authorArun Isaac2024-03-01 11:47:43 +0000
committerArun Isaac2024-03-01 11:47:43 +0000
commit405cd495049efa78c901ae767035b594e4188db8 (patch)
treecc060a2e01db2ffb49d2c66dc5862a205e6f3278
parent1dc59cdfeeaebdbfe58a4cf7c8a72795e61bbc6a (diff)
Set owner-only permissions on secrets files.
* genenetwork/services/genenetwork.scm (genenetwork-activation): Set
owner-only permissions on secrets files.
-rw-r--r--genenetwork/services/genenetwork.scm23
1 files changed, 18 insertions, 5 deletions
diff --git a/genenetwork/services/genenetwork.scm b/genenetwork/services/genenetwork.scm
index 5a2dda2..2d9e4f1 100644
--- a/genenetwork/services/genenetwork.scm
+++ b/genenetwork/services/genenetwork.scm
@@ -109,11 +109,24 @@
                       (chown file
                              (passwd:uid (getpw "genenetwork"))
                              (passwd:gid (getpw "genenetwork"))))
-                    (cons* #$gn2-secrets
-                           #$gn3-secrets
-                           #$gn-auth-secrets
-                           (find-files #$(dirname auth-db)
-                                       #:directories? #t)))))))
+                    (find-files #$(dirname auth-db)
+                                #:directories? #t))
+          ;; Let each service user own their own secrets files.
+          (chown #$gn2-secrets
+                 (passwd:uid (getpw "gunicorn-genenetwork2"))
+                 (passwd:gid (getpw "gunicorn-genenetwork2")))
+          (chown #$gn3-secrets
+                 (passwd:uid (getpw "gunicorn-genenetwork3"))
+                 (passwd:gid (getpw "gunicorn-genenetwork3")))
+          (chown #$gn-auth-secrets
+                 (passwd:uid (getpw "gunicorn-gn-auth"))
+                 (passwd:gid (getpw "gunicorn-gn-auth")))
+          ;; Set owner-only permissions on secrets files.
+          (for-each (lambda (file)
+                      (chmod file #o600))
+                    (list #$gn2-secrets
+                          #$gn3-secrets
+                          #$gn-auth-secrets))))))
 
 (define (configuration-file-gexp alist)
   "Return a G-expression that constructs a configuration file of
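Review bot: The `chmod` loop at L43-L47 runs only after the three `chown` calls at L33-L41, so each secrets file spends a moment owned by its service user while still carrying whatever mode it had before; doing the `chmod` to `#o600` first and the `chown` second closes that window, and also lets the three near-identical `chown` forms collapse into a single loop as sketched below. Separately, both `chown` and `chmod` raise on a missing path, so activation now aborts outright if any of the three secrets files has not been provisioned yet — presumably intended (fail loud rather than start a service with an unreadable secret), but it deserves a comment such as `;; All three secrets files must exist before activation; a missing one aborts it.` The enclosing `genenetwork-activation` form starts before this hunk, and the run of closing parentheses at L47 belongs to it.
```scheme
;; … unchanged: chown of the auth-db directory tree to "genenetwork" …
;; Tighten the mode before handing the file to its service user, so a
;; secrets file is never both service-owned and group/world readable,
;; even briefly.  All three files must already exist.
(for-each (lambda (file user)
            (chmod file #o600)
            (let ((pw (getpw user)))
              (chown file (passwd:uid pw) (passwd:gid pw))))
          (list #$gn2-secrets #$gn3-secrets #$gn-auth-secrets)
          (list "gunicorn-genenetwork2" "gunicorn-genenetwork3" "gunicorn-gn-auth"))
```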