From 5d212a7c3282fdb2b876766bb509ca203e62a249 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Mon, 11 Aug 2025 16:21:07 -0500 Subject: [PATCH 1/2] Aligned Hub package perms for share/GUI on EL and Debian platforms with the MPF The MPF enforces permissions of 400 and group and user ownership of root. While the mis-alignment stabilizes, it does cause verification errors for RPM packages that persists. This change brings the packaged permissions of share/GUI in alignment with the MPF. Ticket: ENT-13161 Changelog: Title (cherry picked from commit 1456c53d6d951826dfff7691f0a500fa9ffed589)
---
 packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in | 8 ++++---- packaging/cfengine-nova-hub/debian/rules | 7 +++++++ 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in
index e19862ec8..2babc488a 100644
--- a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in
+++ b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in
@@ -368,12 +368,12 @@ exit 0
 # ENT-2708, ENT-2846
 %defattr(600,root,root,700)
-%prefix/share/GUI/application/config/*.php
-%prefix/share/GUI/phpcfenginenova/*.sql
-%prefix/share/GUI/phpcfenginenova/migrations
-%prefix/share/GUI/phpcfenginenova/migrations/*.sql
 %prefix/share/db/*.sql
+# No-one should need access to anything under share/GUI
+%defattr(400,root,root,400)
+%prefix/share/GUI
+
 # Base policy
 %defattr(644,root,root,755)
 %prefix/share/NovaBase
diff --git a/packaging/cfengine-nova-hub/debian/rules b/packaging/cfengine-nova-hub/debian/rules
index 07d456a76..df4044aec 100755
--- a/packaging/cfengine-nova-hub/debian/rules
+++ b/packaging/cfengine-nova-hub/debian/rules
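Review bot: In cfengine-nova-hub.spec.in, `%defattr(400,root,root,400)` also sets the directory mode to 400, so no directory under `%prefix/share/GUI` has a search (x) bit. The tree can then be traversed only by a root process that keeps its DAC-override capabilities. That fits the stated intent that no-one needs access, but it reads like a typo for 500, so the comment should say it is deliberate, for example `# Directories are 400 on purpose (no search bit), matching what the MPF enforces`. Whether any other `%files` entry outside this hunk still lists paths below share/GUI is not visible here; a second listing with different attributes would be worth checking for.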
@@ -98,6 +98,13 @@ install: build
 # cf-enterprise-support
 cp $(BASEDIR)/nova/misc/cf-support-nova-hub.sh $(CURDIR)/debian/tmp$(PREFIX)/share/
+execute_after_dh_fixperms:
+# No-one should need access to anything under share/GUI
+ chmod 400 -R $(CURDIR)/debian/tmp$(PREFIX)/share/
+ chmod 700 $(CURDIR)/debian/tmp$(PREFIX)/ppkeys/
+ chmod 700 $(CURDIR)/debian/tmp$(PREFIX)/outputs/
+ chmod 700 $(CURDIR)/debian/tmp$(PREFIX)/inputs/
+ chmod 700 $(CURDIR)/debian/tmp$(PREFIX)/state/
 binary-indep: build install
From 0e932ab7a1de025128648c6d7dfeeeb638c680a6 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 20 Feb 2025 14:07:14 -0600 Subject: [PATCH 2/2] Marked config.php files in share/GUI folder as configuration files in packages To change the port, masterfiles can change these files which are distributed as part of the package so we must mark them as configuration files. https://github.com/cfengine/masterfiles/pull/2987 Ticket: ENT-12658 Changelog: none (cherry picked from commit 46ba4115745a045f72d5046ff6c1aec29ec2822c)
---
 packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in | 3 +++ packaging/cfengine-nova-hub/debian/conffiles | 2 ++ 2 files changed, 5 insertions(+) create mode 100644 packaging/cfengine-nova-hub/debian/conffiles
diff --git a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in
index 2babc488a..7cebfe01c 100644
--- a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in
+++ b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in
@@ -372,6 +372,9 @@ exit 0
 # No-one should need access to anything under share/GUI
 %defattr(400,root,root,400)
+# We can change these configuration files as part of masterfiles policy so need to mark as configs
+%config(noreplace) %prefix/share/GUI/application/config/config.php
+%config(noreplace) %prefix/share/GUI/api/modules/inventory/config/config.php
 %prefix/share/GUI
 # Base policy
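Review bot: In debian/rules the comment names share/GUI, but `chmod 400 -R $(CURDIR)/debian/tmp$(PREFIX)/share/` recurses over all of share/. That includes the cf-support-nova-hub.sh script copied just above and, going by the RPM spec, share/NovaBase, which the RPM ships as 644/755. If only the GUI tree is meant, as in the spec file, the line should be `chmod -R 400 $(CURDIR)/debian/tmp$(PREFIX)/share/GUI`; otherwise the comment should say share/ and the two package formats will install different modes. The four `chmod 700` lines for ppkeys/, outputs/, inputs/ and state/ are covered by neither the comment nor the commit message and deserve a comment of their own. `execute_after_dh_fixperms` is a hook that only debhelper's `dh` sequencer runs, and the surrounding targets (`install: build`, `binary-indep: build install`) look hand-written; the rest of the file is outside the hunk, so please confirm the hook is actually invoked.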
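Review bot: `%config(noreplace)` on the two config.php entries has an upgrade consequence the hunk does not document. Once the file on disk differs from the packaged one, which the commit message says masterfiles policy will cause, an upgrade keeps the local copy and writes the new version beside it as `config.php.rpmnew`. Defaults changed in a later package therefore never reach an installed hub unless policy merges them. The `.rpmnew` file also lands inside share/GUI; if that tree is copied into a web root (not visible here), a file without a `.php` suffix may be served as plain text. I would add a comment such as `# noreplace: upgrades leave config.php.rpmnew; policy must merge new defaults and must not deploy *.rpmnew`.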
diff --git a/packaging/cfengine-nova-hub/debian/conffiles b/packaging/cfengine-nova-hub/debian/conffiles
new file mode 100644
index 000000000..887c97b90
--- /dev/null
+++ b/packaging/cfengine-nova-hub/debian/conffiles
@@ -0,0 +1,2 @@
+/var/cfengine/share/GUI/application/config/config.php
+/var/cfengine/share/GUI/api/modules/inventory/config/config.php
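Review bot: Both conffile paths hard-code `/var/cfengine`, while debian/rules builds its paths from `$(PREFIX)` and the spec file from `%prefix`. A build with a different prefix would list conffiles that do not match the installed files. If the prefix can vary, generate this file from `$(PREFIX)` in debian/rules; otherwise document that the Debian package supports only `/var/cfengine`. Whether the hand-written rules targets copy debian/conffiles into the package control area is not visible in this patch, so confirm on a built package that both files are registered as conffiles.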