Bug 265230 - sysutils/nomad: pkg install creates default datadir with insecure permissions
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: John Hixson
Reported: 2022-07-15 09:00 UTC by Michael Gmelin
Modified: 2022-12-09 17:15 UTC (History)
jhixson: maintainer-feedback+


Attachments
Change homedir of nomad user to /nonexistent (743 bytes, patch)
2022-07-15 09:00 UTC, Michael Gmelin
Description Michael Gmelin freebsd_committer freebsd_triage 2022-07-15 09:00:12 UTC
Created attachment 235266
Change homedir of nomad user to /nonexistent

Since bug #264425 nomad only starts if its datadir has secure permissions (700). 
The port's default datadir is /var/tmp/nomad, which also happens to be its user's home directory. Therefore installing the package always creates a default datadir with permissions too loose to actually start the service.

I see various options to correct this:
1. Change port installation to change permissions of /var/tmp/nomad
   (not so nice)
2. Change data dir to be under /var/tmp/nomad, e.g., /var/tmp/nomad/data
   Clean, but might cause breakage on update
3. Change home of nomad user to /nonexistent

As far as I can tell, 3. has the least impact (other hashicorp users like vault do the same). So the attached patch changes UIDs to change nomad's homedir.

I ran some local tests with it and things seem to be fine. So unless there was a very specific reason to have a real HOME for the nomad user, I would suggest going with the attached patch.
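
The condition described in this report, as an added example that is not part of the report or of the port: a check that flags a service account whose home directory is also its datadir and a datadir that is missing or looser than mode 700. The sample account lines, the placeholder UID/GID 9999, and the function names `home_of` and `audit_datadir` are assumptions made for illustration.

```python
import os
import stat

# Constructed sample entries in master.passwd layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell
# UID/GID 9999 is a placeholder, not the port's real value.
ENTRY_BEFORE = "nomad:*:9999:9999::0:0:Nomad Daemon:/var/tmp/nomad:/usr/sbin/nologin"
ENTRY_AFTER = "nomad:*:9999:9999::0:0:Nomad Daemon:/nonexistent:/usr/sbin/nologin"


def home_of(entry):
    """Return the home directory field of one master.passwd-style line."""
    fields = entry.strip().split(":")
    if len(fields) != 10:
        raise ValueError("expected 10 colon-separated fields, got %d" % len(fields))
    return fields[8]


def audit_datadir(entry, datadir, root="/"):
    """List reasons datadir is missing or looser than mode 700.

    root lets the check run against a staging tree instead of the live system.
    """
    findings = []
    if os.path.normpath(home_of(entry)) == os.path.normpath(datadir):
        # The report's case: installing the package creates the home
        # directory, so the datadir inherits whatever mode that step uses.
        findings.append("home-is-datadir")
    path = os.path.join(root, datadir.lstrip("/"))
    try:
        st = os.lstat(path)  # lstat: a symlink must not pass as a directory
    except FileNotFoundError:
        findings.append("absent")
        return findings
    if not stat.S_ISDIR(st.st_mode):
        findings.append("not-a-directory")
    elif stat.S_IMODE(st.st_mode) & 0o077:
        # Any group/other bit set means the directory is looser than 700.
        findings.append("mode-%03o" % stat.S_IMODE(st.st_mode))
    return findings


if __name__ == "__main__":
    for label, entry in (("before", ENTRY_BEFORE), ("after", ENTRY_AFTER)):
        print(label, audit_datadir(entry, "/var/tmp/nomad"))
```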
Comment 1 commit-hook freebsd_committer freebsd_triage 2022-08-19 22:49:46 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=fd6aea61743bb5d429872edf9cf1204d1b64e8ec

commit fd6aea61743bb5d429872edf9cf1204d1b64e8ec
Author:     John Hixson <jhixson@FreeBSD.org>
AuthorDate: 2022-08-19 22:45:16 +0000
Commit:     John Hixson <jhixson@FreeBSD.org>
CommitDate: 2022-08-19 22:48:45 +0000

    sysutils/nomad: Change home of nomad user to /nonexistent

    The port's default datadir is /var/tmp/nomad, which also happens to be
    its user's home directory. Therefore installing the package always
    creates a default datadir with permissions too loose to actually start
    the service.

    PR:     265230
    Reported by: Michael Gmelin <grembo@FreeBSD.org>

 UIDs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 John Hixson freebsd_committer freebsd_triage 2022-08-25 20:18:40 UTC
I've updated the port with your patch, thanks!
Comment 3 Michael Gmelin freebsd_committer freebsd_triage 2022-10-05 12:36:42 UTC
(In reply to John Hixson from comment #2)

Hi John,

Re-opening this one, as it requires a PORTREVISION bump, so the change has an effect on builders (also merge back to quarterly).

diff --git a/sysutils/nomad/Makefile b/sysutils/nomad/Makefile
index db5d9b1afcd8..1848cfc9f186 100644
--- a/sysutils/nomad/Makefile
+++ b/sysutils/nomad/Makefile
@@ -1,7 +1,7 @@
 PORTNAME=  nomad
 DISTVERSIONPREFIX= v
 DISTVERSION= 1.3.2
-PORTREVISION=  1
+PORTREVISION=  2
 CATEGORIES=  sysutils
 
 MAINTAINER=  jhixson@FreeBSD.org
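Review bot: the PORTREVISION bump from 1 to 2 comes with nothing for hosts that already installed the package, so an existing /var/tmp/nomad created by an earlier install is not addressed by this hunk. Consider pairing the bump with a pkg-message or UPDATING entry telling administrators to confirm that the datadir is mode 700, and state in the commit message that the bump exists only to make builders pick up the UIDs change, so the quarterly merge carries the same explanation.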
Comment 4 Michael Gmelin freebsd_committer freebsd_triage 2022-12-09 17:15:13 UTC
This was solved as a side-effect of 
bde51869ee0206eeaa2849d8ef28b14da59727a3 (portrevision bump)