goocsp/debian/postinst
Jan Dittberner f6089bac79 Run service as separate user
- create user cacert-goocsp in postinst script
- use CAP_NET_BIND_SERVICE in systemd unit to allow binding to
  privileged ports
- change config file path to /etc/goocsp/config.yaml
2022-10-11 19:39:03 +02:00


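#!/bin/sh
# Debian postinst for cacert-goocsp.
#
# On "configure" it makes sure the unprivileged service account, its
# group and its state directory exist, so the daemon never has to run as
# root. Site overrides are read from /etc/default/cacert-goocsp:
#   GOOCSP_HOME   state directory          (default /var/lib/goocsp)
#   GOOCSP_USER   service account          (default cacert-goocsp)
#   GOOCSP_GROUP  service group            (default cacert-goocsp)
#   GOOCSP_NAME   GECOS comment for the account
#
# Exits non-zero (via set -e) if a required step fails; dpkg then
# reports the package as half-configured.
set -e

case "$1" in
configure)
    if [ -f /etc/default/cacert-goocsp ]; then
        . /etc/default/cacert-goocsp
    fi
    # ${VAR:=default} only fills in values the defaults file left
    # unset or empty.
    : "${GOOCSP_HOME:=/var/lib/goocsp}"
    : "${GOOCSP_USER:=cacert-goocsp}"
    : "${GOOCSP_NAME:=CAcert OCSP responder}"
    : "${GOOCSP_GROUP:=cacert-goocsp}"

    # 1. create group if not existing.
    #    Look the name up directly: grepping "getent group" for
    #    "^$GOOCSP_GROUP" would also match any group whose name merely
    #    starts with that string and then skip creation.
    if ! getent group "$GOOCSP_GROUP" >/dev/null; then
        printf 'Adding group %s..' "$GOOCSP_GROUP"
        # best effort: a missing group shows up as a hard error in
        # step 3/5 anyway, so do not mask the diagnostics with 2>/dev/null
        addgroup --quiet --system "$GOOCSP_GROUP" || true
        printf '..done\n'
    fi

    # 2. create the state directory if not existing; ownership and mode
    #    are set in step 5.
    [ -d "$GOOCSP_HOME" ] || mkdir "$GOOCSP_HOME"

    # 3. create user if not existing (same exact lookup as for the group)
    if ! getent passwd "$GOOCSP_USER" >/dev/null; then
        printf 'Adding system user %s..' "$GOOCSP_USER"
        adduser --quiet --system \
            --ingroup "$GOOCSP_GROUP" \
            --no-create-home \
            --disabled-password \
            "$GOOCSP_USER" || true
        printf '..done\n'
    fi

    # 4. keep the passwd entry in sync with the configured values
    #    (comment, home, primary group) on upgrades as well.
    usermod -c "$GOOCSP_NAME" \
        -d "$GOOCSP_HOME" \
        -g "$GOOCSP_GROUP" \
        "$GOOCSP_USER" || true

    # 5. ownership and permissions, unless the admin pinned them with
    #    dpkg-statoverride. The recursive chown re-owns whatever is
    #    already in $GOOCSP_HOME (needed once, when upgrading from a
    #    version that ran as root); the setgid bit keeps new files in
    #    the service group.
    if ! dpkg-statoverride --list "$GOOCSP_HOME" >/dev/null; then
        chown -R "$GOOCSP_USER:adm" "$GOOCSP_HOME"
        chmod u=rwx,g=rxs,o= "$GOOCSP_HOME"
    fi
    ;;
esac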