dehydrated/0001-Add-optional-user-and-group-configuration.patch

From 700040068e3c08025f206e06ba5cfa76a124d805 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin <dmolkentin@suse.com>
Date: Thu, 21 Sep 2017 19:07:54 +0200
Subject: [PATCH] Add optional user and group configuration

when DEHYDRATED_USER is set, dehydrated will refuse to run as root,
and instead launch itself as the user in DEHYDRATED_USER (and
DEHYDRATED_GROUP if set).
---
 dehydrated           | 15 +++++++++++++++
 docs/examples/config |  6 ++++++
 2 files changed, 21 insertions(+)

diff --git a/dehydrated b/dehydrated
index 8b31ee1..39c717f 100755
--- a/dehydrated
+++ b/dehydrated
@@ -126,6 +126,8 @@ load_config() {
   LOCKFILE=
   OCSP_MUST_STAPLE="no"
   IP_VERSION=
+  DEHYDRATED_USER=
+  DEHYDRATED_GROUP=
 
   if [[ -z "${CONFIG:-}" ]]; then
     echo "#" >&2
@@ -159,6 +161,19 @@ load_config() {
    done
   fi
 
+  # Check if we are running & are allowed to run as root
+  if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then
+    if [ ! -z "$DEHYDRATED_GROUP" ]; then
+        group="-g $DEHYDRATED_GROUP"
+    fi
+    echo "# INFO: Running $0 as $DEHYDRATED_USER"
+    su -c "$0" $group "$DEHYDRATED_USER"
+    exit
+  fi
+
+  # Check for missing dependencies
+  check_dependencies
+
   # Remove slash from end of BASEDIR. Mostly for cleaner outputs, doesn't change functionality.
   BASEDIR="${BASEDIR%%/}"
 
diff --git a/docs/examples/config b/docs/examples/config
index 1b1b3d8..9a890f4 100644
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -10,6 +10,12 @@
 # Default values of this config are in comments        #
 ########################################################
 
+# Which user should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_USER=
+
+# Which group should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_GROUP=
+
 # Resolve names to addresses of IP version only. (curl)
 # supported values: 4, 6
 # default: <unset>
-- 
2.12.3
Accepting request 528299 from home:dmolkentin:branches:security:dehydrated - Add man page - Ensure dehydrated is always run as designated user * adds 0001-Add-optional-user-and-group-configuration.patch - Introduce config.d directory for user configuration - Avoid warning about empty config.d directory * adds 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch - Fix sed warning about unescaped curly braces in regex - Use timer instead of cron for systemd-enabled distros Note: Timer must be explicitly enabled! OBS-URL: https://build.opensuse.org/request/show/528299 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=11 2017-09-22 15:35:31 +02:00			`From 700040068e3c08025f206e06ba5cfa76a124d805 Mon Sep 17 00:00:00 2001`
			`From: Daniel Molkentin <dmolkentin@suse.com>`
			`Date: Thu, 21 Sep 2017 19:07:54 +0200`
			`Subject: [PATCH] Add optional user and group configuration`

			`when DEHYDRATED_USER is set, dehydrated will refuse to run as root,`
			`and instead launch itself as the user in DEHYDRATED_USER (and`
			`DEHYDRATED_GROUP if set).`
			`---`
			`dehydrated \| 15 +++++++++++++++`
			`docs/examples/config \| 6 ++++++`
			`2 files changed, 21 insertions(+)`

			`diff --git a/dehydrated b/dehydrated`
			`index 8b31ee1..39c717f 100755`
			`--- a/dehydrated`
			`+++ b/dehydrated`
			`@@ -126,6 +126,8 @@ load_config() {`
			`LOCKFILE=`
			`OCSP_MUST_STAPLE="no"`
			`IP_VERSION=`
			`+ DEHYDRATED_USER=`
			`+ DEHYDRATED_GROUP=`

			`if [[ -z "${CONFIG:-}" ]]; then`
			`echo "#" >&2`
			`@@ -159,6 +161,19 @@ load_config() {`
			`done`
			`fi`

			`+ # Check if we are running & are allowed to run as root`
			`+ if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then`
			`+ if [ ! -z "$DEHYDRATED_GROUP" ]; then`
			`+ group="-g $DEHYDRATED_GROUP"`
			`+ fi`
			`+ echo "# INFO: Running $0 as $DEHYDRATED_USER"`
			`+ su -c "$0" $group "$DEHYDRATED_USER"`
			`+ exit`
			`+ fi`
			`+`
			`+ # Check for missing dependencies`
			`+ check_dependencies`
			`+`
			`# Remove slash from end of BASEDIR. Mostly for cleaner outputs, doesn't change functionality.`
			`BASEDIR="${BASEDIR%%/}"`

			`diff --git a/docs/examples/config b/docs/examples/config`
			`index 1b1b3d8..9a890f4 100644`
			`--- a/docs/examples/config`
			`+++ b/docs/examples/config`
			`@@ -10,6 +10,12 @@`
			`# Default values of this config are in comments #`
			`########################################################`

			`+# Which user should dehydrated run as? This will be implictly enforced when running as root`
			`+#DEHYDRATED_USER=`
			`+`
			`+# Which group should dehydrated run as? This will be implictly enforced when running as root`
			`+#DEHYDRATED_GROUP=`
			`+`
			`# Resolve names to addresses of IP version only. (curl)`
			`# supported values: 4, 6`
			`# default: <unset>`
			`--`
			`2.12.3`