osmith submitted this change.

View Change


Approvals: fixeria: Looks good to me, approved Jenkins Builder: Verified pespin: Looks good to me, but someone else must approve 
contrib/systemd: run as osmocom user

Related: OS#4107
Co-Developed-By: Oliver Smith <osmith@sysmocom.de>
Change-Id: Iccea921f0d3e92dd7ca2f4810932568121260a2a
---
M contrib/osmo-pcap.spec.in
M contrib/systemd/osmo-pcap-client.service
M contrib/systemd/osmo-pcap-server.service
A debian/osmo-pcap-client.postinst
A debian/osmo-pcap-server.postinst
5 files changed, 98 insertions(+), 3 deletions(-)

diff --git a/contrib/osmo-pcap.spec.in b/contrib/osmo-pcap.spec.in
index 0aa079a..c7c0d19 100644
--- a/contrib/osmo-pcap.spec.in
+++ b/contrib/osmo-pcap.spec.in
@@ -62,6 +62,9 @@
 %service_del_postun osmo-pcap-client.service osmo-pcap-server.service
 
 %pre
+getent group osmocom >/dev/null || groupadd --system osmocom
+getent passwd osmocom >/dev/null || useradd --system --gid osmocom --home-dir /var/lib/osmocom \
+                                            --shell /sbin/nologin --comment "Open Source Mobile Communications" osmocom
 %service_add_pre osmo-pcap-client.service osmo-pcap-server.service
 
 %post
@@ -75,13 +78,13 @@
 %license COPYING
 %doc AUTHORS
 %doc %{_docdir}/%{name}/examples
-%dir %{_sysconfdir}/osmocom
+%dir %attr(2775, root, osmocom) %{_sysconfdir}/osmocom
 %config(noreplace) %{_sysconfdir}/osmocom/osmo-pcap-client.cfg
 %config(noreplace) %{_sysconfdir}/osmocom/osmo-pcap-server.cfg
 %{_bindir}/osmo-pcap-client
 %{_bindir}/osmo-pcap-server
-%{_unitdir}/osmo-pcap-client.service
-%{_unitdir}/osmo-pcap-server.service
+%attr(0660, osmocom, osmocom) %{_unitdir}/osmo-pcap-client.service
+%attr(0660, osmocom, osmocom) %{_unitdir}/osmo-pcap-server.service
 %dir %{_datadir}/%{name}
 %{_datadir}/%{name}/osmo_pcap_clean_old
 
diff --git a/contrib/systemd/osmo-pcap-client.service b/contrib/systemd/osmo-pcap-client.service
index c79fafc..85e6592 100644
--- a/contrib/systemd/osmo-pcap-client.service
+++ b/contrib/systemd/osmo-pcap-client.service
@@ -8,8 +8,11 @@
 Restart=always
 StateDirectory=osmocom
 WorkingDirectory=%S/osmocom
+User=osmocom
+Group=osmocom
 ExecStart=/usr/bin/osmo-pcap-client -c /etc/osmocom/osmo-pcap-client.cfg
 RestartSec=2
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
 
 [Install]
 WantedBy=multi-user.target
diff --git a/contrib/systemd/osmo-pcap-server.service b/contrib/systemd/osmo-pcap-server.service
index a6b6822..a35cb3e 100644
--- a/contrib/systemd/osmo-pcap-server.service
+++ b/contrib/systemd/osmo-pcap-server.service
@@ -8,6 +8,8 @@
 Restart=always
 StateDirectory=osmocom
 WorkingDirectory=%S/osmocom
+User=osmocom
+Group=osmocom
 ExecStart=/usr/bin/osmo-pcap-server -c /etc/osmocom/osmo-pcap-server.cfg
 RestartSec=2
 
diff --git a/debian/osmo-pcap-client.postinst b/debian/osmo-pcap-client.postinst
new file mode 100755
index 0000000..ba0182d
--- /dev/null
+++ b/debian/osmo-pcap-client.postinst
@@ -0,0 +1,38 @@
+#!/bin/sh -e
+case "$1" in
+	configure)
+		# Create the osmocom group and user (if it doesn't exist yet)
+		if ! getent group osmocom >/dev/null; then
+			groupadd --system osmocom
+		fi
+		if ! getent passwd osmocom >/dev/null; then
+			useradd \
+				--system \
+				--gid osmocom \
+				--home-dir /var/lib/osmocom \
+				--shell /sbin/nologin \
+				--comment "Open Source Mobile Communications" \
+				osmocom
+		fi
+
+		# Fix permissions of previous (root-owned) install (OS#4107)
+		if dpkg --compare-versions "$2" le "0.4.3"; then
+			if [ -e /etc/osmocom/osmo-pcap-client.cfg ]; then
+				chown -v osmocom:osmocom /etc/osmocom/osmo-pcap-client.cfg
+				chmod -v 0660 /etc/osmocom/osmo-pcap-client.cfg
+			fi
+
+			if [ -d /etc/osmocom ]; then
+				chown -v root:osmocom /etc/osmocom
+				chmod -v 2775 /etc/osmocom
+			fi
+
+			mkdir -p /var/lib/osmocom
+			chown -R -v osmocom:osmocom /var/lib/osmocom
+		fi
+		;;
+esac
+
+# dh_installdeb(1) will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
diff --git a/debian/osmo-pcap-server.postinst b/debian/osmo-pcap-server.postinst
new file mode 100755
index 0000000..56d2b49
--- /dev/null
+++ b/debian/osmo-pcap-server.postinst
@@ -0,0 +1,38 @@
+#!/bin/sh -e
+case "$1" in
+	configure)
+		# Create the osmocom group and user (if it doesn't exist yet)
+		if ! getent group osmocom >/dev/null; then
+			groupadd --system osmocom
+		fi
+		if ! getent passwd osmocom >/dev/null; then
+			useradd \
+				--system \
+				--gid osmocom \
+				--home-dir /var/lib/osmocom \
+				--shell /sbin/nologin \
+				--comment "Open Source Mobile Communications" \
+				osmocom
+		fi
+
+		# Fix permissions of previous (root-owned) install (OS#4107)
+		if dpkg --compare-versions "$2" le "0.4.3"; then
+			if [ -e /etc/osmocom/osmo-pcap-server.cfg ]; then
+				chown -v osmocom:osmocom /etc/osmocom/osmo-pcap-server.cfg
+				chmod -v 0660 /etc/osmocom/osmo-pcap-server.cfg
+			fi
+
+			if [ -d /etc/osmocom ]; then
+				chown -v root:osmocom /etc/osmocom
+				chmod -v 2775 /etc/osmocom
+			fi
+
+			mkdir -p /var/lib/osmocom
+			chown -R -v osmocom:osmocom /var/lib/osmocom
+		fi
+		;;
+esac
+
+# dh_installdeb(1) will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#

To view, visit change 29724. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: osmo-pcap
Gerrit-Branch: master
Gerrit-Change-Id: Iccea921f0d3e92dd7ca2f4810932568121260a2a
Gerrit-Change-Number: 29724
Gerrit-PatchSet: 6
Gerrit-Owner: msuraev <msuraev@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: laforge <laforge@osmocom.org>
Gerrit-Reviewer: osmith <osmith@sysmocom.de>
Gerrit-Reviewer: pespin <pespin@sysmocom.de>
Gerrit-MessageType: merged