diff options
author | Michael Orlitzky <mjo@gentoo.org> | 2017-08-16 01:15:21 -0400 |
---|---|---|
committer | Michael Orlitzky <mjo@gentoo.org> | 2017-08-16 01:15:21 -0400 |
commit | 5b41b4fb3fc10a2b4046fb2c8c97d9b824505f20 (patch) | |
tree | 5faa235c2925a14c716d51ce1d57b67da9fd87e1 /dev-db/pgagent | |
parent | app-forensics/sleuthkit: add github remote (diff) | |
download | gentoo-5b41b4fb3fc10a2b4046fb2c8c97d9b824505f20.tar.gz gentoo-5b41b4fb3fc10a2b4046fb2c8c97d9b824505f20.tar.bz2 gentoo-5b41b4fb3fc10a2b4046fb2c8c97d9b824505f20.zip |
dev-db/pgagent: new revision with a dedicated "pgagent" user.
The pgagent daemon used to run as root, which can be dangerous. That
system user is used to execute the database jobs, meaning that a
non-root user with permission to schedule pgagent jobs could gain
root. This new revision creates a dedicated "pgagent" system user,
and the new init script launches the daemon as that user.
An ewarn lets users know that some migration work may be needed.
Gentoo-Bug: 537264
Package-Manager: Portage-2.3.6, Repoman-2.3.1
Diffstat (limited to 'dev-db/pgagent')
-rw-r--r-- | dev-db/pgagent/files/pgagent.initd-r1 | 31 | ||||
-rw-r--r-- | dev-db/pgagent/pgagent-3.4.0-r2.ebuild | 69 |
2 files changed, 100 insertions, 0 deletions
diff --git a/dev-db/pgagent/files/pgagent.initd-r1 b/dev-db/pgagent/files/pgagent.initd-r1 new file mode 100644 index 000000000000..a555006d3bd2 --- /dev/null +++ b/dev-db/pgagent/files/pgagent.initd-r1 @@ -0,0 +1,31 @@ +#!/sbin/openrc-run +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +command="/usr/bin/pgagent" +command_user="pgagent" + +# If pgagent daemonizes itself, it won't write a PID file and +# we have to work a little harder to stop() it. So let it run +# in the foreground, and have OpenRC manage its PID file. +command_args="-f + -t ${PGA_POLL} + -r ${PGA_RETRY} + -s ${PGA_LOG} + -l ${PGA_LEVEL} + hostaddr=${PG_HOST} + dbname=${PG_DBNAME} + user=${PG_USER}" + +command_background="true" +pidfile="/run/pgagent.pid" + +depend() { + use net + need postgresql +} + +start_pre() { + # The log file needs to be writable by the daemon user. + checkpath --file --owner root:pgagent --mode 0660 "${PGA_LOG}" +} diff --git a/dev-db/pgagent/pgagent-3.4.0-r2.ebuild b/dev-db/pgagent/pgagent-3.4.0-r2.ebuild new file mode 100644 index 000000000000..9f44b6fff0f9 --- /dev/null +++ b/dev-db/pgagent/pgagent-3.4.0-r2.ebuild @@ -0,0 +1,69 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 +CMAKE_IN_SOURCE_BUILD=1 +WX_GTK_VER="3.0" + +inherit cmake-utils user wxwidgets + +MY_PN=${PN/a/A} + +KEYWORDS="~amd64 ~x86" + +DESCRIPTION="${MY_PN} is a job scheduler for PostgreSQL" +HOMEPAGE="http://www.pgadmin.org/download/pgagent.php" +SRC_URI="mirror://postgresql/pgadmin3/release/${PN}/${MY_PN}-${PV}-Source.tar.gz" +LICENSE="POSTGRESQL GPL-2" +SLOT="0" +IUSE="" + +RDEPEND="dev-db/postgresql:* + x11-libs/wxGTK:${WX_GTK_VER}" +DEPEND="${RDEPEND}" + +S="${WORKDIR}/${MY_PN}-${PV}-Source" + +src_prepare() { + default + sed -e "s:share):share/${P}):" \ + -i CMakeLists.txt || die "failed to patch CMakeLists.txt" + sed -i -e '/SET(WX_VERSION "2.8")/d' CMakeLists.txt || die +} + +src_configure() { + if has_version "x11-libs/wxGTK[X]"; then + need-wxwidgets unicode + else + need-wxwidgets base-unicode + fi + mycmakeargs=( "-DSTATIC_BUILD:BOOLEAN=FALSE" + "-DWX_VERSION=${WX_GTK_VER}" ) + cmake-utils_src_configure +} + +src_install() { + cmake-utils_src_install + + newinitd "${FILESDIR}/pgagent.initd-r1" "${PN}" + newconfd "${FILESDIR}/pgagent.confd" "${PN}" + + rm "${ED}"/usr/{LICENSE,README} || die "failed to remove useless docs" +} + +pkg_preinst() { + # This user needs a real shell, and the daemon will use the + # ~/.pgpass file from its home directory. + enewuser pgagent -1 /bin/bash /home/pgagent +} + +pkg_postinst() { + if [[ -n "${REPLACING_VERSIONS}" ]]; then + # This warning can be removed around a year after this version + # goes stable. + ewarn 'pgAgent now runs as a dedicated "pgagent" user (as' + ewarn 'opposed to root). You may need to move your /root/.pgpass' + ewarn 'file to /home/pgagent/.pgpass, and the new user will' + ewarn 'need permissions on any paths that it will access.' + fi +} |