From 0ac0675deaff79db48aaa2a4f29fc9a3882852b2 Mon Sep 17 00:00:00 2001
From: Sam & Claude
Date: Mon, 15 Jun 2026 18:01:19 +0200
Subject: [PATCH] fix(iso): harden colibri rc.conf host + service dir perms (Sam & Hermes/Claude)

Two minor polish items from the rc.d/release-gate audit:

- build.sh wrote `colibri_daemon_host="$(hostname)"` to rc.conf with a bare command; use `$(/bin/hostname)` to match the rc.d default and rc.conf.sample, avoiding a PATH-dependent lookup at early boot.

- The colibri service dirs (/var/db, /var/run, /var/log/colibri) shipped at 0755; the rc.d prestart creates them 0750. Ship 0750 so the image doesn't start world-readable before first boot corrects it.

Checks: sh -n build.sh.

Co-Authored-By: Claude Opus 4.8
---
 build.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/build.sh b/build.sh
index 66213a50..e1d4cd31 100755
--- a/build.sh
+++ b/build.sh
@@ -883,7 +883,10 @@ install_colibri_service() {
 /var/db/colibri \
 /var/run/colibri \
 /var/log/colibri
-chmod 0755 \
+# 0750 matches the rc.d prestart (install -d -m 0750); the daemon dirs hold
+# the SQLite DB and logs and should not be world-readable. The operator
+# reaches them via the colibri group, not "other".
+chmod 0750 \
 "${MOUNT_POINT}/var/db/colibri" \
 "${MOUNT_POINT}/var/run/colibri" \
 "${MOUNT_POINT}/var/log/colibri"
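Review bot: `chmod 0750` narrows the mode bits, but nothing in this hunk sets the owner or group of the three directories, so unless install_colibri_service does that elsewhere (the function starts and ends outside the hunk, and the command whose path arguments open the hunk begins above it) they keep the build user's ownership — typically root:wheel — and 0750 then also denies the daemon's own user access to its DB and log dirs until the rc.d prestart recreates them. The added comment says the operator "reaches them via the colibri group", which only holds if a chown/chgrp to that group exists, so that assumption should be visible next to the chmod. If the ownership step exists, tie the two together with a line such as `# owner/group assigned above; 0750 relies on the colibri group, not "other"`; if it does not, mirror the prestart fully with one call, e.g. `install -d -m 0750 -o <daemon-user> -g colibri "${MOUNT_POINT}/var/db/colibri" "${MOUNT_POINT}/var/run/colibri" "${MOUNT_POINT}/var/log/colibri"`, where <daemon-user> is whatever account the rc.d script runs the daemon as. Either way the image then carries the intended perms from first boot rather than relying on prestart to correct them.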
@@ -902,7 +905,7 @@ install_colibri_service() {
 set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_db_path="/var/db/colibri/colibri.sqlite"'
 set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_logfile="/var/log/colibri/daemon.log"'
 set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_provider_env="/usr/local/etc/colibri/provider.env"'
-set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_host="$(hostname)"'
+set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_host="$(/bin/hostname)"'
 set_config_line "${MOUNT_POINT}/etc/rc.conf" "colibri_daemon_cost_mode=\"${COLIBRI_COST_MODE:-smart}\""
 if [ ! -x "${MOUNT_POINT}/usr/local/bin/colibri-daemon" ] || \
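Review bot: The quoting on the changed line is what makes it work and nothing says so: the single quotes make set_config_line write `$(/bin/hostname)` verbatim, and rc.conf is later sourced as a root shell fragment, so that substitution executes at boot inside every load_rc_config rather than at image build time. A comment above the line would stop a later edit from "fixing" the quotes or reverting to a PATH lookup: `# Written verbatim (single-quoted): rc.conf is sourced as root at boot, so keep this an absolute path to a base-system binary.` One side effect worth confirming rather than assuming: if rc.conf is also sourced before rc.d/hostname has run, the substitution yields whatever hostname is set at that moment, which looks harmless here because only the colibri rc.d script appears to read this variable — verify against the rc.d script. The enclosing install_colibri_service continues past the end of the hunk.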