From f6089bac79c0856feb46198ca5f9e3b54df0c9fe Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Tue, 11 Oct 2022 19:39:03 +0200 Subject: [PATCH] Run service as separate user - create user cacert-goocsp in postinst script - use CAP_NET_BIND_SERVICE in systemd unit to allow binding to priviledged ports - change config file path to /etc/goocsp/config.yaml --- .goreleaser.yml | 2 ++ changelog.md | 2 ++ debian/postinst | 46 ++++++++++++++++++++++++++++++++++++++ docs/cacert-goocsp.service | 8 ++++--- 4 files changed, 55 insertions(+), 3 deletions(-) create mode 100755 debian/postinst diff --git a/.goreleaser.yml b/.goreleaser.yml index e5d4f03..511ebfe 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -76,6 +76,8 @@ nfpms: dst: /usr/share/doc/cacert-goocsp/examples/config-example-openssl-index.yaml - src: docs/cacert-goocsp.service dst: /lib/systemd/system/cacert-goocsp.service + scripts: + postinstall: ./debian/postinst gitea_urls: api: https://code.cacert.org/api/v1/ download: https://code.cacert.org diff --git a/changelog.md b/changelog.md index 612387b..a126583 100644 --- a/changelog.md +++ b/changelog.md @@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] ### Changed - add changelog to Debian packages +- add postinst script to Debian packages and run cacert-goocsp service as a + regular system user ## [0.2.1] - 2022-10-11 ### Fixed diff --git a/debian/postinst b/debian/postinst new file mode 100755 index 0000000..98e8572 --- /dev/null +++ b/debian/postinst 
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ configure)
+ [ -f "/etc/default/cacert-goocsp" ] && . /etc/default/cacert-goocsp
+
+ [ -z "$GOOCSP_HOME" ] && GOOCSP_HOME=/var/lib/goocsp
+ [ -z "$GOOCSP_USER" ] && GOOCSP_USER=cacert-goocsp
+ [ -z "$GOOCSP_NAME" ] && GOOCSP_NAME="CAcert OCSP responder"
+ [ -z "$GOOCSP_GROUP" ] && GOOCSP_GROUP=cacert-goocsp
+
+ # create user to avoid running cacert-goocsp as root
+ # 1. create group if not existing
+ if ! getent group | grep -q "^$GOOCSP_GROUP" ; then
+ echo -n "Adding group $GOOCSP_GROUP.."
+ addgroup --quiet --system $GOOCSP_GROUP 2>/dev/null || true
+ echo "..done"
+ fi
+ # 2. create homedir if not existing
+ test -d "$GOOCSP_HOME" || mkdir "$GOOCSP_HOME"
+ # 3. create user if not existing
+ if ! getent passwd | grep -q "^$GOOCSP_USER"; then
+ echo -n "Adding system user $GOOCSP_USER.."
+ adduser --quiet \
+ --system \
+ --ingroup $GOOCSP_GROUP \
+ --no-create-home \
+ --disabled-password \
+ $GOOCSP_USER 2>/dev/null || true
+ echo "..done"
+ fi
+ # 4. adjust passwd entry
+ usermod -c "$GOOCSP_NAME" \
+ -d $GOOCSP_HOME \
+ -g $GOOCSP_GROUP \
+ $GOOCSP_USER || true
+ # 5. adjust file and directory permissions
+ if ! dpkg-statoverride --list $GOOCSP_HOME >/dev/null
+ then
+ chown -R $GOOCSP_USER:adm $GOOCSP_HOME
+ chmod u=rwx,g=rxs,o= $GOOCSP_HOME
+ fi
+ ;;
+esac
diff --git a/docs/cacert-goocsp.service b/docs/cacert-goocsp.service
index 1706f42..0b502d2 100644
--- a/docs/cacert-goocsp.service
+++ b/docs/cacert-goocsp.service
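Review bot: The existence checks `getent group | grep -q "^$GOOCSP_GROUP"` and `getent passwd | grep -q "^$GOOCSP_USER"` in steps 1 and 3 are prefix matches rather than exact ones, so any pre-existing account whose name merely starts with `cacert-goocsp` makes the script skip creation, after which the `usermod` failure is hidden by `|| true` and the later `chown` aborts under `set -e` with an unrelated-looking error. Query the single entry instead: `if ! getent group "$GOOCSP_GROUP" >/dev/null; then` and `if ! getent passwd "$GOOCSP_USER" >/dev/null; then`. Those same values are read from the admin-editable /etc/default/cacert-goocsp and then expanded unquoted in the addgroup, adduser, usermod, dpkg-statoverride, chown and chmod calls; quoting them (`"$GOOCSP_USER"`, `"$GOOCSP_GROUP"`, `"$GOOCSP_HOME"`) keeps a value containing whitespace from splitting into extra arguments. Step 5 chowns the home directory to `$GOOCSP_USER:adm` with setgid while the account's primary group is set to `$GOOCSP_GROUP` and the unit file in this same commit declares `StateDirectory=goocsp` for what is by default the same path, so two mechanisms appear to manage that directory's ownership; if the `adm` group is deliberate, a comment on step 5 saying so and which mechanism is meant to win would save the next maintainer a puzzle.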
@@ -3,9 +3,11 @@ Description=CAcert OCSP responder service After=network.target [Service] -ExecCondition=/bin/sh -c 'test -f /etc/goocsp-config.yaml' -ExecStart=/usr/bin/cacert-goocsp -serverAddr ":80" -configFile /etc/goocsp-config.yaml +AmbientCapabilities=CAP_NET_BIND_SERVICE +ExecCondition=/bin/sh -c 'test -f /etc/goocsp/config.yaml' +ExecStart=/usr/bin/cacert-goocsp -serverAddr ":80" -configFile /etc/goocsp/config.yaml StateDirectory=goocsp +User=cacert-goocsp [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target
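Review bot: With the service now running as `cacert-goocsp`, the new `ExecCondition` still only checks that /etc/goocsp/config.yaml exists, not that the unprivileged user can read it, and nothing in this commit creates that file or sets its permissions, so an unreadable config surfaces as a failed start rather than a skipped one. As far as I can tell ExecCondition runs in the same execution environment as ExecStart (including `User=`), so `ExecCondition=/bin/sh -c 'test -r /etc/goocsp/config.yaml'` would give the clearer signal. The ambient capability is granted on its own; pairing it with `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=true` limits the process to the single capability the `:80` binding needs. A comment above `User=` noting that the account is created by debian/postinst would help anyone installing the unit outside the package.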