Date: Tue, 8 Jun 2021 15:18:40 GMT From: Lewis Cook <lcook@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 621d9c9f594a - main - sysutils/zrepl: /var/run/zrepl should not be world-readable Message-ID: <202106081518.158FIeTO053075@gitrepo.freebsd.org>
The branch main has been updated by lcook: URL: https://cgit.FreeBSD.org/ports/commit/?id=621d9c9f594a0f7d049cb44dab25efed81c35c91 commit 621d9c9f594a0f7d049cb44dab25efed81c35c91 Author: Lewis Cook <lcook@FreeBSD.org> AuthorDate: 2021-06-08 15:09:48 +0000 Commit: Lewis Cook <lcook@FreeBSD.org> CommitDate: 2021-06-08 15:17:27 +0000 sysutils/zrepl: /var/run/zrepl should not be world-readable This partially reverts commit 2a866a1, and instead installs the pidfile to /var/run/zrepl.pid fixing the problem seen in PR 255981. As taken from the zrepl documentation[1]: [....] The zrepl daemon needs to open various UNIX sockets in a runtime directory: a control socket that the CLI commands use to interact with the daemon the ssh+stdinserver Transport listener opens one socket per configured client, named after client_identity parameter There is no authentication on these sockets except the UNIX permissions. The zrepl daemon will refuse to bind any of the above sockets in a directory that is world-accessible. [....] [1] https://zrepl.github.io/configuration/misc.html#runtime-directories-unix-sockets PR: 256472 Reported by: Raúl <raul.munoz@custos.es> --- sysutils/zrepl/Makefile | 2 +- sysutils/zrepl/files/zrepl.in | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/sysutils/zrepl/Makefile b/sysutils/zrepl/Makefile index 124fc8f2eff4..23b3cc16c683 100644 --- a/sysutils/zrepl/Makefile +++ b/sysutils/zrepl/Makefile @@ -3,7 +3,7 @@ PORTNAME= zrepl DISTVERSIONPREFIX= v DISTVERSION= 0.4.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= sysutils MAINTAINER= lcook@FreeBSD.org diff --git a/sysutils/zrepl/files/zrepl.in b/sysutils/zrepl/files/zrepl.in index 57a4d48ce0b6..095a43f0d610 100644 --- a/sysutils/zrepl/files/zrepl.in +++ b/sysutils/zrepl/files/zrepl.in 
@@ -40,7 +40,7 @@ load_rc_config $name : ${zrepl_priority:="alert"} : ${zrepl_options:="${zrepl_flags} --config ${zrepl_config}"} -pidfile="/var/run/zrepl/daemon.pid" +pidfile="/var/run/zrepl.pid" command="/usr/sbin/daemon" procname="%%PREFIX%%/bin/zrepl" command_args="-p ${pidfile} %%DAEMON_LOGGING%% ${procname} ${zrepl_options} daemon" @@ -54,8 +54,8 @@ extra_commands="configtest" zrepl_precmd() { if [ ! -d "/var/run/zrepl/stdinserver" ]; then - install -d -g ${zrepl_group} -o ${zrepl_user} -m 0755 -- "/var/run/zrepl"; - install -d -g ${zrepl_group} -o ${zrepl_user} -m 0755 -- "/var/run/zrepl/stdinserver"; + install -d -g ${zrepl_group} -o ${zrepl_user} -m 0700 -- "/var/run/zrepl"; + install -d -g ${zrepl_group} -o ${zrepl_user} -m 0700 -- "/var/run/zrepl/stdinserver"; fi if [ ! -e "${pidfile}" ]; then
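Review bot: The new `pidfile="/var/run/zrepl.pid"` line has no comment explaining why the pidfile sits outside /var/run/zrepl, which makes it easy for a later change to move it back and reopen the directory. A comment such as `# pidfile lives outside /var/run/zrepl: that directory must not be world-accessible, zrepl's sockets are protected by UNIX permissions only` would record the reason. Separately, a daemon started by the previous revision wrote its pid to /var/run/zrepl/daemon.pid, so after the upgrade the rc script presumably no longer finds it for stop or status. It may be worth telling users to stop the service before upgrading.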
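Review bot: The tightened `-m 0700` only takes effect when /var/run/zrepl/stdinserver does not exist yet, because both `install -d` calls stay inside the `if [ ! -d "/var/run/zrepl/stdinserver" ]` guard. Directories created 0755 by the previous port revision therefore keep their old mode across a plain service restart, until something removes them (presumably the cleanup of /var/run at boot). Running the two calls unconditionally, e.g. `install -d -g "${zrepl_group}" -o "${zrepl_user}" -m 0700 -- "/var/run/zrepl"`, should reset owner and mode on an existing directory as well; confirm that against install(1). The quoting of `${zrepl_group}` and `${zrepl_user}` in that line is a style point. zrepl_precmd continues past the end of the hunk, so the pidfile handling that follows is not reviewed here.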