Date:      Wed, 12 Apr 2017 12:50:21 +0100
From:      Jonathan Price <freebsd@jonathanprice.org>
To:        Mathieu Arnold <mat@FreeBSD.org>, freebsd-ports@freebsd.org
Subject:   Re: Issue with folder permissions in net-mgmt/librenms
Message-ID:  <122dc977-1b2c-b9f2-d084-7d562cb26087@jonathanprice.org>
In-Reply-To: <d87baffb-3b5e-b444-7438-efcf2a145332@FreeBSD.org>
References:  <7044ba33fd0394ed4af6f318faec2dd6@mail.jonathanprice.org> <d87baffb-3b5e-b444-7438-efcf2a145332@FreeBSD.org>

Hello, and thanks for your response.

I agree regarding the permissions, but the application has validation
checks that look for everything to be www:www. If I'm to fix that I
should probably do so upstream.

You'll be pleased to hear that the find command successfully performs
the intended task though.

On 12/04/2017 12:22, Mathieu Arnold wrote:
> On 12/04/2017 at 10:53, freebsd@jonathanprice.org wrote:
>> Basically, the entire /usr/local/www/librenms should be owned www:www.
> 
> This is most certainly not true, and if it is, a very big security risk.
> The only files and directories that should be owned by www should be the
> ones the software must be able to write to, like a cache directory, or a
> configuration file.
> 
>> However, a bunch of folders are root:wheel.
>> post-install:
>>         @${ECHO_CMD} "@owner ${WWWOWN}" >> ${TMPPLIST}
>>         @${ECHO_CMD} "@group ${WWWGRP}" >> ${TMPPLIST}
>>         @${FIND} -s ${STAGEDIR}${WWWDIR} -not -type d | ${SORT} | \
>>                 ${SED} -e 's#^${STAGEDIR}${PREFIX}/##' >> ${TMPPLIST}
>>         ${INSTALL_DATA} ${WRKSRC}/config.php.default \
>>                ${STAGEDIR}/${WWWDIR}/config.php.sample
>>         @${ECHO} @sample ${WWWDIR}/config.php.sample >> ${TMPPLIST}
>>         @${ECHO} @dir ${WWWDIR}/rrd >> ${TMPPLIST}
>>         @${ECHO} @dir ${WWWDIR}/logs >> ${TMPPLIST}
>>         @${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/build >> ${TMPPLIST}
>>         @${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/docs >> ${TMPPLIST}
>>         @${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/tests >> ${TMPPLIST}
>>         @${ECHO_CMD} "@group" >> ${TMPPLIST}
>>         @${ECHO_CMD} "@owner" >> ${TMPPLIST}
>>
>> However, if I look at work/.PLIST.mktmp, everything seems to be in order (extract below):
>>
>> @owner www
>> @group www
>> ...
>> www/librenms/vendor/ulrichsg/getopt-php/CHANGELOG.md
>> www/librenms/vendor/ulrichsg/getopt-php/LICENSE
>> www/librenms/vendor/ulrichsg/getopt-php/Makefile
>> ...
>> @group
>> @owner
>>
>> In the above example, "vendor" is one of the directories that's being set to root:wheel.
>>
>> I believe the problem could lie with the find command. I tried removing "-not -type d", but that seemed to cause most files to not be installed at all. That does however prove that the erroneous folders ARE being added to the TMPPLIST, otherwise they wouldn't get installed in the first place.
> 
> You cannot add directories directly to the plist, so, removing the -not
> -type d is not the way to go.
> 
> You need to add another find like that, one that will output the directories,
> something like:
> 
>   ${FIND} -s ${STAGEDIR}${WWWDIR} -type d | ${SED} -e 's#^${STAGEDIR}#@dir #' >> ${TMPPLIST}
> 
> 

-- 
Jonathan Price
www.jonathanprice.uk
Verify my identity at https://keybase.io/pricetx
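
The plist generation discussed in this thread, as an added example that is not code from either participant or from the port: it runs both `find` passes over a constructed staging tree, then shows a variant that hands only named directories to www. The `| sort` in place of BSD `find -s`, the sample tree, and the choice of `rrd` and `logs` as the writable directories are assumptions.

```shell
#!/bin/sh
# Added example: constructed staging tree; owner/group values and the
# writable-directory list are assumptions, not taken from the port.
WWWOWN=www; WWWGRP=www
PREFIX=/usr/local; WWWDIR=$PREFIX/www/librenms

# Build a small constructed stage directory and print its path.
make_stage() {
    s=$(mktemp -d)
    mkdir -p "$s$WWWDIR/vendor/ulrichsg/getopt-php" "$s$WWWDIR/rrd" "$s$WWWDIR/logs"
    : > "$s$WWWDIR/vendor/ulrichsg/getopt-php/LICENSE"
    : > "$s$WWWDIR/config.php.sample"
    echo "$s"
}

# Thread's approach: every file and directory under WWWDIR becomes www:www.
plist_all_www() {
    echo "@owner $WWWOWN"; echo "@group $WWWGRP"
    # Files, relative to PREFIX (portable "| sort" instead of BSD "find -s").
    find "$1$WWWDIR" ! -type d | sort | sed -e "s#^$1$PREFIX/##"
    # Directories need explicit @dir lines to pick up the owner/group above.
    find "$1$WWWDIR" -type d | sort | sed -e "s#^$1#@dir #"
    echo "@group"; echo "@owner"
}

# Least-privilege variant: files keep the package default owner; only the
# directories named after the stage directory argument are handed to www.
plist_least_priv() {
    sd=$1; shift
    find "$sd$WWWDIR" ! -type d | sort | sed -e "s#^$sd$PREFIX/##"
    echo "@owner $WWWOWN"; echo "@group $WWWGRP"
    for d in "$@"; do echo "@dir $WWWDIR/$d"; done
    echo "@group"; echo "@owner"
}

stage=$(make_stage)
echo "== all www:www =="; plist_all_www "$stage"
echo "== writable dirs only =="; plist_least_priv "$stage" rrd logs
rm -rf "$stage"
```

In the second output, directories such as `vendor` have no `@dir` line and are created implicitly with the default ownership, which is the root:wheel behaviour reported at the start of the thread.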


