From ade21ad9a1e458c8c0bc6d90b9050c811f40c56f Mon Sep 17 00:00:00 2001
From: Brandon Pfeifer
Date: Tue, 13 Dec 2022 11:00:50 -0500
Subject: [PATCH] fix: restrict file permissions by default (#23959)
Most of these changes can be overridden by the system maintainer with environment variables or systemd override snippets.
---
 .../usr/lib/influxdb/scripts/influxdb.service | 5 ++++
 .../fs/usr/lib/influxdb/scripts/init.sh | 28 +++++++++++++------
 2 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/.circleci/package/fs/usr/lib/influxdb/scripts/influxdb.service b/.circleci/package/fs/usr/lib/influxdb/scripts/influxdb.service
index ee48e6ced4..abaf7ec31d 100644
--- a/.circleci/package/fs/usr/lib/influxdb/scripts/influxdb.service
+++ b/.circleci/package/fs/usr/lib/influxdb/scripts/influxdb.service
@@ -15,6 +15,11 @@ KillMode=control-group
 Restart=on-failure
 Type=forking
 PIDFile=/var/lib/influxdb/influxd.pid
+StateDirectory=influxdb
+StateDirectoryMode=0750
+LogsDirectory=influxdb
+LogsDirectoryMode=0750
+UMask=0027
 [Install]
 WantedBy=multi-user.target
diff --git a/.circleci/package/fs/usr/lib/influxdb/scripts/init.sh b/.circleci/package/fs/usr/lib/influxdb/scripts/init.sh
index 2d3b32dac2..6f8e323a89 100644
--- a/.circleci/package/fs/usr/lib/influxdb/scripts/init.sh
+++ b/.circleci/package/fs/usr/lib/influxdb/scripts/init.sh
@@ -24,6 +24,13 @@ NAME=influxdb
 USER=influxdb
 GROUP=influxdb
+if [ -n "${INFLUXD_SERVICE_UMASK:-}" ]
+then
+ umask "${INFLUXD_SERVICE_UMASK}"
+else
+ umask 0027
+fi
+
 # Check for sudo or root privileges before continuing
 if [ "$UID" != "0" ]; then
 echo "You must be root to run this script"
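Review bot: The five added directives carry no comment marking them as packaged defaults, so a maintainer reading the unit cannot tell that they are meant to be relaxed through a drop-in rather than by editing this file. I would add a line above `StateDirectory=influxdb` such as `# Restrictive defaults; override in a drop-in (systemctl edit influxdb.service), not here`. That comment should also say that `StateDirectoryMode=` and `LogsDirectoryMode=` set the mode of the directory itself and that `UMask=0027` only affects files created afterwards, so files written before the upgrade keep their old mode bits and may need a one-off audit. The `[Service]` header and the `User=`/`Group=` lines these settings depend on are outside the hunk.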
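Review bot: An invalid `INFLUXD_SERVICE_UMASK` makes the `umask` call fail, and unless the script runs under `set -e` (not visible here) it then carries on with the umask it inherited, which is usually looser than the 0027 this block is meant to guarantee. An explicit fallback closes that gap: `umask "${INFLUXD_SERVICE_UMASK}" || umask 0027`. The block also sits above the place where the defaults file appears to be read (the `# Override init script variables with DEFAULT values` comment later in the script), so a value set there would presumably arrive too late. A comment stating where the variable has to be set would save operators from a silent no-op.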
@@ -40,10 +47,11 @@ fi
 # PID file for the daemon
 PIDFILE=/var/run/influxdb/influxd.pid
-PIDDIR=`dirname $PIDFILE`
-if [ ! -d "$PIDDIR" ]; then
- mkdir -p $PIDDIR
- chown $USER:$GROUP $PIDDIR
+piddir="$(dirname "${PIDFILE}")"
+if [ ! -d "${piddir}" ]; then
+ mkdir -p "${piddir}"
+ chown "${USER}:${GROUP}" "${piddir}"
+ chmod 0750 "${piddir}"
 fi
 # Max open files
@@ -58,16 +66,20 @@ if [ -z "$STDOUT" ]; then
 STDOUT=/var/log/influxdb/influxd.log
 fi
-if [ ! -f "$STDOUT" ]; then
- mkdir -p $(dirname $STDOUT)
+outdir="$(dirname "${STDOUT}")"
+if [ ! -d "${outdir}" ]; then
+ mkdir -p "${outdir}"
+ chmod 0750 "${outdir}"
 fi
 if [ -z "$STDERR" ]; then
 STDERR=/var/log/influxdb/influxd.log
 fi
-if [ ! -f "$STDERR" ]; then
- mkdir -p $(dirname $STDERR)
+errdir="$(dirname "${STDERR}")"
+if [ ! -d "${errdir}" ]; then
+ mkdir -p "${errdir}"
+ chmod 0750 "${errdir}"
 fi
 # Override init script variables with DEFAULT values
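Review bot: The new `chown` and `chmod 0750` run only when the PID directory is missing, so a directory that already exists with a wider mode or a different owner is left exactly as it is. `PIDFILE` is assigned a fixed path on the line above, so both calls can safely move below the `fi`: `chown "${USER}:${GROUP}" "${piddir}"` and `chmod 0750 "${piddir}"`. The log-directory blocks in the next hunk use the same only-if-missing guard. There the path comes from `STDOUT`/`STDERR`, which may point into a shared directory, so the guard should stay and the limitation be stated in a comment instead.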
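Review bot: A log directory created by these two blocks gets mode 0750 but, unlike the PID directory, no `chown`, so it stays owned by the invoking user (root, given the UID check earlier in the script). Under the previous default mode the `influxdb` user could at least traverse such a directory; with 0750 and root ownership it presumably cannot. That matters if the daemon or a rotation helper ever opens the log file itself rather than inheriting it from this script, and how the file is opened is outside the hunk. Adding `chown "${USER}:${GROUP}" "${outdir}"` after the `mkdir`, and the same for `errdir`, would keep the log and PID directories consistent.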