212490 – databases/postgresql-repmgr weak permission and rc script fix

Bug 212490 - databases/postgresql-repmgr weak permission and rc script fix

Summary: databases/postgresql-repmgr weak permission and rc script fix

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Muhammad Moinur Rahman

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-09-08 16:58 UTC by Dmitry Morozovsky
Modified:	2017-03-05 10:46 UTC (History)
CC List:	0 users

See Also:

Flags:	bugzilla: maintainer-feedback? (bofh)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Dmitry Morozovsky freebsd_committer

2016-09-08 16:58:39 UTC

recovery config, which includes connection password for superuser-class DB user) is created as world readable.

Also, daemon would better run as pgsql user, and for safety by default in monitor only mode.

Patch:

marck@castor:/FreeBSD/ports/ports/databases/postgresql-repmgr> svn diff
Index: Makefile
===================================================================
--- Makefile    (revision 421565)
+++ Makefile    (working copy)
@@ -3,6 +3,7 @@

 PORTNAME=      postgresql-repmgr
 PORTVERSION=   3.1.5
+PORTREVISION=  1
 CATEGORIES=    databases
 MASTER_SITES=  http://www.repmgr.org/download/
 DISTNAME=      repmgr-${PORTVERSION}
Index: files/patch-repmgr.c
===================================================================
--- files/patch-repmgr.c        (revision 0)
+++ files/patch-repmgr.c        (working copy)
@@ -0,0 +1,20 @@
+
+$FreeBSD$
+
+--- repmgr.c.orig
++++ repmgr.c
+@@ -4414,10 +4414,14 @@
+       FILE       *recovery_file;
+       char            recovery_file_path[MAXLEN];
+       char            line[MAXLEN];
++      mode_t          um;
+
+       maxlen_snprintf(recovery_file_path, "%s/%s", data_dir, RECOVERY_COMMAND_FILE);
+
++      um = umask(0);
++      umask(077);
+       recovery_file = fopen(recovery_file_path, "w");
++      umask(um);
+       if (recovery_file == NULL)
+       {
+               log_err(_("unable to create recovery.conf file at '%s'\n"), recovery_file_path);

Property changes on: files/patch-repmgr.c
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: files/repmgrd.in
===================================================================
--- files/repmgrd.in    (revision 421565)
+++ files/repmgrd.in    (working copy)
@@ -22,12 +22,13 @@
 load_rc_config $name

 : ${repmgrd_enable:="NO"}
+: ${repmgrd_user:="pgsql"}
 : ${repmgrd_config="%%PREFIX%%/etc/repmgr.conf"}

 command=%%PREFIX%%/sbin/${name}
 pidfile=/var/run/${name}.pid

-command_args="-p $pidfile -f $repmgrd_config"
+command_args="-m -d -p $pidfile -f $repmgrd_config"

 run_rc_command "$1"

Comment 1 commit-hook freebsd_committer

2017-03-05 10:41:04 UTC

A commit references this bug:

Author: bofh
Date: Sun Mar  5 10:40:45 UTC 2017
New revision: 435467
URL: https://svnweb.freebsd.org/changeset/ports/435467

Log:
  databases/postgresql-repmgr: Update version 3.1.5=>3.3

  - Daemon would better run as pgsql user, and for safety by default in
    monitor only mode [1]

  PR:		212490 [1]
  Submitted by:	marck [1]

Changes:
  head/databases/postgresql-repmgr/Makefile
  head/databases/postgresql-repmgr/distinfo
  head/databases/postgresql-repmgr/files/repmgrd.in

Comment 2 Muhammad Moinur Rahman freebsd_committer

2017-03-05 10:46:15 UTC

Weak permission is fixed in version 3.3.