Make passenger rubyapp runs as obsapi user.

Passenger's default user is nobody:
 https://www.phusionpassenger.com/library/config/nginx/reference/#passenger_default_user

So that we got Passenger and the RubyApp runs as nobody. However,
according to Debian's SystemGroup usage:
  https://wiki.debian.org/SystemGroups

nogroup (user: nobody): Daemons that need not own any files run as user
nobody and group nogroup. Thus, no files on a system should be owned by
this user or group.

So that we should create a new user call 'obapi' and force passenger app
to run as obs-api instead.

And config files should be readable by that obsapi user but usually not
writable.
Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org>

debian/obs-apache2.conf

@@ -5,6 +5,7 @@ Listen 82
 # Passenger defaults
 PassengerSpawnMethod "smart"
 PassengerMaxPoolSize 20
+PassengerDefaultUser obsapi
 #RailsEnv "development"
 
 # allow long request urls and being part of headers

debian/obs-api.postinst

 #!/bin/sh -e
 
+# Add obsapi user and group to run the passenger RubyApp
+if ! getent group obsapi > /dev/null; then
+            addgroup --system --quiet obsapi
+fi
+if ! getent passwd obsapi > /dev/null; then
+    adduser --system --quiet \
+        --ingroup obsapi --shell /bin/false \
+        --no-create-home --home /nonexistent obsapi
+    usermod -c "User for build service api/webui" obsapi
+fi
+
 # Place api and repo url on index page
 if [ ! -f /usr/share/obs/overview/index.html ] ; then
   FQHOSTNAME=`hostname -f`
@@ -13,13 +24,19 @@ fi
 if [ ! -e "/usr/share/obs/api/config/secret.key" ]; then
   rm -f /usr/share/obs/api/config/secret.key
 fi
+
 SECRET_KEY="/etc/obs/api/config/secret.key"
 if [ ! -e "$SECRET_KEY" ]; then
-    ( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\  -f 1 >$SECRET_KEY )
+  touch $SECRET_KEY
+  chmod 0640 $SECRET_KEY
+  chown obsapi:www-data $SECRET_KEY
+    ( dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\  -f 1 >$SECRET_KEY )
     ln -s $SECRET_KEY /usr/share/obs/api/config/secret.key
-fi
+else
+  # cope with upgrades here to ensure that obsapi user own the key.
   chmod 0640 $SECRET_KEY
-  chown nobody:www-data $SECRET_KEY
+  chown obsapi:www-data $SECRET_KEY
+fi
 
 # Generate log files
   touch /var/log/obs/access.log

debian/obs-api.postrm

@@ -67,6 +67,9 @@ if [ "$1" = "purge" ]; then
     # Disable the obs site if not already disabled
         a2dissite obs.conf	> /dev/null || true
     fi
+    # Delete obsapi user and group
+    deluser --system --quiet obsapi || true
+    delgroup --system --quiet obsapi || true
     # Restart Apache to really unload obs.conf
     reload_apache restart
 fi

debian/rake-tasks.sh

@@ -26,10 +26,10 @@ case "$1" in
 	chown -R www-data:www-data /usr/share/obs/api/public
 	chown www-data:www-data /etc/obs/api/config/production.sphinx.conf
 	chmod 664 /var/log/obs/*.log
-	chown nobody:www-data /etc/obs/api/config/database.yml
-	chmod 660 /etc/obs/api/config/database.yml
-	chown nobody:www-data /var/log/obs/backend_access.log
-	chown nobody:www-data /var/log/obs/production.log
+	chown obsapi:obsapi /etc/obs/api/config/database.yml
+	chmod 440 /etc/obs/api/config/database.yml
+	chown obsapi:obsapi /var/log/obs/backend_access.log
+	chown obsapi:obsapi /var/log/obs/production.log
 
 	# Generate Gemfile.lock file.
 	cd /usr/share/obs/api

debian/rules

@@ -69,6 +69,9 @@ override_dh_install:
 	# Fix Mark scripts as executable until upstream fixes
 	chmod a+x debian/obs-server/usr/lib/obs/tests/appliance/*t*
 
+	# Remove useless Gemfile.lock
+	rm -f debian/obs-api/usr/share/obs/api/Gemfile.lock
+
 override_dh_systemd_enable:
 	dh_systemd_enable -p obs-server \
 		obsrepserver.service \