From 50740ea949dd7d88223d3b30e1345a408275b771 Mon Sep 17 00:00:00 2001 From: Martin Mares Date: Sun, 19 Nov 2017 14:54:41 +0100 Subject: [PATCH] Run under a non-privileged user --- Makefile | 2 +- debian/changelog | 6 ++++++ debian/subauth.postinst | 13 +++++++++++++ debian/subauth.postrm | 11 +++++++++++ debian/subauth.service | 4 ++++ etc/subauthd | 6 +++--- server/Makefile | 1 + 7 files changed, 39 insertions(+), 4 deletions(-) create mode 100644 debian/subauth.postinst create mode 100644 debian/subauth.postrm diff --git a/Makefile b/Makefile index ddeede4..a949a80 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ ifdef BUILDSYS # We will use the libucw build system include $(BUILDSYS)/Maketop -EXTRA_RUNDIRS=run share/man/man1 share/man/man8 +EXTRA_RUNDIRS=run/subauthd lib/subauthd share/man/man1 share/man/man8 # Add the detected flags to all the global flags CFLAGS+=$(LIBUCW_CFLAGS) $(LIBUCW_JSON_CFLAGS) diff --git a/debian/changelog b/debian/changelog index 69930d7..0963c45 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +subauth (1.0) stable; urgency=medium + + * Released the first stable version. + + -- Martin Mares Sun, 19 Nov 2017 14:54:17 +0100 + subauth (0.9) unstable; urgency=low * Initial Release. diff --git a/debian/subauth.postinst b/debian/subauth.postinst new file mode 100644 index 0000000..b426a6d --- /dev/null +++ b/debian/subauth.postinst @@ -0,0 +1,13 @@ +#!/bin/sh -e + +if [ "$1" = configure ] ; then + if ! getent passwd subauthd >/dev/null ; then + adduser --system --group --disabled-login --gecos 'Sub-authentication daemon' subauthd + fi + chown subauthd.subauthd /var/lib/subauthd + chmod 700 /var/lib/subauthd +fi + +#DEBHELPER# + +exit 0 diff --git a/debian/subauth.postrm b/debian/subauth.postrm new file mode 100644 index 0000000..4f35e82 --- /dev/null +++ b/debian/subauth.postrm @@ -0,0 +1,11 @@ +#!/bin/sh -e + +#DEBHELPER# + +if [ "$1" = purge ] ; then + rm -f /var/lib/subauthd/subauthd.db + rm -f /var/lib/subauthd/temp-key + deluser --quiet --system subauthd >/dev/null || true +fi + +exit 0 diff --git a/debian/subauth.service b/debian/subauth.service index 1fb5913..2c6814b 100644 --- a/debian/subauth.service +++ b/debian/subauth.service @@ -3,6 +3,10 @@ Description=Sub-authentication daemon [Service] ExecStart=/usr/sbin/subauthd +User=subauthd +Group=subauthd +RuntimeDirectory=subauthd +RuntimeDirectoryMode=755 [Install] WantedBy=multi-user.target diff --git a/etc/subauthd b/etc/subauthd index 8268151..ffa946a 100644 --- a/etc/subauthd +++ b/etc/subauthd @@ -1,14 +1,14 @@ SubauthD { # Path to local socket over which clients communicate with the daemon - SocketPath @INSTALL_RUN_DIR@/subauthd.socket + SocketPath @INSTALL_RUN_DIR@/subauthd/subauthd.socket # Path to database of users and accounts - Database @INSTALL_STATE_DIR@/subauthd.db + Database @INSTALL_STATE_DIR@/subauthd/subauthd.db # An optional path to a key for signing temporary tokens. # If it is defined, temporary tokens survive daemon restart. Otherwise, # the daemon creates a new key on every startup. - TempKeyFile @INSTALL_STATE_DIR@/subauthd-temp-key + TempKeyFile @INSTALL_STATE_DIR@/subauthd/temp-key # Maximum number of simultaneous client connections MaxConnections 1000 diff --git a/server/Makefile b/server/Makefile index 7c544cb..7385525 100644 --- a/server/Makefile +++ b/server/Makefile @@ -14,3 +14,4 @@ install-server: install -m 755 $(o)/server/subauthd $(DESTDIR)$(INSTALL_SBIN_DIR) install -m 644 run/etc/subauthd $(DESTDIR)$(INSTALL_CONFIG_DIR) install -m 644 run/share/man/man8/subauthd.8 $(DESTDIR)$(INSTALL_MAN_DIR)/man8 + install -d -m 750 $(DESTDIR)$(INSTALL_STATE_DIR)/subauthd -- 2.39.2