From: Mathieu Arnold
Organization: Absolight / The FreeBSD Foundation
To: freebsd@jonathanprice.org, freebsd-ports@freebsd.org
Subject: Re: Issue with folder permissions in net-mgmt/librenms
Date: Wed, 12 Apr 2017 13:22:41 +0200
In-Reply-To: <7044ba33fd0394ed4af6f318faec2dd6@mail.jonathanprice.org>
List-Id: Porting software to FreeBSD (freebsd-ports@freebsd.org)
On 12/04/2017 at 10:53, freebsd@jonathanprice.org wrote:
> Basically, the entire /usr/local/www/librenms should be owned www:www.

This is most certainly not true, and if it is, a very big security risk. The only files and directories that should be owned by www should be the ones the software must be able to write to, like a cache directory, or a configuration file.

> However, a bunch of folders are root:wheel.
> post-install:
> 	@${ECHO_CMD} "@owner ${WWWOWN}" >> ${TMPPLIST}
> 	@${ECHO_CMD} "@group ${WWWGRP}" >> ${TMPPLIST}
> 	@${FIND} -s ${STAGEDIR}${WWWDIR} -not -type d | ${SORT} | \
> 		${SED} -e 's#^${STAGEDIR}${PREFIX}/##' >> ${TMPPLIST}
> 	${INSTALL_DATA} ${WRKSRC}/config.php.default \
> 		${STAGEDIR}/${WWWDIR}/config.php.sample
> 	@${ECHO} @sample ${WWWDIR}/config.php.sample >> ${TMPPLIST}
> 	@${ECHO} @dir ${WWWDIR}/rrd >> ${TMPPLIST}
> 	@${ECHO} @dir ${WWWDIR}/logs >> ${TMPPLIST}
> 	@${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/build >> ${TMPPLIST}
> 	@${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/docs >> ${TMPPLIST}
> 	@${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/tests >> ${TMPPLIST}
> 	@${ECHO_CMD} "@group" >> ${TMPPLIST}
> 	@${ECHO_CMD} "@owner" >> ${TMPPLIST}
>
> However, if I look at work/.PLIST.mktmp, everything seems to be in order (extract below):
>
> @owner www
> @group www
> ...
> www/librenms/vendor/ulrichsg/getopt-php/CHANGELOG.md
> www/librenms/vendor/ulrichsg/getopt-php/LICENSE
> www/librenms/vendor/ulrichsg/getopt-php/Makefile
> ...
> @group
> @owner
>
> In the above example, "vendor" is one of the directories that's being set to root:wheel.
>
> I believe the problem could lie with the find command. I tried removing "-not -type d", but that seemed to cause most files to not be installed at all. That does however prove that the erroneous folders ARE being added to the TMPPLIST, otherwise they wouldn't get installed in the first place.

You cannot add directories directly to the plist, so, removing the -not -type d is not the way to go.
You need to add another find that will output the directories, something like:

${FIND} -s ${STAGEDIR}${WWWDIR} -type d | ${SED} -e 's#^${STAGEDIR}#@dir #' >> ${TMPPLIST}

-- 
Mathieu Arnold
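The plist generation discussed above, as an added example that is not part of the thread or of the port: it builds a constructed staging tree, emits file entries and @dir entries with two find passes, and scopes @owner/@group to the directories the application must write to (rrd and logs, as in the quoted target), leaving the rest of the tree to the default root:wheel. PREFIX, WWWDIR, WWWOWN and WWWGRP mirror the values in the quoted Makefile; the stage directory is a temporary path created here.

```shell
#!/bin/sh
# Added example, not the port's own code. Mirrors the quoted post-install target
# but hands only the writable directories to www:www.
PREFIX=/usr/local
WWWDIR="${PREFIX}/www/librenms"
WWWOWN=www
WWWGRP=www

# Constructed staging tree standing in for ${STAGEDIR}; prints its path.
make_stage() {
    stage=$(mktemp -d)
    mkdir -p "${stage}${WWWDIR}/vendor/ulrichsg/getopt-php" \
             "${stage}${WWWDIR}/rrd" "${stage}${WWWDIR}/logs"
    : > "${stage}${WWWDIR}/index.php"
    : > "${stage}${WWWDIR}/vendor/ulrichsg/getopt-php/LICENSE"
    printf '%s\n' "$stage"
}

# Emit plist lines for the stage given as $1, relative to PREFIX.
gen_plist() {
    stage=$1
    rel=${WWWDIR#${PREFIX}/}
    # Regular files, installed with default (root:wheel) ownership.
    # The writable dirs ship empty, so nothing of theirs is listed here.
    find "${stage}${WWWDIR}" ! -type d ! -path "*/rrd/*" ! -path "*/logs/*" \
        | sort | sed -e "s#^${stage}${PREFIX}/##"
    # Directories must be listed as @dir; pkg does not take bare directory paths.
    find "${stage}${WWWDIR}" -type d ! -name rrd ! -name logs \
        | sort | sed -e "s#^${stage}${PREFIX}/#@dir #"
    # Only what the web server writes to goes inside the @owner/@group block.
    echo "@owner ${WWWOWN}"
    echo "@group ${WWWGRP}"
    for d in rrd logs; do
        echo "@dir ${rel}/${d}"
    done
    echo "@group"
    echo "@owner"
}

stage=$(make_stage)
gen_plist "$stage"
rm -rf "$stage"
```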