From 677b7ba5c317778df2ad7e70df94b9b7eec4adbc Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Fri, 10 Sep 2021 04:21:55 +0100
Subject: gentoo resync : 10.09.2021
---
 app-backup/bareos/files/bareos-dir.initd | 15 ++++++++++++---
 app-backup/bareos/files/bareos-dir.service | 9 ++++++---
 app-backup/bareos/files/bareos-sd.initd | 15 ++++++++++++---
 app-backup/bareos/files/bareos-sd.service | 9 ++++++---
 4 files changed, 36 insertions(+), 12 deletions(-)
(limited to 'app-backup/bareos/files')
diff --git a/app-backup/bareos/files/bareos-dir.initd b/app-backup/bareos/files/bareos-dir.initd
index 9f17f212e4a4..462ff07843a2 100644
--- a/app-backup/bareos/files/bareos-dir.initd
+++ b/app-backup/bareos/files/bareos-dir.initd
@@ -1,5 +1,5 @@
 #!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 depend() {
@@ -8,14 +8,23 @@ depend() {
 start() {
 ebegin "Starting bareos director"
- checkpath -d -m 0750 -o root:bareos /run/bareos
+ # g+w until #631598 is resolved
+ checkpath -d -m 0770 -o root:bareos /run/bareos
 start-stop-daemon --start --quiet --exec /usr/sbin/bareos-dir \
 -- ${DIR_OPTIONS}
+ # harden pid file until #631598 is resolved
+ ewaitfile 10 /run/bareos/bareos-dir.9101.pid
+ chown root:bareos /run/bareos/bareos-dir.9101.pid
 eend $?
 }
 stop() {
 ebegin "Stopping bareos director"
- start-stop-daemon --stop --quiet --pidfile /run/bareos/bareos-dir.*.pid
+ # check pid file until #631598 is resolved
+ if [[ $(stat -c %U /run/bareos/bareos-dir.9101.pid) != "root" ]]; then
+ eerror "SECURITY ALERT: pid file is not root owned anymore?! (see #631598)"
+ else
+ start-stop-daemon --stop --quiet --pidfile /run/bareos/bareos-dir.9101.pid
+ fi
 eend $?
 }
diff --git a/app-backup/bareos/files/bareos-dir.service b/app-backup/bareos/files/bareos-dir.service
index a342671d0d00..f0a611715487 100644
--- a/app-backup/bareos/files/bareos-dir.service
+++ b/app-backup/bareos/files/bareos-dir.service
@@ -11,14 +11,17 @@ After=nss-lookup.target network.target remote-fs.target time-sync.target postgre
 ConditionPathIsDirectory=/var/lib/bareos
 [Service]
-Type=forking
+# see bug #631598
+#Type=forking
+Type=simple
 User=bareos
 Group=bareos
 WorkingDirectory=/var/lib/bareos
-PIDFile=/run/bareos/bareos-dir.9101.pid
+#PIDFile=/run/bareos/bareos-dir.9101.pid
 StandardError=journal
 ExecStartPre=/usr/sbin/bareos-dir -t -f
-ExecStart=/usr/sbin/bareos-dir
+#ExecStart=/usr/sbin/bareos-dir
+ExecStart=/usr/sbin/bareos-dir -f
 SuccessExitStatus=0 1 15
 #Restart=on-failure
diff --git a/app-backup/bareos/files/bareos-sd.initd b/app-backup/bareos/files/bareos-sd.initd
index 4f7fbcb52bf2..97b9ccdc92f1 100644
--- a/app-backup/bareos/files/bareos-sd.initd
+++ b/app-backup/bareos/files/bareos-sd.initd
@@ -1,5 +1,5 @@
 #!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 depend() {
@@ -8,14 +8,23 @@ depend() {
 start() {
 ebegin "Starting bareos storage daemon"
- checkpath -d -m 0750 -o root:bareos /run/bareos
+ # g+w until #631598 is resolved
+ checkpath -d -m 0770 -o root:bareos /run/bareos
 start-stop-daemon --start --quiet --exec /usr/sbin/bareos-sd \
 -- ${SD_OPTIONS}
+ # harden pid file until #631598 is resolved
+ ewaitfile 10 /run/bareos/bareos-sd.9103.pid
+ chown root:bareos /run/bareos/bareos-sd.9103.pid
 eend $?
 }
 stop() {
 ebegin "Stopping bareos storage daemon"
- start-stop-daemon --stop --quiet --pidfile /run/bareos/bareos-sd.*.pid
+ # check pid file until #631598 is resolved
+ if [[ $(stat -c %U /run/bareos/bareos-sd.9103.pid) != "root" ]]; then
+ eerror "SECURITY ALERT: pid file is not root owned anymore?! (see #631598)"
+ else
+ start-stop-daemon --stop --quiet --pidfile /run/bareos/bareos-sd.9103.pid
+ fi
 eend $?
 }
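Review bot: In the `[Service]` section of bareos-dir.service, the old `#Type=forking`, `#PIDFile=…` and `#ExecStart=…` lines are left behind as commented-out configuration, and the only rationale given is `# see bug #631598`. A reader of the unit cannot tell why the PID file was dropped, so I would delete the three dead lines and state the reason in place, e.g. `# Type=simple with -f: systemd tracks the main process itself, so no PID file under /run/bareos is trusted (bug #631598)`. That wording is inferred from the change itself (PIDFile removed, `-f` added) and should be confirmed against the bug. The bareos-sd.service hunk follows the same pattern.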
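Review bot: In `start()` of bareos-sd.initd, `chown root:bareos /run/bareos/bareos-sd.9103.pid` runs as root on a name inside a directory that the same hunk makes group-writable (`checkpath -d -m 0770 -o root:bareos`), and plain `chown` dereferences symlinks, so the hardening step trusts whatever the bareos group left at that path. Using `chown -h root:bareos …` after confirming the path is a regular file would close that gap. The root-owner test in `stop()` also says nothing about the file's content if its mode stays group-writable (the hunk never sets the mode), so a `chmod go-w` next to the chown is worth adding. Separately, `eend $?` in `start()` now reports the status of `chown` rather than of `start-stop-daemon`, and on the alert branch of `stop()` it reports the status of `eerror`, so an explicit `return 1` after the `eerror` would keep a refused stop from being reported as successful if `eerror` returns 0. The second hunk of bareos-dir.initd (pid file `bareos-dir.9101.pid`) has the same issues.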
diff --git a/app-backup/bareos/files/bareos-sd.service b/app-backup/bareos/files/bareos-sd.service
index 80d9edbc9734..acf8cb0156e1 100644
--- a/app-backup/bareos/files/bareos-sd.service
+++ b/app-backup/bareos/files/bareos-sd.service
@@ -10,14 +10,17 @@ Requires=nss-lookup.target network.target remote-fs.target time-sync.target
 After=nss-lookup.target network.target remote-fs.target time-sync.target
 [Service]
-Type=forking
+# see bug #631598
+#Type=forking
+Type=simple
 User=root
 Group=bareos
 WorkingDirectory=/var/lib/bareos
-PIDFile=/run/bareos/bareos-sd.9103.pid
+#PIDFile=/run/bareos/bareos-sd.9103.pid
 StandardError=journal
 ExecStartPre=/usr/sbin/bareos-sd -t -f
-ExecStart=/usr/sbin/bareos-sd
+#ExecStart=/usr/sbin/bareos-sd
+ExecStart=/usr/sbin/bareos-sd -f
 # enable this for scsicrypto-sd
 # CapabilityBoundingSet=cap_sys_rawio+ep
 SuccessExitStatus=0 15
--
cgit v1.2.3