From 81ab09cfce7cc2c089fa2d4643e7f1f356bba5ab Mon Sep 17 00:00:00 2001
From: Mehdi Bendriss
Date: Tue, 6 Feb 2024 10:57:22 +0100
Subject: [PATCH] Add mask and group ownership to logs (#41)

---
 snap/hooks/install | 7 ++++---
 snap/local/start-mongod.sh | 13 +++++++++++--
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/snap/hooks/install b/snap/hooks/install
index c23d488..7fd0a08 100755
--- a/snap/hooks/install
+++ b/snap/hooks/install
@@ -22,6 +22,7 @@ sed -i "s:/var/lib/mongodb:$SNAP_COMMON/var/lib/mongodb:g" $MONGO_CONFIG_FILE
 sed -i "s:/var/run:/tmp:g" $MONGO_CONFIG_FILE
 
 # Change ownership of snap directories to allow snap_daemon to read/write
-chown -R 584788:root ${SNAP_DATA}/*
-chown -R 584788:root ${SNAP_COMMON}/*
-
+chown -R 584788:root "${SNAP_DATA}"/*
+chown -R 584788:root "${SNAP_COMMON}"/*
+chgrp root "${SNAP_COMMON}/var/log/"*
+chmod g+s "${SNAP_COMMON}/var/log/"*
diff --git a/snap/local/start-mongod.sh b/snap/local/start-mongod.sh
index 8224ba7..279b4ce 100755
--- a/snap/local/start-mongod.sh
+++ b/snap/local/start-mongod.sh
@@ -1,5 +1,14 @@
 #!/bin/bash
 
 # For security measures, daemons should not be run as sudo. Execute mongod as the non-sudo user: snap-daemon.
-exec $SNAP/usr/bin/setpriv --clear-groups --reuid snap_daemon \
- --regid snap_daemon -- $SNAP/usr/bin/mongod --config ${SNAP_DATA}/etc/mongod/mongod.conf ${MONGOD_ARGS} "$@"
+exec \
+ "${SNAP}/usr/bin/setpriv" \
+ --clear-groups \
+ --reuid snap_daemon \
+ --regid snap_daemon \
+ -- \
+ "${SNAP}/usr/bin/mongod" \
+ --config "${SNAP_DATA}/etc/mongod/mongod.conf" \
+ --setParameter processUmask=037 \
+ "${MONGOD_ARGS}" \
+ "$@"
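Review bot: The new `chmod g+s "${SNAP_COMMON}/var/log/"*` sets the setgid bit on whatever the glob expands to instead of on the log directory itself; on a regular log file setgid has no group-inheritance effect, and if `var/log` is empty at install time the unmatched pattern is passed literally and both chgrp and chmod fail (whether that aborts the hook depends on `set -e`, which is outside this hunk). If the intent is that log files mongod later creates (its regid is snap_daemon) are owned by group root and readable with the 037 umask, the bit belongs on the directory: `chmod g+s "${SNAP_COMMON}/var/log"`, with `-R` only if a subdirectory is expected to receive logs. The `chgrp root` line duplicates what the preceding `chown -R 584788:root "${SNAP_COMMON}"/*` already does and could be dropped, or replaced by a comment stating why group root is required, e.g. `# Log dir is setgid root so files mongod creates there are group-readable by root`.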
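Review bot: Quoting `"${MONGOD_ARGS}"` changes behaviour: the old unquoted `${MONGOD_ARGS}` was word-split into separate flags, while the new form passes the whole string as one argument and, when the variable is unset or empty, passes a literal empty argument that mongod will most likely reject as an unrecognised option. Split it explicitly instead of relying on implicit word-splitting: add `read -r -a extra_args <<<"${MONGOD_ARGS:-}"` above the `exec` and replace the line with `"${extra_args[@]}" \`, which contributes no argument at all when the variable is empty. The `--setParameter processUmask=037` line deserves a comment on intent since it is the point of the commit, e.g. `# 037 -> files mongod creates are 640: owner rw, group (root, via setgid log dir) read-only` — and, if I recall the mongod parameter correctly, processUmask is only honoured while honorSystemUmask is left at its default false, which is worth stating in that comment so nobody later enables honorSystemUmask and silently loses the restriction.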