authorV3n3RiX <venerix@redcorelinux.org>2021-09-10 04:21:55 +0100
committerV3n3RiX <venerix@redcorelinux.org>2021-09-10 04:21:55 +0100
commit677b7ba5c317778df2ad7e70df94b9b7eec4adbc (patch)
tree6c418a1546fff5becab5d8b9ed6803323e7f316e /app-backup/bareos/files
parentfbda87924e6faa7a1919f1a2b4182490bde5ec5c (diff)
gentoo resync : 10.09.2021
Diffstat (limited to 'app-backup/bareos/files')
-rw-r--r--app-backup/bareos/files/bareos-dir.initd15
-rw-r--r--app-backup/bareos/files/bareos-dir.service9
-rw-r--r--app-backup/bareos/files/bareos-sd.initd15
-rw-r--r--app-backup/bareos/files/bareos-sd.service9
4 files changed, 36 insertions, 12 deletions
diff --git a/app-backup/bareos/files/bareos-dir.initd b/app-backup/bareos/files/bareos-dir.initd
index 9f17f212e4a4..462ff07843a2 100644
--- a/app-backup/bareos/files/bareos-dir.initd
+++ b/app-backup/bareos/files/bareos-dir.initd
@@ -1,5 +1,5 @@
#!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
depend() {
@@ -8,14 +8,23 @@ depend() {
start() {
ebegin "Starting bareos director"
- checkpath -d -m 0750 -o root:bareos /run/bareos
+ # g+w until #631598 is resolved
+ checkpath -d -m 0770 -o root:bareos /run/bareos
start-stop-daemon --start --quiet --exec /usr/sbin/bareos-dir \
-- ${DIR_OPTIONS}
+ # harden pid file until #631598 is resolved
+ ewaitfile 10 /run/bareos/bareos-dir.9101.pid
+ chown root:bareos /run/bareos/bareos-dir.9101.pid
eend $?
}
stop() {
ebegin "Stopping bareos director"
- start-stop-daemon --stop --quiet --pidfile /run/bareos/bareos-dir.*.pid
+ # check pid file until #631598 is resolved
+ if [[ $(stat -c %U /run/bareos/bareos-dir.9101.pid) != "root" ]]; then
+ eerror "SECURITY ALERT: pid file is not root owned anymore?! (see #631598)"
+ else
+ start-stop-daemon --stop --quiet --pidfile /run/bareos/bareos-dir.9101.pid
+ fi
eend $?
}
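Review bot: The ownership guard in stop() is written with `[[ … ]]`, a bash construct, but openrc-run scripts are interpreted by /bin/sh; where that shell is not bash the test fails as an unknown command, the `else` branch runs, and the daemon is stopped from the pid file with no check at all, so the guard fails open. A POSIX test with the command substitution quoted keeps it working, and the refusal branch should end in an explicit failure instead of falling through to `eend $?`, which otherwise carries the status of `eerror`. In start(), `eend $?` now reports the status of `chown` rather than of `start-stop-daemon`, and `chown` without `-h` follows a symlink while running as root inside a directory this hunk makes group-writable. The pid file's mode is left as the daemon created it, so if it is group-writable (not visible here) root ownership alone does not stop members of the bareos group from rewriting it. The bareos-sd.initd hunk further down has the same start()/stop() code and needs the same changes.

```shell
start() {
	# … unchanged: ebegin, checkpath, start-stop-daemon --start …
	local rc=$?
	# harden pid file until #631598 is resolved
	if [ "${rc}" -eq 0 ]; then
		ewaitfile 10 /run/bareos/bareos-dir.9101.pid \
			&& chown -h root:bareos /run/bareos/bareos-dir.9101.pid
		rc=$?
	fi
	eend "${rc}"
}

stop() {
	# … unchanged: ebegin …
	# check pid file until #631598 is resolved
	if [ "$(stat -c %U /run/bareos/bareos-dir.9101.pid)" != "root" ]; then
		eerror "SECURITY ALERT: pid file is not root owned anymore?! (see #631598)"
		eend 1
		return 1
	fi
	start-stop-daemon --stop --quiet --pidfile /run/bareos/bareos-dir.9101.pid
	eend $?
}
```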
diff --git a/app-backup/bareos/files/bareos-dir.service b/app-backup/bareos/files/bareos-dir.service
index a342671d0d00..f0a611715487 100644
--- a/app-backup/bareos/files/bareos-dir.service
+++ b/app-backup/bareos/files/bareos-dir.service
@@ -11,14 +11,17 @@ After=nss-lookup.target network.target remote-fs.target time-sync.target postgre
ConditionPathIsDirectory=/var/lib/bareos
[Service]
-Type=forking
+# see bug #631598
+#Type=forking
+Type=simple
User=bareos
Group=bareos
WorkingDirectory=/var/lib/bareos
-PIDFile=/run/bareos/bareos-dir.9101.pid
+#PIDFile=/run/bareos/bareos-dir.9101.pid
StandardError=journal
ExecStartPre=/usr/sbin/bareos-dir -t -f
-ExecStart=/usr/sbin/bareos-dir
+#ExecStart=/usr/sbin/bareos-dir
+ExecStart=/usr/sbin/bareos-dir -f
SuccessExitStatus=0 1 15
#Restart=on-failure
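Review bot: The three commented-out lines (`#Type=forking`, `#PIDFile=/run/bareos/bareos-dir.9101.pid`, `#ExecStart=/usr/sbin/bareos-dir`) keep the old configuration in the unit as dead text, and `# see bug #631598` does not say what the new settings are for. The previous values are already recorded in the commit, so one explanatory comment would serve readers better, for example `# Run in the foreground (-f) with Type=simple so systemd tracks the main process itself instead of a daemon-written PID file (bug #631598)`; that reading of the intent is inferred from the change and should be confirmed against the bug. The bareos-sd.service hunk follows the same pattern. The [Service] section continues outside this hunk.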
diff --git a/app-backup/bareos/files/bareos-sd.initd b/app-backup/bareos/files/bareos-sd.initd
index 4f7fbcb52bf2..97b9ccdc92f1 100644
--- a/app-backup/bareos/files/bareos-sd.initd
+++ b/app-backup/bareos/files/bareos-sd.initd
@@ -1,5 +1,5 @@
#!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
depend() {
@@ -8,14 +8,23 @@ depend() {
start() {
ebegin "Starting bareos storage daemon"
- checkpath -d -m 0750 -o root:bareos /run/bareos
+ # g+w until #631598 is resolved
+ checkpath -d -m 0770 -o root:bareos /run/bareos
start-stop-daemon --start --quiet --exec /usr/sbin/bareos-sd \
-- ${SD_OPTIONS}
+ # harden pid file until #631598 is resolved
+ ewaitfile 10 /run/bareos/bareos-sd.9103.pid
+ chown root:bareos /run/bareos/bareos-sd.9103.pid
eend $?
}
stop() {
ebegin "Stopping bareos storage daemon"
- start-stop-daemon --stop --quiet --pidfile /run/bareos/bareos-sd.*.pid
+ # check pid file until #631598 is resolved
+ if [[ $(stat -c %U /run/bareos/bareos-sd.9103.pid) != "root" ]]; then
+ eerror "SECURITY ALERT: pid file is not root owned anymore?! (see #631598)"
+ else
+ start-stop-daemon --stop --quiet --pidfile /run/bareos/bareos-sd.9103.pid
+ fi
eend $?
}
diff --git a/app-backup/bareos/files/bareos-sd.service b/app-backup/bareos/files/bareos-sd.service
index 80d9edbc9734..acf8cb0156e1 100644
--- a/app-backup/bareos/files/bareos-sd.service
+++ b/app-backup/bareos/files/bareos-sd.service
@@ -10,14 +10,17 @@ Requires=nss-lookup.target network.target remote-fs.target time-sync.target
After=nss-lookup.target network.target remote-fs.target time-sync.target
[Service]
-Type=forking
+# see bug #631598
+#Type=forking
+Type=simple
User=root
Group=bareos
WorkingDirectory=/var/lib/bareos
-PIDFile=/run/bareos/bareos-sd.9103.pid
+#PIDFile=/run/bareos/bareos-sd.9103.pid
StandardError=journal
ExecStartPre=/usr/sbin/bareos-sd -t -f
-ExecStart=/usr/sbin/bareos-sd
+#ExecStart=/usr/sbin/bareos-sd
+ExecStart=/usr/sbin/bareos-sd -f
# enable this for scsicrypto-sd
# CapabilityBoundingSet=cap_sys_rawio+ep
SuccessExitStatus=0 15