authorMichael Orlitzky <mjo@gentoo.org>2017-08-16 01:15:21 -0400
committerMichael Orlitzky <mjo@gentoo.org>2017-08-16 01:15:21 -0400
commit5b41b4fb3fc10a2b4046fb2c8c97d9b824505f20 (patch)
tree5faa235c2925a14c716d51ce1d57b67da9fd87e1 /dev-db/pgagent
parentapp-forensics/sleuthkit: add github remote (diff)
dev-db/pgagent: new revision with a dedicated "pgagent" user.
The pgagent daemon used to run as root, which can be dangerous. That system user is used to execute the database jobs, meaning that a non-root user with permission to schedule pgagent jobs could gain root. This new revision creates a dedicated "pgagent" system user, and the new init script launches the daemon as that user. An ewarn lets users know that some migration work may be needed. Gentoo-Bug: 537264 Package-Manager: Portage-2.3.6, Repoman-2.3.1
Diffstat (limited to 'dev-db/pgagent')
-rw-r--r--dev-db/pgagent/files/pgagent.initd-r131
-rw-r--r--dev-db/pgagent/pgagent-3.4.0-r2.ebuild69
2 files changed, 100 insertions, 0 deletions
diff --git a/dev-db/pgagent/files/pgagent.initd-r1 b/dev-db/pgagent/files/pgagent.initd-r1
new file mode 100644
index 000000000000..a555006d3bd2
--- /dev/null
+++ b/dev-db/pgagent/files/pgagent.initd-r1
@@ -0,0 +1,31 @@
+#!/sbin/openrc-run
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+command="/usr/bin/pgagent"
+command_user="pgagent"
+
+# If pgagent daemonizes itself, it won't write a PID file and
+# we have to work a little harder to stop() it. So let it run
+# in the foreground, and have OpenRC manage its PID file.
+command_args="-f
+ -t ${PGA_POLL}
+ -r ${PGA_RETRY}
+ -s ${PGA_LOG}
+ -l ${PGA_LEVEL}
+ hostaddr=${PG_HOST}
+ dbname=${PG_DBNAME}
+ user=${PG_USER}"
+
+command_background="true"
+pidfile="/run/pgagent.pid"
+
+depend() {
+ use net
+ need postgresql
+}
+
+start_pre() {
+ # The log file needs to be writable by the daemon user.
+ checkpath --file --owner root:pgagent --mode 0660 "${PGA_LOG}"
+}
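Review bot: `checkpath --file --owner root:pgagent` in start_pre() needs a `pgagent` group to exist, but the ebuild in this commit only calls `enewuser pgagent -1 /bin/bash /home/pgagent`, with no groups argument and no `enewgroup` call. Whether a same-named group is created then presumably depends on the host's useradd defaults, so on some systems start_pre() could fail and the daemon would not start. Creating the group explicitly in pkg_preinst() removes that dependency: `enewgroup pgagent` followed by `enewuser pgagent -1 /bin/bash /home/pgagent pgagent`.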
diff --git a/dev-db/pgagent/pgagent-3.4.0-r2.ebuild b/dev-db/pgagent/pgagent-3.4.0-r2.ebuild
new file mode 100644
index 000000000000..9f44b6fff0f9
--- /dev/null
+++ b/dev-db/pgagent/pgagent-3.4.0-r2.ebuild
@@ -0,0 +1,69 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+CMAKE_IN_SOURCE_BUILD=1
+WX_GTK_VER="3.0"
+
+inherit cmake-utils user wxwidgets
+
+MY_PN=${PN/a/A}
+
+KEYWORDS="~amd64 ~x86"
+
+DESCRIPTION="${MY_PN} is a job scheduler for PostgreSQL"
+HOMEPAGE="http://www.pgadmin.org/download/pgagent.php"
+SRC_URI="mirror://postgresql/pgadmin3/release/${PN}/${MY_PN}-${PV}-Source.tar.gz"
+LICENSE="POSTGRESQL GPL-2"
+SLOT="0"
+IUSE=""
+
+RDEPEND="dev-db/postgresql:*
+ x11-libs/wxGTK:${WX_GTK_VER}"
+DEPEND="${RDEPEND}"
+
+S="${WORKDIR}/${MY_PN}-${PV}-Source"
+
+src_prepare() {
+ default
+ sed -e "s:share):share/${P}):" \
+ -i CMakeLists.txt || die "failed to patch CMakeLists.txt"
+ sed -i -e '/SET(WX_VERSION "2.8")/d' CMakeLists.txt || die
+}
+
+src_configure() {
+ if has_version "x11-libs/wxGTK[X]"; then
+ need-wxwidgets unicode
+ else
+ need-wxwidgets base-unicode
+ fi
+ mycmakeargs=( "-DSTATIC_BUILD:BOOLEAN=FALSE"
+ "-DWX_VERSION=${WX_GTK_VER}" )
+ cmake-utils_src_configure
+}
+
+src_install() {
+ cmake-utils_src_install
+
+ newinitd "${FILESDIR}/pgagent.initd-r1" "${PN}"
+ newconfd "${FILESDIR}/pgagent.confd" "${PN}"
+
+ rm "${ED}"/usr/{LICENSE,README} || die "failed to remove useless docs"
+}
+
+pkg_preinst() {
+ # This user needs a real shell, and the daemon will use the
+ # ~/.pgpass file from its home directory.
+ enewuser pgagent -1 /bin/bash /home/pgagent
+}
+
+pkg_postinst() {
+ if [[ -n "${REPLACING_VERSIONS}" ]]; then
+ # This warning can be removed around a year after this version
+ # goes stable.
+ ewarn 'pgAgent now runs as a dedicated "pgagent" user (as'
+ ewarn 'opposed to root). You may need to move your /root/.pgpass'
+ ewarn 'file to /home/pgagent/.pgpass, and the new user will'
+ ewarn 'need permissions on any paths that it will access.'
+ fi
+}
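Review bot: The migration warning in pkg_postinst() tells admins to move /root/.pgpass to /home/pgagent/.pgpass but says nothing about ownership or mode. A file moved out of /root normally stays owned by root, so the pgagent user cannot read it, and libpq ignores a .pgpass that is readable by group or others. Without that hint the daemon may fail to authenticate, and an admin may loosen permissions on the credentials file to get it working. I would reword the last two lines to `ewarn 'file to /home/pgagent/.pgpass, make it owned by pgagent with'` and `ewarn 'mode 0600, and grant the new user access to any paths it uses.'`.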