On Wed Apr 15, 2020 at 04:18:56PM +0200, Eric Elena wrote:
> On Wed, 15 Apr 2020 08:51:35 +0200 Landry Breuil wrote:
> > On Wed, Apr 15, 2020 at 08:11:09AM +0200, Martin Reindl wrote:
> > > On Tue, Apr 14, 2020 at 04:51:38PM +0200, Martin Reindl wrote:
> > > > On 14.04.20 at 16:21, Stuart Henderson wrote:
> > > > > On 2020/04/14 15:59, Eric Elena wrote:
> > > > >> On Tue, 14 Apr 2020 14:38:37 +0100 Stuart Henderson wrote:
> > > > >>> On 2020/04/14 14:28, Kevin Chadwick wrote:
> > > > >>>> On 2020-04-14 14:15, Stuart Henderson wrote:
> > > > >>>>> my 2p: setting the directory 750 is a pain for tab completion,
> > > > >>>>> so if this is changed I think it would be better to set
> > > > >>>>> permissions on the sensitive files only.
> > > > >>>>
> > > > >>>> AFAIK /etc/grafana/config.ini is the only sensitive config file.
> > > > >>>> Though I have seen various other names for the configuration
> > > > >>>> file in documentation. The db dir is already secured.
> > > > >>>>
> > > > >>>
> > > > >>> ldap.toml too.
> > > > >>
> > > > >> I have a diff with stricter permissions for the directories and the
> > > > >> files. I wanted to send it with an update of loki that is taking
> > > > >> more time than expected. Note that for people who have modified
> > > > >> their config.ini: they will have to adjust the permissions.
> > > > >
> > > > > my 2p: setting the directory 750 is a pain for tab completion,
> > > > > so if this is changed I think it would be better to set permissions on
> > > > > the sensitive files only.
> > > > >
> > > > >
> > > >
> > > > I agree with Stuart here. So with my previous diff, it should be enough
> > > > to move the config.ini line to the end of the PLIST.
> > >
> > > Like this, OK?
> >
> > I'm not sure this will achieve what you want..
> > > > > > > share/examples/grafana/sample.ini > > > -@sample ${SYSCONFDIR}/grafana/config.ini > > > > <snip> > > > > > @group _grafana > > > @sample /var/grafana/ > > > @sample /var/log/grafana/ > > > +@sample ${SYSCONFDIR}/grafana/config.ini
> >
> > from my experience and understanding, @sample works in conjunction with
> > the previous entry for files:
> >
> > @sample filename
> >     Last preceding @file item is a sample configuration file, to be
> >     copied to filename at pkg_add(1) time and to be removed at
> >     pkg_delete(1) time.
> >
> > adding the @sample at the end of PLIST, I dunno what it will refer to,
> > but surely not share/examples/grafana/sample.ini
> >
> > so if you want to change perms/ownership on the sample.ini file, I
> > think you need something like
> >
> > share/examples/grafana/sample.ini
> > @mode 0640
> > @owner _grafana
> > @group _grafana
> > @sample ${SYSCONFDIR}/grafana/config.ini
> > @mode
> > @owner
> > @group
>
> I'm not sure why my mail didn't reach the list yesterday. Anyway here
> is a diff that sets permissions to 0755 on directories and 0640 on
> configuration files.
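Review bot: the re-added `+@sample ${SYSCONFDIR}/grafana/config.ini` at the end of the PLIST now sits after `@sample /var/log/grafana/` instead of directly under `share/examples/grafana/sample.ini`, so it is no longer tied to the sample file as its last preceding file entry, and no `@mode` is visible in the quoted lines to restrict the installed copy. Keep the `@sample` line immediately after `share/examples/grafana/sample.ini` and put `@mode 0640` and `@group _grafana` in front of it, followed by a bare `@mode` and `@group` to reset them for the entries that come after.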
This version works for me. OK rsadowski@
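
For the point made in the thread that people who have modified their config.ini will have to adjust the permissions themselves, here is a small check for an existing install. It is an added example, not part of the original thread or of the port; it assumes the two file names mentioned in the thread (config.ini and ldap.toml) and treats any "other" permission bit on them as too open, in line with the 0640 target.

```shell
#!/bin/sh
# Added example: audit a Grafana config directory against the modes discussed
# in the thread (sensitive files 0640, directory 0755).
# Ownership (group _grafana) is not checked here, only the mode bits.

# File names taken from the thread; extend if your install uses others.
SENSITIVE="config.ini ldap.toml"

# audit_grafana_etc DIR
# Prints one finding per line. Returns 0 when clean, 1 when something is
# more permissive than intended.
audit_grafana_etc() {
    dir=$1
    rc=0
    for name in $SENSITIVE; do
        f="$dir/$name"
        [ -e "$f" ] || continue        # e.g. ldap.toml may not exist
        # Flag the file if read, write or execute is granted to "other".
        if [ -n "$(find "$f" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]; then
            echo "TOO-OPEN $f"
            rc=1
        fi
    done
    # 0755 on the directory keeps tab completion working, but group or
    # world write would let others replace the config files.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "DIR-WRITABLE $dir"
        rc=1
    fi
    return $rc
}

# Usage on a real system (path as named in the thread):
#   audit_grafana_etc /etc/grafana
```
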