From e6a9f109c5349041987e64909917256e9c6e4229 Mon Sep 17 00:00:00 2001
From: Michael Orlitzky
Date: Sun, 15 Jul 2018 14:22:35 -0400
Subject: files/fail2ban-openrc.init: force the socket location in the service script.

The socket location needs to be set in the service script for the same reason that the PID file location does: because the service script is taking responsibility for ensuring that its parent directory exists and has the correct permissions. We can't do that if the end user is allowed to move the PID file or socket somewhere else (without parsing the config file, which has other security implications).
---
 files/fail2ban-openrc.init | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
(limited to 'files')

diff --git a/files/fail2ban-openrc.init b/files/fail2ban-openrc.init
index 21e251db..8473da26 100755
--- a/files/fail2ban-openrc.init
+++ b/files/fail2ban-openrc.init
@@ -22,11 +22,23 @@
 description="Ban hosts that cause multiple authentication errors"
 description_reload="reload configuration"
 extra_started_commands="reload"
+# Can't (and shouldn't) be changed by the end-user.
+FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}"
+FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock"
+
+# This should be replaced by the build system, eventually.
+FAIL2BAN_BINDIR="/usr/bin"
+
 # The fail2ban-client program is also capable of starting and stopping
 # the server, but things are simpler if we let start-stop-daemon do it.
-command="/usr/bin/fail2ban-server"
-pidfile="/run/${RC_SVCNAME}/${RC_SVCNAME}.pid"
-command_args="${FAIL2BAN_OPTIONS} -p ${pidfile}"
+command="${FAIL2BAN_BINDIR}/fail2ban-server"
+pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid"
+
+# We force the pidfile/socket location in this service script because
+# we're taking responsibility for ensuring that their parent directory
+# exists and has the correct permissions (which we can't do if the
+# user is allowed to change them).
+command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}"
 retry="30"
 
 depend() {
@@ -35,7 +47,7 @@ depend() {
 }
 
 start_pre() {
- checkpath -d "${pidfile%/*}" || return 1
+ checkpath -d "${FAIL2BAN_RUNDIR}" || return 1
 }
 
 reload() {
@@ -43,6 +55,6 @@ reload() {
 # the server to reload(), so we have to use it here rather
 # than e.g. sending a signal to the server daemon.
 ebegin "Reloading ${RC_SVCNAME}"
- "${command%/*}/fail2ban-client" ${command_args} reload
+ "${FAIL2BAN_BINDIR}/fail2ban-client" ${command_args} reload
 eend $? "Failed to reload ${RC_SVCNAME}"
 }
-- 
cgit v1.2.1
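Review bot: The new `command_args` line only forces the socket and pidfile if fail2ban-server honours the last occurrence of a repeated option, because a `-s` or `-p` placed in `FAIL2BAN_OPTIONS` from conf.d is expanded first; the comment above it should state that ordering dependency, e.g. `# FAIL2BAN_OPTIONS must stay first so that the -p/-s below take precedence.` The forced `-s` presumably also overrides the `socket =` setting in fail2ban.conf, but a fail2ban-client run by hand without `-s` would, as far as I can tell, still read its socket path from that file and so may fail to reach a server started by this script; the same comment should tell admins to keep fail2ban.conf consistent with `${FAIL2BAN_SOCKET}` or to pass `-s` themselves. The `reload()` hunk is covered since it reuses `${command_args}`. This hunk is top-level script, not inside a function.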
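Review bot: `start_pre` now takes responsibility for the permissions of `${FAIL2BAN_RUNDIR}`, but `checkpath -d` is called without `-m` or `-o`, so the mode and owner are whatever checkpath defaults to rather than what the script intends, and a pre-existing directory left with looser permissions would be accepted as-is. Since this directory will hold the server's control socket, it must not be writable by other users; make the contract explicit with `checkpath -d -m 0755 -o root:root "${FAIL2BAN_RUNDIR}" || return 1`, which also corrects a wrongly-permissioned directory on every start. `start_pre` is fully visible in its hunk.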