Run service as separate user
- create user cacert-goocsp in postinst script - use CAP_NET_BIND_SERVICE in systemd unit to allow binding to privileged ports - change config file path to /etc/goocsp/config.yaml
This commit is contained in:
parent
60430c9720
commit
f6089bac79
4 changed files with 55 additions and 3 deletions
|
@ -76,6 +76,8 @@ nfpms:
|
|||
dst: /usr/share/doc/cacert-goocsp/examples/config-example-openssl-index.yaml
|
||||
- src: docs/cacert-goocsp.service
|
||||
dst: /lib/systemd/system/cacert-goocsp.service
|
||||
scripts:
|
||||
postinstall: ./debian/postinst
|
||||
gitea_urls:
|
||||
api: https://code.cacert.org/api/v1/
|
||||
download: https://code.cacert.org
|
||||
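Review bot: The new `scripts: postinstall: ./debian/postinst` entry is registered at the `nfpms` level, so it runs for every package format this block produces, yet the script relies on `addgroup`, `adduser` and `dpkg-statoverride`, which are Debian-specific tools; if this nfpms entry also builds rpm or apk packages (not visible in the hunk) the hook will fail there. Only a postinstall is wired up: there is no `preremove` that stops and disables `cacert-goocsp.service` before the unit file at `/lib/systemd/system/cacert-goocsp.service` is deleted, and no `postremove` for purge-time cleanup, so removing the package may leave the responder running from a unit that no longer exists on disk. Consider adding `preremove: ./debian/prerm` (running `systemctl stop`/`systemctl disable`, guarded by a check that `systemctl` exists) next to the postinstall, or limiting the hook to the deb format.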
@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|||
## [Unreleased]
|
||||
### Changed
|
||||
- add changelog to Debian packages
|
||||
- add postinst script to Debian packages and run cacert-goocsp service as a
|
||||
regular system user
|
||||
|
||||
## [0.2.1] - 2022-10-11
|
||||
### Fixed
|
||||
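--- a/debian/postinst
+++ b/debian/postinst
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+configure)
+[ -f "/etc/default/cacert-goocsp" ] && . /etc/default/cacert-goocsp
+
+[ -z "$GOOCSP_HOME" ] && GOOCSP_HOME=/var/lib/goocsp
+[ -z "$GOOCSP_USER" ] && GOOCSP_USER=cacert-goocsp
+[ -z "$GOOCSP_NAME" ] && GOOCSP_NAME="CAcert OCSP responder"
+[ -z "$GOOCSP_GROUP" ] && GOOCSP_GROUP=cacert-goocsp
+
+# create user to avoid running cacert-goocsp as root
+# 1. create group if not existing
+if ! getent group | grep -q "^$GOOCSP_GROUP" ; then
+echo -n "Adding group $GOOCSP_GROUP.."
+addgroup --quiet --system $GOOCSP_GROUP 2>/dev/null || true
+echo "..done"
+fi
+# 2. create homedir if not existing
+test -d "$GOOCSP_HOME" || mkdir "$GOOCSP_HOME"
+# 3. create user if not existing
+if ! getent passwd | grep -q "^$GOOCSP_USER"; then
+echo -n "Adding system user $GOOCSP_USER.."
+adduser --quiet \
+--system \
+--ingroup $GOOCSP_GROUP \
+--no-create-home \
+--disabled-password \
+$GOOCSP_USER 2>/dev/null || true
+echo "..done"
+fi
+# 4. adjust passwd entry
+usermod -c "$GOOCSP_NAME" \
+-d $GOOCSP_HOME \
+-g $GOOCSP_GROUP \
+$GOOCSP_USER || true
+# 5. adjust file and directory permissions
+if ! dpkg-statoverride --list $GOOCSP_HOME >/dev/null
+then
+chown -R $GOOCSP_USER:adm $GOOCSP_HOME
+chmod u=rwx,g=rxs,o= $GOOCSP_HOME
+fi
+;;
+esac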
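Review bot: The existence checks `getent group | grep -q "^$GOOCSP_GROUP"` and `getent passwd | grep -q "^$GOOCSP_USER"` are unanchored prefix matches, so any pre-existing group or account whose name merely starts with `cacert-goocsp` makes the script skip creation, after which the `usermod` step targets an account that may not exist and its failure is hidden by `|| true`. Query the entry directly instead: `if ! getent group "$GOOCSP_GROUP" >/dev/null 2>&1; then` and `if ! getent passwd "$GOOCSP_USER" >/dev/null 2>&1; then`. The unit added in this same commit sets `StateDirectory=goocsp`, and systemd manages that directory's ownership and mode itself, which may undo the `chown -R $GOOCSP_USER:adm` and `chmod u=rwx,g=rxs,o=` applied here on the next service start — worth confirming which side is meant to be authoritative for `/var/lib/goocsp`. The expansions passed to `addgroup`, `adduser`, `usermod`, `dpkg-statoverride`, `chown` and `chmod` are unquoted; quoting them (`"$GOOCSP_USER"`, `"$GOOCSP_HOME"`) matches the quoting already used on the `test -d` and `-c` arguments.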
@ -3,9 +3,11 @@ Description=CAcert OCSP responder service
|
|||
After=network.target
|
||||
|
||||
[Service]
|
||||
ExecCondition=/bin/sh -c 'test -f /etc/goocsp-config.yaml'
|
||||
ExecStart=/usr/bin/cacert-goocsp -serverAddr ":80" -configFile /etc/goocsp-config.yaml
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
ExecCondition=/bin/sh -c 'test -f /etc/goocsp/config.yaml'
|
||||
ExecStart=/usr/bin/cacert-goocsp -serverAddr ":80" -configFile /etc/goocsp/config.yaml
|
||||
StateDirectory=goocsp
|
||||
User=cacert-goocsp
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
WantedBy=multi-user.target
|
||||
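Review bot: The `[Service]` section grants `AmbientCapabilities=CAP_NET_BIND_SERVICE` and drops to `User=cacert-goocsp`, but nothing else constrains the process, so the capability bounding set, the ability to gain privileges via setuid binaries, and the writable filesystem view all stay at systemd's defaults. For a network-facing OCSP responder that now runs unprivileged, pairing the ambient capability with `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`, `NoNewPrivileges=yes` and the filesystem directives below makes the privilege reduction this commit aims for much harder to undo from inside the process; `StateDirectory=goocsp` should keep `/var/lib/goocsp` writable under `ProtectSystem=strict`, and `/etc/goocsp/config.yaml` is only read, so the existing `ExecCondition`/`ExecStart` lines need no change. The `WantedBy=multi-user.target` line appearing twice in `[Install]` is presumably a trailing-newline change rather than a real duplicate — verify that the installed unit contains it once.
```ini
[Service]
# … unchanged: ExecCondition, ExecStart, StateDirectory, User …
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
```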