packaging: Set log directory permissions on fresh install

On a fresh install, we want to limit access to the log directory to the
owner and group. This is in case sensitive data are logged.

We don't enforce the permissions on upgrade because:
    1. We don't want to break existing installs by reducing
       permissions.
    2. The admin may want to set up different permissions.

References rabbitmq/rabbitmq-management#474.
[#150970897]
Jean-Sébastien Pédron 2017-09-12 12:59:22 +02:00
parent 76e999049c
commit f86423feeb
No known key found for this signature in database
GPG Key ID: 39E99761A5FD94CC
2 changed files with 32 additions and 2 deletions

@ -103,6 +103,14 @@ find %{buildroot} -path "*%{_initrddir}*" -type f -printf "/%%P\n" >>%{_builddir
%pre
# If the log directory exists, record its permissions so we can restore
# them after an upgrade. The goal is to set the permissions to 0750 on a
# fresh install but to keep permissions set by the user or a different
# default from a previous package.
if test -d /var/log/rabbitmq; then
stat --format '%a' /var/log/rabbitmq > /var/log/rabbitmq/permissions
fi
if [ $1 -gt 1 ]; then
# Upgrade - stop previous instance of rabbitmq-server init.d (this
# will also activate systemd if it was used) script.
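Review bot: the `stat --format '%a' /var/log/rabbitmq > /var/log/rabbitmq/permissions` line in %pre has a root scriptlet create and write a file inside a directory that the %files section assigns to the rabbitmq user, so the saved mode lives at a path the service account controls until %post reads it back. Keep the saved value in a root-owned location outside /var/log/rabbitmq instead, and have %post read it from there.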
@ -141,6 +149,13 @@ fi
chmod -R o-rwx,g-w %{_localstatedir}/lib/rabbitmq/mnesia
# Restore permissions saved during %pre. See comment in %pre for the
# reason behind this.
if test -f /var/log/rabbitmq/permissions; then
chmod "$(cat /var/log/rabbitmq/permissions)" /var/log/rabbitmq
rm -f /var/log/rabbitmq/permissions
fi
# Update profile to enable autocompletion
. /etc/profile
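Review bot: the `chmod "$(cat /var/log/rabbitmq/permissions)" /var/log/rabbitmq` line passes the file's content to chmod as root without checking it. If the file is empty or holds anything other than the octal mode written in %pre, chmod either fails or applies a mode that was never recorded. Read the value into a variable, accept it only when it is three or four octal digits, and leave the directory untouched otherwise; the `rm -f` can stay unconditional.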
@ -203,9 +218,8 @@ systemctl try-restart %{name}.service >/dev/null 2>&1 || :
%defattr(-,root,root,-)
%attr(0755, rabbitmq, rabbitmq) %dir %{_localstatedir}/lib/rabbitmq
%attr(0750, rabbitmq, rabbitmq) %dir %{_localstatedir}/lib/rabbitmq/mnesia
%attr(0755, rabbitmq, rabbitmq) %dir %{_localstatedir}/log/rabbitmq
%attr(0750, rabbitmq, rabbitmq) %dir %{_localstatedir}/log/rabbitmq
%attr(2750, -, rabbitmq) %dir %{_sysconfdir}/rabbitmq
%{_sysconfdir}/profile.d/rabbitmqctl-autocomplete.sh
%{_datarootdir}/zsh/vendor-functions/_enable_rabbitmqctl_completion
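Review bot: the changed `%attr(0750, rabbitmq, rabbitmq) %dir %{_localstatedir}/log/rabbitmq` entry has no comment tying it to the save and restore logic in %pre and %post. The restore exists to keep this mode from taking effect on upgrade, so a one-line comment above the entry pointing at %pre would stop a later cleanup of the scriptlets from turning 0750 into an upgrade-time change, which the commit message says is not wanted.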

@ -42,6 +42,22 @@ chmod -R o-rwx,g-w /var/lib/rabbitmq/mnesia
case "$1" in
configure)
if test -z "$2"; then
# This is a fresh install of the package.
# On a fresh install, we want to limit permissions on the
# log directory to the owner and the group. Others won't
# have any access to log files: this is in case sensitive
# data are accidentally logged (like process crash data).
chmod 750 /var/log/rabbitmq
else
# The package was already configured: it's an upgrade over
# a previously installed version, or it's an install over
# a non-purged version (i.e. deinstalled but configuration
# files and data are still there).
true
fi
if [ -n "$ZSH_VERSION" ]; then
echo "Z Shell detected.
to enable rabbitmqctl autocompletion add the following to your .zshrc file:
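Review bot: `chmod 750 /var/log/rabbitmq` in the fresh-install branch sets an absolute mode, so a directory the admin created beforehand with a tighter mode (0700, say) is widened to give the group read and traverse access. The symbolic form already used in the context line for mnesia, `chmod o-rwx,g-w /var/log/rabbitmq`, only removes bits and still yields 0750 on a directory created as 0755. The `else` branch that contains only `true` can go as well; its comment fits above the `if`.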