From b2b7e6b0801dc50388ec7ed29d91b8e98ec4e57c Mon Sep 17 00:00:00 2001 From: Daniel Molkentin Date: Thu, 21 Sep 2017 19:07:54 +0200 Subject: [PATCH] Add optional user and group configuration when DEHYDRATED_USER is set, dehydrated will refuse to run as root, and instead launch itself as the user in DEHYDRATED_USER (and DEHYDRATED_GROUP if set). Using sudo has a few practical advantages over su: - it doesn't require to specify a login shell when no login shell is set for the target user - it allows (safe) handling of arguments. --- dehydrated | 22 ++++++++++++++++++++++ docs/examples/config | 6 ++++++ 2 files changed, 28 insertions(+) diff --git a/dehydrated b/dehydrated index 8b31ee1..acca1d0 100755 --- a/dehydrated +++ b/dehydrated @@ -22,6 +22,8 @@ SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" BASEDIR="${SCRIPTDIR}" +ORIGARGS="$@" + # Create (identifiable) temporary files _mktemp() { # shellcheck disable=SC2068 @@ -126,6 +128,8 @@ load_config() { LOCKFILE= OCSP_MUST_STAPLE="no" IP_VERSION= + DEHYDRATED_USER= + DEHYDRATED_GROUP= if [[ -z "${CONFIG:-}" ]]; then echo "#" >&2 @@ -159,6 +163,24 @@ load_config() { done fi + # Check if we are running & are allowed to run as root + if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then + sudo=`command -v sudo` + if [ -z $sudo ]; then + echo "DEHYDRATED_USER set but sudo not available. Please install sudo." + exit + fi + if [ ! -z "$DEHYDRATED_GROUP" ]; then + group="-g $DEHYDRATED_GROUP" + fi + echo "# INFO: Running $0 as $DEHYDRATED_USER" + $sudo -u $DEHYDRATED_USER $group "$0" $ORIGARGS + exit + fi + + # Check for missing dependencies + check_dependencies + # Remove slash from end of BASEDIR. Mostly for cleaner outputs, doesn't change functionality. BASEDIR="${BASEDIR%%/}" diff --git a/docs/examples/config b/docs/examples/config index 1b1b3d8..9a890f4 100644 --- a/docs/examples/config +++ b/docs/examples/config @@ -10,6 +10,12 @@ # Default values of this config are in comments # ######################################################## +# Which user should dehydrated run as? This will be implictly enforced when running as root +#DEHYDRATED_USER= + +# Which group should dehydrated run as? This will be implictly enforced when running as root +#DEHYDRATED_GROUP= + # Resolve names to addresses of IP version only. (curl) # supported values: 4, 6 # default: -- 2.14.1