osmith has submitted this change. ( https://gerrit.osmocom.org/c/osmo-pcap/+/29724?usp=email )
Change subject: contrib/systemd: run as osmocom user ......................................................................
contrib/systemd: run as osmocom user
Related: OS#4107 Co-Developed-By: Oliver Smith osmith@sysmocom.de Change-Id: Iccea921f0d3e92dd7ca2f4810932568121260a2a --- M contrib/osmo-pcap.spec.in M contrib/systemd/osmo-pcap-client.service M contrib/systemd/osmo-pcap-server.service A debian/osmo-pcap-client.postinst A debian/osmo-pcap-server.postinst 5 files changed, 98 insertions(+), 3 deletions(-)
Approvals: fixeria: Looks good to me, approved Jenkins Builder: Verified pespin: Looks good to me, but someone else must approve
diff --git a/contrib/osmo-pcap.spec.in b/contrib/osmo-pcap.spec.in
index 0aa079a..c7c0d19 100644
--- a/contrib/osmo-pcap.spec.in
+++ b/contrib/osmo-pcap.spec.in
@@ -62,6 +62,9 @@
%service_del_postun osmo-pcap-client.service osmo-pcap-server.service
%pre
+getent group osmocom >/dev/null || groupadd --system osmocom
+getent passwd osmocom >/dev/null || useradd --system --gid osmocom --home-dir /var/lib/osmocom \
+ --shell /sbin/nologin --comment "Open Source Mobile Communications" osmocom
%service_add_pre osmo-pcap-client.service osmo-pcap-server.service
%post
@@ -75,13 +78,13 @@
%license COPYING
%doc AUTHORS
%doc %{_docdir}/%{name}/examples
-%dir %{_sysconfdir}/osmocom
+%dir %attr(2775, root, osmocom) %{_sysconfdir}/osmocom
%config(noreplace) %{_sysconfdir}/osmocom/osmo-pcap-client.cfg
%config(noreplace) %{_sysconfdir}/osmocom/osmo-pcap-server.cfg
%{_bindir}/osmo-pcap-client
%{_bindir}/osmo-pcap-server
-%{_unitdir}/osmo-pcap-client.service
-%{_unitdir}/osmo-pcap-server.service
+%attr(0660, osmocom, osmocom) %{_unitdir}/osmo-pcap-client.service
+%attr(0660, osmocom, osmocom) %{_unitdir}/osmo-pcap-server.service
%dir %{_datadir}/%{name}
%{_datadir}/%{name}/osmo_pcap_clean_old
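Review bot: The two `%attr(0660, osmocom, osmocom)` entries on the `%{_unitdir}` lines in the second hunk make both systemd unit files owned and writable by the account the services now run as. A compromised daemon could then edit its own unit, for example the `User=` line, and systemd would honour the change at the next reload, which undoes the privilege drop this change introduces. Unit files should stay root-owned and read-only for the service user, e.g. `%attr(0644, root, root) %{_unitdir}/osmo-pcap-client.service`, or with no `%attr` at all as before. The 0660 osmocom:osmocom mode matches what the Debian postinst scripts in this change apply to the `.cfg` files, so it was presumably meant for the two `%config(noreplace)` lines.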
diff --git a/contrib/systemd/osmo-pcap-client.service b/contrib/systemd/osmo-pcap-client.service
index c79fafc..85e6592 100644
--- a/contrib/systemd/osmo-pcap-client.service
+++ b/contrib/systemd/osmo-pcap-client.service
@@ -8,8 +8,11 @@
Restart=always
StateDirectory=osmocom
WorkingDirectory=%S/osmocom
+User=osmocom
+Group=osmocom
ExecStart=/usr/bin/osmo-pcap-client -c /etc/osmocom/osmo-pcap-client.cfg
RestartSec=2
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
[Install]
WantedBy=multi-user.target
diff --git a/contrib/systemd/osmo-pcap-server.service b/contrib/systemd/osmo-pcap-server.service
index a6b6822..a35cb3e 100644
--- a/contrib/systemd/osmo-pcap-server.service
+++ b/contrib/systemd/osmo-pcap-server.service
@@ -8,6 +8,8 @@
Restart=always
StateDirectory=osmocom
WorkingDirectory=%S/osmocom
+User=osmocom
+Group=osmocom
ExecStart=/usr/bin/osmo-pcap-server -c /etc/osmocom/osmo-pcap-server.cfg
RestartSec=2
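Review bot: In osmo-pcap-client.service, `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW` grants both capabilities to the now-unprivileged process, but the unit sets no bounding set and no `NoNewPrivileges=`. Adding `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW` and `NoNewPrivileges=true` next to it would stop the daemon and anything it executes from ever holding more than these two. Whether capture needs CAP_NET_ADMIN at all is not visible in this hunk; if CAP_NET_RAW is enough, it should be the only one granted. The osmo-pcap-server.service hunk adds `User=`/`Group=` without capabilities, and `NoNewPrivileges=true` would fit there too.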
diff --git a/debian/osmo-pcap-client.postinst b/debian/osmo-pcap-client.postinst
new file mode 100755
index 0000000..ba0182d
--- /dev/null
+++ b/debian/osmo-pcap-client.postinst
@@ -0,0 +1,38 @@
+#!/bin/sh -e
+case "$1" in
+ configure)
+ # Create the osmocom group and user (if it doesn't exist yet)
+ if ! getent group osmocom >/dev/null; then
+ groupadd --system osmocom
+ fi
+ if ! getent passwd osmocom >/dev/null; then
+ useradd \
+ --system \
+ --gid osmocom \
+ --home-dir /var/lib/osmocom \
+ --shell /sbin/nologin \
+ --comment "Open Source Mobile Communications" \
+ osmocom
+ fi
+
+ # Fix permissions of previous (root-owned) install (OS#4107)
+ if dpkg --compare-versions "$2" le "0.4.3"; then
+ if [ -e /etc/osmocom/osmo-pcap-client.cfg ]; then
+ chown -v osmocom:osmocom /etc/osmocom/osmo-pcap-client.cfg
+ chmod -v 0660 /etc/osmocom/osmo-pcap-client.cfg
+ fi
+
+ if [ -d /etc/osmocom ]; then
+ chown -v root:osmocom /etc/osmocom
+ chmod -v 2775 /etc/osmocom
+ fi
+
+ mkdir -p /var/lib/osmocom
+ chown -R -v osmocom:osmocom /var/lib/osmocom
+ fi
+ ;;
+esac
+
+# dh_installdeb(1) will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
diff --git a/debian/osmo-pcap-server.postinst b/debian/osmo-pcap-server.postinst
new file mode 100755
index 0000000..56d2b49
--- /dev/null
+++ b/debian/osmo-pcap-server.postinst
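Review bot: The `-e` on the `#!/bin/sh -e` shebang of debian/osmo-pcap-client.postinst only applies when the script is executed directly. Run as `sh postinst`, for instance while debugging a failed upgrade, the `groupadd`, `useradd`, `chown` and `chmod` steps would carry on past a failure. Keep the shebang as `#!/bin/sh` and put `set -e` on the next line; debian/osmo-pcap-server.postinst is identical apart from the config file name and needs the same change. The permission fix-up also relies on `dpkg --compare-versions "$2" le "0.4.3"` being true when `$2` is empty on a fresh install, which deserves a comment such as `# "$2" is empty on first install; dpkg treats an empty version as earlier than any version`.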
@@ -0,0 +1,38 @@
+#!/bin/sh -e
+case "$1" in
+ configure)
+ # Create the osmocom group and user (if it doesn't exist yet)
+ if ! getent group osmocom >/dev/null; then
+ groupadd --system osmocom
+ fi
+ if ! getent passwd osmocom >/dev/null; then
+ useradd \
+ --system \
+ --gid osmocom \
+ --home-dir /var/lib/osmocom \
+ --shell /sbin/nologin \
+ --comment "Open Source Mobile Communications" \
+ osmocom
+ fi
+
+ # Fix permissions of previous (root-owned) install (OS#4107)
+ if dpkg --compare-versions "$2" le "0.4.3"; then
+ if [ -e /etc/osmocom/osmo-pcap-server.cfg ]; then
+ chown -v osmocom:osmocom /etc/osmocom/osmo-pcap-server.cfg
+ chmod -v 0660 /etc/osmocom/osmo-pcap-server.cfg
+ fi
+
+ if [ -d /etc/osmocom ]; then
+ chown -v root:osmocom /etc/osmocom
+ chmod -v 2775 /etc/osmocom
+ fi
+
+ mkdir -p /var/lib/osmocom
+ chown -R -v osmocom:osmocom /var/lib/osmocom
+ fi
+ ;;
+esac
+
+# dh_installdeb(1) will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#