From: Ward Vandewege
Date: Mon, 9 Nov 2020 18:23:35 +0000 (-0500)
Subject: 16306: Make sure that the non-passenger nginx process runs as the
X-Git-Tag: 2.2.0~141^2~42
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/0b6013ac5520b7508474705d654f1384994d10e5

16306: Make sure that the non-passenger nginx process runs as the www-data user, not the default 'nobody' user. Make sure that process uses the wwwtmp directory as its temp directory. Make sure that arvados-boot in production mode uses /etc/arvados/config.yml.

Arvados-DCO-1.1-Signed-off-by: Ward Vandewege
---
diff --git a/lib/boot/nginx.go b/lib/boot/nginx.go
index b11d9fd49d..07ff1fc1d3 100644
--- a/lib/boot/nginx.go
+++ b/lib/boot/nginx.go
@@ -37,7 +37,7 @@ func (runNginx) Run(ctx context.Context, fail func(error), super *Supervisor) er
 "SSLKEY": filepath.Join(super.tempdir, "server.key"),
 "ACCESSLOG": filepath.Join(super.tempdir, "nginx_access.log"),
 "ERRORLOG": filepath.Join(super.tempdir, "nginx_error.log"),
- "TMPDIR": super.tempdir,
+ "TMPDIR": super.wwwtempdir,
 }
 for _, cmpt := range []struct {
 varname string
@@ -105,7 +105,7 @@ func (runNginx) Run(ctx context.Context, fail func(error), super *Supervisor) er
 defer super.waitShutdown.Done()
 fail(super.RunProgram(ctx, ".", nil, nil, nginx,
 "-g", "error_log stderr info;",
- "-g", "pid "+filepath.Join(super.tempdir, "nginx.pid")+";",
+ "-g", "user www-data; pid "+filepath.Join(super.wwwtempdir, "nginx.pid")+";",
 "-c", conffile))
 }()
 // Choose one of the ports where Nginx should listen, and wait
diff --git a/lib/boot/supervisor.go b/lib/boot/supervisor.go
index 51f5c8bfd2..417f09d23f 100644
--- a/lib/boot/supervisor.go
+++ b/lib/boot/supervisor.go
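Review bot: `TMPDIR` now resolves to `super.wwwtempdir`, so the templated nginx temp paths depend on that field being populated on both branches of the production/dev switch in Supervisor.run; only the production assignment (`/var/lib/arvados/wwwtmp`) is visible in this commit, the dev-mode value is outside the hunks, so confirm it is set there too rather than left empty. The second hunk of this file relies on the same field for the pid file, and since the worker processes now run as `www-data` while the master (which writes the pid file) keeps the invoking user, the directory needs to be writable by both. A short comment on the changed line such as `// wwwtempdir: must be writable by the nginx worker user (see "user" directive below)` would make that coupling visible. Run's body starts before and continues after this hunk.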
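Review bot: `user www-data;` is honoured by nginx only when its master process starts as root; started unprivileged (presumably the dev-mode case, since this argument list is built for both modes) nginx logs a warning and keeps running as the invoking user, and on a host with no `www-data` account the directive makes nginx refuse to start at all. Consider emitting the `user` directive only under the same production check that supervisor.go uses, and sourcing the account name from configuration instead of the literal, e.g. `userDirective := ""` / `if production { userDirective = "user www-data; " }` / `"-g", userDirective+"pid "+filepath.Join(super.wwwtempdir, "nginx.pid")+";",` (with `production` standing for whatever flag the supervisor exposes). Either way a comment like `// "user" only takes effect when nginx is started as root; only the workers drop privileges` would save the next reader a trip to the nginx docs. The enclosing goroutine and Run itself extend beyond this hunk.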
@@ -143,6 +143,7 @@ func (super *Supervisor) run(cfg *arvados.Config) error {
 super.tempdir = "/var/lib/arvados/tmp"
 super.wwwtempdir = "/var/lib/arvados/wwwtmp"
 super.bindir = "/var/lib/arvados/bin"
+ super.configfile = "/etc/arvados/config.yml"
 } else {
 super.tempdir, err = ioutil.TempDir("", "arvados-server-boot-")
 if err != nil {
@@ -154,28 +155,28 @@ func (super *Supervisor) run(cfg *arvados.Config) error {
 if err := os.Mkdir(super.bindir, 0755); err != nil {
 return err
 }
- }
- // Fill in any missing config keys, and write the resulting
- // config in the temp dir for child services to use.
- err = super.autofillConfig(cfg)
- if err != nil {
- return err
- }
- conffile, err := os.OpenFile(filepath.Join(super.tempdir, "config.yml"), os.O_CREATE|os.O_WRONLY, 0644)
- if err != nil {
- return err
- }
- defer conffile.Close()
- err = json.NewEncoder(conffile).Encode(cfg)
- if err != nil {
- return err
- }
- err = conffile.Close()
- if err != nil {
- return err
+ // Fill in any missing config keys, and write the resulting
+ // config in the temp dir for child services to use.
+ err = super.autofillConfig(cfg)
+ if err != nil {
+ return err
+ }
+ conffile, err := os.OpenFile(filepath.Join(super.tempdir, "config.yml"), os.O_CREATE|os.O_WRONLY, 0644)
+ if err != nil {
+ return err
+ }
+ defer conffile.Close()
+ err = json.NewEncoder(conffile).Encode(cfg)
+ if err != nil {
+ return err
+ }
+ err = conffile.Close()
+ if err != nil {
+ return err
+ }
+ super.configfile = conffile.Name()
 }
- super.configfile = conffile.Name()
 super.environ = os.Environ()
 super.cleanEnv([]string{"ARVADOS_"})
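Review bot: Setting `super.configfile = "/etc/arvados/config.yml"` on the production branch means `autofillConfig(cfg)` no longer runs in that mode, because the second hunk moves the autofill-and-write sequence into the dev-only branch; any code later in run() (outside these hunks) that expects autofilled keys in `cfg` now sees the operator's config as loaded. If that is the intent, say so on the new line, e.g. `// production: child services read the operator-maintained config verbatim; no autofill, nothing written to tempdir`, so the asymmetry between the two branches is not mistaken for an omission. run() begins before the first hunk and continues after the last one.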
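Review bot: The relocated write creates `config.yml` with mode 0644 and `O_CREATE|O_WRONLY` without `O_TRUNC`; the serialized config presumably carries cluster tokens and keys, and the only thing keeping it private is that `super.tempdir` on this branch comes from `ioutil.TempDir`, which creates a 0700 directory. Now that this block is dev-only and the directory is always the fresh temp dir, tightening the call costs nothing and no longer relies on the parent's permissions: `conffile, err := os.OpenFile(filepath.Join(super.tempdir, "config.yml"), os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)`. The `defer conffile.Close()` followed by an explicit `Close()` is carried over unchanged and is harmless, but a one-line comment noting that the explicit close is the one whose error matters would avoid a reader "fixing" it. The enclosing function continues past this hunk.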