authorMichael Orlitzky <michael@orlitzky.com>2018-07-15 14:22:35 -0400
committerMichael Orlitzky <michael@orlitzky.com>2021-05-14 07:50:28 -0400
commite6a9f109c5349041987e64909917256e9c6e4229 (patch)
tree652c7d7911473f5aa18448ce55f6b7e3029244eb /files
parent4e7419e71f82481d321ac8c1b05ad0175d27e32d (diff)
files/fail2ban-openrc.init: force the socket location in the service script.
The socket location needs to be set in the service script for the same reason that the PID file location does: because the service script is taking responsibility for ensuring that its parent directory exists and has the correct permissions. We can't do that if the end user is allowed to move the PID file or socket somewhere else (without parsing the config file, which has other security implications).
Diffstat (limited to 'files')
-rwxr-xr-xfiles/fail2ban-openrc.init22
1 files changed, 17 insertions, 5 deletions
diff --git a/files/fail2ban-openrc.init b/files/fail2ban-openrc.init
index 21e251db..8473da26 100755
--- a/files/fail2ban-openrc.init
+++ b/files/fail2ban-openrc.init
@@ -22,11 +22,23 @@ description="Ban hosts that cause multiple authentication errors"
description_reload="reload configuration"
extra_started_commands="reload"
+# Can't (and shouldn't) be changed by the end-user.
+FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}"
+FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock"
+
+# This should be replaced by the build system, eventually.
+FAIL2BAN_BINDIR="/usr/bin"
+
# The fail2ban-client program is also capable of starting and stopping
# the server, but things are simpler if we let start-stop-daemon do it.
-command="/usr/bin/fail2ban-server"
-pidfile="/run/${RC_SVCNAME}/${RC_SVCNAME}.pid"
-command_args="${FAIL2BAN_OPTIONS} -p ${pidfile}"
+command="${FAIL2BAN_BINDIR}/fail2ban-server"
+pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid"
+
+# We force the pidfile/socket location in this service script because
+# we're taking responsibility for ensuring that their parent directory
+# exists and has the correct permissions (which we can't do if the
+# user is allowed to change them).
+command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}"
retry="30"
depend() {
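Review bot: The new comment `# Can't (and shouldn't) be changed by the end-user.` is true only for two reasons the script does not spell out: the assignments on the following lines are unconditional, so they override any FAIL2BAN_RUNDIR/FAIL2BAN_SOCKET a user sets in /etc/conf.d/fail2ban, and `-p ${pidfile} -s ${FAIL2BAN_SOCKET}` is placed after `${FAIL2BAN_OPTIONS}` in command_args, so a user-supplied `-s`/`-p` there loses only if fail2ban-server honours the last occurrence of an option, which is not verified here. I would make both dependencies explicit in the comment, e.g. `# Assigned unconditionally (after conf.d is sourced) so they cannot be overridden, and passed after FAIL2BAN_OPTIONS so they take precedence over any -s/-p the user adds there.` If the intent is to refuse rather than silently win, start_pre could reject FAIL2BAN_OPTIONS containing `-s`, `--socket`, `-p` or `--pidfile`, since the socket is the control channel for a root daemon and its location is what the directory permissions are meant to protect. The unquoted `${FAIL2BAN_OPTIONS}` relies on word splitting and is pre-existing behaviour.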
@@ -35,7 +47,7 @@ depend() {
}
start_pre() {
- checkpath -d "${pidfile%/*}" || return 1
+ checkpath -d "${FAIL2BAN_RUNDIR}" || return 1
}
reload() {
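Review bot: `checkpath -d "${FAIL2BAN_RUNDIR}" || return 1` creates the directory with checkpath's default owner and mode rather than the "correct permissions" the commit message promises, so the policy this script now takes responsibility for is implicit; stating it makes the intent reviewable and survives a change in checkpath defaults: `checkpath -d -m 0755 -o root:root "${FAIL2BAN_RUNDIR}" || return 1`. Note that the directory mode is the only thing the script controls here — the socket file itself is created by fail2ban-server, and anyone who can write to it can drive the server, so a comment such as `# The socket is created by fail2ban-server; this directory's mode is what keeps it reachable only by root.` would record the assumption. checkpath's refusal to follow symlinks in /run is presumably what protects against a pre-planted path, but that is inferred from checkpath's documented behaviour, not shown in this hunk.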
@@ -43,6 +55,6 @@ reload() {
# the server to reload(), so we have to use it here rather
# than e.g. sending a signal to the server daemon.
ebegin "Reloading ${RC_SVCNAME}"
- "${command%/*}/fail2ban-client" ${command_args} reload
+ "${FAIL2BAN_BINDIR}/fail2ban-client" ${command_args} reload
eend $? "Failed to reload ${RC_SVCNAME}"
}