From: https://zrepl.github.io/configuration/misc.html#runtime-directories-unix-sockets

[....]
The zrepl daemon needs to open various UNIX sockets in a runtime directory:

- a control socket that the CLI commands use to interact with the daemon
- the ssh+stdinserver Transport listener opens one socket per configured client, named after client_identity parameter

There is no authentication on these sockets except the UNIX permissions. The zrepl daemon will refuse to bind any of the above sockets in a directory that is world-accessible.
[....]

by default, this control socket is created at /var/run/zrepl

0750 would work, but not 0755
Thanks for that tip, Raul. Would it be ok to make the /var/run/zrepl directory 700 again, but move the pidfile to /var/run/zrepl.pid? That would solve the original problem in bug 255981.
Created attachment 225628 [details] /var/run/zrepl.pid
(In reply to Alan Somers from comment #1) Yes, that works here.
Created attachment 225630 [details] /var/run/zrepl.pid

A bit sleepy here; don't forget /var/run/zrepl permissions.
Thank you for the report, and apologies for the oversight in what appeared to be a trivial change. I'll get round to committing this, as well as an MFH into 2021Q2.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=621d9c9f594a0f7d049cb44dab25efed81c35c91

commit 621d9c9f594a0f7d049cb44dab25efed81c35c91
Author:     Lewis Cook <lcook@FreeBSD.org>
AuthorDate: 2021-06-08 15:09:48 +0000
Commit:     Lewis Cook <lcook@FreeBSD.org>
CommitDate: 2021-06-08 15:17:27 +0000

    sysutils/zrepl: /var/run/zrepl should not be world-readable

    This partially reverts commit 2a866a1, and instead installs the pidfile
    to /var/run/zrepl.pid fixing the problem seen in PR 255981.

    As taken from the zrepl documentation[1]:

    [....]
    The zrepl daemon needs to open various UNIX sockets in a runtime directory:

    - a control socket that the CLI commands use to interact with the daemon
    - the ssh+stdinserver Transport listener opens one socket per configured
      client, named after client_identity parameter

    There is no authentication on these sockets except the UNIX permissions.
    The zrepl daemon will refuse to bind any of the above sockets in a
    directory that is world-accessible.
    [....]

    [1] https://zrepl.github.io/configuration/misc.html#runtime-directories-unix-sockets

    PR:          256472
    Reported by: Raúl <raul.munoz@custos.es>

 sysutils/zrepl/Makefile       | 2 +-
 sysutils/zrepl/files/zrepl.in | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3d3959434d9744fa26de7a15119e2e98578f3503

commit 3d3959434d9744fa26de7a15119e2e98578f3503
Author:     Lewis Cook <lcook@FreeBSD.org>
AuthorDate: 2021-06-08 15:09:48 +0000
Commit:     Lewis Cook <lcook@FreeBSD.org>
CommitDate: 2021-06-08 15:19:20 +0000

    sysutils/zrepl: /var/run/zrepl should not be world-readable

    This partially reverts commit 2a866a1, and instead installs the pidfile
    to /var/run/zrepl.pid fixing the problem seen in PR 255981.

    As taken from the zrepl documentation[1]:

    [....]
    The zrepl daemon needs to open various UNIX sockets in a runtime directory:

    - a control socket that the CLI commands use to interact with the daemon
    - the ssh+stdinserver Transport listener opens one socket per configured
      client, named after client_identity parameter

    There is no authentication on these sockets except the UNIX permissions.
    The zrepl daemon will refuse to bind any of the above sockets in a
    directory that is world-accessible.
    [....]

    [1] https://zrepl.github.io/configuration/misc.html#runtime-directories-unix-sockets

    PR:          256472
    Reported by: Raúl <raul.munoz@custos.es>

    (cherry picked from commit 621d9c9f594a0f7d049cb44dab25efed81c35c91)

 sysutils/zrepl/Makefile       | 2 +-
 sysutils/zrepl/files/zrepl.in | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Committed. If there are any further issues regarding this, please re-open the bug. Otherwise, thank you both!
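
Added example (not part of the bug thread, the port, or zrepl's own code): a shell check for the permission rule quoted in the report, usable to audit a socket runtime directory after a package upgrade. It assumes "world-accessible" means any permission bit set for "other", which matches the 0750/0755 statement above; the function names and the temporary directories are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a runtime directory that holds unauthenticated UNIX sockets.
# Assumption: "world-accessible" means any r/w/x bit set for "other".

# Print the octal permission bits of $1 (GNU stat first, then BSD stat).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_runtime_dir DIR
# Returns 0 if DIR is a real directory with no permission bits for "other",
#         1 if DIR is world-accessible,
#         2 if DIR is missing, a symlink, or not a directory.
check_runtime_dir() {
    dir=$1
    # A symlink could redirect the sockets somewhere with different permissions.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a plain directory" >&2
        return 2
    fi
    mode=$(dir_mode "$dir") || return 2
    # The last octal digit carries the "other" bits; mask it out.
    other=$((0$mode & 07))
    if [ "$other" -ne 0 ]; then
        echo "FAIL $dir: mode $mode grants access to other users" >&2
        return 1
    fi
    echo "OK   $dir: mode $mode"
    return 0
}

# Constructed demo: the two modes contrasted in the report.
demo=$(mktemp -d)
for m in 0750 0755; do
    mkdir "$demo/$m" && chmod "$m" "$demo/$m"
    check_runtime_dir "$demo/$m" || true
done
rm -rf "$demo"
```

On a live system the argument would be the daemon's runtime directory, /var/run/zrepl in this thread.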