authorArun Isaac2024-03-05 14:08:21 +0000
committerArun Isaac2024-03-05 14:09:44 +0000
commit5a7537bf91f066e5a7b59b993bb5cc7038d54564 (patch)
treef72faabb3359f1d8aa2435b9550e1e9cf9f072be
parent36b48fd03fd9593936b88ebcca827e77cb790bf1 (diff)
Let the gunicorn-gn-auth user own the auth database.
gn-auth runs as the gunicorn-gn-auth user, not the genenetwork user.

* genenetwork/services/genenetwork.scm (genenetwork-activation): Let
the gunicorn-gn-auth user own the auth database.

Reported-by: Frederick M. Muriithi <fredmanglis@protonmail.com>
-rw-r--r--genenetwork/services/genenetwork.scm12
1 files changed, 5 insertions, 7 deletions
diff --git a/genenetwork/services/genenetwork.scm b/genenetwork/services/genenetwork.scm
index f37a078..aa4ac77 100644
--- a/genenetwork/services/genenetwork.scm
+++ b/genenetwork/services/genenetwork.scm
@@ -109,10 +109,11 @@
 
           (for-each (lambda (file)
                       (chown file
-                             (passwd:uid (getpw "genenetwork"))
-                             (passwd:gid (getpw "genenetwork"))))
-                    (find-files #$(dirname auth-db)
-                                #:directories? #t))
+                             (passwd:uid (getpw "gunicorn-gn-auth"))
+                             (passwd:gid (getpw "gunicorn-gn-auth"))))
+                    (cons #$gn-auth-secrets
+                          (find-files #$(dirname auth-db)
+                                      #:directories? #t)))
           ;; Let each service user own their own secrets files.
           (chown #$gn2-secrets
                  (passwd:uid (getpw "gunicorn-genenetwork2"))
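Review bot: The lambda on the new lines 33-34 calls getpw twice for every file returned by find-files plus the secrets file, so the same passwd lookup is repeated for each entry; resolving it once, as in `(let ((uid (passwd:uid (getpw "gunicorn-gn-auth"))) (gid (passwd:gid (getpw "gunicorn-gn-auth"))))` wrapped around the for-each, also makes a missing user fail before any chown is attempted rather than part-way through the tree. With gn-auth-secrets now consed onto this list, the comment `;; Let each service user own their own secrets files.` on the following line reads as if the gn-auth secrets were still handled below, so a line such as `;; Let the gn-auth service user own the auth database tree and its secrets file.` above the for-each would keep the intent clear. Since chown follows symbolic links, whether any symlink under (dirname auth-db) ends up re-owning its target depends on what find-files returns for links, which is not visible here and is worth confirming. The enclosing activation gexp begins before and continues after this hunk.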
@@ -120,9 +121,6 @@
           (chown #$gn3-secrets
                  (passwd:uid (getpw "gunicorn-genenetwork3"))
                  (passwd:gid (getpw "gunicorn-genenetwork3")))
-          (chown #$gn-auth-secrets
-                 (passwd:uid (getpw "gunicorn-gn-auth"))
-                 (passwd:gid (getpw "gunicorn-gn-auth")))
           ;; Set owner-only permissions on secrets files.
           (for-each (lambda (file)
                       (chmod file #o600))