dehydrated/0001-Add-optional-user-and-group-configuration.patch
Marcus Rueckert bae7cb3bbf Accepting request 535146 from home:dmolkentin:branches:security:dehydrated
- Use /usr/bin/bash directly, rather than via env 

- Use sudo instead of su to allow for argument handling, also
  works in all cases when no login shell is assigned to the
  dehydrated user
  * updates 0001-Add-optional-user-and-group-configuration.patch

OBS-URL: https://build.opensuse.org/request/show/535146
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=17
2017-10-20 09:54:53 +00:00

86 lines
2.5 KiB
Diff

From b2b7e6b0801dc50388ec7ed29d91b8e98ec4e57c Mon Sep 17 00:00:00 2001
From: Daniel Molkentin <dmolkentin@suse.com>
Date: Thu, 21 Sep 2017 19:07:54 +0200
Subject: [PATCH] Add optional user and group configuration
when DEHYDRATED_USER is set, dehydrated will refuse to run as root,
and instead launch itself as the user in DEHYDRATED_USER (and
DEHYDRATED_GROUP if set).
Using sudo has a few practical advantages over su:
- it doesn't require to specify a login shell when no login shell is set
for the target user
- it allows (safe) handling of arguments.
---
dehydrated | 22 ++++++++++++++++++++++
docs/examples/config | 6 ++++++
2 files changed, 28 insertions(+)
diff --git a/dehydrated b/dehydrated
index 8b31ee1..acca1d0 100755
--- a/dehydrated
+++ b/dehydrated
@@ -22,6 +22,8 @@ SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
BASEDIR="${SCRIPTDIR}"
+ORIGARGS="$@"
+
# Create (identifiable) temporary files
_mktemp() {
# shellcheck disable=SC2068
@@ -126,6 +128,8 @@ load_config() {
LOCKFILE=
OCSP_MUST_STAPLE="no"
IP_VERSION=
+ DEHYDRATED_USER=
+ DEHYDRATED_GROUP=
if [[ -z "${CONFIG:-}" ]]; then
echo "#" >&2
@@ -159,6 +163,24 @@ load_config() {
done
fi
+ # Check if we are running & are allowed to run as root
+ if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then
+ sudo=`command -v sudo`
+ if [ -z $sudo ]; then
+ echo "DEHYDRATED_USER set but sudo not available. Please install sudo."
+ exit
+ fi
+ if [ ! -z "$DEHYDRATED_GROUP" ]; then
+ group="-g $DEHYDRATED_GROUP"
+ fi
+ echo "# INFO: Running $0 as $DEHYDRATED_USER"
+ $sudo -u $DEHYDRATED_USER $group "$0" $ORIGARGS
+ exit
+ fi
+
+ # Check for missing dependencies
+ check_dependencies
+
# Remove slash from end of BASEDIR. Mostly for cleaner outputs, doesn't change functionality.
BASEDIR="${BASEDIR%%/}"
diff --git a/docs/examples/config b/docs/examples/config
index 1b1b3d8..9a890f4 100644
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -10,6 +10,12 @@
# Default values of this config are in comments #
########################################################
+# Which user should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_USER=
+
+# Which group should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_GROUP=
+
# Resolve names to addresses of IP version only. (curl)
# supported values: 4, 6
# default: <unset>
--
2.14.1