Commit f0db9bb6 authored by Andrew Lee (李健秋)

Make passenger rubyapp runs as obsapi user.

Passenger's default user is nobody:
 https://www.phusionpassenger.com/library/config/nginx/reference/#passenger_default_user

So that we got Passenger and the RubyApp runs as nobody. However,
according to Debian's SystemGroup usage:
  https://wiki.debian.org/SystemGroups



nogroup (user: nobody): Daemons that need not own any files run as user
nobody and group nogroup. Thus, no files on a system should be owned by
this user or group.

So we should create a new user called 'obsapi' and force the passenger app
to run as obsapi instead.

And config files should be readable by that obsapi user but usually not
writable.

Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org>
parent dff667d0
...@@ -5,6 +5,7 @@ Listen 82 ...@@ -5,6 +5,7 @@ Listen 82
# Passenger defaults # Passenger defaults
PassengerSpawnMethod "smart" PassengerSpawnMethod "smart"
PassengerMaxPoolSize 20 PassengerMaxPoolSize 20
PassengerDefaultUser obsapi
#RailsEnv "development" #RailsEnv "development"
# allow long request urls and being part of headers # allow long request urls and being part of headers
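Review bot: The new `PassengerDefaultUser obsapi` line deserves a comment recording why it is expected to take effect, because with Passenger's user switching left at its default the app normally runs as the owner of its config.ru and only falls back to this directive when that owner is root or unusable; presumably the packaged /usr/share/obs/api tree is root-owned, so the fallback applies, but a later chown of the app tree would silently override it. It would also help to note that the effective group follows the user's primary group (obsapi, per the adduser in postinst) unless PassengerDefaultGroup is set, since the postinst's chown/chmod choices depend on that. Suggested comment above the directive: `# Run the Rails app as the dedicated obsapi account (created in postinst) rather than Passenger's built-in default "nobody"; applies as long as config.ru stays root-owned`.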
......
#!/bin/sh -e #!/bin/sh -e
# Add obsapi user and group to run the passenger RubyApp
if ! getent group obsapi > /dev/null; then
addgroup --system --quiet obsapi
fi
if ! getent passwd obsapi > /dev/null; then
adduser --system --quiet \
--ingroup obsapi --shell /bin/false \
--no-create-home --home /nonexistent obsapi
usermod -c "User for build service api/webui" obsapi
fi
# Place api and repo url on index page # Place api and repo url on index page
if [ ! -f /usr/share/obs/overview/index.html ] ; then if [ ! -f /usr/share/obs/overview/index.html ] ; then
FQHOSTNAME=`hostname -f` FQHOSTNAME=`hostname -f`
...@@ -13,13 +24,19 @@ fi ...@@ -13,13 +24,19 @@ fi
if [ ! -e "/usr/share/obs/api/config/secret.key" ]; then if [ ! -e "/usr/share/obs/api/config/secret.key" ]; then
rm -f /usr/share/obs/api/config/secret.key rm -f /usr/share/obs/api/config/secret.key
fi fi
SECRET_KEY="/etc/obs/api/config/secret.key" SECRET_KEY="/etc/obs/api/config/secret.key"
if [ ! -e "$SECRET_KEY" ]; then if [ ! -e "$SECRET_KEY" ]; then
( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\ -f 1 >$SECRET_KEY ) touch $SECRET_KEY
chmod 0640 $SECRET_KEY
chown obsapi:www-data $SECRET_KEY
( dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\ -f 1 >$SECRET_KEY )
ln -s $SECRET_KEY /usr/share/obs/api/config/secret.key ln -s $SECRET_KEY /usr/share/obs/api/config/secret.key
fi else
# cope with upgrades here to ensure that obsapi user own the key.
chmod 0640 $SECRET_KEY chmod 0640 $SECRET_KEY
chown nobody:www-data $SECRET_KEY chown obsapi:www-data $SECRET_KEY
fi
# Generate log files # Generate log files
touch /var/log/obs/access.log touch /var/log/obs/access.log
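Review bot: The rewritten key generation drops the `umask 0077` guard the old line had, so `touch $SECRET_KEY` creates the file with the process default umask (typically world-readable) and only the following `chmod 0640` closes it; the file is still empty during that window, but it is needless exposure and the ordering is fragile. Keep the restrictive creation and fix ownership afterwards: `( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null | sha256sum | cut -d\  -f 1 > "$SECRET_KEY" )`, then `chown obsapi:www-data "$SECRET_KEY"` and `chmod 0640 "$SECRET_KEY"` (or `install -m 0640 -o obsapi -g www-data /dev/null "$SECRET_KEY"` before writing). In the account-creation hunk at the top of this file, the separate `usermod -c ...` call could be folded into adduser as `--gecos "User for build service api/webui"`, and `/usr/sbin/nologin` is the more conventional shell for a Debian system account than `/bin/false`.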
......
...@@ -67,6 +67,9 @@ if [ "$1" = "purge" ]; then ...@@ -67,6 +67,9 @@ if [ "$1" = "purge" ]; then
# Disable the obs site if not already disabled # Disable the obs site if not already disabled
a2dissite obs.conf > /dev/null || true a2dissite obs.conf > /dev/null || true
fi fi
# Delete obsapi user and group
deluser --system --quiet obsapi || true
delgroup --system --quiet obsapi || true
# Restart Apache to really unload obs.conf # Restart Apache to really unload obs.conf
reload_apache restart reload_apache restart
fi fi
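Review bot: Deleting the obsapi account on purge (`deluser --system --quiet obsapi` / `delgroup`) frees a UID that may still own files on disk: the postinst chowns /var/log/obs/production.log, backend_access.log and the secret key to it, and it is not visible here whether purge removes every one of those before this point. Any later system account allocated the same UID would then inherit those files. Debian's packaging guidance generally prefers leaving system accounts in place on purge for this reason, or removing all owned files first; whichever is chosen, record it next to these lines, e.g. `# obsapi-owned files under /var/log/obs and /etc/obs must be removed before the account is dropped, or the UID could be reused`. The enclosing `if [ "$1" = "purge" ]` block starts outside the hunk.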
......
...@@ -26,10 +26,10 @@ case "$1" in ...@@ -26,10 +26,10 @@ case "$1" in
chown -R www-data:www-data /usr/share/obs/api/public chown -R www-data:www-data /usr/share/obs/api/public
chown www-data:www-data /etc/obs/api/config/production.sphinx.conf chown www-data:www-data /etc/obs/api/config/production.sphinx.conf
chmod 664 /var/log/obs/*.log chmod 664 /var/log/obs/*.log
chown nobody:www-data /etc/obs/api/config/database.yml chown obsapi:obsapi /etc/obs/api/config/database.yml
chmod 660 /etc/obs/api/config/database.yml chmod 440 /etc/obs/api/config/database.yml
chown nobody:www-data /var/log/obs/backend_access.log chown obsapi:obsapi /var/log/obs/backend_access.log
chown nobody:www-data /var/log/obs/production.log chown obsapi:obsapi /var/log/obs/production.log
# Generate Gemfile.lock file. # Generate Gemfile.lock file.
cd /usr/share/obs/api cd /usr/share/obs/api
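Review bot: Changing production.log and backend_access.log to `obsapi:obsapi` removes write access for www-data, which the preceding `chmod 664` and the unchanged www-data chowns above suggest still runs parts of this package; if any www-data process (or a rake task run as that user) appends to these logs, it will start failing after the upgrade. If that is the case, keeping the group as before, `chown obsapi:www-data /var/log/obs/production.log`, preserves it while the owner still moves to obsapi. Separately, since ownership is being tightened anyway, production.log at 0664 remains world-readable and may carry request data, so a `chmod 0640` on it would be a natural follow-up. The enclosing `case "$1" in` starts outside the hunk.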
......
...@@ -69,6 +69,9 @@ override_dh_install: ...@@ -69,6 +69,9 @@ override_dh_install:
# Fix Mark scripts as executable until upstream fixes # Fix Mark scripts as executable until upstream fixes
chmod a+x debian/obs-server/usr/lib/obs/tests/appliance/*t* chmod a+x debian/obs-server/usr/lib/obs/tests/appliance/*t*
# Remove useless Gemfile.lock
rm -f debian/obs-api/usr/share/obs/api/Gemfile.lock
override_dh_systemd_enable: override_dh_systemd_enable:
dh_systemd_enable -p obs-server \ dh_systemd_enable -p obs-server \
obsrepserver.service \ obsrepserver.service \
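Review bot: The comment `# Remove useless Gemfile.lock` understates what the lockfile is: it pins upstream's gem versions, and dropping it means the app resolves against whatever packaged gems are installed, which presumably is why the postinst regenerates it ("Generate Gemfile.lock file."). Say so, so the next maintainer does not restore it or wonder about reproducibility: `# Drop upstream's Gemfile.lock; it pins gems we do not ship and is regenerated against the packaged gems in postinst`.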
......