Jan Dittberner
f6089bac79
- create user cacert-goocsp in postinst script - use CAP_NET_BIND_SERVICE in systemd unit to allow binding to privileged ports - change config file path to /etc/goocsp/config.yaml
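#!/bin/sh
# postinst for cacert-goocsp: create the unprivileged service account and its
# state directory so the OCSP responder never has to run as root.
#
# Defaults may be overridden in /etc/default/cacert-goocsp:
#   GOOCSP_HOME  - state directory (default /var/lib/goocsp)
#   GOOCSP_USER  - service account (default cacert-goocsp)
#   GOOCSP_GROUP - primary group of the service account (default cacert-goocsp)
#   GOOCSP_NAME  - GECOS comment for the account

set -e

case "$1" in
  configure)
    # Source the admin-editable defaults file if present.
    if [ -f /etc/default/cacert-goocsp ]; then
      . /etc/default/cacert-goocsp
    fi

    # Fill in anything the defaults file left unset or empty.
    : "${GOOCSP_HOME:=/var/lib/goocsp}"
    : "${GOOCSP_USER:=cacert-goocsp}"
    : "${GOOCSP_NAME:=CAcert OCSP responder}"
    : "${GOOCSP_GROUP:=cacert-goocsp}"

    # create user to avoid running cacert-goocsp as root
    # 1. create group if not existing.  getent with a key does an exact
    #    lookup; the earlier "getent group | grep -q ^NAME" also matched any
    #    group whose name merely started with $GOOCSP_GROUP, so the group
    #    could silently never be created.
    if ! getent group "$GOOCSP_GROUP" >/dev/null 2>&1; then
      printf 'Adding group %s..' "$GOOCSP_GROUP"
      addgroup --quiet --system "$GOOCSP_GROUP"
      printf '..done\n'
    fi

    # 2. create homedir if not existing (ownership and mode are set in step 5)
    [ -d "$GOOCSP_HOME" ] || mkdir "$GOOCSP_HOME"

    # 3. create user if not existing.  Creation failures are no longer masked
    #    with "2>/dev/null || true": a missing account would otherwise only
    #    surface later as an obscure chown error, with the real cause hidden.
    if ! getent passwd "$GOOCSP_USER" >/dev/null 2>&1; then
      printf 'Adding system user %s..' "$GOOCSP_USER"
      adduser --quiet \
        --system \
        --ingroup "$GOOCSP_GROUP" \
        --no-create-home \
        --disabled-password \
        "$GOOCSP_USER"
      printf '..done\n'
    fi

    # 4. adjust passwd entry (best effort: the account may pre-exist with
    #    settings the administrator chose deliberately)
    usermod -c "$GOOCSP_NAME" \
      -d "$GOOCSP_HOME" \
      -g "$GOOCSP_GROUP" \
      "$GOOCSP_USER" || true

    # 5. adjust file and directory permissions unless the administrator has
    #    registered an override with dpkg-statoverride.
    # NOTE(review): the directory group is "adm" rather than $GOOCSP_GROUP,
    # and the setgid bit (g=rxs) makes new files inherit it -- confirm this
    # is intended.  Also, the recursive chown runs on every configure over a
    # tree the service user can write to; consider restricting it to the
    # directory itself once initial ownership has been established.
    if ! dpkg-statoverride --list "$GOOCSP_HOME" >/dev/null; then
      chown -R "$GOOCSP_USER":adm "$GOOCSP_HOME"
      chmod u=rwx,g=rxs,o= "$GOOCSP_HOME"
    fi
    ;;
esac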