git: 3d3959434d97 - 2021Q2 - sysutils/zrepl: /var/run/zrepl should not be world-readable

Lewis Cook lcook at FreeBSD.org
Tue Jun 8 15:20:14 UTC 2021


The branch 2021Q2 has been updated by lcook:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3d3959434d9744fa26de7a15119e2e98578f3503

commit 3d3959434d9744fa26de7a15119e2e98578f3503
Author:     Lewis Cook <lcook at FreeBSD.org>
AuthorDate: 2021-06-08 15:09:48 +0000
Commit:     Lewis Cook <lcook at FreeBSD.org>
CommitDate: 2021-06-08 15:19:20 +0000

    sysutils/zrepl: /var/run/zrepl should not be world-readable
    
    This partially reverts commit 2a866a1, and instead installs
    the pidfile to /var/run/zrepl.pid fixing the problem seen in
    PR 255981.
    
    As taken from the zrepl documentation[1]:
    
    [....]
    The zrepl daemon needs to open various UNIX sockets in a runtime directory:
    
    a control socket that the CLI commands use to interact with the daemon
    the ssh+stdinserver Transport listener opens one socket per configured
    client, named after client_identity parameter
    
    There is no authentication on these sockets except the UNIX permissions.
    The zrepl daemon will refuse to bind any of the above sockets in a
    directory that is world-accessible.
    [....]
    
    [1]     https://zrepl.github.io/configuration/misc.html#runtime-directories-unix-sockets
    
    PR:             256472
    Reported by:    Raúl <raul.munoz at custos.es>
    
    (cherry picked from commit 621d9c9f594a0f7d049cb44dab25efed81c35c91)
---
 sysutils/zrepl/Makefile       | 2 +-
 sysutils/zrepl/files/zrepl.in | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/sysutils/zrepl/Makefile b/sysutils/zrepl/Makefile
index 124fc8f2eff4..23b3cc16c683 100644
--- a/sysutils/zrepl/Makefile
+++ b/sysutils/zrepl/Makefile
@@ -3,7 +3,7 @@
 PORTNAME=	zrepl
 DISTVERSIONPREFIX=	v
 DISTVERSION=	0.4.0
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	sysutils
 
 MAINTAINER=	lcook at FreeBSD.org
diff --git a/sysutils/zrepl/files/zrepl.in b/sysutils/zrepl/files/zrepl.in
index 57a4d48ce0b6..095a43f0d610 100644
--- a/sysutils/zrepl/files/zrepl.in
+++ b/sysutils/zrepl/files/zrepl.in
@@ -40,7 +40,7 @@ load_rc_config $name
 : ${zrepl_priority:="alert"}
 : ${zrepl_options:="${zrepl_flags} --config ${zrepl_config}"}
 
-pidfile="/var/run/zrepl/daemon.pid"
+pidfile="/var/run/zrepl.pid"
 command="/usr/sbin/daemon"
 procname="%%PREFIX%%/bin/zrepl"
 command_args="-p ${pidfile} %%DAEMON_LOGGING%% ${procname} ${zrepl_options} daemon"
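Review bot: the pidfile path change at pidfile="/var/run/zrepl.pid" leaves no handling for a daemon that was started by the previous revision and recorded its pid in /var/run/zrepl/daemon.pid. After the upgrade the script consults only the new path, so a stop or restart can miss the instance that is still running. Consider documenting that the service must be stopped before upgrading, or have the script fall back to the old path when the new pidfile is absent.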
@@ -54,8 +54,8 @@ extra_commands="configtest"
 zrepl_precmd()
 {
 	if [ ! -d "/var/run/zrepl/stdinserver" ]; then
-		install -d -g ${zrepl_group} -o ${zrepl_user} -m 0755 -- "/var/run/zrepl";
-		install -d -g ${zrepl_group} -o ${zrepl_user} -m 0755 -- "/var/run/zrepl/stdinserver";
+		install -d -g ${zrepl_group} -o ${zrepl_user} -m 0700 -- "/var/run/zrepl";
+		install -d -g ${zrepl_group} -o ${zrepl_user} -m 0700 -- "/var/run/zrepl/stdinserver";
 	fi
 
 	if [ ! -e "${pidfile}" ]; then
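Review bot: the new 0700 mode is applied only inside the if [ ! -d "/var/run/zrepl/stdinserver" ] guard, so on a host where the previous revision already created /var/run/zrepl and /var/run/zrepl/stdinserver with 0755, the block is skipped and both directories stay world-readable. Enforce the mode outside the guard, for example with an unconditional chmod 0700 on both directories in zrepl_precmd, so existing installs are corrected on the next start. The trailing semicolons on the two install lines are also unnecessary.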