From 7d239053ed96e2e50f42ab34c02ac9bfbc94de26 Mon Sep 17 00:00:00 2001
From: Sam & Claude
Date: Sun, 14 Jun 2026 22:08:54 +0200
Subject: [PATCH 1/2] fix(rc): make colibri_daemon script live-copy safe (Sam & Codex)

Make the FreeBSD rc.d source safe to copy directly onto the live USB: avoid rc.subr's *_program command override, avoid double privilege drop via daemon(8) -u, and keep pid/socket chmod fixes in the source script.\n\nChecks: sh -n packaging/freebsd/colibri_daemon.in; git diff --check.
---
 packaging/freebsd/colibri_daemon.in | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/packaging/freebsd/colibri_daemon.in b/packaging/freebsd/colibri_daemon.in
index e78f65c..63f6260 100644
--- a/packaging/freebsd/colibri_daemon.in
+++ b/packaging/freebsd/colibri_daemon.in
@@ -4,8 +4,9 @@
 #
 # colibri-daemon runs in the FOREGROUND — it does not self-daemonize or write a
 # pidfile. rc.d runs it under daemon(8), which backgrounds it, writes the
-# child pidfile (colibri-daemon PID), restarts on crash, drops privileges to
-# the colibri user, and redirects stdout/stderr (tracing) to a logfile.
+# child pidfile (colibri-daemon PID), restarts on crash, and redirects
+# stdout/stderr (tracing) to a logfile. rc.subr performs the privilege drop
+# through ${name}_user.
 #
 # Setup (one-time, as root):
 # pw groupadd colibri
@@ -37,7 +38,7 @@ load_rc_config $name
 : ${colibri_daemon_enable:="NO"}
 : ${colibri_daemon_user:="colibri"}
 : ${colibri_daemon_group:="colibri"}
-: ${colibri_daemon_program:="/usr/local/bin/colibri-daemon"}
+: ${colibri_daemon_binary:="/usr/local/bin/colibri-daemon"}
 : ${colibri_daemon_data_dir:="/var/db/colibri"}
 : ${colibri_daemon_run_dir:="/var/run/colibri"}
 : ${colibri_daemon_socket:="${colibri_daemon_run_dir}/colibri.sock"}
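Review bot: The rename of the rc.conf knob from `colibri_daemon_program` to `colibri_daemon_binary` is not documented in the script header, and an rc.conf that still sets the old name is not merely ignored: as far as I recall rc.subr takes `${name}_program` as an override of `command`, so a leftover `colibri_daemon_program=...` would make rc.subr exec the binary directly, bypassing daemon(8), both pidfiles and the crash restart this script depends on. Suggest a comment next to the new default, `# colibri_daemon_program is reserved by rc.subr as a command override; configure the binary via colibri_daemon_binary instead.`, and, if earlier builds shipped the old knob, a one-line warning after load_rc_config such as `[ -n "${colibri_daemon_program}" ] && warn "colibri_daemon_program overrides command; use colibri_daemon_binary instead"`.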
@@ -54,11 +55,13 @@ supervisor_pidfile="${colibri_daemon_run_dir}/colibri-daemon-supervisor.pid"
 # Run colibri-daemon under daemon(8):
 # -P supervisor pidfile (the daemon(8) parent — used by stop)
 # -p child pidfile (writes colibri-daemon PID — used by start/status)
-# -r restart on crash, -t process title, -u drop to the colibri user,
+# -r restart on crash, -t process title,
 # -o append stdout/stderr to log.
+# rc.subr already runs the command as ${colibri_daemon_user}; do not also pass
+# daemon(8) -u or daemon(8) will try to drop privileges a second time.
 command="/usr/sbin/daemon"
-command_args="-P ${supervisor_pidfile} -p ${pidfile} -r -t ${name} -u ${colibri_daemon_user} \
- -o ${colibri_daemon_logfile} ${colibri_daemon_program}"
+command_args="-P ${supervisor_pidfile} -p ${pidfile} -r -t ${name} \
+ -o ${colibri_daemon_logfile} ${colibri_daemon_binary}"
 
 # Use the child's process name so rc.subr can find the right process via the
 # child pidfile. Using the daemon(8) supervisor path would collide with
@@ -101,6 +104,8 @@ colibri_daemon_poststart()
 
 if [ -S "${colibri_daemon_socket}" ]; then
 echo "colibri-daemon socket ready after ${waited}s"
+ chmod 644 "${pidfile}" 2>/dev/null || true
+ chmod 660 "${colibri_daemon_socket}" 2>/dev/null || true
 else
 echo "WARNING: colibri-daemon socket not ready after ${timeout}s"
 fi
From 07e4660a950f915d5bc7cfc1a212c39b65d169c7 Mon Sep 17 00:00:00 2001
From: Sam & Claude
Date: Sun, 14 Jun 2026 22:39:52 +0200
Subject: [PATCH 2/2] fix(rc): clear stale colibri socket before start (Sam & Codex)

Remove stale socket and pidfiles in prestart while rc.d still has root privileges. This handles live USB repair cases where a previous corrupt/root-started daemon left /var/run/colibri/colibri.sock owned by root, causing the colibri user to fail unlink with EPERM and bind with EADDRINUSE.\n\nChecks: sh -n packaging/freebsd/colibri_daemon.in; git diff --check.
---
 packaging/freebsd/colibri_daemon.in | 5 +++++
 1 file changed, 5 insertions(+)
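Review bot: The new `command_args` still embeds `${supervisor_pidfile}`, `${pidfile}`, `${colibri_daemon_logfile}` and `${colibri_daemon_binary}` unquoted; as I read rc.subr it evals this string, so an rc.conf override containing whitespace splits into separate daemon(8) arguments. The added comment is right that daemon(8) must not get `-u`, but the consequence worth spelling out is that daemon(8) itself now runs as `${colibri_daemon_user}`, so the `-P` supervisor pidfile and the `-o` logfile are created by that user rather than by root and must live in directories it can write; suggest appending `# Because daemon(8) itself runs as ${colibri_daemon_user}, the -P/-p pidfiles and the -o logfile must be in directories that user can write (see prestart).` to the comment block.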
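Review bot: The `chmod 660` on the socket is applied once by poststart, but `-r` in command_args makes daemon(8) restart a crashed child on its own without rc.d running poststart again, so a restarted daemon's socket presumably comes back with whatever mode the child's umask gives it and group clients may lose access until the next `service colibri_daemon restart`. The `2>/dev/null || true` also hides a failed chmod, which would only surface later as client connection failures; suggest `chmod 660 "${colibri_daemon_socket}" || warn "could not set mode on ${colibri_daemon_socket}"` and, longer term, having the daemon set the socket mode itself so it survives restarts. The same applies to the `chmod 644` on the child pidfile, which daemon(8) rewrites on restart. colibri_daemon_poststart's body continues outside the hunk.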
diff --git a/packaging/freebsd/colibri_daemon.in b/packaging/freebsd/colibri_daemon.in
index 63f6260..9f0f454 100644
--- a/packaging/freebsd/colibri_daemon.in
+++ b/packaging/freebsd/colibri_daemon.in
@@ -84,6 +84,11 @@ colibri_daemon_prestart()
 install -d -o "${colibri_daemon_user}" -g "${colibri_daemon_group}" -m 0750 \
 "$(/usr/bin/dirname "${colibri_daemon_logfile}")"
 
+ # Remove stale runtime files while rc.d is still root. The daemon process
+ # runs as colibri and cannot unlink a stale socket left behind by a prior
+ # root/corrupt manual start.
+ rm -f "${colibri_daemon_socket}" "${pidfile}" "${supervisor_pidfile}"
+
 # Config is passed to the child via the environment.
 export COLIBRI_DAEMON_DATA_DIR="${colibri_daemon_data_dir}"
 export COLIBRI_DAEMON_SOCKET="${colibri_daemon_socket}"
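Review bot: The `rm -f` unconditionally unlinks the supervisor pidfile and the socket, yet rc.subr's already-running check, as far as I can tell, looks only at the child pidfile (the comment kept earlier in the script says the child's process name is used for that); during the window in which daemon(8) `-r` is restarting a crashed child, that pidfile points at no live process, so a `service colibri_daemon start` would pass the check, delete the live supervisor's pidfile and socket, and launch a second daemon(8) that races the restarted child for the socket path. Suggest guarding the removal with a supervisor liveness check before the `rm -f`, e.g. `if [ -n "$(check_pidfile "${supervisor_pidfile}" /usr/sbin/daemon)" ]; then err 1 "daemon(8) supervisor still running; refusing to remove runtime files"; fi`. It is also worth stating in the new comment that `rm -f` unlinks rather than follows symlinks, since this runs as root inside a directory owned by the unprivileged colibri user. colibri_daemon_prestart's body continues outside the hunk.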