authorMichael Orlitzky <mjo@gentoo.org>2017-08-16 01:15:21 -0400
committerMichael Orlitzky <mjo@gentoo.org>2017-08-16 01:15:21 -0400
commit5b41b4fb3fc10a2b4046fb2c8c97d9b824505f20 (patch)
tree5faa235c2925a14c716d51ce1d57b67da9fd87e1 /dev-db/pgagent/files
parentapp-forensics/sleuthkit: add github remote (diff)
dev-db/pgagent: new revision with a dedicated "pgagent" user.
The pgagent daemon used to run as root, which can be dangerous. That system user is used to execute the database jobs, meaning that a non-root user with permission to schedule pgagent jobs could gain root. This new revision creates a dedicated "pgagent" system user, and the new init script launches the daemon as that user. An ewarn lets users know that some migration work may be needed. Gentoo-Bug: 537264 Package-Manager: Portage-2.3.6, Repoman-2.3.1
Diffstat (limited to 'dev-db/pgagent/files')
-rw-r--r--dev-db/pgagent/files/pgagent.initd-r131
1 files changed, 31 insertions, 0 deletions
diff --git a/dev-db/pgagent/files/pgagent.initd-r1 b/dev-db/pgagent/files/pgagent.initd-r1
new file mode 100644
index 000000000000..a555006d3bd2
--- /dev/null
+++ b/dev-db/pgagent/files/pgagent.initd-r1
@@ -0,0 +1,31 @@
+#!/sbin/openrc-run
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+command="/usr/bin/pgagent"
+command_user="pgagent"
+
+# If pgagent daemonizes itself, it won't write a PID file and
+# we have to work a little harder to stop() it. So let it run
+# in the foreground, and have OpenRC manage its PID file.
+command_args="-f
+ -t ${PGA_POLL}
+ -r ${PGA_RETRY}
+ -s ${PGA_LOG}
+ -l ${PGA_LEVEL}
+ hostaddr=${PG_HOST}
+ dbname=${PG_DBNAME}
+ user=${PG_USER}"
+
+command_background="true"
+pidfile="/run/pgagent.pid"
+
+depend() {
+ use net
+ need postgresql
+}
+
+start_pre() {
+ # The log file needs to be writable by the daemon user.
+ checkpath --file --owner root:pgagent --mode 0660 "${PGA_LOG}"
+}
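Review bot: In `start_pre()`, `checkpath` runs as root on whatever `${PGA_LOG}` contains, and nothing in the script checks that the variable is set or where it points. If it is empty, `checkpath` receives an empty path and the `-s ${PGA_LOG}` pair in `command_args` collapses, so `-l` would likely be taken as the log file name. A guard before the `checkpath` line, such as `[ -n "${PGA_LOG}" ] || { eerror "PGA_LOG is not set"; return 1; }`, would fail early with a clear message. Because the ownership and mode change is made with root privileges, the log path should also sit in a directory the unprivileged `pgagent` user cannot write to. A comment such as `# PGA_LOG must live in a root-owned directory; checkpath runs as root.` would record that for whoever edits the configuration, whose defaults are not visible in this diff.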