lang/erlang: enhance epmd security
ClosedPublic
Actions

Authored by olgeni on Jun 16 2025, 12:17 PM.

Details

Reviewers

dch

Commits

R11:302b0049a9a0: lang/erlang: enhance epmd security

Summary

Add dedicated beam user (UID/GID 372) for non-root execution
Use daemon(8) for epmd process supervision and auto-restart

This addresses security concerns with epmd running as root by
providing privilege separation and automatic restart capability.

PR: 213001

Diff Detail

Repository

R11 FreeBSD ports repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

olgeni requested review of this revision.Jun 16 2025, 12:17 PM

olgeni created this revision.

Harbormaster completed remote builds in B64900: Diff 157095.Jun 16 2025, 12:17 PM

guest-patmaddox added a subscriber: guest-patmaddox.Jun 16 2025, 3:23 PM

Daemon fixed!

Harbormaster completed remote builds in B64905: Diff 157106.Jun 16 2025, 3:32 PM

\o/ a long overdue improvement! thanks!

This revision is now accepted and ready to land.Jun 17 2025, 10:06 AM

service start|stop epmd fails when flags are provided:

# /etc/rc.conf.d/epmd
epmd_enable=YES
epmd_flags="-address 100.64.0.0"

# service epmd start
/usr/local/etc/rc.d/epmd: DEBUG: run_rc_command: doit:  limits -C daemon  su -m beam -c 'sh -c " /usr/sbin/daemon -address 100.64.0.0 -f -r -P /var/run/epmd/epmd.pid /usr/local/bin/epmd -address 100.64.0.0"'
daemon: invalid option -- a

A solution is to s/flags/opts/ and then the flags are not passed through to daemon itself.

Otherwise LGTM!