Run service as separate user

- create user cacert-goocsp in postinst script
- use CAP_NET_BIND_SERVICE in systemd unit to allow binding to
  priviledged ports
- change config file path to /etc/goocsp/config.yaml

.goreleaser.yml

@@ -76,6 +76,8 @@ nfpms:
         dst: /usr/share/doc/cacert-goocsp/examples/config-example-openssl-index.yaml
       - src: docs/cacert-goocsp.service
         dst: /lib/systemd/system/cacert-goocsp.service
+    scripts:
+      postinstall: ./debian/postinst
 gitea_urls:
   api: https://code.cacert.org/api/v1/
   download: https://code.cacert.org

changelog.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Changed
 - add changelog to Debian packages
+- add postinst script to Debian packages and run cacert-goocsp service as a
+  regular system user
 
 ## [0.2.1] - 2022-10-11
 ### Fixed

debian/postinst

@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+  configure)
+    [ -f "/etc/default/cacert-goocsp" ] && . /etc/default/cacert-goocsp
+
+    [ -z "$GOOCSP_HOME" ] && GOOCSP_HOME=/var/lib/goocsp
+    [ -z "$GOOCSP_USER" ] && GOOCSP_USER=cacert-goocsp
+    [ -z "$GOOCSP_NAME" ] && GOOCSP_NAME="CAcert OCSP responder"
+    [ -z "$GOOCSP_GROUP" ] && GOOCSP_GROUP=cacert-goocsp
+
+    # create user to avoid running cacert-goocsp as root
+    # 1. create group if not existing
+    if ! getent group | grep -q "^$GOOCSP_GROUP" ; then
+      echo -n "Adding group $GOOCSP_GROUP.."
+      addgroup --quiet --system $GOOCSP_GROUP 2>/dev/null || true
+      echo "..done"
+    fi
+    # 2. create homedir if not existing
+    test -d "$GOOCSP_HOME" || mkdir "$GOOCSP_HOME"
+    # 3. create user if not existing
+    if ! getent passwd | grep -q "^$GOOCSP_USER"; then
+      echo -n "Adding system user $GOOCSP_USER.."
+      adduser --quiet \
+              --system \
+              --ingroup $GOOCSP_GROUP \
+              --no-create-home \
+              --disabled-password \
+              $GOOCSP_USER 2>/dev/null || true
+      echo "..done"
+    fi
+    # 4. adjust passwd entry
+    usermod -c "$GOOCSP_NAME" \
+            -d $GOOCSP_HOME \
+            -g $GOOCSP_GROUP \
+               $GOOCSP_USER || true
+    # 5. adjust file and directory permissions
+    if ! dpkg-statoverride --list $GOOCSP_HOME >/dev/null
+    then
+      chown -R $GOOCSP_USER:adm $GOOCSP_HOME
+      chmod u=rwx,g=rxs,o= $GOOCSP_HOME
+    fi
+    ;;
+esac

docs/cacert-goocsp.service

@@ -3,9 +3,11 @@ Description=CAcert OCSP responder service
 After=network.target
 
 [Service]
-ExecCondition=/bin/sh -c 'test -f /etc/goocsp-config.yaml'
-ExecStart=/usr/bin/cacert-goocsp -serverAddr ":80" -configFile /etc/goocsp-config.yaml
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+ExecCondition=/bin/sh -c 'test -f /etc/goocsp/config.yaml'
+ExecStart=/usr/bin/cacert-goocsp -serverAddr ":80" -configFile /etc/goocsp/config.yaml
 StateDirectory=goocsp
+User=cacert-goocsp
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target