Date: Wed, 12 Apr 2017 13:22:41 +0200
From: Mathieu Arnold <mat@FreeBSD.org>
To: freebsd@jonathanprice.org, freebsd-ports@freebsd.org
Subject: Re: Issue with folder permissions in net-mgmt/librenms
Message-ID: <d87baffb-3b5e-b444-7438-efcf2a145332@FreeBSD.org>
In-Reply-To: <7044ba33fd0394ed4af6f318faec2dd6@mail.jonathanprice.org>
References: <7044ba33fd0394ed4af6f318faec2dd6@mail.jonathanprice.org>

On 12/04/2017 at 10:53, freebsd@jonathanprice.org wrote:
> Basically, the entire /usr/local/www/librenms should be owned www:www.

This is most certainly not true, and if it is, a very big security risk.
The only files and directories that should be owned by www should be the
ones the software must be able to write to, like a cache directory, or a
configuration file.

> However, a bunch of folders are root:wheel.
>
> post-install:
>         @${ECHO_CMD} "@owner ${WWWOWN}" >> ${TMPPLIST}
>         @${ECHO_CMD} "@group ${WWWGRP}" >> ${TMPPLIST}
>         @${FIND} -s ${STAGEDIR}${WWWDIR} -not -type d | ${SORT} | \
>                 ${SED} -e 's#^${STAGEDIR}${PREFIX}/##' >> ${TMPPLIST}
>         ${INSTALL_DATA} ${WRKSRC}/config.php.default \
>                 ${STAGEDIR}/${WWWDIR}/config.php.sample
>         @${ECHO} @sample ${WWWDIR}/config.php.sample >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/rrd >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/logs >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/build >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/docs >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/tests >> ${TMPPLIST}
>         @${ECHO_CMD} "@group" >> ${TMPPLIST}
>         @${ECHO_CMD} "@owner" >> ${TMPPLIST}
>
> However, if I look at work/.PLIST.mktmp, everything seems to be in
> order (extract below):
>
> @owner www
> @group www
> ...
> www/librenms/vendor/ulrichsg/getopt-php/CHANGELOG.md
> www/librenms/vendor/ulrichsg/getopt-php/LICENSE
> www/librenms/vendor/ulrichsg/getopt-php/Makefile
> ...
> @group
> @owner
>
> In the above example, "vendor" is one of the directories that's being
> set to root:wheel.
>
> I believe the problem could lie with the find command. I tried removing
> "-not -type d", but that seemed to cause most files to not be installed
> at all. That does however prove that the erroneous folders ARE being
> added to the TMPPLIST, otherwise they wouldn't get installed in the
> first place.

You cannot add directories directly to the plist, so, removing the -not
-type d is not the way to go.
You need to add another find that will output the directories,
something like:

${FIND} -s ${STAGEDIR}${WWWDIR} -type d | ${SED} -e 's#^${STAGEDIR}#@dir #' >> ${TMPPLIST}

-- 
Mathieu Arnold
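
The reply's point, that only the paths the software must write to should be owned by www, can be checked against a generated plist before the package is built. The script below is an added example, not part of the original message or of the port; the allow-list regex, the function names and the sample plist are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): list plist entries that would be
# installed owned by the web user but are not on a writable allow-list.

# Assumption: only rrd, logs and the sample config need to be writable.
# @dir entries in the thread are absolute, file entries relative to PREFIX.
ALLOW='^(/usr/local/)?www/librenms/(rrd|logs|config[.]php[.]sample)(/|$)'

# audit_plist USER ALLOW_REGEX < plist
audit_plist() {
    awk -v user="$1" -v allow="$2" '
        NF == 0 { next }
        # "@owner name" applies to the entries that follow; bare "@owner" resets.
        $1 == "@owner" { owner = (NF > 1 ? $2 : ""); next }
        { eff = owner; path = "" }
        # Per-entry form "@dir(owner,group,mode) path" or "@(owner,group,mode) path".
        $1 ~ /^@(dir|sample)?\(/ {
            eff = $1; sub(/^[^(]*\(/, "", eff); sub(/[,)].*/, "", eff)
            if (eff == "") eff = owner
            path = $2
        }
        $1 == "@dir" || $1 == "@sample" { path = $2 }
        # Anything not starting with "@" is a plain file entry.
        $1 !~ /^@/ { path = $0 }
        path != "" && eff == user && path !~ allow { print path }
    '
}

# Constructed sample plist, modelled on the extract quoted in the message.
sample_plist() {
    cat <<'EOF'
@owner www
@group www
www/librenms/vendor/ulrichsg/getopt-php/LICENSE
@sample /usr/local/www/librenms/config.php.sample
@dir /usr/local/www/librenms/rrd
@dir /usr/local/www/librenms/logs
@dir /usr/local/www/librenms/vendor
@group
@owner
bin/hypothetical-tool
@dir(www,www,755) /usr/local/www/librenms/html
EOF
}

sample_plist | audit_plist www "$ALLOW"
```

Run against work/.PLIST.mktmp, an empty result means nothing outside the allow-list would be owned by the web user.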