create grafana.db in %post (should not be in %files section)

2020-04-24 18:18:05 +02:00 · 2020-04-24 18:18:05 +02:00 · 925160cd8d
parent fab93d6736
commit 925160cd8d
1 changed files with 10 additions and 2 deletions
--- a/grafana.spec
+++ b/grafana.spec
@ -440,7 +440,6 @@ install -p -m 644 packaging/rpm/sysconfig/grafana-server \
 install -d %{buildroot}%{_sharedstatedir}/%{name}
 install -d -m 755 %{buildroot}%{_sharedstatedir}/%{name}
 install -d -m 755 %{buildroot}%{_sharedstatedir}/%{name}/plugins
-touch %{buildroot}%{_sharedstatedir}/%{name}/grafana.db

 # log directory
 install -d %{buildroot}%{_localstatedir}/log/%{name}
@ -467,6 +466,16 @@ exit 0

 %post
 %systemd_post grafana-server.service
+# create grafana.db with secure permissions on new installations
+# otherwise grafana-server is creating grafana.db on first start
+# with world-readable permissions, which may leak encrypted datasource
+# passwords to all users (if the secret_key in grafana.ini was not changed)
+# also fixes https://bugzilla.redhat.com/show_bug.cgi?id=1805472
+if [ "$1" = 1 ] && [ ! -f %{_sharedstatedir}/%{name}/grafana.db ]; then
+    touch %{_sharedstatedir}/%{name}/grafana.db
+    chown %{GRAFANA_USER}:%{GRAFANA_GROUP} %{_sharedstatedir}/%{name}/grafana.db
+    chmod 640 %{_sharedstatedir}/%{name}/grafana.db
+fi

 %postun
 %systemd_postun_with_restart grafana-server.service
@ -501,7 +510,6 @@ export GO111MODULE=off
 # config database directory and plugins
 %attr(-, %{GRAFANA_USER}, %{GRAFANA_GROUP}) %dir %{_sharedstatedir}/%{name}
 %attr(-, %{GRAFANA_USER}, %{GRAFANA_GROUP}) %dir %{_sharedstatedir}/%{name}/plugins
-%attr(640, %{GRAFANA_USER}, %{GRAFANA_GROUP}) %{_sharedstatedir}/%{name}/grafana.db

 # shared directory and all files therein, except some datasources
 %{_datadir}/%{name}