[SCM] Debian packaging for the 2.0 Apache Shibboleth SP branch, debian, updated. upstream/2.2.1+dfsg-123-g245f2b9

Ferenc Wagner wferi at niif.hu
Fri Sep 18 15:54:07 UTC 2009 

The following commit has been merged in the debian branch:
commit 245f2b9793cd1abb7d3013433f71f9d9a6102536
Author: Ferenc Wagner <wferi at niif.hu>
Date:   Fri Sep 18 13:05:09 2009 +0200

    Run shibd as non-root
    On installation, create a new system user (_shibd) and run
    shibd as this user if possible.

diff --git a/configs/shibd-debian.in b/configs/shibd-debian.in
index 889372d..b57f8b3 100644
--- a/configs/shibd-debian.in
+++ b/configs/shibd-debian.in
@@ -29,6 +29,7 @@ DAEMON=@-PREFIX-@/sbin/$NAME
 SCRIPTNAME=/etc/init.d/$NAME
 PIDFILE=@-PKGRUNDIR-@/$NAME.pid
 DAEMON_OPTS=""
+DAEMON_USER=_shibd
 
 # Force removal of socket
 DAEMON_OPTS="$DAEMON_OPTS -f"
@@ -48,18 +49,39 @@ DAEMON_OPTS="$DAEMON_OPTS -p $PIDFILE"
 # Get the setting of VERBOSE and other rcS variables.
 [ -f /etc/default/rcS ] && . /etc/default/rcS
 
-case "$1" in
-start)
+prepare_environment () {
     # Ensure @-PKGRUNDIR-@ exists.  /var/run may be on a tmpfs file system.
     [ -d '@-PKGRUNDIR-@' ] || mkdir -p '@-PKGRUNDIR-@'
 
+    if [ -n "$DAEMON_USER" ]; then
+        if DIAG=$(su -s $DAEMON $DAEMON_USER -- -t $DAEMON_OPTS 2>/dev/null); then
+            # openssl errstr 200100D (hex for 33558541) says:
+            # error:0200100D:system library:fopen:Permission denied
+            if  echo "$DIAG" | fgrep -q 'ERROR OpenSSL : error code: 33558541 '; then
+                unset DAEMON_USER
+                echo "$NAME warning: file permissions require running as root"
+            else
+                chown -R "$DAEMON_USER" '@-PKGRUNDIR-@' '@-PKGLOGDIR-@'
+            fi
+        else
+            unset DAEMON_USER
+            echo "$NAME error: unable to run config check as user $DAEMON_USER"
+        fi
+        unset DIAG
+    fi
+}
+
+case "$1" in
+start)
+    prepare_environment
+
     # Don't start shibd if NO_START is set.
     if [ "$NO_START" = 1 ] ; then
         echo "Not starting $DESC (see /etc/default/$NAME)"
         exit 0
     fi
     echo -n "Starting $DESC: "
-    start-stop-daemon --start --quiet \
+    start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
         --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
     echo "$NAME."
     ;;
@@ -70,14 +92,13 @@ stop)
     echo "$NAME."
     ;;
 restart|force-reload)
-    # Ensure @-PKGRUNDIR-@ exists.  /var/run may be on a tmpfs file system.
-    [ -d '@-PKGRUNDIR-@' ] || mkdir -p '@-PKGRUNDIR-@'
+    prepare_environment
 
     echo -n "Restarting $DESC: "
     start-stop-daemon --stop --quiet --pidfile $PIDFILE \
         --exec $DAEMON
     sleep 1
-    start-stop-daemon --start --quiet \
+    start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
         --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
     echo "$NAME."
     ;;
diff --git a/debian/changelog b/debian/changelog
index c3f2f84..04e1ea7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+shibboleth-sp2 (2.2.1+dfsg-3) unstable; urgency=low
+
+  * Run shibd as non-root.
+
+ -- Ferenc Wagner <wferi at niif.hu>  Fri, 18 Sep 2009 17:52:07 +0200
+
 shibboleth-sp2 (2.2.1+dfsg-2) unstable; urgency=low
 
   * Change the libapache2-mod-shib2 section to httpd, matching override.
diff --git a/debian/control b/debian/control
index a5c744a..1ec8cf9 100644
--- a/debian/control
+++ b/debian/control
@@ -16,7 +16,7 @@ Vcs-Browser: http://git.debian.org/?p=pkg-shibboleth/shibboleth-sp2.git
 Package: libapache2-mod-shib2
 Section: httpd
 Architecture: any
-Depends: ${shlibs:Depends}
+Depends: adduser, ${shlibs:Depends}
 Recommends: apache2, openssl
 Conflicts: libapache2-mod-shib
 Description: Federated web single sign-on system (Apache module)
diff --git a/debian/libapache2-mod-shib2.postinst b/debian/libapache2-mod-shib2.postinst
index 12594d1..9cd4ce7 100755
--- a/debian/libapache2-mod-shib2.postinst
+++ b/debian/libapache2-mod-shib2.postinst
@@ -24,6 +24,12 @@ if [ "$1" = "configure" ] ; then
     if [ -z "$2" ] ; then
         a2dismod shib 2>/dev/null || true
     fi
+
+    if ! getent passwd _shibd > /dev/null ; then
+        echo 'Adding system-user for Shibboleth daemon' 1>&2
+        adduser --system --group --quiet --home /var/log/shibboleth \
+            --no-create-home --disabled-login --force-badname _shibd
+    fi
 fi
 
 #DEBHELPER#

-- 
Debian packaging for the 2.0 Apache Shibboleth SP

More information about the Pkg-shibboleth-devel mailing list