Commit 0f25a298 authored by Andrew Lee's avatar Andrew Lee

Move permission adjustment into maintainer script and fix permissions

for upgrade

Move permission adjustment from rake-tasks.sh into obs-api.postinst
script and fix permissions for upgrade. (Closes: #926198)
Signed-off-by: 's avatarAndrew Lee (李健秋) <andrew.lee@collabora.co.uk>
parent 8fac779a
open-build-service (2.9.4-3) UNRELEASED; urgency=medium
[ Lucas Kanashiro ]
* Add patch to publish Debian upstream tarball signatures to the
repositories
* Add patch to publish Ubuntu ddeb files to the repositories
......@@ -10,7 +11,11 @@ open-build-service (2.9.4-3) UNRELEASED; urgency=medium
* Add patch to fix the database migration.
Limit the size of a VARCHAR to not extrapolate the number of bytes allocated.
-- Lucas Kanashiro <kanashiro@debian.org> Mon, 08 Apr 2019 09:33:51 -0300
[ Andrew Lee (李健秋) ]
* Move permission adjustment from rake-tasks.sh into obs-api.postinst
script and fix permissions for upgrade. (Closes: #926198)
-- Andrew Lee (李健秋) <ajqlee@debian.org> Tue, 09 Apr 2019 12:25:55 +0800
open-build-service (2.9.4-2) unstable; urgency=medium
......
......@@ -47,6 +47,12 @@ else
chown obsapi:www-data $SECRET_KEY
fi
# Generate production.sphinx.conf and set owner www-data
if [ ! -x /etc/obs/api/config/production.sphinx.conf ]; then
touch /etc/obs/api/config/production.sphinx.conf
chown www-data.www-data /etc/obs/api/config/production.sphinx.conf
fi
# Generate log files
touch /var/log/obs/access.log
touch /var/log/obs/backend_access.log
......@@ -59,8 +65,15 @@ fi
touch /var/log/obs/production.sphinx.pid
touch /var/log/obs/clockworkd.clock.output
chown -R www-data:www-data /var/log/obs
chown -R www-data:www-data /var/cache/obs/tmp
# Refine permissions for log and tmp
chown -R obsapi.www-data /var/log/obs
chown -R obsapi.www-data /var/cache/obs/tmp
# Grand www-data write access to the tmp folder
chmod -R g+w /var/cache/obs/tmp
# Set permissions for obsapi-*.service files as these runs as www-data
chown www-data.www-data /var/cache/obs/tmp/pids
# Config Database with dbconfig-common
. /usr/share/debconf/confmodule
......@@ -70,6 +83,10 @@ dbc_generate_include_args="-o template_infile=/usr/share/obs/api/config/database
dbc_generate_include_owner=www-data
dbc_go obs-api $@
# Secure database password
chown obsapi.www-data /etc/obs/api/config/database.yml
chmod 0440 /etc/obs/api/config/database.yml
# Test whether a2ensite is available (and thus also apache2ctl).
if [ -x "$(command -v a2ensite)" ]; then
# Enable the obs site
......
......@@ -18,24 +18,6 @@ reload_apache()
case "$1" in
setup)
# Refine permissions for rails app.
chown www-data:root /usr/share/obs/api/config/environment.rb
chown -R www-data:www-data /var/log/obs/
chown -R www-data:www-data /var/cache/obs/tmp/
chown obsapi:www-data /var/cache/obs/tmp/
chmod 775 /var/cache/obs/tmp/
chown -R www-data:www-data /usr/share/obs/api/db
chown -R www-data:www-data /usr/share/obs/api/public
if [ ! -x /etc/obs/api/config/production.sphinx.conf ]; then
touch /etc/obs/api/config/production.sphinx.conf
fi
chown www-data:www-data /etc/obs/api/config/production.sphinx.conf
chmod 664 /var/log/obs/*.log
chown obsapi:www-data /etc/obs/api/config/database.yml
chmod 440 /etc/obs/api/config/database.yml
chown obsapi:www-data /var/log/obs/backend_access.log
chown obsapi:www-data /var/log/obs/production.log
# Generate Gemfile.lock file.
cd /usr/share/obs/api
rm -f Gemfile.lock
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment