On Wed Apr 15, 2020 at 04:18:56PM +0200, Eric Elena wrote:
> On Wed, 15 Apr 2020 08:51:35 +0200 Landry Breuil wrote:
> > On Wed, Apr 15, 2020 at 08:11:09AM +0200, Martin Reindl wrote:
> > > On Tue, Apr 14, 2020 at 04:51:38PM +0200, Martin Reindl wrote:
> > > > Am 14.04.20 um 16:21 schrieb Stuart Henderson:
> > > > > On 2020/04/14 15:59, Eric Elena wrote:
> > > > >> On Tue, 14 Apr 2020 14:38:37 +0100 Stuart Henderson wrote:
> > > > >>> On 2020/04/14 14:28, Kevin Chadwick wrote:
> > > > >>>> On 2020-04-14 14:15, Stuart Henderson wrote:
> > > > >>>>> my 2p: setting the directory 750 is a pain for tab completion,
> > > > >>>>> so if this is changed I think it would be better to set
> > > > >>>>> permissions on
> > > > >>>>> the sensitive files only.
> > > > >>>>
> > > > >>>> AFAIK /etc/grafana/config.ini is the only sensitive config file.
> > > > >>>> Though I have
> > > > >>>> seen various other names for the configuration file in
> > > > >>>> documentation. The db dir
> > > > >>>> is already secured.
> > > > >>>>
> > > > >>>
> > > > >>> ldap.toml too.
> > > > >>
> > > > >> I have a diff with stricter permissions for the directories and the
> > > > >> files. I wanted to send it with an update of loki that is taking
> > > > >> more time than expected. Note that for people who have modified
> > > > >> their config.ini: they will have to adjust the permissions.
> > > > >
> > > > > my 2p: setting the directory 750 is a pain for tab completion,
> > > > > so if this is changed I think it would be better to set permissions on
> > > > > the sensitive files only.
> > > > >
> > > >
> > > > I agree with Stuart here. So with my previous diff, it should be enough
> > > > to move the config.ini line to the end of the PLIST.
> > >
> > > Like this, OK?
> >
> > Im not sure this will achieve what you want..
> >
> >
> > > share/examples/grafana/sample.ini
> > > -@sample ${SYSCONFDIR}/grafana/config.ini
> >
> > <snip>
> >
> > > @group _grafana
> > > @sample /var/grafana/
> > > @sample /var/log/grafana/
> > > +@sample ${SYSCONFDIR}/grafana/config.ini
> >
> > from my experience and understanding, @sample works in conjunction with
> > the previous entry for files:
> >
> > @sample filename
> > Last preceding @file item is a sample configuration file, to be
> > copied to filename at pkg_add(1) time and to be removed at
> > pkg_delete(1) time.
> >
> > adding the @sample at the end of PLIST, i dunno what it will refer to,
> > but surely not share/examples/grafana/sample.ini
> >
> > so if you want the change perms/ownership on the sample.ini file, i
> > think you need something like
> >
> > share/examples/grafana/sample.ini
> > @mode 0640
> > @owner _grafana
> > @group _grafana
> > @sample ${SYSCONFDIR}/grafana/config.ini
> > @mode
> > @owner
> > @group
>
> I'm not sure why my mail didn't reach the list yesterday. Anyway here
> is a diff that sets permissions to 0755 on directories and 0640 on
> configuration files.
This version works for me. OK rsadowski@
