From 405cd495049efa78c901ae767035b594e4188db8 Mon Sep 17 00:00:00 2001
From: Arun Isaac
Date: Fri, 1 Mar 2024 11:47:43 +0000
Subject: Set owner-only permissions on secrets files.

* genenetwork/services/genenetwork.scm (genenetwork-activation): Set owner-only permissions on secrets files.
---
 genenetwork/services/genenetwork.scm | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
(limited to 'genenetwork')

diff --git a/genenetwork/services/genenetwork.scm b/genenetwork/services/genenetwork.scm
index 5a2dda2..2d9e4f1 100644
--- a/genenetwork/services/genenetwork.scm
+++ b/genenetwork/services/genenetwork.scm
@@ -109,11 +109,24 @@
 (chown file
 (passwd:uid (getpw "genenetwork"))
 (passwd:gid (getpw "genenetwork"))))
- (cons* #$gn2-secrets
- #$gn3-secrets
- #$gn-auth-secrets
- (find-files #$(dirname auth-db)
- #:directories? #t)))))))
+ (find-files #$(dirname auth-db)
+ #:directories? #t))
+ ;; Let each service user own their own secrets files.
+ (chown #$gn2-secrets
+ (passwd:uid (getpw "gunicorn-genenetwork2"))
+ (passwd:gid (getpw "gunicorn-genenetwork2")))
+ (chown #$gn3-secrets
+ (passwd:uid (getpw "gunicorn-genenetwork3"))
+ (passwd:gid (getpw "gunicorn-genenetwork3")))
+ (chown #$gn-auth-secrets
+ (passwd:uid (getpw "gunicorn-gn-auth"))
+ (passwd:gid (getpw "gunicorn-gn-auth")))
+ ;; Set owner-only permissions on secrets files.
+ (for-each (lambda (file)
+ (chmod file #o600))
+ (list #$gn2-secrets
+ #$gn3-secrets
+ #$gn-auth-secrets))))))

 (define (configuration-file-gexp alist)
 "Return a G-expression that constructs a configuration file of
-- 
cgit v1.2.3
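Review bot: Ownership and mode of the secrets files are set from two independently maintained lists in this hunk — three hand-written `chown` forms, then a separate `(list #$gn2-secrets #$gn3-secrets #$gn-auth-secrets)` for the `chmod` loop — so a secrets file added later to one list but not the other ends up owned by its service user yet still readable under its previous mode, and nothing here would catch that. Applying both operations in one `for-each` over parallel file and user lists keeps the two in step and also removes the three near-identical `chown` forms. The enclosing activation gexp (the `for-each` that owns the `(chown file …)` context line) starts before this hunk, so only the tail of it is visible here; I have not verified whether the `#$gn2-secrets`-style references resolve to writable paths outside the store, which `chown`/`chmod` would require.

```scheme
;; … unchanged: for-each chowning the auth-db directory tree to "genenetwork" …
;; Let each service user own their own secrets file, and make it
;; readable by that user only.  Ownership and mode are applied in the
;; same pass so a file cannot be listed for one and forgotten for the other.
(for-each (lambda (file user)
            (chown file
                   (passwd:uid (getpw user))
                   (passwd:gid (getpw user)))
            (chmod file #o600))
          (list #$gn2-secrets #$gn3-secrets #$gn-auth-secrets)
          (list "gunicorn-genenetwork2"
                "gunicorn-genenetwork3"
                "gunicorn-gn-auth"))
```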