Issue with folder permissions in net-mgmt/librenms

Mathieu Arnold mat at FreeBSD.org
Wed Apr 12 11:23:11 UTC 2017


On 12/04/2017 at 10:53, freebsd at jonathanprice.org wrote:
> Basically, the entire /usr/local/www/librenms should be owned www:www.

This is most certainly not true, and if it is, a very big security risk.
The only files and directories that should be owned by www should be the
ones the software must be able to write to, like a cache directory, or a
configuration file.

> However, a bunch of folders are root:wheel.
> post-install:
>         @${ECHO_CMD} "@owner ${WWWOWN}" >> ${TMPPLIST}
>         @${ECHO_CMD} "@group ${WWWGRP}" >> ${TMPPLIST}
>         @${FIND} -s ${STAGEDIR}${WWWDIR} -not -type d | ${SORT} | \
>                 ${SED} -e 's#^${STAGEDIR}${PREFIX}/##' >> ${TMPPLIST}
>         ${INSTALL_DATA} ${WRKSRC}/config.php.default \
>                ${STAGEDIR}/${WWWDIR}/config.php.sample
>         @${ECHO} @sample ${WWWDIR}/config.php.sample >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/rrd >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/logs >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/build >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/docs >> ${TMPPLIST}
>         @${ECHO} @dir ${WWWDIR}/lib/influxdb-php/vendor/guzzlehttp/guzzle/tests >> ${TMPPLIST}
>         @${ECHO_CMD} "@group" >> ${TMPPLIST}
>         @${ECHO_CMD} "@owner" >> ${TMPPLIST}
>
> However, if I look at work/.PLIST.mktmp, everything seems to be in order (extract below):
>
> @owner www
> @group www
> ...
> www/librenms/vendor/ulrichsg/getopt-php/CHANGELOG.md
> www/librenms/vendor/ulrichsg/getopt-php/LICENSE
> www/librenms/vendor/ulrichsg/getopt-php/Makefile
> ...
> @group
> @owner
>
> In the above example, "vendor" is one of the directories that's being set to root:wheel.
>
> I believe the problem could lie with the find command. I tried removing "-not -type d", but that seemed to cause most files to not be installed at all. That does however prove that the erroneous folders ARE being added to the TMPPLIST, otherwise they wouldn't get installed in the first place.

You cannot add directories directly to the plist, so, removing the -not
-type d is not the way to go.

You need to add another find that will output the directories,
something like:

  ${FIND} -s ${STAGEDIR}${WWWDIR} -type d | ${SED} -e 's#^${STAGEDIR}#@dir #' >> ${TMPPLIST}


-- 
Mathieu Arnold
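
Added example, not part of the original message or of the port: a plist audit that tracks the `@owner` state discussed above and reports every file, `@dir` or `@sample` entry that would be installed owned by the web user outside an allowlist. The allowlist in `WRITABLE`, the `PREFIX` of `/usr/local`, the function names and the sample plist are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the port): report plist entries that would be
# installed owned by the web user outside a short allowlist.
# WRITABLE is an assumed allowlist; adjust to what the application must write.
WRITABLE='www/librenms/rrd www/librenms/logs www/librenms/config.php.sample'

audit_plist() {  # usage: audit_plist [web-user] < plist ; exit 1 if findings
    awk -v webuser="${1:-www}" -v allow="$WRITABLE" '
    function check(kind, path,    i) {
        sub("^/usr/local/", "", path)      # assumes PREFIX=/usr/local
        if (owner != webuser) return
        for (i = 1; i <= n; i++)
            if (path == a[i] || index(path, a[i] "/") == 1) return
        printf "%s %s\n", kind, path
        bad++
    }
    BEGIN { n = split(allow, a, " ") }
    # "@owner name" applies to the entries that follow; bare "@owner" resets.
    $1 == "@owner" { owner = $2; next }
    $1 == "@dir" || $1 == "@sample" { check($1, $2); next }
    /^@/ || NF == 0 { next }               # other keywords, blank lines
    { check("file", $1) }
    END { exit (bad > 0) }'
}

sample_plist() {  # constructed input modelled on the extract in the thread
    cat <<'EOF'
@owner www
@group www
www/librenms/index.php
www/librenms/vendor/ulrichsg/getopt-php/LICENSE
@sample /usr/local/www/librenms/config.php.sample
@dir /usr/local/www/librenms/rrd
@dir /usr/local/www/librenms/logs
@dir /usr/local/www/librenms/vendor
@group
@owner
www/librenms/README.md
EOF
}

sample_plist | audit_plist www || echo "entries above are owned by www but not allowlisted"
```

Run against `work/.PLIST.mktmp` after `make stage`, it shows how much of the tree a blanket `@owner www` hands to the web server account.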

