On Thu, 12 Mar 2020 19:27:17 +0100 Landry Breuil wrote:
> On Wed, Mar 11, 2020 at 02:46:38PM +0000, Kevin Chadwick wrote:
> > Thank you for updating the Grafana port.
> > 
> > The /etc/grafana/custom.ini contains a default key and can contain 
> > passwords.
> > 
> > These are public knowledge but may be changed and better to be secure by 
> > default.
> > 
> > https://github.com/grafana/grafana/pull/2306
> > https://github.com/grafana/grafana/issues/2126
> > 
> > Could the recent import be edited to do similar or at least for custom.ini?
> > 
> > IOW
> > Set files in /etc/grafana to mode 0640 and group ownership to _grafana
> > 
> > They are currently root:wheel 0644 in the previous and most recent 6.2.2 pkg
> 
> Are you thinking about it for /etc/grafana/* or only config.ini? Maybe the
> dir itself could be root:_grafana 0750...

If I read correctly, commit 2306 changes the ownership of the directory 
/etc/grafana from root:root to root:$grafana_user and sets mode 640 to all the 
files in this directory. Directory itself is set to 755. Note that this is only 
for the .deb and .rpm provided by upstream.
There is also commit 2528 that sets umask to 0027 (mode 0640 for files, 0750 
for directories) for new files and directories that are created by the binary 
like the database. This is only for the .deb.
Changing /etc/grafana to root:_grafana 750 looks reasonable, I'll try to send a 
diff soon. v6.7.0-beta1 was released a few hours ago, maybe the fix can go with 
v6.7.0 as well.

> Landry
> 
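
Added example, not part of the original message and not the port's or upstream's packaging code: a shell check for the layout discussed in this thread (directory 0750, files 0640, umask 0027 for newly created entries), run against a throwaway directory that stands in for /etc/grafana. The function names, the sample file contents and the temporary paths are assumptions, and applying 0750 to subdirectories goes slightly beyond the single directory the thread mentions.

```shell
#!/bin/sh
# Added example: constructed paths, not the OpenBSD port's or upstream's packaging code.

# Print every non-symlink entry at or below $1 that grants any bit to "other".
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Symbolic mode string of $1 (e.g. -rw-r-----); works with GNU and BSD ls.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Directories to 0750, regular files to 0640. Optional $2 is the group to
# assign (for example _grafana); assigning a group you are not in needs root.
restrict_config_dir() {
    dir=$1
    group=${2:-}
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir" || return 1
    fi
    find "$dir" -type d -exec chmod 0750 {} + &&
        find "$dir" -type f -exec chmod 0640 {} +
}

# Demonstration on a throwaway directory standing in for /etc/grafana.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/grafana"
    # Constructed sample content, not a real credential.
    printf 'password = constructed-sample\n' > "$tmp/grafana/custom.ini"
    chmod 0755 "$tmp/grafana"
    chmod 0644 "$tmp/grafana/custom.ini"
    echo "world-accessible before:"
    world_accessible "$tmp/grafana"
    restrict_config_dir "$tmp/grafana"
    echo "world-accessible after: $(world_accessible "$tmp/grafana" | wc -l)"
    # Files and directories created under umask 0027 start out restricted.
    ( umask 0027; : > "$tmp/grafana/new.db"; mkdir "$tmp/grafana/sub" )
    echo "new.db $(mode_of "$tmp/grafana/new.db"), sub $(mode_of "$tmp/grafana/sub")"
    rm -rf "$tmp"
}

demo
```

On a real system, pass the service group as the second argument to restrict_config_dir and run it as root.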
