From 1a9ac8c93a6b09a23be7fe7315eaf907bc3fdcbd Mon Sep 17 00:00:00 2001 From: Steve Wills Date: Thu, 25 Apr 2019 21:00:52 +0000 Subject: [PATCH] security/vault: add vault user to daemon class This allows use of mlock() when vault is started via rc script. Submitted by: dch Reviewed by: jrm Differential Revision: https://reviews.freebsd.org/D20025
---
UIDs | 2 +- security/vault/Makefile | 2 ++ security/vault/files/pkg-message.in | 19 +++++++++++++++++++ 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 security/vault/files/pkg-message.in
diff --git a/UIDs b/UIDs
index b824836b37a8..e1bfad3d5bed 100644
--- a/UIDs
+++ b/UIDs
@@ -416,7 +416,7 @@ netmon:*:467:467::0:0:Network monitor account:/var/netmon:/usr/sbin/nologin
 slurm:*:468:468::0:0:SLURM Daemon:/nonexistent:/usr/sbin/nologin
 consul:*:469:469::0:0:Consul Daemon:/var/tmp/consul:/usr/sbin/nologin
 serf:*:470:470::0:0:Serf Daemon:/nonexistent:/usr/sbin/nologin
-vault:*:471:471::0:0:Vault Daemon:/nonexistent:/usr/sbin/nologin
+vault:*:471:471:daemon:0:0:Vault Daemon:/nonexistent:/usr/sbin/nologin
 nomad:*:472:472::0:0:Nomad Daemon:/var/tmp/nomad:/usr/sbin/nologin
 minio:*:473:473::0:0:Minio Daemon:/var/tmp/minio:/usr/sbin/nologin
 gitlab-runner:*:474:474::0:0:GitLab Runner Daemon:/var/tmp/gitlab_runner:/usr/sbin/nologin
diff --git a/security/vault/Makefile b/security/vault/Makefile
index d3cf9d3e66c9..20c9efae016e 100644
--- a/security/vault/Makefile
+++ b/security/vault/Makefile
@@ -2,6 +2,7 @@
 PORTNAME= vault
 PORTVERSION= 1.1.2
+PORTREVISION= 1
 DISTVERSIONPREFIX= v
 CATEGORIES= security
@@ -26,6 +27,7 @@ USERS= vault
 GROUPS= vault
 PLIST_FILES= bin/${PORTNAME}
+SUB_FILES= pkg-message
 post-patch:
 @${CP} ${WRKDIR}/vaultui-${PORTVERSION}/http/bindata_assetfs.go ${WRKDIR}/vault-${PORTVERSION}/http/bindata_assetfs.go
diff --git a/security/vault/files/pkg-message.in b/security/vault/files/pkg-message.in
new file mode 100644
index 000000000000..e9d8e0b29b30
--- /dev/null
+++ b/security/vault/files/pkg-message.in
@@ -0,0 +1,19 @@
+The vault user created by the vault package is now a member of the daemon
+class, which will allow it to use mlock() when started by the rc script. This
+will not be reflected in systems where the user already exists. Please add the
+vault user to the daemon class manually by running:
+
+pw usermod -L daemon -n vault
+
+or delete the user and reinstall the package.
+
+You may also need to increase memorylocked for the daemon class in
+/etc/login.conf to 256M or more and run:
+
+cap_mkdb /etc/login.conf
+
+Or to disable mlock, add:
+
+disable_mlock = 1
+
+to %%PREFIX%%/etc/vault.hcl
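Review bot: The `disable_mlock = 1` alternative at the end of pkg-message.in is offered as an equal option without stating its cost: with mlock disabled, Vault's process memory, which can hold decrypted secrets and key material, may be paged out to swap. I would add a sentence after the `to %%PREFIX%%/etc/vault.hcl` line such as `Only disable mlock if swap is disabled or encrypted; otherwise Vault's memory may be written to disk.` The advice to raise `memorylocked` for the daemon class in /etc/login.conf also applies to every account in that class, not only vault, and the message should say so. If admins are expected to prefer the login-class route, which is what the commit itself sets up, the message could mark it as the recommended one.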