the upgrade has been completed.
+
 20220628:
   AFFECTS: users of Erlang and Elixir
   AUTHOR: dch@FreeBSD.org

security/stunnel/Makefile

@@ -16,7 +16,7 @@ LICENSE=	GPLv2 GPLv3
 LICENSE_COMB=	dual
 
 BROKEN_SSL=	libressl libressl-devel
-BROKEN_SSL_REASON=	Missing upstream support
+BROKEN_SSL_REASON=	missing upstream support
 
 USES=		cpe libtool perl5 shebangfix ssl
 USE_PERL5=	build
@@ -27,6 +27,10 @@ GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--localstatedir=/var/tmp --enable-static --disable-systemd \
 		--with-ssl="${OPENSSLBASE}"
 SHEBANG_FILES=	src/stunnel3.in
+SUB_FILES=	daemon.conf
+SUB_LIST=	STUNNEL_PIDFILE=${STUNNEL_PIDFILE} \
+		STUNNEL_USER=${STUNNEL_USER} \
+		STUNNEL_GROUP=${STUNNEL_GROUP}
 
 OPTIONS_DEFINE=			DOCS EXAMPLES FIPS IPV6 LIBWRAP
 OPTIONS_SINGLE=			THREAD
@@ -42,6 +46,7 @@ FORK_DESC=			Use the fork(3) threading model
 PTHREAD_DESC=			Use the pthread(3) threading model
 UCONTEXT_DESC=			Use the ucontext(3) threading model
 
+STUNNEL_PIDFILE=/var/run/stunnel/stunnel.pid
 STUNNEL_USER?=	stunnel
 STUNNEL_GROUP?=	stunnel
 
@@ -101,7 +106,7 @@ post-build:
 
 post-install:
 	${MKDIR} ${STAGEDIR}${ETCDIR}/conf.d/
-	${INSTALL_DATA} ${FILESDIR}/pid.conf ${STAGEDIR}${ETCDIR}/conf.d/00-pid.conf
+	${INSTALL_DATA} ${WRKDIR}/daemon.conf ${STAGEDIR}${ETCDIR}/conf.d/00-daemon.conf
 
 cert:
 	@${ECHO} ""

security/stunnel/files/daemon.conf.in

@@ -0,0 +1,3 @@
+pid = %%STUNNEL_PIDFILE%%
+setuid = %%STUNNEL_USER%%
+setgid = %%STUNNEL_GROUP%%

security/stunnel/files/pid.conf

@@ -1 +0,0 @@
-pid = /var/run/stunnel.pid

security/stunnel/files/stunnel.in

@@ -13,9 +13,11 @@
 #				Set it to the full path to the config file
 #				that stunnel will use during the automated
 #				start-up.
-# stunnel_pidfile (str):	Default "%%PREFIX%%/var/stunnel/stunnel.pid"
+# stunnel_pidfile (str):	Default "%%STUNNEL_PIDFILE%%"
 #				Set it to the value of 'pid' in
 #				the stunnel.conf file.
+# stunnel_uid (str):		Default "%%STUNNEL_USER%%"
+# stunnel_gid (str):		Default "%%STUNNEL_GROUP%%"
 #
 
 . /etc/rc.subr
@@ -27,7 +29,9 @@ load_rc_config $name
 
 : ${stunnel_enable="NO"}
 : ${stunnel_config="%%ETCDIR%%/${name}.conf"}
-: ${stunnel_pidfile="/var/run/${name}.pid"}
+: ${stunnel_pidfile="%%STUNNEL_PIDFILE%%"}
+: ${stunnel_uid="%%STUNNEL_USER%%"}
+: ${stunnel_gid="%%STUNNEL_GROUP%%"}
 
 command="%%PREFIX%%/bin/stunnel"
 command_args=${stunnel_config}
@@ -35,4 +39,14 @@ pidfile=${stunnel_pidfile}
 
 required_files="${stunnel_config}"
 
+start_precmd=stunnel_start_precmd
+
+stunnel_start_precmd () {
+	local piddir
+	piddir=`/usr/bin/dirname "${pidfile}"`
+	if [ ! -d "${piddir}" ] ; then
+		/usr/bin/install -d -o "${stunnel_uid}" -g "${stunnel_gid}" "${piddir}"
+	fi
+}
+
 run_rc_command "$1"

security/stunnel/pkg-plist

@@ -1,7 +1,7 @@
 bin/stunnel
 bin/stunnel3
 %%ETCDIR%%/stunnel.conf-sample
-%%ETCDIR%%/conf.d/00-pid.conf
+%%ETCDIR%%/conf.d/00-daemon.conf
 lib/stunnel/libstunnel.a
 lib/stunnel/libstunnel.so
 man/man8/stunnel.8.gz