git: 621d9c9f594a - main - sysutils/zrepl: /var/run/zrepl should not be world-readable
Lewis Cook
lcook at FreeBSD.org
Tue Jun 8 15:18:41 UTC 2021
The branch main has been updated by lcook:
URL: https://cgit.FreeBSD.org/ports/commit/?id=621d9c9f594a0f7d049cb44dab25efed81c35c91
commit 621d9c9f594a0f7d049cb44dab25efed81c35c91
Author: Lewis Cook <lcook at FreeBSD.org>
AuthorDate: 2021-06-08 15:09:48 +0000
Commit: Lewis Cook <lcook at FreeBSD.org>
CommitDate: 2021-06-08 15:17:27 +0000
sysutils/zrepl: /var/run/zrepl should not be world-readable
This partially reverts commit 2a866a1, and instead installs
the pidfile to /var/run/zrepl.pid fixing the problem seen in
PR 255981.
As taken from the zrepl documentation[1]:
[....]
The zrepl daemon needs to open various UNIX sockets in a runtime directory:
a control socket that the CLI commands use to interact with the daemon
the ssh+stdinserver Transport listener opens one socket per configured
client, named after client_identity parameter
There is no authentication on these sockets except the UNIX permissions.
The zrepl daemon will refuse to bind any of the above sockets in a
directory that is world-accessible.
[....]
[1] https://zrepl.github.io/configuration/misc.html#runtime-directories-unix-sockets
PR: 256472
Reported by: Raúl <raul.munoz at custos.es>
---
sysutils/zrepl/Makefile | 2 +-
sysutils/zrepl/files/zrepl.in | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/sysutils/zrepl/Makefile b/sysutils/zrepl/Makefile
index 124fc8f2eff4..23b3cc16c683 100644
--- a/sysutils/zrepl/Makefile
+++ b/sysutils/zrepl/Makefile
@@ -3,7 +3,7 @@
PORTNAME= zrepl
DISTVERSIONPREFIX= v
DISTVERSION= 0.4.0
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= sysutils
MAINTAINER= lcook at FreeBSD.org
diff --git a/sysutils/zrepl/files/zrepl.in b/sysutils/zrepl/files/zrepl.in
index 57a4d48ce0b6..095a43f0d610 100644
--- a/sysutils/zrepl/files/zrepl.in
+++ b/sysutils/zrepl/files/zrepl.in
@@ -40,7 +40,7 @@ load_rc_config $name
: ${zrepl_priority:="alert"}
: ${zrepl_options:="${zrepl_flags} --config ${zrepl_config}"}
-pidfile="/var/run/zrepl/daemon.pid"
+pidfile="/var/run/zrepl.pid"
command="/usr/sbin/daemon"
procname="%%PREFIX%%/bin/zrepl"
command_args="-p ${pidfile} %%DAEMON_LOGGING%% ${procname} ${zrepl_options} daemon"
@@ -54,8 +54,8 @@ extra_commands="configtest"
zrepl_precmd()
{
if [ ! -d "/var/run/zrepl/stdinserver" ]; then
- install -d -g ${zrepl_group} -o ${zrepl_user} -m 0755 -- "/var/run/zrepl";
- install -d -g ${zrepl_group} -o ${zrepl_user} -m 0755 -- "/var/run/zrepl/stdinserver";
+ install -d -g ${zrepl_group} -o ${zrepl_user} -m 0700 -- "/var/run/zrepl";
+ install -d -g ${zrepl_group} -o ${zrepl_user} -m 0700 -- "/var/run/zrepl/stdinserver";
fi
if [ ! -e "${pidfile}" ]; then
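Review bot: The `if [ ! -d "/var/run/zrepl/stdinserver" ]` guard in zrepl_precmd means the new 0700 mode is applied only when the directories are first created. On a host where the previous port revision already created them with 0755, the test is false and both `install -d` lines are skipped, so the directories would presumably stay world-readable after the upgrade and, per the documentation quoted in the commit message, the daemon would refuse to bind its sockets there. Consider running the two `install -d ... -m 0700` lines unconditionally (install -d should re-apply owner and mode to an existing directory, which is worth confirming), or adding `chmod 0700 "/var/run/zrepl" "/var/run/zrepl/stdinserver"` after the `fi`. The body of zrepl_precmd continues past the end of the hunk, so a fix-up in the lines not shown cannot be ruled out.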