Commit 31174c81 authored by swills

security/vault: add vault user to daemon class

This allows use of mlock() when vault is started via rc script.

Submitted by:	dch
Reviewed by:	jrm
Differential Revision:	https://reviews.freebsd.org/D20025
parent 6d21fe43
......@@ -416,7 +416,7 @@ netmon:*:467:467::0:0:Network monitor account:/var/netmon:/usr/sbin/nologin
slurm:*:468:468::0:0:SLURM Daemon:/nonexistent:/usr/sbin/nologin
consul:*:469:469::0:0:Consul Daemon:/var/tmp/consul:/usr/sbin/nologin
serf:*:470:470::0:0:Serf Daemon:/nonexistent:/usr/sbin/nologin
vault:*:471:471::0:0:Vault Daemon:/nonexistent:/usr/sbin/nologin
vault:*:471:471:daemon:0:0:Vault Daemon:/nonexistent:/usr/sbin/nologin
nomad:*:472:472::0:0:Nomad Daemon:/var/tmp/nomad:/usr/sbin/nologin
minio:*:473:473::0:0:Minio Daemon:/var/tmp/minio:/usr/sbin/nologin
gitlab-runner:*:474:474::0:0:GitLab Runner Daemon:/var/tmp/gitlab_runner:/usr/sbin/nologin
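Review bot: The vault entry is now the only one in this range with a non-empty class field, and the reason (mlock() under the rc script) is recorded only in the commit message. A short comment next to USERS= vault in the port Makefile would keep a later cleanup from resetting the field to match its neighbours. The class is also applied only when the account is created, so hosts that already have uid 471 stay on the empty class until an admin changes it.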
......
......@@ -2,6 +2,7 @@
PORTNAME= vault
PORTVERSION= 1.1.2
PORTREVISION= 1
DISTVERSIONPREFIX= v
CATEGORIES= security
......@@ -26,6 +27,7 @@ USERS= vault
GROUPS= vault
PLIST_FILES= bin/${PORTNAME}
SUB_FILES= pkg-message
post-patch:
@${CP} ${WRKDIR}/vaultui-${PORTVERSION}/http/bindata_assetfs.go ${WRKDIR}/vault-${PORTVERSION}/http/bindata_assetfs.go
......
The vault user created by the vault package is now a member of the daemon
class, which will allow it to use mlock() when started by the rc script. This
will not be reflected in systems where the user already exists. Please add the
vault user to the daemon class manually by running:
pw usermod -L daemon -n vault
or delete the user and reinstall the package.
You may also need to increase memorylocked for the daemon class in
/etc/login.conf to 256M or more and run:
cap_mkdb /etc/login.conf
Or to disable mlock, add:
disable_mlock = 1
to %%PREFIX%%/etc/vault.hcl
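Review bot: The closing lines of the message present disable_mlock as an equal alternative to fixing the login class, without stating the cost: with mlock off, Vault's memory can be paged out, so secrets and key material may be written to swap. The message should say so and recommend that option only where swap is disabled or encrypted. The memorylocked step would also be easier to follow if it showed the entry as it should appear in the daemon class of /etc/login.conf.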