Date:      Wed, 12 Apr 2017 13:22:41 +0200
From:      Mathieu Arnold <mat@FreeBSD.org>
To:        freebsd@jonathanprice.org, freebsd-ports@freebsd.org
Subject:   Re: Issue with folder permissions in net-mgmt/librenms
Message-ID:  <d87baffb-3b5e-b444-7438-efcf2a145332@FreeBSD.org>
In-Reply-To: <7044ba33fd0394ed4af6f318faec2dd6@mail.jonathanprice.org>
References:  <7044ba33fd0394ed4af6f318faec2dd6@mail.jonathanprice.org>

On 12/04/2017 at 10:53, freebsd@jonathanprice.org wrote:
> Basically, the entire /usr/local/www/librenms should be owned www:www.

This is most certainly not true, and if it is, a very big security risk.
The only files and directories that should be owned by www should be the
ones the software must be able to write to, like a cache directory, or a
configuration file.

> However, a bunch of folders are root:wheel.
> post-install:
>         @${ECHO_CMD} "@owner ${WWWOWN}" >> ${TMPPLIST}
>         @${ECHO_CMD} "@group ${WWWGRP}" >> ${TMPPLIST}
>         @${FIND} -s ${STAGEDIR}${WWWDIR} -not -type d | ${SORT} | \
>                 ${SED} -e 's#^${STAGEDIR}${PREFIX}/##' >> ${TMPPLIST}
>         ${INSTALL_DATA} ${WRKSRC}/config.php.default \
>                ${STAGEDIR}/${WWWDIR}/config.php.sample
>         @${ECHO} @sample ${WWWDIR}/config.php.sample >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/rrd >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/logs >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/build >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/docs >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/tests >> ${TMPPLIST}
>         @${ECHO_CMD} "@group" >> ${TMPPLIST}
>         @${ECHO_CMD} "@owner" >> ${TMPPLIST}
>
> However, if I look at work/.PLIST.mktmp, everything seems to be in
> order (extract below):
>
> @owner www
> @group www
> ...
> www/librenms/vendor/ulrichsg/getopt-php/CHANGELOG.md
> www/librenms/vendor/ulrichsg/getopt-php/LICENSE
> www/librenms/vendor/ulrichsg/getopt-php/Makefile
> ...
> @group
> @owner
>
> In the above example, "vendor" is one of the directories that's being
> set to root:wheel.
>
> I believe the problem could lie with the find command. I tried removing
> "-not -type d", but that seemed to cause most files to not be installed
> at all. That does however prove that the erroneous folders ARE being
> added to the TMPPLIST, otherwise they wouldn't get installed in the
> first place.

You cannot add directories directly to the plist, so, removing the -not
-type d is not the way to go.

You need to add another find like that will output the directories,
something like:

  ${FIND} -s ${STAGEDIR}${WWWDIR} -type d | ${SED} -e 's#^${STAGEDIR}#@dir #' >> ${TMPPLIST}


-- 
Mathieu Arnold