From 700040068e3c08025f206e06ba5cfa76a124d805 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin
Date: Thu, 21 Sep 2017 19:07:54 +0200
Subject: [PATCH] Add optional user and group configuration when DEHYDRATED_USER is set, dehydrated will refuse to run as root, and instead launch itself as the user in DEHYDRATED_USER (and DEHYDRATED_GROUP if set).
---
 dehydrated | 15 +++++++++++++++
 docs/examples/config | 6 ++++++
 2 files changed, 21 insertions(+)
diff --git a/dehydrated b/dehydrated
index 8b31ee1..39c717f 100755
--- a/dehydrated
+++ b/dehydrated
@@ -126,6 +126,8 @@ load_config() {
 LOCKFILE=
 OCSP_MUST_STAPLE="no"
 IP_VERSION=
+ DEHYDRATED_USER=
+ DEHYDRATED_GROUP=
 if [[ -z "${CONFIG:-}" ]]; then
 echo "#" >&2
@@ -159,6 +161,19 @@ load_config() {
 done
 fi
+ # Check if we are running & are allowed to run as root
+ if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then
+ if [ ! -z "$DEHYDRATED_GROUP" ]; then
+ group="-g $DEHYDRATED_GROUP"
+ fi
+ echo "# INFO: Running $0 as $DEHYDRATED_USER"
+ su -c "$0" $group "$DEHYDRATED_USER"
+ exit
+ fi
+
+ # Check for missing dependencies
+ check_dependencies
+
 # Remove slash from end of BASEDIR. Mostly for cleaner outputs, doesn't change functionality.
 BASEDIR="${BASEDIR%%/}"
diff --git a/docs/examples/config b/docs/examples/config
index 1b1b3d8..9a890f4 100644
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -10,6 +10,12 @@
 # Default values of this config are in comments #
 ########################################################
+# Which user should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_USER=
+
+# Which group should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_GROUP=
+
 # Resolve names to addresses of IP version only. (curl)
 # supported values: 4, 6
 # default:
--
2.12.3
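Review bot: The re-exec in the second `dehydrated` hunk, `su -c "$0" $group "$DEHYDRATED_USER"`, passes only the script path, so the options given to the root invocation are not carried into the unprivileged run, and `$0` is re-parsed as a command string by the target user's shell. The script's arguments would need to be saved at top level (inside load_config `"$@"` is the function's argument list, not the script's) and appended to the `-c` string with quoting. `group` is assigned only when DEHYDRATED_GROUP is non-empty, so the expansion is safer as `${group:-}` in case the script runs under `set -u`, which is not visible here. Because DEHYDRATED_USER is reset at the top of load_config and only tested here, the config has already been read with EUID 0 by this point; a comment such as `# config is read as root before this switch: keep it root-owned and not writable by DEHYDRATED_USER` would make that requirement explicit. load_config starts and ends outside the hunk.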