contrib/systemd: run as osmocom user

Related: OS#4107
Change-Id: I915f2fc12d0bd905d24636aacb2760a6b72a55e3
---
M contrib/systemd/osmo-ggsn.service
A debian/postinst
2 files changed, 53 insertions(+), 0 deletions(-)

diff --git a/contrib/systemd/osmo-ggsn.service b/contrib/systemd/osmo-ggsn.service
index 1a7acba..cf7b7e6 100644
--- a/contrib/systemd/osmo-ggsn.service
+++ b/contrib/systemd/osmo-ggsn.service
@@ -11,6 +11,10 @@
 ExecStart=/usr/bin/osmo-ggsn -c /etc/osmocom/osmo-ggsn.cfg
 RestartSec=2
 RestartPreventExitStatus=1
+User=osmocom
+Group=osmocom
+# For setting up the gtp0/tun0 devices
+AmbientCapabilities=CAP_NET_ADMIN
 
 [Install]
 WantedBy=multi-user.target
diff --git a/debian/postinst b/debian/postinst
new file mode 100755
index 0000000..9cd0c77
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,39 @@
+#!/bin/sh -e
+case "$1" in
+	configure)
+		# Create the osmocom group and user (if it doesn't exist yet)
+		if ! getent group osmocom >/dev/null; then
+			groupadd --system osmocom
+		fi
+		if ! getent passwd osmocom >/dev/null; then
+			useradd \
+				--system \
+				--gid osmocom \
+				--home-dir /var/lib/osmocom \
+				--shell /sbin/nologin \
+				--comment "Open Source Mobile Communications" \
+				osmocom
+		fi
+
+		# Fix permissions of previous (root-owned) install (OS#4107)
+		if dpkg --compare-versions "$2" le "1.13.0"; then
+			if [ -e /etc/osmocom/osmo-ggsn.cfg ]; then
+				chown -v osmocom:osmocom /etc/osmocom/osmo-ggsn.cfg
+				chmod -v 0660 /etc/osmocom/osmo-ggsn.cfg
+			fi
+
+			if [ -d /etc/osmocom ]; then
+				chown -v root:osmocom /etc/osmocom
+				chmod -v 2775 /etc/osmocom
+			fi
+
+			mkdir -p /var/lib/osmocom
+			chown -R -v osmocom:osmocom /var/lib/osmocom
+		fi
+		;;
+esac
+
+# dh_installdeb(1) will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
+

