It's neither necessary nor advisable to run ddclient as root.  Add a
dedicated user.

* change permissions on /etc/ddclient/ddclient.conf to 640,
root:_ddclient and delete the mode 600 check from the script.

* PID files are now in /var/run/ddclient; this will require users to
change their config.  Maybe add a MESSAGE?

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/ddclient/Makefile,v
retrieving revision 1.19
diff -u -p -r1.19 Makefile
--- Makefile    25 Mar 2014 10:06:25 -0000      1.19
+++ Makefile    21 Mar 2015 21:27:27 -0000
@@ -3,11 +3,12 @@
 COMMENT=               Dynamic DNS service update client
 
 DISTNAME=              ddclient-3.8.2
+REVISION=              0
 CATEGORIES=            net
 
 HOMEPAGE=              http://ddclient.sourceforge.net/
 
-# GPL
+# GPLv2+
 PERMIT_PACKAGE_CDROM=  Yes
 
 MASTER_SITES=          ${MASTER_SITE_SOURCEFORGE:=ddclient/}
Index: patches/patch-ddclient
===================================================================
RCS file: patches/patch-ddclient
diff -N patches/patch-ddclient
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-ddclient      21 Mar 2015 21:27:27 -0000
@@ -0,0 +1,20 @@
+$OpenBSD$
+--- ddclient.orig      Tue Nov 25 15:02:26 2014
++++ ddclient   Tue Nov 25 15:03:18 2014
+@@ -997,16 +997,6 @@ sub _read_config {
+       # fatal("Cannot open file '%s'. ($!)", $file);
+       warning("Cannot open file '%s'. ($!)", $file);
+     }
+-    # Check for only owner has any access to config file
+-    my ($dev, $ino, $mode, @statrest) = stat(FD);
+-    if ($mode & 077) {                          
+-      if (-f FD && (chmod 0600, $file)) {
+-          warning("file $file must be accessible only by its owner (fixed).");
+-      } else {
+-          # fatal("file $file must be accessible only by its owner.");
+-          warning("file $file must be accessible only by its owner.");
+-      }
+-    }
+ 
+     local $lineno       = 0;
+     my    $continuation = '';
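Review bot: Deleting the whole mode test in `_read_config` also drops the warning for a config file that other users can read or write, and ddclient.conf normally carries the dynamic-DNS account login and password. The new 0640 root:_ddclient layout only needs group read to be tolerated, so the test could be narrowed rather than removed, e.g. `if ($mode & 027) { warning("file $file must not be group-writable or accessible by others."); }`. The `chmod 0600` auto-fix is worth dropping either way, because when the script is run by the file's owner it would strip the group read bit the unprivileged daemon depends on. `_read_config` begins and ends outside this hunk, so how `FD` is opened is not visible here.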
Index: patches/patch-sample-etc_ddclient_conf
===================================================================
RCS file: patches/patch-sample-etc_ddclient_conf
diff -N patches/patch-sample-etc_ddclient_conf
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-sample-etc_ddclient_conf      21 Mar 2015 21:27:27 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- sample-etc_ddclient.conf.orig      Tue Nov 25 14:37:20 2014
++++ sample-etc_ddclient.conf   Tue Nov 25 14:37:49 2014
+@@ -22,7 +22,7 @@ daemon=300                           # check every 300 
seconds
+ syslog=yes                            # log update msgs to syslog
+ mail=root                             # mail all msgs to root
+ mail-failure=root                     # mail failed update msgs to root
+-pid=/var/run/ddclient.pid             # record PID in file.
++pid=/var/run/ddclient/ddclient.pid    # record PID in file.
+ ssl=yes                                       # use ssl-support.  Works with
+                                       # ssl-library
+ # postscript=script                   # run script after updating.  The
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/ddclient/pkg/PLIST,v
retrieving revision 1.10
diff -u -p -r1.10 PLIST
--- pkg/PLIST   25 Mar 2014 10:06:25 -0000      1.10
+++ pkg/PLIST   21 Mar 2015 21:27:27 -0000
@@ -1,4 +1,7 @@
 @comment $OpenBSD: PLIST,v 1.10 2014/03/25 10:06:25 dcoppa Exp $
+@unexec rm -f /var/run/ddclient/ddclient.pid
+@newgroup _ddclient:750
+@newuser _ddclient:750:_ddclient:daemon:DynDNS 
Client:/var/db/ddclient:/sbin/nologin
 sbin/ddclient
 share/doc/ddclient/
 share/doc/ddclient/README.cisco
@@ -9,11 +12,16 @@ share/examples/ddclient/
 share/examples/ddclient/sample-ddclient-wrapper.sh
 share/examples/ddclient/sample-etc_cron.d_ddclient
 share/examples/ddclient/sample-etc_ddclient.conf
-@mode 0600
+@group _ddclient
+@mode 0640
 @sample ${SYSCONFDIR}/ddclient/ddclient.conf
 @mode
+@group
 share/examples/ddclient/sample-etc_dhclient-exit-hooks
 share/examples/ddclient/sample-etc_dhcpc_dhcpcd-eth0.exe
 share/examples/ddclient/sample-etc_ppp_ip-up.local
+@owner _ddclient
 @sample /var/db/ddclient/
+@sample /var/run/ddclient/
+@owner
 @rcscript ${RCDIR}/ddclient
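Review bot: `@sample /var/run/ddclient/` creates the PID directory only at package install time. If /var/run is emptied at boot (the usual behaviour of the base rc script, not shown here), the directory is gone after the first reboot and `_ddclient` has no permission to recreate it under /var/run. The same gap applies to the pkg/ddclient.rc hunk, which sets `daemon_user` but adds no pre-start step. Creating the directory from the rc script while it still runs as root, for example `rc_pre() { install -d -o _ddclient /var/run/ddclient; }` after the `rc.subr` include, would keep the PID path usable without giving the daemon user write access to /var/run itself.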
Index: pkg/ddclient.rc
===================================================================
RCS file: /cvs/ports/net/ddclient/pkg/ddclient.rc,v
retrieving revision 1.3
diff -u -p -r1.3 ddclient.rc
--- pkg/ddclient.rc     27 Dec 2010 14:50:22 -0000      1.3
+++ pkg/ddclient.rc     21 Mar 2015 21:27:27 -0000
@@ -3,6 +3,7 @@
 # $OpenBSD: ddclient.rc,v 1.3 2010/12/27 14:50:22 ajacoutot Exp $
 
 daemon="${TRUEPREFIX}/sbin/ddclient"
+daemon_user="_ddclient"
 
 . /etc/rc.d/rc.subr
 
