On Wed, Apr 15, 2020 at 05:44:24PM +0200, Rafael Sadowski wrote:
> On Wed Apr 15, 2020 at 04:18:56PM +0200, Eric Elena wrote:
> > On Wed, 15 Apr 2020 08:51:35 +0200 Landry Breuil wrote:
> > > On Wed, Apr 15, 2020 at 08:11:09AM +0200, Martin Reindl wrote:
> > > > On Tue, Apr 14, 2020 at 04:51:38PM +0200, Martin Reindl wrote:
> > > > > On 14.04.20 at 16:21, Stuart Henderson wrote:
> > > > > > On 2020/04/14 15:59, Eric Elena wrote:
> > > > > >> On Tue, 14 Apr 2020 14:38:37 +0100 Stuart Henderson wrote:
> > > > > >>> On 2020/04/14 14:28, Kevin Chadwick wrote:
> > > > > >>>> On 2020-04-14 14:15, Stuart Henderson wrote:
> > > > > >>>>> my 2p: setting the directory 750 is a pain for tab completion,
> > > > > >>>>> so if this is changed I think it would be better to set
> > > > > >>>>> permissions on
> > > > > >>>>> the sensitive files only.
> > > > > >>>>
> > > > > >>>> AFAIK /etc/grafana/config.ini is the only sensitive config file.
> > > > > >>>> Though I have
> > > > > >>>> seen various other names for the configuration file in
> > > > > >>>> documentation. The db dir
> > > > > >>>> is already secured.
> > > > > >>>>
> > > > > >>>
> > > > > >>> ldap.toml too.
> > > > > >>
> > > > > >> I have a diff with stricter permissions for the directories and
> > > > > >> the files. I wanted to send it with an update of loki that is
> > > > > >> taking more time than expected. Note that for people who have
> > > > > >> modified their config.ini: they will have to adjust the
> > > > > >> permissions.
> > > > > >
> > > > > > my 2p: setting the directory 750 is a pain for tab completion,
> > > > > > so if this is changed I think it would be better to set permissions
> > > > > > on
> > > > > > the sensitive files only.
> > > > > >
> > > > >
> > > > > I agree with Stuart here. So with my previous diff, it should be
> > > > > enough
> > > > > to move the config.ini line to the end of the PLIST.
> > > >
> > > > Like this, OK?
> > > >
> > > I'm not sure this will achieve what you want..
> > >
> > > > share/examples/grafana/sample.ini
> > > > -@sample ${SYSCONFDIR}/grafana/config.ini
> > >
> > > <snip>
> > >
> > > > @group _grafana
> > > > @sample /var/grafana/
> > > > @sample /var/log/grafana/
> > > > +@sample ${SYSCONFDIR}/grafana/config.ini
> > >
> > > from my experience and understanding, @sample works in conjunction with
> > > the previous entry for files:
> > >
> > > @sample filename
> > > Last preceding @file item is a sample configuration file, to
> > > be
> > > copied to filename at pkg_add(1) time and to be removed at
> > > pkg_delete(1) time.
> > >
> > > adding the @sample at the end of PLIST, I dunno what it will refer to,
> > > but surely not share/examples/grafana/sample.ini
> > >
> > > so if you want to change perms/ownership on the sample.ini file, I
> > > think you need something like
> > >
> > > share/examples/grafana/sample.ini
> > > @mode 0640
> > > @owner _grafana
> > > @group _grafana
> > > @sample ${SYSCONFDIR}/grafana/config.ini
> > > @mode
> > > @owner
> > > @group
> >
> > I'm not sure why my mail didn't reach the list yesterday. Anyway here
> > is a diff that sets permissions to 0755 on directories and 0640 on
> > configuration files.
>
> This version works for me. OK rsadowski@

Apologies for the delayed followup. Per Stuart's recommendation the update to 6.7.2 was committed independently without any changes to permissions. Attached diff is the essence of Eric's diff with regard to file permissions.

Rafael, is your OK still valid?

-m

Index: Makefile =================================================================== RCS file: /cvs/ports/sysutils/grafana/Makefile,v retrieving revision 1.11 diff -u -p -u -p -r1.11 Makefile --- Makefile 15 Apr 2020 18:18:19 -0000 1.11 +++ Makefile 22 Apr 2020 11:21:05 -0000 @@ -5,6 +5,7 @@ COMMENT = monitoring and metric analytic GH_ACCOUNT = grafana GH_PROJECT = grafana GH_TAGNAME = v6.7.2 +REVISION = 0 CATEGORIES = sysutils Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/sysutils/grafana/pkg/PLIST,v retrieving revision 1.8 diff -u -p -u -p -r1.8 PLIST --- pkg/PLIST 15 Apr 2020 18:18:19 -0000 1.8 +++ pkg/PLIST 22 Apr 2020 11:21:05 -0000 
@@ -7,25 +7,75 @@ @bin bin/grafana-cli @bin bin/grafana-server share/examples/grafana/ +@mode 0755 +@owner root +@group _grafana @sample ${SYSCONFDIR}/grafana/ +@mode +@owner +@group share/examples/grafana/ldap.toml +@mode 0640 +@group _grafana @sample ${SYSCONFDIR}/grafana/ldap.toml +@mode +@group share/examples/grafana/provisioning/ +@mode 0755 +@owner root +@group _grafana @sample ${SYSCONFDIR}/grafana/provisioning/ +@mode +@owner +@group share/examples/grafana/provisioning/dashboards/ +@mode 0755 +@owner root +@group _grafana @sample ${SYSCONFDIR}/grafana/provisioning/dashboards/ +@mode +@owner +@group share/examples/grafana/provisioning/dashboards/sample.yaml +@mode 0640 +@group _grafana @sample ${SYSCONFDIR}/grafana/provisioning/dashboards/sample.yaml +@mode +@group share/examples/grafana/provisioning/datasources/ +@mode 0755 +@owner root +@group _grafana @sample ${SYSCONFDIR}/grafana/provisioning/datasources/ +@mode +@owner +@group share/examples/grafana/provisioning/datasources/sample.yaml +@mode 0640 +@group _grafana @sample ${SYSCONFDIR}/grafana/provisioning/datasources/sample.yaml +@mode +@group share/examples/grafana/provisioning/notifiers/ +@mode 0755 +@owner root +@group _grafana @sample ${SYSCONFDIR}/grafana/provisioning/notifiers/ +@mode +@owner +@group share/examples/grafana/provisioning/notifiers/sample.yaml +@mode 0640 +@group _grafana @sample ${SYSCONFDIR}/grafana/provisioning/notifiers/sample.yaml +@mode +@group share/examples/grafana/sample.ini +@mode 0640 +@group _grafana @sample ${SYSCONFDIR}/grafana/config.ini +@mode +@group share/grafana/ share/grafana/conf/ share/grafana/conf/defaults.ini @@ -2510,7 +2560,7 @@ share/grafana/public/views/error-templat share/grafana/public/views/error.html share/grafana/public/views/index-template.html share/grafana/public/views/index.html -@mode 750 +@mode 0750 @owner _grafana @group _grafana @sample /var/grafana/
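
Review bot: in the first pkg/PLIST hunk, the file entries (ldap.toml, the three provisioning sample.yaml files, and sample.ini installed as config.ini) pick up `@mode 0640` and `@group _grafana` only through their `@sample` lines, so the tighter mode arrives when the sample is copied into place; as already noted in the thread, people who have modified their config.ini will have to adjust the permissions themselves. Suggest stating that where upgraders will see it, together with the target state these lines produce (owner left at the default, group _grafana, mode 0640), since ldap.toml and the provisioning files are in the same position as config.ini. A smaller point on the directory entries in the same hunk: with `@mode 0755` the group bits are the same as the other bits, so `@owner root` / `@group _grafana` on the directories grants the daemon nothing beyond what everyone else has; those blocks could be dropped to keep the PLIST shorter unless the explicit ownership is wanted for its own sake.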