[packages/ddclient] run as unprivileged user

glen glen at pld-linux.org
Wed Sep 23 08:01:06 CEST 2015


commit c7c8689f57878ab6501f215a06f2d30ed85bced5
Author: Elan Ruusamäe <glen at delfi.ee>
Date:   Wed Sep 23 08:45:38 2015 +0300

    run as unprivileged user

 config.patch  | 11 +++++++----
 ddclient.init | 10 ++++++----
 ddclient.spec | 33 ++++++++++++++++++++++++++++++---
 3 files changed, 43 insertions(+), 11 deletions(-)
---
diff --git a/ddclient.spec b/ddclient.spec
index 5413969..8ca46d2 100644
--- a/ddclient.spec
+++ b/ddclient.spec
@@ -18,7 +18,15 @@ Patch0:		config.patch
 URL:		http://ddclient.sourceforge.net/
 BuildRequires:	rpm-perlprov
 BuildRequires:	rpmbuild(macros) >= 1.268
+Provides:	group(ddclient)
+Provides:	user(ddclient)
 Requires(post,preun):	/sbin/chkconfig
+Requires(postun):	/usr/sbin/groupdel
+Requires(postun):	/usr/sbin/userdel
+Requires(pre):	/bin/id
+Requires(pre):	/usr/bin/getgid
+Requires(pre):	/usr/sbin/groupadd
+Requires(pre):	/usr/sbin/useradd
 Requires:	rc-scripts
 # for freedns: Digest::SHA1, IO::Socket::SSL
 Suggests:	perl-Digest-SHA1
@@ -28,6 +36,9 @@ Suggests:	perl-JSON-Any
 BuildArch:	noarch
 BuildRoot:	%{tmpdir}/%{name}-%{version}-root-%(id -u -n)
 
+%define		cachedir	%{_localstatedir}/cache/ddclient
+%define		rundir		%{_localstatedir}/run/ddclient
+
 %description
 DDclient is a small full featured client with FULL DynDNS NIC2
 support, requiring only Perl and no additional modules. It runs under
@@ -73,16 +84,23 @@ cp -p sample-etc_ddclient.conf %{name}.conf
 
 %install
 rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT{%{_sysconfdir}/ddclient,/etc/{rc.d/init.d,sysconfig,NetworkManager/dispatcher.d},%{_sbindir},%{_var}/cache/%{name}}
+install -d $RPM_BUILD_ROOT{%{_sysconfdir}/%{name},/etc/{rc.d/init.d,sysconfig,NetworkManager/dispatcher.d}} \
+	$RPM_BUILD_ROOT{%{_sbindir},%{cachedir},%{rundir}}
+
 cp -p %{name}.conf $RPM_BUILD_ROOT%{_sysconfdir}/%{name}
 install -p %{name} $RPM_BUILD_ROOT%{_sbindir}
 install -p %{SOURCE1} $RPM_BUILD_ROOT/etc/rc.d/init.d/%{name}
 cp -p %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/%{name}
 install -p %{SOURCE3} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/50-%{name}
+touch $RPM_BUILD_ROOT%{cachedir}/%{name}.cache
 
 %clean
 rm -rf $RPM_BUILD_ROOT
 
+%pre
+%groupadd -g 325 ddclient
+%useradd -u 525 -d /var/run/%{name} -g ddclient -c "ddclient user" ddclient
+
 %post
 /sbin/chkconfig --add %{name}
 %service %{name} restart "%{name} daemon"
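Review bot: The `%useradd` line in `%pre` sets no login shell, so the ddclient account gets whatever default shell useradd is configured with; an account that only runs a daemon is better created with a non-login shell. The same line spells the home directory as `/var/run/%{name}` although `%{rundir}` is defined earlier in this diff, presumably for the same path. Suggested: `%useradd -u 525 -d %{rundir} -s /bin/false -g ddclient -c "ddclient user" ddclient`.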
@@ -93,6 +111,12 @@ if [ "$1" = "0" ]; then
 	/sbin/chkconfig --del %{name}
 fi
 
+%postun
+if [ "$1" = "0" ]; then
+	%userremove ddclient
+	%groupremove ddclient
+fi
+
 %triggerpostun -- ddclient < 1:3.6.4
 if [ -f /etc/ddclient.conf.rpmsave ]; then
 	echo "Moving config to new location /etc/ddclient"
@@ -106,8 +130,11 @@ fi
 %doc ChangeLog Changelog.old README*
 %attr(755,root,root) %{_sbindir}/ddclient
 %dir %{_sysconfdir}/%{name}
-%attr(600,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/%{name}/%{name}.conf
+%attr(640,root,ddclient) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/%{name}/%{name}.conf
 %attr(600,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/ddclient
 %attr(754,root,root) /etc/rc.d/init.d/%{name}
-%dir %{_var}/cache/%{name}
 %attr(755,root,root) /etc/NetworkManager/dispatcher.d/50-%{name}
+
+%dir %attr(770,root,ddclient) %{cachedir}
+%ghost %attr(600,ddclient,ddclient) %ghost %{cachedir}/%{name}.cache
+%dir %attr(770,root,ddclient) %{rundir}
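Review bot: On upgrade, a cache file left by the previous root-run daemon will probably stay owned by root, because the `%ghost` entry does not ship the file and rpm may not reset ownership on an existing ghost path; the unprivileged daemon then cannot read or rewrite it. A `%post` step such as `[ -f %{cachedir}/%{name}.cache ] && chown -h ddclient:ddclient %{cachedir}/%{name}.cache || :` would cover that case. The same may apply to an edited `%config(noreplace)` ddclient.conf that keeps its old 600 root:root mode, which is worth checking on an upgraded host. The cache line also repeats `%ghost`; `%ghost %attr(600,ddclient,ddclient) %{cachedir}/%{name}.cache` is enough.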
diff --git a/config.patch b/config.patch
index b48d611..66ba3cd 100644
--- a/config.patch
+++ b/config.patch
@@ -1,11 +1,14 @@
---- ddclient-3.8.3/ddclient.conf	2015-09-23 08:29:05.051308301 +0300
-+++ ddclient-3.8.3/ddclient.conf	2015-05-30 12:37:38.000000000 +0300
-@@ -20,7 +20,7 @@
+--- ddclient-3.8.3/ddclient.conf	2015-05-30 12:37:38.000000000 +0300
++++ ddclient-3.8.3/ddclient.conf	2015-09-23 08:33:27.228276894 +0300
+@@ -20,9 +20,9 @@
  ######################################################################
  daemon=300				# check every 300 seconds
  syslog=yes				# log update msgs to syslog
 -mail=root				# mail all msgs to root
 +#mail=root				# mail all msgs to root
  mail-failure=root			# mail failed update msgs to root
- pid=/var/run/ddclient.pid		# record PID in file.
+-pid=/var/run/ddclient.pid		# record PID in file.
++pid=/var/run/ddclient/ddclient.pid		# record PID in file.
  ssl=yes					# use ssl-support.  Works with
+ 					# ssl-library
+ # postscript=script			# run script after updating.  The
diff --git a/ddclient.init b/ddclient.init
index 8ba3ac6..3726da0 100755
--- a/ddclient.init
+++ b/ddclient.init
@@ -17,6 +17,8 @@
 DDCLIENT_OPTIONS="-daemon 300"
 [ -f /etc/sysconfig/ddclient ] && . /etc/sysconfig/ddclient
 
+pidfile=/var/run/ddclient/ddclient.pid
+
 # Check that networking is up.
 if is_yes "${NETWORKING}"; then
 	if [ ! -f /var/lock/subsys/network -a "$1" != stop -a "$1" != status ]; then
@@ -35,7 +37,7 @@ start() {
 	fi
 
 	msg_starting "Dynamic DNS Client"
-	daemon /usr/sbin/ddclient $DDCLIENT_OPTIONS
+	daemon --user ddclient /usr/sbin/ddclient $DDCLIENT_OPTIONS
 	RETVAL=$?
 	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/ddclient
 }
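Review bot: The `daemon --user ddclient` line relies on the `pid=` setting in ddclient.conf matching the `pidfile` variable this script now hard-codes. Because the spec marks ddclient.conf as `%config(noreplace)`, an upgraded host with an edited config will probably keep `pid=/var/run/ddclient.pid`, which the unprivileged user presumably cannot create and which the `--pidfile` calls in stop and status will not look at. Passing the path on the command line keeps the two in step, assuming command-line options take precedence over the config file: `daemon --user ddclient /usr/sbin/ddclient -pid $pidfile $DDCLIENT_OPTIONS`. start() begins outside the hunk.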
@@ -47,8 +49,8 @@ stop() {
 	fi
 
 	msg_stopping "Dynamic DNS Client"
-	killproc ddclient
-	rm -f /var/run/ddclient.pid /var/lock/subsys/ddclient >/dev/null 2>&1
+	killproc ddclient --pidfile $pidfile
+	rm -f $pidfile /var/lock/subsys/ddclient >/dev/null 2>&1
 }
 
 reload() {
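Review bot: `killproc ddclient --pidfile $pidfile` puts the option after the program name, while the `status --pidfile $pidfile ddclient` call later in this diff puts it first. If the rc-scripts killproc only parses options that precede the program name, `--pidfile` would be read as the signal argument, so `killproc --pidfile $pidfile ddclient` is the safer form. Separately, the pid file now lives in a directory writable by the ddclient group (mode 770 in the spec), so root's stop path acts on a PID value the unprivileged account controls. It is worth confirming that killproc checks the process name before signalling. stop() begins outside the hunk.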
@@ -80,7 +82,7 @@ case "$1" in
 	reload
 	;;
   status)
-	status ddclient
+	status --pidfile $pidfile ddclient
 	exit $?
 	;;
   *)
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/ddclient.git/commitdiff/91cda60246362580eb17efdb7ad7e0c6c434307c


