authorArun Isaac2024-03-01 11:47:43 +0000
committerArun Isaac2024-03-01 11:47:43 +0000
commit405cd495049efa78c901ae767035b594e4188db8 (patch)
treecc060a2e01db2ffb49d2c66dc5862a205e6f3278
parent1dc59cdfeeaebdbfe58a4cf7c8a72795e61bbc6a (diff)
Set owner-only permissions on secrets files.
* genenetwork/services/genenetwork.scm (genenetwork-activation): Set owner-only permissions on secrets files.
-rw-r--r--genenetwork/services/genenetwork.scm23
1 files changed, 18 insertions, 5 deletions
diff --git a/genenetwork/services/genenetwork.scm b/genenetwork/services/genenetwork.scm
index 5a2dda2..2d9e4f1 100644
--- a/genenetwork/services/genenetwork.scm
+++ b/genenetwork/services/genenetwork.scm
@@ -109,11 +109,24 @@
(chown file
(passwd:uid (getpw "genenetwork"))
(passwd:gid (getpw "genenetwork"))))
- (cons* #$gn2-secrets
- #$gn3-secrets
- #$gn-auth-secrets
- (find-files #$(dirname auth-db)
- #:directories? #t)))))))
+ (find-files #$(dirname auth-db)
+ #:directories? #t))
+ ;; Let each service user own their own secrets files.
+ (chown #$gn2-secrets
+ (passwd:uid (getpw "gunicorn-genenetwork2"))
+ (passwd:gid (getpw "gunicorn-genenetwork2")))
+ (chown #$gn3-secrets
+ (passwd:uid (getpw "gunicorn-genenetwork3"))
+ (passwd:gid (getpw "gunicorn-genenetwork3")))
+ (chown #$gn-auth-secrets
+ (passwd:uid (getpw "gunicorn-gn-auth"))
+ (passwd:gid (getpw "gunicorn-gn-auth")))
+ ;; Set owner-only permissions on secrets files.
+ (for-each (lambda (file)
+ (chmod file #o600))
+ (list #$gn2-secrets
+ #$gn3-secrets
+ #$gn-auth-secrets))))))
(define (configuration-file-gexp alist)
"Return a G-expression that constructs a configuration file of