-rw-r--r--genenetwork/services/genenetwork.scm23
1 files changed, 18 insertions, 5 deletions
diff --git a/genenetwork/services/genenetwork.scm b/genenetwork/services/genenetwork.scm
index 5a2dda2..2d9e4f1 100644
--- a/genenetwork/services/genenetwork.scm
+++ b/genenetwork/services/genenetwork.scm
@@ -109,11 +109,24 @@
(chown file
(passwd:uid (getpw "genenetwork"))
(passwd:gid (getpw "genenetwork"))))
- (cons* #$gn2-secrets
- #$gn3-secrets
- #$gn-auth-secrets
- (find-files #$(dirname auth-db)
- #:directories? #t)))))))
+ (find-files #$(dirname auth-db)
+ #:directories? #t))
+ ;; Let each service user own their own secrets files.
+ (chown #$gn2-secrets
+ (passwd:uid (getpw "gunicorn-genenetwork2"))
+ (passwd:gid (getpw "gunicorn-genenetwork2")))
+ (chown #$gn3-secrets
+ (passwd:uid (getpw "gunicorn-genenetwork3"))
+ (passwd:gid (getpw "gunicorn-genenetwork3")))
+ (chown #$gn-auth-secrets
+ (passwd:uid (getpw "gunicorn-gn-auth"))
+ (passwd:gid (getpw "gunicorn-gn-auth")))
+ ;; Set owner-only permissions on secrets files.
+ (for-each (lambda (file)
+ (chmod file #o600))
+ (list #$gn2-secrets
+ #$gn3-secrets
+ #$gn-auth-secrets))))))
(define (configuration-file-gexp alist)
"Return a G-expression that constructs a configuration file of
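Review bot: The three added chown forms for gn2-secrets, gn3-secrets and gn-auth-secrets each call getpw twice for the same account and repeat the same shape, and the chmod loop that follows then walks the same three files again; a single for-each over (file, user) pairs sets ownership and mode of each secrets file in one place and does one lookup per account. Since getpw on a missing account presumably aborts the activation, that also keeps the failure mode unchanged. Separately, the files end up owned and writable by the service user (#o600); if the gunicorn processes only read their secrets, #o400 — or root ownership with a read-only group — would stop a compromised service from rewriting its own credentials, though whether they need write access is not visible in this hunk. The enclosing activation gexp starts before the hunk.
```scheme
;; … unchanged: chown of the auth-db directory tree …
;; Each service user owns its own secrets file, readable by nobody else.
(for-each (lambda (file user)
            (let ((pw (getpw user)))
              (chown file (passwd:uid pw) (passwd:gid pw))
              (chmod file #o600)))
          (list #$gn2-secrets #$gn3-secrets #$gn-auth-secrets)
          (list "gunicorn-genenetwork2"
                "gunicorn-genenetwork3"
                "gunicorn-gn-auth"))
;; … unchanged: closing parens of the enclosing activation gexp …
```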