From: Jonathan Price
To: Mathieu Arnold, freebsd-ports@freebsd.org
Subject: Re: Issue with folder permissions in net-mgmt/librenms
Date: Wed, 12 Apr 2017 12:50:21 +0100

Hello, and thanks for your response.

I agree regarding the permissions, but the application has validation checks that look for everything to be www:www. If I'm to fix that I should probably do so upstream.

You'll be pleased to hear that the find command successfully performs the intended task though.

On 12/04/2017 12:22, Mathieu Arnold wrote:
> On 12/04/2017 at 10:53, freebsd@jonathanprice.org wrote:
>> Basically, the entire /usr/local/www/librenms should be owned www:www.
>
> This is most certainly not true, and if it is, a very big security risk.
> The only files and directories that should be owned by www should be the
> ones the software must be able to write to, like a cache directory, or a
> configuration file.
>
>> However, a bunch of folders are root:wheel.
>>
>> post-install:
>> 	@${ECHO_CMD} "@owner ${WWWOWN}" >> ${TMPPLIST}
>> 	@${ECHO_CMD} "@group ${WWWGRP}" >> ${TMPPLIST}
>> 	@${FIND} -s ${STAGEDIR}${WWWDIR} -not -type d | ${SORT} | \
>> 		${SED} -e 's#^${STAGEDIR}${PREFIX}/##' >> ${TMPPLIST}
>> 	${INSTALL_DATA} ${WRKSRC}/config.php.default \
>> 		${STAGEDIR}/${WWWDIR}/config.php.sample
>> 	@${ECHO} @sample ${WWWDIR}/config.php.sample >> ${TMPPLIST}
>> 	@${ECHO} @dir ${WWWDIR}/rrd >> ${TMPPLIST}
>> 	@${ECHO} @dir ${WWWDIR}/logs >> ${TMPPLIST}
>> 	@${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/build >> ${TMPPLIST}
>> 	@${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/docs >> ${TMPPLIST}
>> 	@${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/tests >> ${TMPPLIST}
>> 	@${ECHO_CMD} "@group" >> ${TMPPLIST}
>> 	@${ECHO_CMD} "@owner" >> ${TMPPLIST}
>>
>> However, if I look at work/.PLIST.mktmp, everything seems to be in order (extract below):
>>
>> @owner www
>> @group www
>> ...
>> www/librenms/vendor/ulrichsg/getopt-php/CHANGELOG.md
>> www/librenms/vendor/ulrichsg/getopt-php/LICENSE
>> www/librenms/vendor/ulrichsg/getopt-php/Makefile
>> ...
>> @group
>> @owner
>>
>> In the above example, "vendor" is one of the directories that's being set to root:wheel.
>>
>> I believe the problem could lie with the find command. I tried removing "-not -type d", but that seemed to cause most files to not be installed at all. That does however prove that the erroneous folders ARE being added to the TMPPLIST, otherwise they wouldn't get installed in the first place.
>
> You cannot add directories directly to the plist, so, removing the -not
> -type d is not the way to go.
>
> You need to add another find like that will output the directories,
> something like:
>
> ${FIND} -s ${STAGEDIR}${WWWDIR} -type d | ${SED} -e 's#^${STAGEDIR}#@dir #' >> ${TMPPLIST}
>

-- 
Jonathan Price
www.jonathanprice.uk
Verify my identity at https://keybase.io/pricetx
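
The reply quoted above says only the paths the software must write to should be owned by www. The following added example (not part of the original thread or of the librenms port) generates a plist fragment on that basis: files and ordinary directories keep the default root:wheel ownership, and only named writable directories get an owner via `@dir(owner,group,mode)`. The function name `gen_plist`, the choice of `rrd` and `logs` as the writable set, the 0755 mode, and writable names without spaces are assumptions.

```shell
#!/bin/sh
# Added example: emit a pkg-plist fragment for a staged web application.
# Files and ordinary directories keep the default owner (root:wheel);
# only the directories named as writable are handed to the web user.

# gen_plist STAGEDIR WWWDIR OWNER GROUP [WRITABLE...]
#   STAGEDIR  staging root (the ports framework's ${STAGEDIR})
#   WWWDIR    absolute install path of the application (${WWWDIR})
#   WRITABLE  subdirectories, relative to WWWDIR, that the application
#             writes to (assumed to contain no spaces)
gen_plist() {
    stage=$1 wwwdir=$2 owner=$3 group=$4
    shift 4
    writable=" $* "

    # Non-directories: no @owner/@group lines, so the default ownership
    # applies. sort(1) replaces the BSD-only "find -s" from the thread.
    (cd "$stage" && find "./${wwwdir#/}" ! -type d) |
        sed -e 's#^\./#/#' | LC_ALL=C sort

    # Directories: one explicit @dir line each, as the find suggested in
    # the thread does, with ownership added only for the writable set.
    (cd "$stage" && find "./${wwwdir#/}" -type d) |
        sed -e 's#^\./#/#' | LC_ALL=C sort |
    while IFS= read -r dir; do
        rel=${dir#"$wwwdir"}
        rel=${rel#/}
        if [ -n "$rel" ] &&
           case "$writable" in *" $rel "*) true ;; *) false ;; esac
        then
            printf '@dir(%s,%s,0755) %s\n' "$owner" "$group" "$dir"
        else
            printf '@dir %s\n' "$dir"
        fi
    done
}

# Usage from a port's post-install target (paths are the framework's own):
#   gen_plist "${STAGEDIR}" "${WWWDIR}" www www rrd logs >> "${TMPPLIST}"
```

As the message above notes, the application's own validation checks expect everything to be www:www, so a plist like this only works once that check is relaxed upstream.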