Marcus Rueckert
fc9dddc9f9
- Add man page - Ensure dehydrated is always run as designated user * adds 0001-Add-optional-user-and-group-configuration.patch - Introduce config.d directory for user configuration - Avoid warning about empty config.d directory * adds 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch - Fix sed warning about unescaped curly braces in regex - Use timer instead of cron for systemd-enabled distros Note: Timer must be explicitly enabled! OBS-URL: https://build.opensuse.org/request/show/528299 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=11
From 700040068e3c08025f206e06ba5cfa76a124d805 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin <dmolkentin@suse.com>
Date: Thu, 21 Sep 2017 19:07:54 +0200
Subject: [PATCH] Add optional user and group configuration
when DEHYDRATED_USER is set, dehydrated will refuse to run as root,
and instead launch itself as the user in DEHYDRATED_USER (and
DEHYDRATED_GROUP if set).
---
dehydrated | 15 +++++++++++++++
docs/examples/config | 6 ++++++
2 files changed, 21 insertions(+)
diff --git a/dehydrated b/dehydrated
index 8b31ee1..39c717f 100755
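--- a/dehydrated
+++ b/dehydrated
@@ -126,6 +126,8 @@ load_config() {
 LOCKFILE=
 OCSP_MUST_STAPLE="no"
 IP_VERSION=
+ DEHYDRATED_USER=
+ DEHYDRATED_GROUP=
 
 if [[ -z "${CONFIG:-}" ]]; then
 echo "#" >&2
@@ -159,6 +161,19 @@ load_config() {
 done
 fi
 
+ # Check if we are running & are allowed to run as root
+ if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then
+ if [ ! -z "$DEHYDRATED_GROUP" ]; then
+ group="-g $DEHYDRATED_GROUP"
+ fi
+ echo "# INFO: Running $0 as $DEHYDRATED_USER"
+ su -c "$0" $group "$DEHYDRATED_USER"
+ exit
+ fi
+
+ # Check for missing dependencies
+ check_dependencies
+
 # Remove slash from end of BASEDIR. Mostly for cleaner outputs, doesn't change functionality.
 BASEDIR="${BASEDIR%%/}"
 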
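Review bot: The re-exec in the second hunk, `su -c "$0" $group "$DEHYDRATED_USER"`, drops every command-line argument, so a root invocation with options restarts under the configured user as a bare `dehydrated`; it also hands `$0` to the target user's shell as a command string, where a path containing spaces or shell metacharacters is parsed a second time. `group` is never initialised, so with DEHYDRATED_GROUP empty it is either unset (an error if the script runs under `set -u`, which is not visible here) or inherited from the caller's environment and word-split into su options. The sketch below quotes the command and uses `${DEHYDRATED_GROUP:+…}` instead of the intermediate variable; `ORIGARGS` is a proposed array that would have to be saved from `"$@"` at top level, outside this hunk, and the `%q` output assumes the target user's shell accepts bash quoting. The config files have presumably already been sourced as root by the time this check runs, so they should be writable by root only. load_config starts and ends outside the hunk.

```bash
  if [[ -n "${DEHYDRATED_USER}" && ${EUID} == 0 ]]; then
    # su -c hands one string to the target user's shell, which parses it again;
    # quote the script path and the saved arguments before joining them.
    local reexec_cmd
    reexec_cmd="$(printf '%q ' "${0}" "${ORIGARGS[@]}")"
    echo "# INFO: Running $0 as $DEHYDRATED_USER"
    # ${VAR:+...} adds "-g GROUP" only when a group is configured, without a
    # helper variable that could be unset or inherited from the environment.
    su -c "${reexec_cmd}" ${DEHYDRATED_GROUP:+-g "${DEHYDRATED_GROUP}"} "${DEHYDRATED_USER}"
    exit
  fi
  # … unchanged: check_dependencies call …
```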
diff --git a/docs/examples/config b/docs/examples/config
index 1b1b3d8..9a890f4 100644
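--- a/docs/examples/config
+++ b/docs/examples/config
@@ -10,6 +10,12 @@
 # Default values of this config are in comments #
 ########################################################
 
+# Which user should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_USER=
+
+# Which group should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_GROUP=
+
 # Resolve names to addresses of IP version only. (curl)
 # supported values: 4, 6
 # default: <unset>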
--
2.12.3