author | Arun Isaac | 2024-03-01 11:47:43 +0000 |
committer | Arun Isaac | 2024-03-01 11:47:43 +0000 |
commit | 405cd495049efa78c901ae767035b594e4188db8 (patch) | |
tree | cc060a2e01db2ffb49d2c66dc5862a205e6f3278 | |
parent | 1dc59cdfeeaebdbfe58a4cf7c8a72795e61bbc6a (diff) | |
Set owner-only permissions on secrets files.
* genenetwork/services/genenetwork.scm (genenetwork-activation): Set
owner-only permissions on secrets files.
-rw-r--r-- | genenetwork/services/genenetwork.scm | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/genenetwork/services/genenetwork.scm b/genenetwork/services/genenetwork.scm
index 5a2dda2..2d9e4f1 100644
--- a/genenetwork/services/genenetwork.scm
+++ b/genenetwork/services/genenetwork.scm
@@ -109,11 +109,24 @@
 (chown file
 (passwd:uid (getpw "genenetwork"))
 (passwd:gid (getpw "genenetwork"))))
- (cons* #$gn2-secrets
- #$gn3-secrets
- #$gn-auth-secrets
- (find-files #$(dirname auth-db)
- #:directories? #t)))))))
+ (find-files #$(dirname auth-db)
+ #:directories? #t))
+ ;; Let each service user own their own secrets files.
+ (chown #$gn2-secrets
+ (passwd:uid (getpw "gunicorn-genenetwork2"))
+ (passwd:gid (getpw "gunicorn-genenetwork2")))
+ (chown #$gn3-secrets
+ (passwd:uid (getpw "gunicorn-genenetwork3"))
+ (passwd:gid (getpw "gunicorn-genenetwork3")))
+ (chown #$gn-auth-secrets
+ (passwd:uid (getpw "gunicorn-gn-auth"))
+ (passwd:gid (getpw "gunicorn-gn-auth")))
+ ;; Set owner-only permissions on secrets files.
+ (for-each (lambda (file)
+ (chmod file #o600))
+ (list #$gn2-secrets
+ #$gn3-secrets
+ #$gn-auth-secrets))))))
 
 (define (configuration-file-gexp alist)
 "Return a G-expression that constructs a configuration file of |
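Review bot: The three `chown` calls hand the secrets files to their service users before the `for-each` that applies `(chmod file #o600)`, so each file is transferred while still carrying whatever mode it had before; running the `chmod` first and the `chown` second is the usual tighten-then-hand-over order and removes that window. The three `chown` forms differ only in file and user name and each calls `getpw` twice for the same user, so one `for-each` over `(file . user)` pairs that does the `chmod` and the `chown` together, with a single `getpw` per user, would express the intent in one place; a sketch follows. The enclosing `genenetwork-activation` gexp starts before this hunk, so how a failing `getpw` (a missing service account) is handled there is not visible here.

```scheme
;; … unchanged: find-files over (dirname auth-db) …
;; Tighten each secrets file to owner-only first, then hand it to its service user.
(for-each (lambda (pair)
            (let ((file (car pair))
                  (pw (getpw (cdr pair))))
              (chmod file #o600)
              (chown file (passwd:uid pw) (passwd:gid pw))))
          (list (cons #$gn2-secrets "gunicorn-genenetwork2")
                (cons #$gn3-secrets "gunicorn-genenetwork3")
                (cons #$gn-auth-secrets "gunicorn-gn-auth")))
;; … unchanged: closing parens of the enclosing gexp …
```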