stricter config file permissions

Fixes: https://pagure.io/koji/issue/2124
Tomas Kopecek 2020-08-19 15:53:19 +02:00
parent ff055ada11
commit e72a7be0a1
4 changed files with 24 additions and 4 deletions

@ -648,6 +648,7 @@ Configuration Files
-------------------
* ``/etc/koji-hub/hub.conf``
* ``/etc/koji-hub/hub.conf.d/*``
* ``/etc/httpd/conf/httpd.conf``
* ``/etc/httpd/conf.d/kojihub.conf``
* ``/etc/httpd/conf.d/ssl.conf`` (when using ssl auth)
@ -766,6 +767,16 @@ Apache to connect to the remote PostgreSQL server::
root@localhost$ setsebool -P httpd_can_network_connect_db=1
Note, that database connection parameters (password) are sensitive values.
Config is installed by default with 0640 root/apache file permissions. If you're
not installing hub from rpm double-check these permissions.
Furthermore, you can install any config file in ``/etc/koji-hub/hub.conf.d``
directory. These files are read *at first* and main config is allowed to
override all these values. So, you can use e.g.
``/etc/koji-hub/hub.conf.d/secret.conf`` for sensitive values. Typical usecase
for separate config is :doc:`policy <defining_hub_policies>` configuration file.
Authentication Configuration
----------------------------
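Review bot: the sentence "Config is installed by default with 0640 root/apache file permissions" covers only ``hub.conf``, yet the next paragraph steers sensitive values into ``/etc/koji-hub/hub.conf.d/secret.conf``; the spec hunk in this same commit only adds ``%attr(0640, root, apache)`` to ``hub.conf`` and ``kojihub.conf`` and leaves ``%dir /etc/koji-hub/hub.conf.d`` without an attribute, so a file an admin drops there gets whatever mode the admin's umask produces. Say explicitly that every file in ``hub.conf.d`` must be created with the same 0640 root/apache permissions as ``hub.conf``, or the recommendation moves the secret from a protected file into an unprotected one. Minor wording: "Note, that" should be "Note that", "usecase" should be "use case", and "rpm" is normally written "RPM".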
@ -914,6 +925,7 @@ Configuration Files
* ``/etc/httpd/conf.d/kojiweb.conf``
* ``/etc/httpd/conf.d/ssl.conf``
* ``/etc/kojiweb/web.conf``
* ``/etc/kojiweb/web.conf.d/*``
Install Koji-Web
----------------
@ -973,7 +985,14 @@ it should use to access the hub, the koji packages and its own web interface.
You will also need to tell kojiweb where it can find the SSL certificates for
each of these components. If you are using SSL authentication, the "WebCert"
line below must contain both the public **and** private key. You will also want
to change the last line in the example below to a unique password.
to change the last line in the example below to a unique password. Also check
the file permissions (due to Secret value) if you're not installing koji web
from rpm (0640, root/apache by default).
Furthermore, you can install any config file in ``/etc/kojiweb/web.conf.d``
directory. These files are read *at first* and main config is allowed to
override all these values. So, you can use e.g.
``/etc/kojiweb/web.conf.d/secret.conf`` for sensitive values.
::
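Review bot: the added sentence states that ``web.conf`` is "0640, root/apache by default", but the only spec change in this commit touches the hub files; confirm that the ``%files web`` section already carries ``%attr(0640, root, apache)`` for ``/etc/kojiweb/web.conf`` (and ``kojiweb.conf``), otherwise the howto promises a default the package does not deliver. The parenthetical "(due to Secret value)" is unclear; suggest "because the file holds the ``Secret`` value". The same caveat as for the hub applies to ``/etc/kojiweb/web.conf.d/secret.conf``: the docs should say the admin must set 0640 root/apache on files created there, since the package cannot do it for them.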

@ -11,6 +11,7 @@ DBName = koji
DBUser = koji
#DBHost = db.example.com
#DBPort = 5432
#Note, that db password is sensitive and this file shouldn't be publicly readable.
#DBPass = example_password
KojiDir = /mnt/koji
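Review bot: "shouldn't be publicly readable" leaves the expected mode unstated, and "Note, that" is ungrammatical; suggest ``# Note that the DB password is sensitive: keep this file readable only by root and the apache user (0640 root/apache).`` It would also help to mention here that sensitive values can instead live in ``/etc/koji-hub/hub.conf.d/secret.conf``, as the documentation change in this commit recommends, so the config template and the howto give the same guidance.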

@ -500,9 +500,9 @@ rm -rf $RPM_BUILD_ROOT
%if 0%{py3_support} > 1
%files hub
%config(noreplace) /etc/httpd/conf.d/kojihub.conf
%config(noreplace) %attr(0640, root, apache) /etc/httpd/conf.d/kojihub.conf
%dir /etc/koji-hub
%config(noreplace) /etc/koji-hub/hub.conf
%config(noreplace) %attr(0640, root, apache) /etc/koji-hub/hub.conf
%dir /etc/koji-hub/hub.conf.d
%{_sbindir}/koji-sweep-db
%if %{use_systemd}
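Review bot: the two ``%attr(0640, root, apache)`` lines are added only inside the ``%if 0%{py3_support} > 1`` branch shown in the context; the other branch of that conditional has its own ``%files hub`` list and needs the same attributes, or builds taking that branch keep installing ``hub.conf`` with the default (typically 0644) mode. Also, ``%dir /etc/koji-hub/hub.conf.d`` receives no ``%attr``; since the documentation in this commit directs secrets into that directory, consider ``%attr(0750, root, apache)`` on the directory so that listing and traversal are limited to the same two principals as the main config.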

@ -21,7 +21,7 @@ KojiFilesURL = http://server.example.com/kojifiles
LoginTimeout = 72
# This must be changed and uncommented before deployment
# This must be CHANGED to random value and uncommented before deployment
# Secret = CHANGE_ME
LibPath = /usr/share/koji-web/lib
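Review bot: the reworded comment says the value must be random but still says nothing about file permissions, while the ``hub.conf`` template in this same commit gains such a note; add a matching line above ``Secret`` (e.g. ``# This file holds a secret and must not be world-readable: 0640 root/apache``) so both config templates carry the same guidance. Consider also stating how long the random value should be, since "random value" alone gives the admin no target.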