Merge pull request #1040 from SUSE/fix_rmt_service_file_permissions

Fix: Set correct user for service and cli
SUSE · Dec 7, 2023 · f89f337 · f89f337
2 parents f8da43c + d4d7485
commit f89f337
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 4 deletions.
diff --git a/package/files/nginx/nginx-http.conf b/package/files/nginx/nginx-http.conf
@@ -25,6 +25,10 @@ server {
         # return 301 https://$host$request_uri;
     }
 
+    location /public/tools {
+        autoindex on;
+    }
+
     location /suma {
         autoindex on;
     }

diff --git a/package/files/nginx/nginx-https.conf b/package/files/nginx/nginx-https.conf
@@ -28,6 +28,10 @@ server {
         try_files $uri @rmt_app;
     }
 
+    location /public/tools {
+        autoindex on;
+    }
+
     location /suma {
         autoindex on;
     }

diff --git a/package/files/update_rmt_app_dir_permissions.sh b/package/files/update_rmt_app_dir_permissions.sh
@@ -16,3 +16,17 @@ if [[ $app_dir_ownership == "_rmt nginx" ]]; then
 
   find -P $app_dir -type f -user _rmt -group nginx | xargs -I {} chown -h root:root {}
 fi
+
+# Change secrets encrypted and key files to nginx readable
+secret_key_files=('config/secrets.yml.key' 'config/secrets.yml.enc')
+
+for secretFile in $secret_key_files; do
+  file_path="$app_dir/$secretFile"
+  if [[ -e $file_path ]]; then
+    if [[ "$(stat -c "%U %G" $file_path)" == "root root" ]]; then
+      chmod 0640 $file_path
+      chown -h root:nginx $file_path
+    fi
+  fi
+
+done
diff --git a/package/obs/rmt-server.changes b/package/obs/rmt-server.changes
@@ -9,6 +9,7 @@ Wed Oct 04 13:23:00 UTC 2023 - Felix Schnizlein <[email protected]>
 - Version 2.15:
   * Moving system hardware information to systems database table to
     allow transmitting system information dynamically. (jsc#PED-3734)
+  * Fix secrets access for server user (bsc#1215176)
 
 -------------------------------------------------------------------
 Thu Jun 06 15:44:00 UTC 2023 - Luís Caparroz <[email protected]>

diff --git a/package/obs/rmt-server.spec b/package/obs/rmt-server.spec
@@ -240,6 +240,7 @@ chrpath -d %{buildroot}%{lib_dir}/vendor/bundle/ruby/*/extensions/*/*/mysql2-*/m
 
 %files
 %attr(0755,root,root) %{app_dir}
+%attr(0755,root,root) %{app_dir}/public/tools
 %exclude %{app_dir}/engines/
 %exclude %{app_dir}/package/
 %exclude %{app_dir}/rmt/tmp
@@ -253,8 +254,8 @@ chrpath -d %{buildroot}%{lib_dir}/vendor/bundle/ruby/*/extensions/*/*/mysql2-*/m
 %ghost %{_datadir}/rmt/public/suma
 
 # The secrets file is created by running the initial rake tasks in the `post` section
-%ghost %{app_dir}/config/secrets.yml.key
-%ghost %{app_dir}/config/secrets.yml.enc
+%ghost %attr(0640,root,%{rmt_group}) %{app_dir}/config/secrets.yml.key
+%ghost %attr(0640,root,%{rmt_group}) %{app_dir}/config/secrets.yml.enc
 
 %dir %{_sysconfdir}/slp.reg.d
 %config(noreplace) %attr(0640, %{rmt_user}, root) %{_sysconfdir}/rmt.conf
@@ -320,8 +321,12 @@ getent passwd %{rmt_user} >/dev/null || \
 
 %post
 %service_add_post rmt-server.target rmt-server.service rmt-server-migration.service rmt-server-mirror.service rmt-server-sync.service rmt-server-systems-scc-sync.service
-cd %{_datadir}/rmt && bin/rails rmt:secrets:create_encryption_key >/dev/null RAILS_ENV=production && \
-cd %{_datadir}/rmt && bin/rails rmt:secrets:create_secret_key_base >/dev/null RAILS_ENV=production && \
+
+# Rails by default creates `secrets.yml.key` with `0600` file mode, see here
+# https://github.com/rails/rails/blob/6-0-stable/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
+cd %{_datadir}/rmt && runuser -u root -g %{rmt_group} -- bin/rails rmt:secrets:create_encryption_key >/dev/null RAILS_ENV=production && \
+cd %{_datadir}/rmt && runuser -u root -g %{rmt_group} -- bin/rails rmt:secrets:create_secret_key_base >/dev/null RAILS_ENV=production && \
+
 # Run only on install
 if [ $1 -eq 1 ]; then
   echo "Please run the YaST RMT module (or 'yast2 rmt' from the command line) to complete the configuration of your RMT" >> /dev/stdout