Run service as separate user

- create user cacert-goocsp in postinst script
- use CAP_NET_BIND_SERVICE in systemd unit to allow binding to
  privileged ports
- change config file path to /etc/goocsp/config.yaml
This commit is contained in:
Jan Dittberner 2022-10-11 19:39:03 +02:00
parent 60430c9720
commit f6089bac79
4 changed files with 55 additions and 3 deletions


@ -76,6 +76,8 @@ nfpms:
dst: /usr/share/doc/cacert-goocsp/examples/config-example-openssl-index.yaml dst: /usr/share/doc/cacert-goocsp/examples/config-example-openssl-index.yaml
- src: docs/cacert-goocsp.service - src: docs/cacert-goocsp.service
dst: /lib/systemd/system/cacert-goocsp.service dst: /lib/systemd/system/cacert-goocsp.service
scripts:
postinstall: ./debian/postinst
gitea_urls: gitea_urls:
api: https://code.cacert.org/api/v1/ api: https://code.cacert.org/api/v1/
download: https://code.cacert.org download: https://code.cacert.org


@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased] ## [Unreleased]
### Changed ### Changed
- add changelog to Debian packages - add changelog to Debian packages
- add postinst script to Debian packages and run cacert-goocsp service as a
regular system user
## [0.2.1] - 2022-10-11 ## [0.2.1] - 2022-10-11
### Fixed ### Fixed

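--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,46 @@
+#!/bin/sh
+set -e
+case "$1" in
+configure)
+[ -f "/etc/default/cacert-goocsp" ] && . /etc/default/cacert-goocsp
+[ -z "$GOOCSP_HOME" ] && GOOCSP_HOME=/var/lib/goocsp
+[ -z "$GOOCSP_USER" ] && GOOCSP_USER=cacert-goocsp
+[ -z "$GOOCSP_NAME" ] && GOOCSP_NAME="CAcert OCSP responder"
+[ -z "$GOOCSP_GROUP" ] && GOOCSP_GROUP=cacert-goocsp
+# create user to avoid running cacert-goocsp as root
+# 1. create group if not existing
+if ! getent group | grep -q "^$GOOCSP_GROUP" ; then
+echo -n "Adding group $GOOCSP_GROUP.."
+addgroup --quiet --system $GOOCSP_GROUP 2>/dev/null || true
+echo "..done"
+fi
+# 2. create homedir if not existing
+test -d "$GOOCSP_HOME" || mkdir "$GOOCSP_HOME"
+# 3. create user if not existing
+if ! getent passwd | grep -q "^$GOOCSP_USER"; then
+echo -n "Adding system user $GOOCSP_USER.."
+adduser --quiet \
+--system \
+--ingroup $GOOCSP_GROUP \
+--no-create-home \
+--disabled-password \
+$GOOCSP_USER 2>/dev/null || true
+echo "..done"
+fi
+# 4. adjust passwd entry
+usermod -c "$GOOCSP_NAME" \
+-d $GOOCSP_HOME \
+-g $GOOCSP_GROUP \
+$GOOCSP_USER || true
+# 5. adjust file and directory permissions
+if ! dpkg-statoverride --list $GOOCSP_HOME >/dev/null
+then
+chown -R $GOOCSP_USER:adm $GOOCSP_HOME
+chmod u=rwx,g=rxs,o= $GOOCSP_HOME
+fi
+;;
+esac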
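Review bot: The existence checks `getent group | grep -q "^$GOOCSP_GROUP"` and `getent passwd | grep -q "^$GOOCSP_USER"` are unterminated prefix matches with the variable used as a regex, so any pre-existing account whose name merely starts with the configured value would make the script skip creation; the `|| true` on `adduser` and `usermod` then hides the failure and the later `chown` would abort the install under `set -e`. Query the entry directly instead: `getent group "$GOOCSP_GROUP" >/dev/null 2>&1` and `getent passwd "$GOOCSP_USER" >/dev/null 2>&1`, and quote the expansions passed to `addgroup`, `adduser`, `usermod`, `dpkg-statoverride`, `chown` and `chmod`, since their values may come from /etc/default/cacert-goocsp. The `chown -R $GOOCSP_USER:adm $GOOCSP_HOME` runs on every configure, recursively, over a tree the unprivileged service user writes to; limiting it to the top-level directory, or to the first install only (`$2` empty), keeps a root-run maintainer script from acting on content the service controls. The unit's `StateDirectory=goocsp` also manages /var/lib/goocsp, so the adm group and g=rxs mode set here may be adjusted by systemd on start — worth confirming which of the two is meant to be authoritative.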


@ -3,9 +3,11 @@ Description=CAcert OCSP responder service
After=network.target After=network.target
[Service] [Service]
ExecCondition=/bin/sh -c 'test -f /etc/goocsp-config.yaml' AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/usr/bin/cacert-goocsp -serverAddr ":80" -configFile /etc/goocsp-config.yaml ExecCondition=/bin/sh -c 'test -f /etc/goocsp/config.yaml'
ExecStart=/usr/bin/cacert-goocsp -serverAddr ":80" -configFile /etc/goocsp/config.yaml
StateDirectory=goocsp StateDirectory=goocsp
User=cacert-goocsp
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
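Review bot: `ExecCondition=/bin/sh -c 'test -f /etc/goocsp/config.yaml'` now runs as `cacert-goocsp` but only checks existence, so a config file readable by root alone still passes the condition and the service fails later in ExecStart; `test -r /etc/goocsp/config.yaml` expresses the readability requirement that the new `User=` introduces. `AmbientCapabilities=CAP_NET_BIND_SERVICE` is granted without narrowing the bounding set; adding `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=true` keeps the grant to what binding :80 needs. `StateDirectory=goocsp` and the new postinst both manage /var/lib/goocsp with different group and mode expectations (the service user's group and systemd's default directory mode versus adm and g=rxs), so it is worth confirming which one is intended to win, as systemd may adjust ownership when the unit starts.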