Merge pull request #8 from jirihnidek/daemon_user

Use non-root user for runnig daemon
jirihnidek · Sep 29, 2021 · b98a336 · b98a336
2 parents 2cef188 + bf0094c
commit b98a336
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 7 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -37,6 +37,12 @@ set (DAEMON_CONF_DIR "/etc/daemon")
 # Directory with systemd unit files
 set (SYSTEMD_UNIT_DIR "/usr/lib/systemd/system/")
 
+# Default directory for log file
+set (DAEMON_LOG_DIR "/var/log/daemon")
+
+# Default directory for PID file
+set (DAEMON_PID_DIR "/run/daemon")
+
 # Macro for installing configuration files
 function(install_conf src dest)
  if(NOT IS_ABSOLUTE "${src}")
@@ -69,3 +75,9 @@ install_conf (./daemon.conf ${DAEMON_CONF_DIR})
 # Install systemd unit files 
 install_conf (./simple-daemon.service ${SYSTEMD_UNIT_DIR})
 install_conf (./forking-daemon.service ${SYSTEMD_UNIT_DIR})
+
+# Create empty directory for default log file
+install(DIRECTORY DESTINATION ${DAEMON_LOG_DIR})
+
+# Create empty directory for default PID file
+install(DIRECTORY DESTINATION ${DAEMON_PID_DIR})
diff --git a/daemon.spec b/daemon.spec
@@ -1,3 +1,8 @@
+%global groupname daemoner
+%global username daemoner
+%global homedir /
+
+
 Name: daemon
 Version: 0.1
 Release: 1%{?dist}
@@ -7,6 +12,8 @@ License: GPL
 URL: https://github.com/jirihnidek/daemon
 Source0: %{name}-%{version}.tar.gz
 
+Requires(pre): shadow-utils
+
 BuildRequires: gcc
 BuildRequires: make
 BuildRequires: cmake
@@ -16,6 +23,14 @@ BuildRequires: cmake
 This package contains example of simple UNIX daemon
 
 
+%pre
+getent group %{groupname} >/dev/null || groupadd -r %{groupname}
+getent passwd %{username} >/dev/null || \
+ useradd -r -g %{groupname} -d %{homedir} -s /sbin/nologin \
+ -c "User used for running example of daemon" %{username}
+exit 0
+
+
 # Section for preparation of build
 %prep
 
@@ -49,15 +64,24 @@ rm -rf $RPM_BUILD_ROOT
 
 
 # This is special section again. You have to list here all files
-# that are part of final RPM package.
+# that are part of final RPM package. You can specify owner of
+# files and permissions to files
 %files
 
+# Files and directories owned by root:root
 %attr(755,root,root) %{_bindir}/daemon
 %attr(755,root,root) %dir %{_sysconfdir}/daemon
-%attr(750,root,root) %{_sysconfdir}/daemon/daemon.conf
 %attr(644,root,root) %{_unitdir}/simple-daemon.service
 %attr(644,root,root) %{_unitdir}/forking-daemon.service
 
+# File owned by root, but group can read it
+%attr(640,root,%{groupname}) %{_sysconfdir}/daemon/daemon.conf
+
+# Files and directories owned by daemoner:daemoner user
+%attr(755,%{username},%{groupname}) %{_var}/log/daemon
+%attr(755,%{username},%{groupname}) %{_rundir}/daemon
+
+
 
 # This is section, where you should describe all important changes
 # in RPM

diff --git a/forking-daemon.service b/forking-daemon.service
@@ -3,12 +3,13 @@ Description=Example of forking daemon program
 
 [Service]
 Type=forking
-PIDFile=/var/run/daemon.pid
+PIDFile=/run/daemon/daemon.pid
 ExecStart=/usr/bin/daemon \
  --conf_file /etc/daemon/daemon.conf \
- --log_file /var/log/daemon.log \
- --pid_file /var/run/daemon.pid \
+ --log_file /var/log/daemon/daemon.log \
+ --pid_file /run/daemon/daemon.pid \
  --daemon
+User=daemoner
 ExecReload=/bin/kill -HUP $MAINPID
 
 [Install]

diff --git a/simple-daemon.service b/simple-daemon.service
@@ -5,8 +5,8 @@ Description=Example of simple daemon program
 Type=simple
 ExecStart=/usr/bin/daemon \
  --conf_file /etc/daemon/daemon.conf \
- --log_file /var/log/daemon.log
-User=root
+ --log_file /var/log/daemon/daemon.log
+User=daemoner
 ExecReload=/bin/kill -HUP $MAINPID
 
 [Install]