author | Lewis Cook <lcook@FreeBSD.org> | 2021-06-08 15:09:48 +0000 |
---|---|---|
committer | Lewis Cook <lcook@FreeBSD.org> | 2021-06-08 15:17:27 +0000 |
commit | 621d9c9f594a0f7d049cb44dab25efed81c35c91 (patch) | |
tree | d35195606b425346723f150bdc7a6aab2b38e9d8 /sysutils/zrepl | |
parent | 477cf4fa257aa5ca0cc1c9a3d7f552e8170ac27f (diff) | |
sysutils/zrepl: /var/run/zrepl should not be world-readable
This partially reverts commit 2a866a1, and instead installs
the pidfile to /var/run/zrepl.pid fixing the problem seen in
PR 255981.
As taken from the zrepl documentation[1]:
[....]
The zrepl daemon needs to open various UNIX sockets in a runtime directory:
a control socket that the CLI commands use to interact with the daemon
the ssh+stdinserver Transport listener opens one socket per configured
client, named after client_identity parameter
There is no authentication on these sockets except the UNIX permissions.
The zrepl daemon will refuse to bind any of the above sockets in a
directory that is world-accessible.
[....]
[1] https://zrepl.github.io/configuration/misc.html#runtime-directories-unix-sockets
PR: 256472
Reported by: Raúl <raul.munoz@custos.es>
Diffstat (limited to 'sysutils/zrepl')
-rw-r--r-- | sysutils/zrepl/Makefile | 2 | ||||
-rw-r--r-- | sysutils/zrepl/files/zrepl.in | 6 |
2 files changed, 4 insertions, 4 deletions
diff --git a/sysutils/zrepl/Makefile b/sysutils/zrepl/Makefile
index 124fc8f2eff4..23b3cc16c683 100644
--- a/sysutils/zrepl/Makefile
+++ b/sysutils/zrepl/Makefile
@@ -3,7 +3,7 @@
 PORTNAME= zrepl
 DISTVERSIONPREFIX= v
 DISTVERSION= 0.4.0
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= sysutils
 MAINTAINER= lcook@FreeBSD.org
diff --git a/sysutils/zrepl/files/zrepl.in b/sysutils/zrepl/files/zrepl.in
index 57a4d48ce0b6..095a43f0d610 100644
--- a/sysutils/zrepl/files/zrepl.in
+++ b/sysutils/zrepl/files/zrepl.in
@@ -40,7 +40,7 @@ load_rc_config $name
 : ${zrepl_priority:="alert"}
 : ${zrepl_options:="${zrepl_flags} --config ${zrepl_config}"}
-pidfile="/var/run/zrepl/daemon.pid"
+pidfile="/var/run/zrepl.pid"
 command="/usr/sbin/daemon"
 procname="%%PREFIX%%/bin/zrepl"
 command_args="-p ${pidfile} %%DAEMON_LOGGING%% ${procname} ${zrepl_options} daemon"
@@ -54,8 +54,8 @@ extra_commands="configtest"
 zrepl_precmd() {
 if [ ! -d "/var/run/zrepl/stdinserver" ]; then
- install -d -g ${zrepl_group} -o ${zrepl_user} -m 0755 -- "/var/run/zrepl";
- install -d -g ${zrepl_group} -o ${zrepl_user} -m 0755 -- "/var/run/zrepl/stdinserver";
+ install -d -g ${zrepl_group} -o ${zrepl_user} -m 0700 -- "/var/run/zrepl";
+ install -d -g ${zrepl_group} -o ${zrepl_user} -m 0700 -- "/var/run/zrepl/stdinserver";
 fi
 if [ ! -e "${pidfile}" ]; then |
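Review bot: The new 0700 mode is only applied when `/var/run/zrepl/stdinserver` does not exist yet, because both `install -d` lines in `zrepl_precmd` sit inside the `if [ ! -d "/var/run/zrepl/stdinserver" ]` guard. On a host upgraded from the previous port revision the directories may already exist with 0755, and the commit message says zrepl refuses to bind its sockets in a world-accessible directory, so the tightened permissions would probably not take effect until the directories are removed by hand. Running the two `install -d ... -m 0700` lines unconditionally (dropping the `if`/`fi` around them) should reset owner and mode on every start. Quoting `"${zrepl_group}"` and `"${zrepl_user}"` on those lines would also be safer. The body of `zrepl_precmd` continues past the end of the hunk.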