Run under a non-privileged user
authorMartin Mares <mj@ucw.cz>
Sun, 19 Nov 2017 13:54:41 +0000 (14:54 +0100)
committerMartin Mares <mj@ucw.cz>
Sun, 19 Nov 2017 13:54:41 +0000 (14:54 +0100)
Makefile
debian/changelog
debian/subauth.postinst [new file with mode: 0644]
debian/subauth.postrm [new file with mode: 0644]
debian/subauth.service
etc/subauthd
server/Makefile

index ddeede469a4f8d8d04ea6a854f5960144096dfa1..a949a80b4c039cb53cab67161cc869e9e02e391e 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,7 @@ ifdef BUILDSYS
 # We will use the libucw build system
 include $(BUILDSYS)/Maketop
 
-EXTRA_RUNDIRS=run share/man/man1 share/man/man8
+EXTRA_RUNDIRS=run/subauthd lib/subauthd share/man/man1 share/man/man8
 
 # Add the detected flags to all the global flags
 CFLAGS+=$(LIBUCW_CFLAGS) $(LIBUCW_JSON_CFLAGS)
index 69930d71f37a882f8a86339979a8dd78169f369f..0963c459bc9b9848b283fdf955f8e4fac392cd6b 100644 (file)
@@ -1,3 +1,9 @@
+subauth (1.0) stable; urgency=medium
+
+  * Released the first stable version.
+
+ -- Martin Mares <mj@ucw.cz>  Sun, 19 Nov 2017 14:54:17 +0100
+
 subauth (0.9) unstable; urgency=low
 
   * Initial Release.
diff --git a/debian/subauth.postinst b/debian/subauth.postinst
new file mode 100644 (file)
index 0000000..b426a6d
--- /dev/null
@@ -0,0 +1,13 @@
+#!/bin/sh -e
+
+if [ "$1" = configure ] ; then
+       if ! getent passwd subauthd >/dev/null ; then
+               adduser --system --group --disabled-login --gecos 'Sub-authentication daemon' subauthd
+       fi
+       chown subauthd.subauthd /var/lib/subauthd
+       chmod 700 /var/lib/subauthd
+fi
+
+#DEBHELPER#
+
+exit 0
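Review bot: `chown subauthd.subauthd /var/lib/subauthd` uses the legacy dot separator, which POSIX does not define and GNU chown accepts only for compatibility; `chown subauthd:subauthd /var/lib/subauthd` is the unambiguous form. Separately, `-e` is set only on the `#!/bin/sh -e` line, so it is lost if the script is ever started as `sh subauth.postinst`. Putting `set -e` as the first statement would guarantee that a failed `adduser` stops the script before the chown/chmod run.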
diff --git a/debian/subauth.postrm b/debian/subauth.postrm
new file mode 100644 (file)
index 0000000..4f35e82
--- /dev/null
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+
+#DEBHELPER#
+
+if [ "$1" = purge ] ; then
+       rm -f /var/lib/subauthd/subauthd.db
+       rm -f /var/lib/subauthd/temp-key
+       deluser --quiet --system subauthd >/dev/null || true
+fi
+
+exit 0
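Review bot: The purge branch deletes the subauthd account but removes only two named files, so anything else the daemon left in /var/lib/subauthd would stay on disk owned by a UID that a later system account can be assigned. Whether the daemon writes other files there is not visible in this diff. Either remove the whole state directory before the account goes, e.g. `rm -rf /var/lib/subauthd`, or keep the account on purge so the UID is never recycled.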
index 1fb5913a599032e736bc3eb5967e034aaaf38ac4..2c6814b31e034448eb3702b65c1e4d4332b224ea 100644 (file)
@@ -3,6 +3,10 @@ Description=Sub-authentication daemon
 
 [Service]
 ExecStart=/usr/sbin/subauthd
+User=subauthd
+Group=subauthd
+RuntimeDirectory=subauthd
+RuntimeDirectoryMode=755
 
 [Install]
 WantedBy=multi-user.target
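Review bot: Dropping root via `User=`/`Group=` is the only confinement this unit applies, and a daemon that keeps an account database and a token-signing key would usually also get `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectHome=yes` in `[Service]`. `ProtectSystem=strict` with `ReadWritePaths=/var/lib/subauthd` would go further, assuming the daemon writes nowhere else, which the diff does not show. With `RuntimeDirectoryMode=755` every local user can reach the socket path, so access control rests on the socket's own mode and whatever peer checks the daemon does. A comment such as `# world-accessible on purpose: clients are arbitrary local users` would record that this is intended.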
index 8268151ddcbb8372a626fce43ea4083e6caee0ec..ffa946a13b0ac4b69d1af0d018c11d607c2fb543 100644 (file)
@@ -1,14 +1,14 @@
 SubauthD {
        # Path to local socket over which clients communicate with the daemon
-       SocketPath      @INSTALL_RUN_DIR@/subauthd.socket
+       SocketPath      @INSTALL_RUN_DIR@/subauthd/subauthd.socket
 
        # Path to database of users and accounts
-       Database        @INSTALL_STATE_DIR@/subauthd.db
+       Database        @INSTALL_STATE_DIR@/subauthd/subauthd.db
 
        # An optional path to a key for signing temporary tokens.
        # If it is defined, temporary tokens survive daemon restart. Otherwise,
        # the daemon creates a new key on every startup.
-       TempKeyFile     @INSTALL_STATE_DIR@/subauthd-temp-key
+       TempKeyFile     @INSTALL_STATE_DIR@/subauthd/temp-key
 
        # Maximum number of simultaneous client connections
        MaxConnections  1000
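Review bot: `Database` and `TempKeyFile` move into a `subauthd/` subdirectory, but nothing visible in this commit migrates files from the old locations. An upgraded 0.9 install would presumably start without its existing database and leave the old `subauthd.db` and `subauthd-temp-key` behind with their previous ownership. If 0.9 was ever deployed, the postinst should move those two files into the new directory and chown them on upgrade, or the changelog should say they must be removed by hand. The purge step in debian/subauth.postrm likewise only knows the new paths, so the old key file would survive a purge.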
index 7c544cba21f8a255c8465508953564051e60f28c..73855254fb7244f26c2d8fda88aaaf0afd546d04 100644 (file)
@@ -14,3 +14,4 @@ install-server:
        install -m 755 $(o)/server/subauthd $(DESTDIR)$(INSTALL_SBIN_DIR)
        install -m 644 run/etc/subauthd $(DESTDIR)$(INSTALL_CONFIG_DIR)
        install -m 644 run/share/man/man8/subauthd.8 $(DESTDIR)$(INSTALL_MAN_DIR)/man8
+       install -d -m 750 $(DESTDIR)$(INSTALL_STATE_DIR)/subauthd
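Review bot: The state directory is created with mode 750 here, while debian/subauth.postinst then sets it to 700. Since it holds the account database and the token-signing key, creating it restrictive from the start keeps the two in agreement: `install -d -m 700 $(DESTDIR)$(INSTALL_STATE_DIR)/subauthd`. A plain `make install` outside the Debian package also leaves the directory owned by the installing user, so a daemon running as subauthd could not write there. A comment above the line such as `# ownership is set to subauthd by the package postinst` would make that dependency explicit. The install-server recipe starts above this hunk.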