Closed JeetKunDoug closed 8 years ago
create jira issue
Are you planning on fixing perms on other platforms too?
Yes, other affected platforms will be fixed - just working out some details on which ones need it internally.
For CentOS 7:
Reviewed ownership for /usr/sbin files - also were owned by riak. 12fee7a fixes that.
sudo rpm -i riak-ee-2.0.6.6e387249-1.el7.centos.x86_64.rpm
[sudo] password for doug:
usermod: no changes
[doug@centos7 packages]$ ls -al /etc/rc.d/init.d/riak
-rwxr-xr-x 1 root root 3302 Mar 4 22:56 /etc/rc.d/init.d/riak
[doug@centos7 packages]$ ls -al /usr/sbin/*riak*
-rwxr-xr-x 1 root root 12948 Mar 4 22:06 /usr/sbin/riak
-rwxr-xr-x 1 root root 34420 Mar 4 22:49 /usr/sbin/riak-admin
-rwxr-xr-x 1 root root 32756 Mar 4 22:49 /usr/sbin/riak-debug
-rwxr-xr-x 1 root root 18925 Mar 4 22:49 /usr/sbin/riak-repl
[doug@centos7 packages]$ ls -al /usr/sbin/search-cmd
-rwxr-xr-x 1 root root 722 Mar 4 22:49 /usr/sbin/search-cmd
[doug@centos7 packages]$ ls -al /usr/sbin | grep riak
-rwxr-xr-x 1 root root 12948 Mar 4 22:06 riak
-rwxr-xr-x 1 root root 34420 Mar 4 22:49 riak-admin
-rwxr-xr-x 1 root root 32756 Mar 4 22:49 riak-debug
-rwxr-xr-x 1 root root 18925 Mar 4 22:49 riak-repl
For FreeBSD:
[vagrant@vagrant-freebsd-92-i386 ~]$ sudo pkg_add riak-ee-2.0.6-cfd05263-FreeBSD-amd64.tbz
Thank you for installing riak-ee.
riak-ee has been installed in /usr/local owned by user:group riak:riak
The primary directories are:
{platform_bin_dir, "/usr/local/sbin"}
{platform_data_dir, "/var/db/riak"}
{platform_etc_dir, "/usr/local/etc/riak"}
{platform_lib_dir, "/usr/local/lib/riak/lib"}
{platform_log_dir, "/var/log/riak"}
These can be configured and changed in the /usr/local/etc/riak/app.config.
Add /usr/local/sbin to your path to run riak riak-admin search-cmd riak-repl riak-debug directly.
Man pages are available for riak(1) riak-admin(1) search-cmd(1) riak-repl(1) riak-debug(1)
[vagrant@vagrant-freebsd-92-i386 ~]$ cd /usr/local/sbin
[vagrant@vagrant-freebsd-92-i386 /usr/local/sbin]$ ls -al *riak*
-rwxr-xr-x 1 root wheel 12952 Mar 4 21:10 riak
-rwxr-xr-x 1 root wheel 34424 Mar 4 21:10 riak-admin
-rwxr-xr-x 1 root wheel 32780 Mar 4 21:10 riak-debug
-rwxr-xr-x 1 root wheel 18929 Mar 4 21:10 riak-repl
[vagrant@vagrant-freebsd-92-i386 /usr/local/sbin]$
:+1: b92e7ba
Need to audit file ownership across packages in general - follow conventions of other packages and install as few things as possible as riak:riak (since most systems install executables/libraries as root:root or root:wheel)
Specific issues found:
init.d script in RPM should be owned by root:root not riak:riak - can create a potential security issue. As a workaround, you should ensure that your init.d scripts are owned by root:root not riak:riak.
on FreeBSD systems using older pkg_add (vs. pkgng) /usr/local/sbin/riak should be owned by root:wheel rather than {{package_install_user}}:{{package_install_group}}
Many installers install most/all of the riak binaries/libraries as riak:riak - change to root:wheel, root:bin, or root:root where appropriate
.erlang.cookie file is written wherever the riak user's home directory is. There were several packages that had set it to be {{platform_base_dir}} rather than {{platform_data_dir}}, and {{platform_base_dir}} really should not be writable to the service user.
Make sure that any configuration files are readable by riak - in a few cases, this means group riak with appropriate (640) permissions - in others, the default is to install 644 so the files are world-readable. Not changing this for now.
riak start and make sure it starts cleanly.
riak-admin ping
riak-admin test to make sure you can actually write/read data
riak-admin attach-direct
Todo list for testing:
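An added example (not part of the original pull request or the Riak packaging code): a POSIX shell check that automates the `ls -al` verification shown in the thread above, flagging any listed path that is not owned by the expected uid or that is group- or world-writable. The function names and output labels are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit that packaged executables and init scripts are owned by
# the expected uid (0 = root) and carry no group/other write bit.

# check_path EXPECTED_UID PATH
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
check_path() {
    want_uid=$1
    path=$2
    if [ ! -e "$path" ]; then
        echo "MISSING   $path"
        return 1
    fi
    # ls -ldnL prints the mode string and numeric owner, follows symlinks,
    # and behaves the same on Linux and FreeBSD.
    info=$(ls -ldnL "$path" | awk '{print $1 " " $3}')
    mode=${info% *}
    uid=${info#* }
    rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER     $path uid=$uid expected=$want_uid"
        rc=1
    fi
    # Character 6 of the mode string is group-write, character 9 other-write.
    case $mode in
        ?????w*|????????w*)
            echo "WRITABLE  $path mode=$mode (group/other write bit set)"
            rc=1 ;;
    esac
    return "$rc"
}

# audit_paths EXPECTED_UID PATH...
# Checks every path; returns 0 only if all of them are clean.
audit_paths() {
    expected=$1
    shift
    findings=0
    for p in "$@"; do
        check_path "$expected" "$p" || findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Example: sh audit_owner.sh /etc/rc.d/init.d/riak /usr/sbin/riak /usr/sbin/riak-admin
if [ "$#" -gt 0 ]; then
    audit_paths 0 "$@"
fi
```

Run after installing the package on each platform; a non-zero exit status means at least one path needs its ownership or mode corrected.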