ENT-5986: LMDB files are now created with correct permissions and group ownership (3.15)

libpromises/conversion.c

@@ -1190,10 +1190,9 @@ gid_t Str2Gid(const char *gidbuff, char *groupcopy, const Promise *pp)
         }
         else if ((gr = getgrnam(gidbuff)) == NULL)
         {
-            Log(LOG_LEVEL_INFO, "Unknown group '%s' in promise", gidbuff);
-
             if (pp)
             {
+                Log(LOG_LEVEL_INFO, "Unknown group '%s' in promise", gidbuff);
                 PromiseRef(LOG_LEVEL_INFO, pp);
             }
 

libpromises/dbm_lmdb.c

@@ -34,6 +34,7 @@
 #include <file_lib.h>
 #include <known_dirs.h>
 #include <bootstrap.h>
+#include <conversion.h>
 
 #ifdef LMDB
 
@@ -558,7 +559,30 @@ DBPriv *DBPrivOpenDB(const char *const dbpath, const dbid id)
     open_flags |= MDB_WRITEMAP;
 #endif
 
-    rc = LmdbEnvOpen(db->env, dbpath, open_flags, 0644);
+#ifndef __MINGW32__
+    // If effective user is root then change to system group for lmdb files
+    // otherwise leave group as-is.
+    uid_t p_euid = geteuid();
+    gid_t current_gid = getgid();
+    if (p_euid == 0)
+    {
+        gid_t system_gid = Str2Gid(CF_SYSTEM_GROUP, NULL /* no groupcopy */, NULL /* no Promise */);
+        if (system_gid == CF_SAME_GROUP || system_gid == CF_UNKNOWN_GROUP)
+        {
+            Log(LOG_LEVEL_ERR, "Could not get gid_t for CF_SYSTEM_GROUP('%s'), got %d", CF_SYSTEM_GROUP, system_gid);
+            goto err;
+        }
+        else
+        {
+            rc = setgid(system_gid);
+            if (rc)
+            {
+                Log(LOG_LEVEL_WARNING, "Could not set system group. setgid(%d): %s", system_gid, strerror(errno));
+            }
+        }
+    }
+#endif
+    rc = LmdbEnvOpen(db->env, dbpath, open_flags, CF_PERMS_DEFAULT);
     if (rc)
     {
         Log(LOG_LEVEL_ERR, "Could not open database %s: %s",
@@ -569,6 +593,17 @@ DBPriv *DBPrivOpenDB(const char *const dbpath, const dbid id)
         }
         goto err;
     }
+#ifndef __MINGW32__
+    if (p_euid == 0)
+    {
+        rc = setgid(current_gid);
+        if (rc)
+        {
+            Log(LOG_LEVEL_ERR, "Could not set group id back to previous value.");
+            goto err;
+        }
+    }
+#endif
     if (DB_MAX_READERS > 0)
     {
         int max_readers;

tests/load/Makefile.am

@@ -50,7 +50,7 @@ check_PROGRAMS = db_load lastseen_load lastseen_threaded_load
 
 
 db_load_SOURCES = db_load.c
-db_load_LDADD = ../unit/libdb.la
+db_load_LDADD = ../unit/libdb.la ../../libpromises/libpromises.la
 
 
 lastseen_load_SOURCES = lastseen_load.c \

tests/unit/Makefile.am

@@ -264,7 +264,7 @@ db_test_LDADD = libtest.la ../../libpromises/libpromises.la
 
 db_concurrent_test_SOURCES = db_concurrent_test.c
 #db_concurrent_test_CPPFLAGS = $(libdb_la_CPPFLAGS)
-db_concurrent_test_LDADD = libdb.la
+db_concurrent_test_LDADD = libdb.la ../../libpromises/libpromises.la
 
 lastseen_test_SOURCES = lastseen_test.c \
 	../../libpromises/item_lib.c \