From d7399667a102c6488752f0c1bd7c40a35642e026 Mon Sep 17 00:00:00 2001
From: Dave Conroy
Date: Fri, 10 Nov 2023 07:16:56 -0800
Subject: [PATCH] Update _FILESYSTEM_PERMISSIONS from 700 to 600 and add undocumented DBBACKUP_USER|GROUP variable
---
 README.md | 4 ++--
 install/assets/defaults/10-db-backup | 4 +++-
 install/assets/functions/10-db-backup | 10 +++++-----
 3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 5dc2b74..0f43ea2 100644
--- a/README.md
+++ b/README.md
@@ -327,7 +327,7 @@ If `DEFAULT_BACKUP_LOCTION` = `FILESYSTEM` then the following options are used:
 | `DEFAULT_CREATE_LATEST_SYMLINK` | Create a symbolic link pointing to last backup in this format: `latest-(DB_TYPE)-(DB_NAME)-(DB_HOST)` | `TRUE` |
 | `DEFAULT_FILESYSTEM_PATH` | Directory where the database dumps are kept. | `/backup` |
 | `DEFAULT_FILESYSTEM_ARCHIVE_PATH` | Optional Directory where the database dumps archives are kept | `${DEFAULT_FILESYSTEM_PATH}/archive/` |
-| `DEFAULT_FILESYSTEM_PERMISSION` | Directory and File permissions to apply to files. | `700` |
+| `DEFAULT_FILESYSTEM_PERMISSION` | Directory and File permissions to apply to files. | `600` |
 ###### S3
@@ -602,7 +602,7 @@ If `DB01_BACKUP_LOCTION` = `FILESYSTEM` then the following options are used:
 | `DB01_CREATE_LATEST_SYMLINK` | Create a symbolic link pointing to last backup in this format: `latest-(DB_TYPE)-(DB_NAME)-(DB_HOST)` | `TRUE` |
 | `DB01_FILESYSTEM_PATH` | Directory where the database dumps are kept. | `/backup` |
 | `DB01_FILESYSTEM_ARCHIVE_PATH` | Optional Directory where the database dumps archives are kept | `${DB01_FILESYSTEM_PATH/archive/` |
-| `DB01_FILESYSTEM_PERMISSION` | Directory and File permissions to apply to files. | `700` |
+| `DB01_FILESYSTEM_PERMISSION` | Directory and File permissions to apply to files. | `600` |
 ###### S3
diff --git a/install/assets/defaults/10-db-backup b/install/assets/defaults/10-db-backup
index 4f2b465..9b60ab8 100644
--- a/install/assets/defaults/10-db-backup
+++ b/install/assets/defaults/10-db-backup
@@ -1,6 +1,8 @@
 #!/command/with-contenv bash
 BACKUP_JOB_CONCURRENCY=${BACKUP_JOB_CONCURRENCY:-"1"}
+DBBACKUP_USER=${DBBACKUP_USER:-"dbbackup"}
+DBBACKUP_GROUP=${DBBACKUP_USER:-"${DBBACKUP_USER}"} # Must go after DBBACKUP_USER
 DEFAULT_BACKUP_BEGIN=${DEFAULT_BACKUP_BEGIN:-+0}
 DEFAULT_BACKUP_INTERVAL=${DEFAULT_BACKUP_INTERVAL:-1440}
 DEFAULT_BACKUP_INTERVAL=${DEFAULT_BACKUP_INTERVAL:-1440}
@@ -13,7 +15,7 @@ DEFAULT_CREATE_LATEST_SYMLINK=${DEFAULT_CREATE_LATEST_SYMLINK:-"TRUE"}
 DEFAULT_ENABLE_PARALLEL_COMPRESSION=${DEFAULT_ENABLE_PARALLEL_COMPRESSION:-"TRUE"}
 DEFAULT_ENCRYPT=${DEFAULT_ENCRYPT:-"FALSE"}
 DEFAULT_FILESYSTEM_PATH=${DEFAULT_FILESYSTEM_PATH:-"/backup"}
-DEFAULT_FILESYSTEM_PERMISSION=${DEFAULT_FILESYSTEM_PERMISSION:-"700"}
+DEFAULT_FILESYSTEM_PERMISSION=${DEFAULT_FILESYSTEM_PERMISSION:-"600"}
 DEFAULT_FILESYSTEM_ARCHIVE_PATH=${DEFAULT_FILESYSTEM_ARCHIVE_PATH:-"${DEFAULT_FILESYSTEM_PATH}/archive/"}
 DEFAULT_LOG_LEVEL=${DEFAULT_LOG_LEVEL:-"notice"}
 DEFAULT_MYSQL_ENABLE_TLS=${DEFAULT_MYSQL_ENABLE_TLS:-"FALSE"}
diff --git a/install/assets/functions/10-db-backup b/install/assets/functions/10-db-backup
index fe49376..9ed8de0 100644
--- a/install/assets/functions/10-db-backup
+++ b/install/assets/functions/10-db-backup
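Review bot: The added `DBBACKUP_GROUP` default reads `DBBACKUP_USER` on both sides of the expansion, so a `DBBACKUP_GROUP` supplied in the environment is never consulted and the group always ends up equal to the user name. If the group is meant to be configurable separately, as the commit subject suggests, the line should be `DBBACKUP_GROUP=${DBBACKUP_GROUP:-"${DBBACKUP_USER}"}`. As written, the `chown` calls in `bootstrap_filesystem` would apply a different group than the operator configured, without any error.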
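Review bot: The new `600` default is applied to directories as well as files, because `bootstrap_filesystem` (context lines in the functions file of this patch) runs `chmod -R "${backup_job_filesystem_permission}"` on the backup path and the archive path themselves. A directory with mode 600 has no search bit, so its non-root owner cannot enter it, and `run_as_user` drops to `${DBBACKUP_USER}`; writes into the path would presumably fail unless code outside this patch resets the mode. Owner-only access is the right direction for database dumps, but the directory needs `700` while the files get `600`, for example via a separate directory-permission setting or by applying the file mode with `find "${backup_job_filesystem_path}" -type f -exec chmod "${backup_job_filesystem_permission}" {} +`. The README rows changed in this patch still describe the value as directory and file permissions.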
@@ -5,11 +5,11 @@ bootstrap_filesystem() {
 if [ ! -d "${backup_job_filesystem_path}" ]; then
 mkdir -p "${backup_job_filesystem_path}"
 fi
- if [ "$(stat -c %U "${backup_job_filesystem_path}")" != "dbbackup" ] ; then chown -R dbbackup:dbbackup "${backup_job_filesystem_path}" ; fi
+ if [ "$(stat -c %U "${backup_job_filesystem_path}")" != "${DBBACKUP_USER}" ] ; then chown -R "${DBBACKUP_USER}":"${DBBACKUP_GROUP}" "${backup_job_filesystem_path}" ; fi
 if [ "$(stat -c %a "${backup_job_filesystem_path}")" != "${backup_job_filesystem_permission}" ] ; then chmod -R "${backup_job_filesystem_permission}" "${backup_job_filesystem_path}" ; fi
 if [ -d "${backup_job_filesystem_archive_path}" ]; then
- if [ "$(stat -c %U "${backup_job_filesystem_archive_path}")" != "dbbackup" ] ; then chown -R dbbackup:dbbackup "${backup_job_filesystem_archive_path}" ; fi
+ if [ "$(stat -c %U "${backup_job_filesystem_archive_path}")" != "${DBBACKUP_USER}" ] ; then chown -R "${DBBACKUP_USER}":"${DBBACKUP_GROUP}" "${backup_job_filesystem_archive_path}" ; fi
 if [ "$(stat -c %a "${backup_job_filesystem_archive_path}")" != "${backup_job_filesystem_permission}" ] ; then chmod -R "${backup_job_filesystem_permission}" "${backup_job_filesystem_archive_path}" ; fi
 fi
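Review bot: The ownership guard still compares only the owner (`stat -c %U`) of the top-level directory, so now that the group is configurable, a path with the right user but the wrong group is never re-owned. The same pattern is used for the archive path in this hunk and for `LOG_PATH` and `TEMP_PATH` in the next one. Comparing both fields would cover it, e.g. `[ "$(stat -c %U:%G "${backup_job_filesystem_path}")" != "${DBBACKUP_USER}:${DBBACKUP_GROUP}" ]`. Neither variable is checked to name an existing account before the recursive `chown`, so a typo would surface only as a `chown` error at bootstrap; whether that stops startup is not visible here. `bootstrap_filesystem` begins and ends outside this hunk.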
@@ -17,14 +17,14 @@ bootstrap_filesystem() {
 mkdir -p "${LOG_PATH}"
 fi
- if [ "$(stat -c %U "${LOG_PATH}")" != "dbbackup" ] ; then chown dbbackup:dbbackup "${LOG_PATH}" ; fi
+ if [ "$(stat -c %U "${LOG_PATH}")" != "${DBBACKUP_USER}" ] ; then chown -R "${DBBACKUP_USER}":"${DBBACKUP_GROUP}" "${LOG_PATH}" ; fi
 if [ ! -d "${LOG_PATH}"/"$(date +'%Y%m%d')" ]; then run_as_user mkdir -p "${LOG_PATH}"/"$(date +'%Y%m%d')"; fi
 if [ "$(stat -c %a "${LOG_PATH}")" != "755" ] ; then chmod -R 755 "${LOG_PATH}" ; fi
 if [ ! -d "${TEMP_PATH}" ]; then
 mkdir -p "${TEMP_PATH}"
 fi
- if [ "$(stat -c %U "${TEMP_PATH}")" != "dbbackup" ] ; then chown -R dbbackup:dbbackup "${TEMP_PATH}" ; fi
+ if [ "$(stat -c %U "${TEMP_PATH}")" != "${DBBACKUP_USER}" ] ; then chown -R "${DBBACKUP_USER}":"${DBBACKUP_GROUP}" "${TEMP_PATH}" ; fi
 if var_true "${DEBUG_BOOTSTRAP_FILESYSTEM}" ; then debug off; fi
 }
@@ -1648,7 +1648,7 @@ process_limiter() {
 }
 run_as_user() {
- s6-setuidgid dbbackup $@
+ s6-setuidgid "${DBBACKUP_USER}" $@
 }
 setup_mode() {
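Review bot: The `LOG_PATH` ownership line changes from `chown` to `chown -R` in this hunk, and the commit message does not mention it. If the recursion is intended, for instance to re-own dated subdirectories created under a previous user, a short comment such as `# -R: re-own existing dated log directories after a user change` would record that; if it was copied from the `TEMP_PATH` line, the `-R` should be dropped. The context line below it still runs `chmod -R 755` on `LOG_PATH`, which leaves log files world-readable while this commit tightens the backup files to owner-only; whether the logs can carry connection details is not visible here. The function starts above this hunk.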
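Review bot: `$@` is still unquoted in the rewritten `run_as_user` line, so every argument is word-split and glob-expanded a second time before `s6-setuidgid` receives it. A call such as the `run_as_user mkdir -p "${LOG_PATH}"/...` in the previous hunk would pass a path containing a space as two separate arguments. The line should read `s6-setuidgid "${DBBACKUP_USER}" "$@"`.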