From d845a2239b1952468cc963da07612672878881ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20Tarti=C3=A8re?= Date: Mon, 21 Aug 2023 12:57:11 -1000 Subject: [PATCH] Improve ownership and permissions of files in deb and rpm packages (#3898) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Romain Tartière --- .../opensearch/deb/debian/postinst | 12 ++++++--- .../deb/debmake_opensearch_install.sh | 3 ++- .../opensearch/rpm/opensearch.rpm.spec | 27 +++++++++++-------- 3 files changed, 27 insertions(+), 15 deletions(-) diff --git a/scripts/pkg/build_templates/opensearch/deb/debian/postinst b/scripts/pkg/build_templates/opensearch/deb/debian/postinst index cc84020eb7..a192b660b1 100755 --- a/scripts/pkg/build_templates/opensearch/deb/debian/postinst +++ b/scripts/pkg/build_templates/opensearch/deb/debian/postinst @@ -37,11 +37,17 @@ if ! grep -q '## OpenSearch Performance Analyzer' ${config_dir}/jvm.options; the echo "--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED" >> ${config_dir}/jvm.options fi -# Set owner -chown -R opensearch.opensearch ${product_dir} +# Set ownership and permissions +# FIXME: the opensearch service should not have w permission in the config directory chown -R opensearch.opensearch ${config_dir} -chown -R opensearch.opensearch ${log_dir} +chmod -R u=rwX,g=rX,o= ${config_dir} + +chown -R opensearch.adm ${log_dir} +chmod 750 ${log_dir} + chown -R opensearch.opensearch ${data_dir} +chmod 750 ${data_dir} + chown -R opensearch.opensearch ${pid_dir} # Reload systemctl daemon diff --git a/scripts/pkg/build_templates/opensearch/deb/debmake_opensearch_install.sh b/scripts/pkg/build_templates/opensearch/deb/debmake_opensearch_install.sh index 206ca6d6d6..ff87e544d5 100755 --- a/scripts/pkg/build_templates/opensearch/deb/debmake_opensearch_install.sh +++ b/scripts/pkg/build_templates/opensearch/deb/debmake_opensearch_install.sh @@ -41,6 +41,7 @@ ln -s ${data_dir} ${buildroot}${product_dir}/data ln -s ${log_dir} ${buildroot}${product_dir}/logs # Change Permissions -chmod -Rf a+rX,u+w,g-w,o-w ${buildroot}/* +chmod -Rf g-s ${buildroot}/* +chmod -Rf u=rwX,g=rX,o=rX ${buildroot}/* exit 0 diff --git a/scripts/pkg/build_templates/opensearch/rpm/opensearch.rpm.spec b/scripts/pkg/build_templates/opensearch/rpm/opensearch.rpm.spec index f2df1879e0..ea2ddb2108 100644 --- a/scripts/pkg/build_templates/opensearch/rpm/opensearch.rpm.spec +++ b/scripts/pkg/build_templates/opensearch/rpm/opensearch.rpm.spec @@ -68,7 +68,8 @@ if [ ! -f %{buildroot}%{data_dir}/performance_analyzer_enabled.conf ]; then echo 'true' > %{buildroot}%{data_dir}/performance_analyzer_enabled.conf fi # Change Permissions -chmod -Rf a+rX,u+w,g-w,o-w %{buildroot}/* +chmod -Rf g-s %{buildroot}/* +chmod -Rf u=rwX,g=rX,o= %{buildroot}/etc exit 0 %pre @@ -150,13 +151,6 @@ exit 0 # Permissions %defattr(-, %{name}, %{name}) -# Root dirs/docs/licenses -%dir %{product_dir} -%doc %{product_dir}/NOTICE.txt -%doc %{product_dir}/README.md -%license %{product_dir}/LICENSE.txt -%{product_dir}/manifest.yml - # Config dirs/files %dir %{config_dir} %{config_dir}/jvm.options.d @@ -175,6 +169,20 @@ exit 0 %attr(0644, root, root) %config(noreplace) %{_prefix}/lib/sysctl.d/%{name}.conf %attr(0644, root, root) %config(noreplace) %{_prefix}/lib/tmpfiles.d/%{name}.conf +%dir %attr(750, %{name}, %{name}) %{data_dir} +%attr(750, %{name}, %{name}) %{log_dir} +%attr(750, %{name}, %{name}) %{pid_dir} + +# Permissions +%defattr(-, root, root) + +# Root dirs/docs/licenses +%dir %{product_dir} +%doc %{product_dir}/NOTICE.txt +%doc %{product_dir}/README.md +%license %{product_dir}/LICENSE.txt +%{product_dir}/manifest.yml + # Main dirs %{product_dir}/bin %{product_dir}/jdk @@ -182,9 +190,6 @@ exit 0 %{product_dir}/modules %{product_dir}/performance-analyzer-rca %{product_dir}/plugins -%{log_dir} -%{pid_dir} -%dir %{data_dir} # Symlinks %{product_dir}/data