fix: set limited permissions on package installs (#23683)

* fix: set limited permissions on package installs * fix: set umask in systemd service to create files as 0750
2022-09-02 14:08:30 -04:00 · 2022-09-02 14:08:30 -04:00 · b51fefdf6d
parent 485968cce4
commit b51fefdf6d
4 changed files with 7 additions and 3 deletions
--- a/.circleci/package/control/postinst
+++ b/.circleci/package/control/postinst
@ -111,8 +111,8 @@ elif [[ -f /etc/debian_version ]]; then
    # Moving these lines out of this if statement would make `rmp -V` fail after installation.
    chown -R -L influxdb:influxdb $LOG_DIR
    chown -R -L influxdb:influxdb $DATA_DIR
-    chmod 755 $LOG_DIR
-    chmod 755 $DATA_DIR
+    chmod 750 $LOG_DIR
+    chmod 750 $DATA_DIR

    # Debian/Ubuntu logic
    if command -v systemctl &>/dev/null; then
--- a/.circleci/package/fs/usr/lib/influxdb/scripts/influxdb.service
+++ b/.circleci/package/fs/usr/lib/influxdb/scripts/influxdb.service
@ -15,6 +15,7 @@ KillMode=control-group
 Restart=on-failure
 Type=forking
 PIDFile=/var/lib/influxdb/influxd.pid
+UMask=0027

 [Install]
 WantedBy=multi-user.target
--- a/.circleci/package/fs/var/lib/influxdb/.keep
+++ b/.circleci/package/fs/var/lib/influxdb/.keep
--- a/.circleci/scripts/build-package
+++ b/.circleci/scripts/build-package
@ -58,7 +58,10 @@ function run_fpm()
      --after-remove   control/postrm                      \
      `# package files`                                    \
      --chdir          fs/                                 \
-      --package        /artifacts
+      --package        /artifacts                          \
+      --directories    /var/lib/influxdb                   \
+      --rpm-defattrdir 750                                 \
+      --rpm-defattrfile 750

    popd