app-backup/bareos: add workaround for #631598

Bug: https://bugs.gentoo.org/631598 Package-Manager: Portage-3.0.20, Repoman-3.0.3 Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>
author: Marc Schiffbauer <mschiff@gentoo.org> 2021-09-06 01:58:41 -1000
committer: Marc Schiffbauer <mschiff@gentoo.org> 2021-09-06 01:59:24 -1000
commit: cee394d24645d97a6904df90fd0ab960de4367ef (patch)
tree: f4b27fd65f5c8eccb5398b6f2a5c3b6cda545d4e /app-backup/bareos
parent: dev-python/requests-kerberos: mark ALLARCHES (diff)
download: gentoo-cee394d24645d97a6904df90fd0ab960de4367ef.tar.gz
gentoo-cee394d24645d97a6904df90fd0ab960de4367ef.tar.bz2
gentoo-cee394d24645d97a6904df90fd0ab960de4367ef.zip
5 files changed, 24 insertions, 6 deletions
diff --git a/app-backup/bareos/bareos-18.2.10-r1.ebuild b/app-backup/bareos/bareos-18.2.10-r2.ebuild
index 996c4c35ce13..996c4c35ce13 100644
--- a/app-backup/bareos/bareos-18.2.10-r1.ebuild
+++ b/app-backup/bareos/bareos-18.2.10-r2.ebuild
diff --git a/app-backup/bareos/bareos-19.2.10-r1.ebuild b/app-backup/bareos/bareos-19.2.10-r2.ebuild
index a9e76afe1016..a9e76afe1016 100644
--- a/app-backup/bareos/bareos-19.2.10-r1.ebuild
+++ b/app-backup/bareos/bareos-19.2.10-r2.ebuild
diff --git a/app-backup/bareos/bareos-20.0.2-r1.ebuild b/app-backup/bareos/bareos-20.0.2-r2.ebuild
index edf65d1c2d93..edf65d1c2d93 100644
--- a/app-backup/bareos/bareos-20.0.2-r1.ebuild
+++ b/app-backup/bareos/bareos-20.0.2-r2.ebuild
diff --git a/app-backup/bareos/files/bareos-dir.initd b/app-backup/bareos/files/bareos-dir.initd
index 9f17f212e4a4..462ff07843a2 100644
--- a/app-backup/bareos/files/bareos-dir.initd
+++ b/app-backup/bareos/files/bareos-dir.initd
@@ -1,5 +1,5 @@
 #!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 depend() {
@@ -8,14 +8,23 @@ depend() {
 
 start() {
 	ebegin "Starting bareos director"
-	checkpath -d -m 0750 -o root:bareos /run/bareos
+	# g+w until #631598 is resolved
+	checkpath -d -m 0770 -o root:bareos /run/bareos
 	start-stop-daemon --start --quiet --exec /usr/sbin/bareos-dir \
 		-- ${DIR_OPTIONS}
+	# harden pid file until #631598 is resolved
+	ewaitfile 10 /run/bareos/bareos-dir.9101.pid
+	chown root:bareos /run/bareos/bareos-dir.9101.pid
 	eend $?
 }
 
 stop() {
 	ebegin "Stopping bareos director"
-	start-stop-daemon --stop --quiet --pidfile /run/bareos/bareos-dir.*.pid
+	# check pid file until #631598 is resolved
+	if [[ $(stat -c %U /run/bareos/bareos-dir.9101.pid) != "root" ]]; then
+		eerror "SECURITY ALERT: pid file is not root owned anymore?! (see #631598)"
+	else
+		start-stop-daemon --stop --quiet --pidfile /run/bareos/bareos-dir.9101.pid
+	fi
 	eend $?
 }
diff --git a/app-backup/bareos/files/bareos-sd.initd b/app-backup/bareos/files/bareos-sd.initd
index 4f7fbcb52bf2..97b9ccdc92f1 100644
--- a/app-backup/bareos/files/bareos-sd.initd
+++ b/app-backup/bareos/files/bareos-sd.initd
@@ -1,5 +1,5 @@
 #!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 depend() {
@@ -8,14 +8,23 @@ depend() {
 
 start() {
 	ebegin "Starting bareos storage daemon"
-	checkpath -d -m 0750 -o root:bareos /run/bareos
+	# g+w until #631598 is resolved
+	checkpath -d -m 0770 -o root:bareos /run/bareos
 	start-stop-daemon --start --quiet --exec /usr/sbin/bareos-sd \
 		-- ${SD_OPTIONS}
+	# harden pid file until #631598 is resolved
+	ewaitfile 10 /run/bareos/bareos-sd.9103.pid
+	chown root:bareos /run/bareos/bareos-sd.9103.pid
 	eend $?
 }
 
 stop() {
 	ebegin "Stopping bareos storage daemon"
-	start-stop-daemon --stop --quiet --pidfile /run/bareos/bareos-sd.*.pid 
+	# check pid file until #631598 is resolved
+	if [[ $(stat -c %U /run/bareos/bareos-sd.9103.pid) != "root" ]]; then
+		eerror "SECURITY ALERT: pid file is not root owned anymore?! (see #631598)"
+	else
+		start-stop-daemon --stop --quiet --pidfile /run/bareos/bareos-sd.9103.pid
+	fi
 	eend $?
 }
author	Marc Schiffbauer <mschiff@gentoo.org>	2021-09-06 01:58:41 -1000
committer	Marc Schiffbauer <mschiff@gentoo.org>	2021-09-06 01:59:24 -1000
commit	cee394d24645d97a6904df90fd0ab960de4367ef (patch)
tree	f4b27fd65f5c8eccb5398b6f2a5c3b6cda545d4e /app-backup/bareos
parent	dev-python/requests-kerberos: mark ALLARCHES (diff)
download	gentoo-cee394d24645d97a6904df90fd0ab960de4367ef.tar.gz gentoo-cee394d24645d97a6904df90fd0ab960de4367ef.tar.bz2 gentoo-cee394d24645d97a6904df90fd0ab960de4367ef.zip