Marcus Rueckert
bae7cb3bbf
- Use /usr/bin/bash directly, rather than via env - Use sudo instead of su to allow for argument handling, also works in all cases when no login shell is assigned to the dehydrated user * updates 0001-Add-optional-user-and-group-configuration.patch OBS-URL: https://build.opensuse.org/request/show/535146 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=17
86 lines
2.5 KiB
Diff
86 lines
2.5 KiB
Diff
From b2b7e6b0801dc50388ec7ed29d91b8e98ec4e57c Mon Sep 17 00:00:00 2001
|
|
From: Daniel Molkentin <dmolkentin@suse.com>
|
|
Date: Thu, 21 Sep 2017 19:07:54 +0200
|
|
Subject: [PATCH] Add optional user and group configuration
|
|
|
|
when DEHYDRATED_USER is set, dehydrated will refuse to run as root,
|
|
and instead launch itself as the user in DEHYDRATED_USER (and
|
|
DEHYDRATED_GROUP if set).
|
|
|
|
Using sudo has a few practical advantages over su:
|
|
- it doesn't require to specify a login shell when no login shell is set
|
|
for the target user
|
|
- it allows (safe) handling of arguments.
|
|
---
|
|
dehydrated | 22 ++++++++++++++++++++++
|
|
docs/examples/config | 6 ++++++
|
|
2 files changed, 28 insertions(+)
|
|
|
|
diff --git a/dehydrated b/dehydrated
|
|
index 8b31ee1..acca1d0 100755
|
|
--- a/dehydrated
|
|
+++ b/dehydrated
|
|
@@ -22,6 +22,8 @@ SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
|
|
|
|
BASEDIR="${SCRIPTDIR}"
|
|
|
|
+ORIGARGS="$@"
|
|
+
|
|
# Create (identifiable) temporary files
|
|
_mktemp() {
|
|
# shellcheck disable=SC2068
|
|
@@ -126,6 +128,8 @@ load_config() {
|
|
LOCKFILE=
|
|
OCSP_MUST_STAPLE="no"
|
|
IP_VERSION=
|
|
+ DEHYDRATED_USER=
|
|
+ DEHYDRATED_GROUP=
|
|
|
|
if [[ -z "${CONFIG:-}" ]]; then
|
|
echo "#" >&2
|
|
@@ -159,6 +163,24 @@ load_config() {
|
|
done
|
|
fi
|
|
|
|
+ # Check if we are running & are allowed to run as root
|
|
+ if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then
|
|
+ sudo=`command -v sudo`
|
|
+ if [ -z $sudo ]; then
|
|
+ echo "DEHYDRATED_USER set but sudo not available. Please install sudo."
|
|
+ exit
|
|
+ fi
|
|
+ if [ ! -z "$DEHYDRATED_GROUP" ]; then
|
|
+ group="-g $DEHYDRATED_GROUP"
|
|
+ fi
|
|
+ echo "# INFO: Running $0 as $DEHYDRATED_USER"
|
|
+ $sudo -u $DEHYDRATED_USER $group "$0" $ORIGARGS
|
|
+ exit
|
|
+ fi
|
|
+
|
|
+ # Check for missing dependencies
|
|
+ check_dependencies
|
|
+
|
|
# Remove slash from end of BASEDIR. Mostly for cleaner outputs, doesn't change functionality.
|
|
BASEDIR="${BASEDIR%%/}"
|
|
|
|
diff --git a/docs/examples/config b/docs/examples/config
|
|
index 1b1b3d8..9a890f4 100644
|
|
--- a/docs/examples/config
|
|
+++ b/docs/examples/config
|
|
@@ -10,6 +10,12 @@
|
|
# Default values of this config are in comments #
|
|
########################################################
|
|
|
|
+# Which user should dehydrated run as? This will be implictly enforced when running as root
|
|
+#DEHYDRATED_USER=
|
|
+
|
|
+# Which group should dehydrated run as? This will be implictly enforced when running as root
|
|
+#DEHYDRATED_GROUP=
|
|
+
|
|
# Resolve names to addresses of IP version only. (curl)
|
|
# supported values: 4, 6
|
|
# default: <unset>
|
|
--
|
|
2.14.1
|
|
|