From: David Turner <dturner@rsglab.com>
Date: Tue, 10 Nov 2020 19:31:35 +0000 (-0500)
Subject: rpm,deb: change sudoers file mode to 440
X-Git-Tag: v14.2.17~69^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=53a4e0f3183997fb9d64ebf03c5811afb48c7c68;p=ceph.git

rpm,deb: change sudoers file mode to 440

change sudoers file mode to 440 to match recommended defaults.

From the sudoers man page.

> the default file mode is 0440 (read‐able by owner and group, writable
by none).
> The default mode may be changed via the “sudoers_mode” option to the
sudoers
>  Plugin line in the sudo.conf(5) file.

Fixes: https://tracker.ceph.com/issues/48169
Signed-off-by: David Turner <drakonstein@gmail.com>
(cherry picked from commit 1de14c7f9bcaf94152c62b50c37f4a44b6445f58)

Conflicts:
	debian/rules
- ignored extra lines introduced post-nautilus
---

diff --git a/ceph.spec.in b/ceph.spec.in
index 8fcb7488f68c..87e1a3e6cb4a 100644
--- a/ceph.spec.in
+++ b/ceph.spec.in
@@ -1297,7 +1297,7 @@ ln -sf %{_sbindir}/mount.ceph %{buildroot}/sbin/mount.ceph
 install -m 0644 -D udev/50-rbd.rules %{buildroot}%{_udevrulesdir}/50-rbd.rules
 
 # sudoers.d
-install -m 0600 -D sudoers.d/ceph-osd-smartctl %{buildroot}%{_sysconfdir}/sudoers.d/ceph-osd-smartctl
+install -m 0440 -D sudoers.d/ceph-osd-smartctl %{buildroot}%{_sysconfdir}/sudoers.d/ceph-osd-smartctl
 
 %if 0%{?rhel} >= 8
 pathfix.py -pni "%{__python3} %{py3_shbang_opts}" %{buildroot}%{_bindir}/*
diff --git a/debian/rules b/debian/rules
index 8579f42613f3..70355c9870b1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -54,7 +54,7 @@ override_dh_auto_install:
 	install -D -m 644 udev/50-rbd.rules $(DESTDIR)/lib/udev/rules.d/50-rbd.rules
 	install -D -m 644 src/etc-rbdmap $(DESTDIR)/etc/ceph/rbdmap
 	install -D -m 644 etc/sysctl/90-ceph-osd.conf $(DESTDIR)/etc/sysctl.d/30-ceph-osd.conf
-	install -D -m 600 sudoers.d/ceph-osd-smartctl $(DESTDIR)/etc/sudoers.d/ceph-osd-smartctl
+	install -D -m 440 sudoers.d/ceph-osd-smartctl $(DESTDIR)/etc/sudoers.d/ceph-osd-smartctl
 
 # doc/changelog is a directory, which confuses dh_installchangelogs
 override_dh_installchangelogs: