From 9bf7cb0b7415857a4ee73676f986012a419a17b8 Mon Sep 17 00:00:00 2001 From: Donatas Abraitis Date: Tue, 19 Apr 2022 14:53:55 +0300 Subject: [PATCH 1/2] packaging: Set default permissions for /var/log/frr to 0755 At the moment we set /var/log/frr permissions to 0750 (frr:frr), but the log file is 0640 (root:adm) (unless logrotated) and that doesn't allow adm group to even open the directory. Signed-off-by: Donatas Abraitis --- debian/frr.postinst | 2 +- redhat/frr.spec.in | 9 +++++---- tools/frr-reload.py | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/debian/frr.postinst b/debian/frr.postinst index 505ff8eaf8..4e23cd3cec 100644 --- a/debian/frr.postinst +++ b/debian/frr.postinst @@ -16,7 +16,7 @@ adduser \ frr usermod -a -G frrvty frr -mkdir -p /var/log/frr +mkdir -m 0755 -p /var/log/frr mkdir -p /etc/frr diff --git a/redhat/frr.spec.in b/redhat/frr.spec.in index 740cfe498a..13ba6c42c0 100644 --- a/redhat/frr.spec.in +++ b/redhat/frr.spec.in @@ -432,7 +432,8 @@ popd %install mkdir -p %{buildroot}%{_sysconfdir}/{frr,sysconfig,logrotate.d,pam.d,default} \ - %{buildroot}%{_localstatedir}/log/frr %{buildroot}%{_infodir} + %{buildroot}%{_infodir} +mkdir -m 0755 -p %{buildroot}%{_localstatedir}/log/frr make DESTDIR=%{buildroot} INSTALL="install -p" CP="cp -p" install # Remove this file, as it is uninstalled and causes errors when building on RH9 @@ -639,11 +640,11 @@ fi /usr/share/yang/*.yang %if 0%{?frr_user:1} %dir %attr(751,%{frr_user},%{frr_user}) %{configdir} - %dir %attr(750,%{frr_user},%{frr_user}) %{_localstatedir}/log/frr + %dir %attr(755,%{frr_user},%{frr_user}) %{_localstatedir}/log/frr %dir %attr(751,%{frr_user},%{frr_user}) %{rundir} %else %dir %attr(750,root,root) %{configdir} - %dir %attr(750,root,root) %{_localstatedir}/log/frr + %dir %attr(755,root,root) %{_localstatedir}/log/frr %dir %attr(750,root,root) %{rundir} %endif %{_infodir}/frr.info.gz 
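Review bot: `mkdir -m 0755 -p /var/log/frr` sets the mode only when it creates the directory, so on an upgrade where /var/log/frr already exists at 0750 the postinst leaves it unchanged and the adm group still cannot enter it. Nothing in this hunk shows a later chmod. If existing installs should get the new mode as well, follow the mkdir with `chmod 0755 /var/log/frr`. With `-p`, `-m` also applies only to the final path component, which is harmless here as long as /var/log already exists.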
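Review bot: The two `%attr(755,...)` lines for `%{_localstatedir}/log/frr` give every local account read and search access to the log directory, which is wider than the adm-group access the commit message asks for. From this change on, the confidentiality of the logs rests on each file's own mode (0640 per the message), so a file written under a looser umask becomes world-readable. If world access is not intended, a narrower grant such as keeping 750 and giving adm access through group ownership or an ACL would meet the stated goal. Otherwise add a comment above the `%dir` lines, for example `# 0755 so adm can traverse; log files themselves must stay 0640`. The same mode is applied in debian/frr.postinst and tools/frr-reload.py.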
@@ -918,7 +919,7 @@ sed -i 's/ -M rpki//' %{_sysconfdir}/frr/daemons - Add ability to show BGP routes from a particular table version - Add support for for RFC 8050 (MRT add-path) - Add SNMP support for MPLS VPN -- Add `show bgp summary wide` command to show more detailed output +- Add `show bgp summary wide` command to show more detailed output on wide terminals - Add ability for peer-groups to have `ttl-security hops` configured - Add support for conditional Advertisement diff --git a/tools/frr-reload.py b/tools/frr-reload.py index 2b76c43f7b..4f30f7fbd8 100755 --- a/tools/frr-reload.py +++ b/tools/frr-reload.py @@ -1752,7 +1752,7 @@ if __name__ == "__main__": elif args.reload: if not os.path.isdir("/var/log/frr/"): - os.makedirs("/var/log/frr/") + os.makedirs("/var/log/frr/", mode=0o0755) logging.basicConfig( filename="/var/log/frr/frr-reload.log", From b5b09eee6df283c120f9db459a61c9cc4828f59d Mon Sep 17 00:00:00 2001 From: Donatas Abraitis Date: Tue, 19 Apr 2022 16:45:03 +0300 Subject: [PATCH 2/2] packaging: Use 0640 (frr:frr) as permissions when running under logrotate When we do "log file /var/log/frr/something", permissions are set to 0640 (frr:frr), but when the logrotate kicks in, we have 0640 (frr:frrvty). I believe, we should have a consistent permissions. Signed-off-by: Donatas Abraitis --- debian/frr.logrotate | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/frr.logrotate b/debian/frr.logrotate index a56a908bdf..a5af25f034 100644 --- a/debian/frr.logrotate +++ b/debian/frr.logrotate @@ -4,7 +4,7 @@ missingok compress rotate 14 - create 640 frr frrvty + create 0640 frr frr postrotate pid=$(lsof -t -a -c /syslog/ /var/log/frr/* 2>/dev/null)
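Review bot: `os.makedirs("/var/log/frr/", mode=0o0755)` is still filtered through the process umask, so a reload started under umask 027 or 077 creates a directory narrower than 0755 and the adm access this commit is after is not guaranteed. Adding `os.chmod("/var/log/frr/", 0o755)` right after the makedirs call, inside the same `if`, pins the mode on creation without touching a directory an administrator has already adjusted. The directory is also created with the owner of whoever runs the script, which presumably differs from the frr:frr owner the packages set; a short comment saying so would help. The `if __name__ == "__main__":` block starts and ends outside this hunk.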
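Review bot: `create 0640 frr frr` makes every rotated log readable only by the frr user and group, so the adm group that the first patch in this series opens the directory for still cannot read the logs once logrotate has run. If adm access is meant to survive rotation, `create 0640 frr adm` would carry it; if not, the commit message should say that adm gets directory traversal only. The stanza starts outside this hunk, so it is not visible whether it carries a `su frr frr` directive. Since /var/log/frr is owned by frr rather than root, it is worth confirming the directive is there so logrotate does not act as root inside a directory an unprivileged account controls.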