From ef5bf8b122363d61ae4e258469421ad443c3d636 Mon Sep 17 00:00:00 2001
From: Keenan Brock
Date: Wed, 28 Jul 2021 18:07:29 -0400
Subject: [PATCH] add prod dirs These directories are created in the core repo The rpm is making them writeable by user manageiq so the app will run fine as a non-root user add prod dirs These directories are created in the core repo (via .gitkeep) no need to create them here. The rpm is making them writeable by user manageiq so the app will run fine as a non-root user No longer locking down the files that are in these directories because the directories are not accessible by other, therefore files are not either.
---
rpm_spec/manageiq.spec.in | 6 ++----
rpm_spec/subpackages/manageiq-core | 3 +++
rpm_spec/subpackages/manageiq-ui | 8 +++++++-
3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/rpm_spec/manageiq.spec.in b/rpm_spec/manageiq.spec.in
index 55a52831..ebe9d9ad 100644
--- a/rpm_spec/manageiq.spec.in
+++ b/rpm_spec/manageiq.spec.in
@@ -69,11 +69,9 @@ cd %{_builddir}
 %{__mkdir} -p %{buildroot}/etc/httpd/conf.d
 %{__mkdir} -p %{buildroot}%{app_root}/log/apache
 %{__mkdir} -p %{buildroot}%{app_root}/tmp/{,sockets,pids}
-%{__mkdir} -p %{buildroot}%{app_root}/{certs,config}
-%{__mkdir} -p %{buildroot}%{app_root}/public/pictures
-%{__chmod} 4750 %{buildroot}%{app_root}/{log,config,certs}
+%{__chmod} 6750 %{buildroot}%{app_root}/{log,config,certs}
+%{__chmod} 6750 %{buildroot}%{app_root}/data/git_repos
 %{__chmod} 700 %{buildroot}%{app_root}/tmp/{,pids,sockets}
-%{__chmod} 755 %{buildroot}%{app_root}/public/pictures
 ### from gemset
 %{__mkdir} -p %{buildroot}%{gemset_root}
diff --git a/rpm_spec/subpackages/manageiq-core b/rpm_spec/subpackages/manageiq-core
index 25653f88..64ac5c49 100644
--- a/rpm_spec/subpackages/manageiq-core
+++ b/rpm_spec/subpackages/manageiq-core
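Review bot: In rpm_spec/manageiq.spec.in the two added `%{__chmod} 6750` lines carry the setuid bit over from the old `4750`, and on Linux that bit has no effect on a directory; only the newly added setgid bit changes behaviour, by making files created there inherit the directory's group. `%{__chmod} 2750 %{buildroot}%{app_root}/{log,config,certs}` (and the same for `data/git_repos`) would say what is meant. A comment above them such as `# setgid: new files keep group manageiq; no access for other` would also record the assumption in the commit message that the files no longer need their own lockdown. The %install section starts and ends outside the hunk.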
@@ -41,6 +41,7 @@ done
 # so root and manageiq users can read them.
 %{__chown} manageiq.manageiq %{app_root}/certs/v2_key %{app_root}/log/*.log
 %{__chown} manageiq.manageiq %{app_root}/tmp/pids/*.pid %{app_root}/config/*.yml
+%{__chown} -r manageiq.manageiq %{app_root}/data/git_repos/*
 %{__chmod} o-rw %{app_root}/certs/v2_key
 %{__chmod} o-rw %{app_root}/config/*.yml %{app_root}/tmp/pids/*.pid
 %{__chmod} o-rw %{app_root}/log/*.log
@@ -53,8 +54,10 @@ done
 %attr(-,manageiq,manageiq) %{app_root}/config
 %attr(-,manageiq,manageiq) %{app_root}/log
 %attr(-,manageiq,manageiq) %{app_root}/tmp
+%attr(-,manageiq,manageiq) %{app_root}/data/git_repos
 %exclude %{app_root}/public/pictures
 %exclude %{app_root}/public/assets
 %exclude %{app_root}/public/packs
 %exclude %{app_root}/public/ui
+%exclude %{app_root}/public/upload
 %exclude %{app_root}/log/apache
diff --git a/rpm_spec/subpackages/manageiq-ui b/rpm_spec/subpackages/manageiq-ui
index c99014b5..dc17ab1e 100644
--- a/rpm_spec/subpackages/manageiq-ui
+++ b/rpm_spec/subpackages/manageiq-ui
@@ -7,10 +7,16 @@ Requires: mod_ssl
 %description ui
 %{product_summary} UI
+%post ui
+# These files are not owned by the rpm.
+# For upgrades, ensure they have the correct group privs
+# so root and manageiq users can read them.
+%{__chown} manageiq.manageiq %{app_root}/public/{pictures,upload}/*
+
 %files ui
 %defattr(-,root,root,-)
 %attr(-,manageiq,manageiq) %{app_root}/public/pictures
-%{app_root}/public/pictures
+%attr(-,manageiq,manageiq) %{app_root}/public/upload
 %{app_root}/public/assets
 %{app_root}/public/packs
 %{app_root}/public/ui
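Review bot: In the first manageiq-core hunk the added `%{__chown} -r` uses a flag chown does not accept; the recursive option is uppercase, so as written the command reports an invalid option and changes nothing under `data/git_repos`. Repositories left by an earlier install would then keep their previous owner, and the non-root application could not write to them, which is the upgrade case this line exists for. The line should read `%{__chown} -R manageiq.manageiq %{app_root}/data/git_repos/*`. The scriptlet begins above the hunk, so whether a failing command aborts it or is only logged cannot be seen from here.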
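Review bot: The new `%post ui` scriptlet in rpm_spec/subpackages/manageiq-ui runs a non-recursive `chown` as root over `public/{pictures,upload}/*`, and without `-h` chown follows symbolic links, while the `%files` lines in the same hunk give both directories to the manageiq account. Any symlink present in those directories at upgrade time would have its target re-owned to manageiq, so ownership could change on files outside the application tree. `%{__chown} -h manageiq.manageiq %{app_root}/public/{pictures,upload}/*` keeps the change on the directory entries themselves. The comment copied above the command speaks of group privileges and read access, although the command changes owner and group; `# Uploaded files are not owned by the rpm; on upgrade, hand them to manageiq` would match what it does.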