From b51fefdf6dcbead1129259c6dae9e34b724d4461 Mon Sep 17 00:00:00 2001
From: Jeffrey Smith II
Date: Fri, 2 Sep 2022 14:08:30 -0400
Subject: [PATCH] fix: set limited permissions on package installs (#23683)

* fix: set limited permissions on package installs
* fix: set umask in systemd service to create files as 0750
---
 .circleci/package/control/postinst | 4 ++--
 .../package/fs/usr/lib/influxdb/scripts/influxdb.service | 1 +
 .circleci/package/fs/var/lib/influxdb/.keep | 0
 .circleci/scripts/build-package | 5 ++++-
 4 files changed, 7 insertions(+), 3 deletions(-)
 create mode 100644 .circleci/package/fs/var/lib/influxdb/.keep

diff --git a/.circleci/package/control/postinst b/.circleci/package/control/postinst
index e78fddfd48..8862ec34b4 100644
--- a/.circleci/package/control/postinst
+++ b/.circleci/package/control/postinst
@@ -111,8 +111,8 @@ elif [[ -f /etc/debian_version ]]; then
     # Moving these lines out of this if statement would make `rmp -V` fail after installation.
     chown -R -L influxdb:influxdb $LOG_DIR
     chown -R -L influxdb:influxdb $DATA_DIR
-    chmod 755 $LOG_DIR
-    chmod 755 $DATA_DIR
+    chmod 750 $LOG_DIR
+    chmod 750 $DATA_DIR
     # Debian/Ubuntu logic
     if command -v systemctl &>/dev/null; then
diff --git a/.circleci/package/fs/usr/lib/influxdb/scripts/influxdb.service b/.circleci/package/fs/usr/lib/influxdb/scripts/influxdb.service
index ee48e6ced4..d87052c198 100644
--- a/.circleci/package/fs/usr/lib/influxdb/scripts/influxdb.service
+++ b/.circleci/package/fs/usr/lib/influxdb/scripts/influxdb.service
@@ -15,6 +15,7 @@ KillMode=control-group
 Restart=on-failure
 Type=forking
 PIDFile=/var/lib/influxdb/influxd.pid
+UMask=0027
 [Install]
 WantedBy=multi-user.target
diff --git a/.circleci/package/fs/var/lib/influxdb/.keep b/.circleci/package/fs/var/lib/influxdb/.keep
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/.circleci/scripts/build-package b/.circleci/scripts/build-package
index 6a7bb6731e..bedabee4ad 100755
--- a/.circleci/scripts/build-package
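Review bot: `chmod 750 $LOG_DIR` and `chmod 750 $DATA_DIR` are non-recursive while the `chown -R -L` lines just above them do recurse, so on an upgrade every file and subdirectory already inside those trees keeps whatever mode it had and only the top-level directory is tightened. If that is intended, say so on the line, e.g. `# Non-recursive on purpose: tighten the top-level directory only; existing contents keep their modes`, so the next reader does not assume the whole tree is 0750. Note also that 0750 on the log directory means any log reader not running as influxdb or in the influxdb group loses access. The unquoted `$LOG_DIR`/`$DATA_DIR` are pre-existing but would be safer as `"$LOG_DIR"` and `"$DATA_DIR"`; the context comment's `rmp -V` looks like a typo for `rpm -V`. The enclosing `elif [[ -f /etc/debian_version ]]` branch continues past the hunk.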
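Review bot: `UMask=0027` makes the daemon create regular files as 0640 and directories as 0750, so the commit message's "create files as 0750" describes directories only; a comment on the new line, `# 0027: new files 0640, new directories 0750`, would document the intended modes and discourage tightening it further by accident. The umask only affects files influxd creates after this unit is in use; anything already present under /var/lib/influxdb is untouched (the postinst hunk's chmod is likewise non-recursive). Whether this unit's `User=`/`Group=` match the `influxdb:influxdb` ownership applied by postinst is not visible in the hunk, and it matters because `PIDFile=/var/lib/influxdb/influxd.pid` now lives in a 0750 directory.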
+++ b/.circleci/scripts/build-package
@@ -58,7 +58,10 @@ function run_fpm()
         --after-remove control/postrm \
         `# package files` \
         --chdir fs/ \
-        --package /artifacts
+        --package /artifacts \
+        --directories /var/lib/influxdb \
+        --rpm-defattrdir 750 \
+        --rpm-defattrfile 750
     popd
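Review bot: `--rpm-defattrfile 750` and `--rpm-defattrdir 750` become the RPM's `%defattr` and, as far as I know, an explicit mode there overrides the on-disk mode of every packaged entry, so non-executable content (the unit file under /usr/lib/influxdb/scripts, the new `.keep`, any config) is shipped executable, and with fpm's default owner of root for RPM files a 0750 root:root binary cannot be executed by the influxdb service user unless `--rpm-user`/`--rpm-group` are set earlier in `run_fpm` (outside the hunk). Please verify on an installed RPM that the /usr/bin entries and the unit file remain usable, and consider leaving the file defaults alone and restricting only the data directory with a per-path `--rpm-attr` entry instead of a blanket 750. The intent would also be clearer with a comment before the new options, e.g. `# RPM-only: Debian gets the same 0750 from postinst`. `run_fpm` starts before the hunk.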