FreeBSD Bugzilla – Attachment 234420 Details for Bug 264425: sysutils/nomad: Secure nomad data_dir
[patch] Patch nomad startup script to make sure nomad data-dir has proper permissions
0001-sysutils-nomad-Secure-nomad-data-directory-on-creati.patch (text/plain), 2.46 KB, created by Michael Gmelin on 2022-06-03 13:17:30 UTC
>From 50b78c7421b6a4c4aa6b606ae08fb41cff746c35 Mon Sep 17 00:00:00 2001 >From: Michael Gmelin <grembo@FreeBSD.org> >Date: Fri, 3 Jun 2022 01:40:31 +0000 >Subject: [PATCH] sysutils/nomad: Secure nomad data directory on creation > >Also, prevent service start in case an existing nomad data directory >does not use strict permissions. > >See also: >https://www.nomadproject.io/docs/operations/nomad-agent#permissions >--- > sysutils/nomad/Makefile | 2 +- > sysutils/nomad/files/nomad.in | 11 +++++++++-- > sysutils/nomad/pkg-message | 15 +++++++++++++++ > 3 files changed, 25 insertions(+), 3 deletions(-) > create mode 100644 sysutils/nomad/pkg-message > >diff --git a/sysutils/nomad/Makefile b/sysutils/nomad/Makefile >index cbf307c19d..e52d36da21 100644 >--- a/sysutils/nomad/Makefile >+++ b/sysutils/nomad/Makefile >@@ -1,7 +1,7 @@ > PORTNAME= nomad > DISTVERSIONPREFIX= v > DISTVERSION= 1.2.6 >-PORTREVISION= 1 >+PORTREVISION= 2 > CATEGORIES= sysutils > > MAINTAINER= jhixson@FreeBSD.org >diff --git a/sysutils/nomad/files/nomad.in b/sysutils/nomad/files/nomad.in >index 8dd5202252..c43c3cff53 100644 >--- a/sysutils/nomad/files/nomad.in >+++ b/sysutils/nomad/files/nomad.in >@@ -49,12 +49,19 @@ nomad_startprecmd() > install -o ${nomad_user} -g ${nomad_group} /dev/null ${pidfile}; > fi > >- if [ ! -d ${nomad_dir} ]; then >- install -d -o ${nomad_user} -g ${nomad_group} ${nomad_dir} >+ if [ ! -d "${nomad_dir}" ]; then >+ install -d -o ${nomad_user} -g ${nomad_group} "${nomad_dir}" >+ chmod 0700 "${nomad_dir}" > fi >+ > if [ "${nomad_debug}" != "NO" ]; then > command_args="-T ${name} ${command_args}" > fi >+ >+ if [ "$(stat -f "%Lp" "${nomad_dir}")" -ne "700" ]; then >+ 2>&1 echo "Error: File permissions of ${nomad_dir} must be 700, not starting." >+ exit 1 >+ fi > } > > run_rc_command "$1" >diff --git a/sysutils/nomad/pkg-message b/sysutils/nomad/pkg-message >new file mode 100644 >index 0000000000..33de22ee68 >--- /dev/null >+++ b/sysutils/nomad/pkg-message 
>@@ -0,0 +1,15 @@ >+[ >+{ type: upgrade, >+ message: <<EOM >+The nomad rc script requires the nomad data directory (as configured >+in the rc variable `nomad_dir`) to use strict directory permissions. >+ >+If your nomad data directory was created automatically using a >+previous version of the package, it is likely that its permissions >+are too lax. If that is the case, nomad will refuse to start with >+an error message and the situation can be resolved by adjusting >+directory permissions manually by issuing the chmod command, >+e.g. `chmod 700 /var/tmp/nomad`. >+EOM >+} >+] >-- >2.35.1 >
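Review bot: In the sysutils/nomad/files/nomad.in hunk, the new permission check at the end of nomad_startprecmd() fails open. `-ne` is a numeric test, so if `stat -f "%Lp"` prints nothing (for example because the preceding `install -d` failed and the path cannot be stat'ed), `[` exits with an error status, the `if` body is skipped, and startup continues. Compare as strings instead, e.g. `[ "$(stat -f "%Lp" "${nomad_dir}")" != "700" ]`. In the same block, `2>&1 echo` redirects stderr to stdout, so the error message still goes to stdout; use `>&2` or rc.subr's `err 1 "..."`. For creation, `install -d -m 0700 -o ... -g ...` would set the mode in the same step instead of relying on a following `chmod`. The check also covers the mode only, so a 700 directory owned by a different user passes; and `${nomad_user}` and `${nomad_group}` stay unquoted while `${nomad_dir}` is now quoted.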
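Review bot: In the sysutils/nomad/pkg-message hunk, the first paragraph says only "strict directory permissions", and the required mode appears just in the closing chmod example. Since the rc script refuses to start on anything other than exactly 700, state that mode in the first sentence. The example path `/var/tmp/nomad` is hard-coded; wording it as an example for the configured `nomad_dir` would keep the message correct for installations that set a different directory.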