Make passenger rubyapp runs as obsapi user.

Passenger's default user is nobody:
 https://www.phusionpassenger.com/library/config/nginx/reference/#passenger_default_user

So that we got Passenger and the RubyApp runs as nobody. However,
according to Debian's SystemGroup usage:
  https://wiki.debian.org/SystemGroups

nogroup (user: nobody): Daemons that need not own any files run as user
nobody and group nogroup. Thus, no files on a system should be owned by
this user or group.

So we should create a new system user called 'obsapi' and force the Passenger app
to run as obsapi instead.

And config files should be readable by that obsapi user but usually not
writable.
Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org>
parent dff667d0
......@@ -5,6 +5,7 @@ Listen 82
# Passenger defaults
PassengerSpawnMethod "smart"
PassengerMaxPoolSize 20
PassengerDefaultUser obsapi
#RailsEnv "development"
# allow long request urls and being part of headers
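Review bot: `PassengerDefaultUser obsapi` is, as Passenger documents its user-switching rules, only the fallback used when the application's startup file (config.ru) is owned by root or by a user below the minimum UID; if /usr/share/obs/api/config.ru ends up owned by some other account, the app runs as that owner and this directive has no effect. Since the commit's intent is to pin the app to obsapi regardless of file ownership, consider additionally setting `PassengerUser obsapi` and `PassengerGroup obsapi` inside the obs VirtualHost, which is not visible in this hunk. The group defaults to obsapi's primary group, so no `PassengerDefaultGroup` is needed if that is the desired group.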
......
#!/bin/sh -e
# Add obsapi user and group to run the passenger RubyApp
if ! getent group obsapi > /dev/null; then
addgroup --system --quiet obsapi
fi
if ! getent passwd obsapi > /dev/null; then
adduser --system --quiet \
--ingroup obsapi --shell /bin/false \
--no-create-home --home /nonexistent obsapi
usermod -c "User for build service api/webui" obsapi
fi
# Place api and repo url on index page
if [ ! -f /usr/share/obs/overview/index.html ] ; then
FQHOSTNAME=`hostname -f`
......@@ -13,13 +24,19 @@ fi
if [ ! -e "/usr/share/obs/api/config/secret.key" ]; then
rm -f /usr/share/obs/api/config/secret.key
fi
SECRET_KEY="/etc/obs/api/config/secret.key"
if [ ! -e "$SECRET_KEY" ]; then
( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\ -f 1 >$SECRET_KEY )
touch $SECRET_KEY
chmod 0640 $SECRET_KEY
chown obsapi:www-data $SECRET_KEY
( dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\ -f 1 >$SECRET_KEY )
ln -s $SECRET_KEY /usr/share/obs/api/config/secret.key
fi
else
# cope with upgrades here to ensure that obsapi user own the key.
chmod 0640 $SECRET_KEY
chown nobody:www-data $SECRET_KEY
chown obsapi:www-data $SECRET_KEY
fi
# Generate log files
touch /var/log/obs/access.log
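Review bot: The generated secret key stays readable by the whole www-data group (`chmod 0640` plus `chown obsapi:www-data` in both the create and the upgrade branch) and writable by the obsapi user itself, which contradicts the description's own rule that config files be readable but not writable by obsapi, and is looser than the `obsapi:obsapi` / `440` applied to database.yml elsewhere in this commit. Unless something still running as www-data needs the Rails secret, tighten both branches to `chown obsapi:obsapi "$SECRET_KEY"` and `chmod 0440 "$SECRET_KEY"`. Dropping the old `umask 0077` subshell is only safe because the key material is written after the chmod; a one-line comment such as `# perms are set before the key is written, do not reorder` would keep the touch/chmod/write sequence from being shuffled later.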
......
......@@ -67,6 +67,9 @@ if [ "$1" = "purge" ]; then
# Disable the obs site if not already disabled
a2dissite obs.conf > /dev/null || true
fi
# Delete obsapi user and group
deluser --system --quiet obsapi || true
delgroup --system --quiet obsapi || true
# Restart Apache to really unload obs.conf
reload_apache restart
fi
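Review bot: `deluser` runs before the files this package chowns to obsapi are gone, so on purge the logs in /var/log/obs and the generated /etc/obs/api/config/secret.key (neither is a dpkg conffile) are left owned by a dangling UID that the next system account created on the host will inherit. Remove them first, e.g. `rm -f /var/log/obs/production.log /var/log/obs/backend_access.log /etc/obs/api/config/secret.key` ahead of the `deluser` line, unless another part of this postrm already does so. The enclosing `if [ "$1" = "purge" ]` block starts outside the hunk; I am assuming from the header that the account removal is purge-only, which is the right place for it.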
......
......@@ -26,10 +26,10 @@ case "$1" in
chown -R www-data:www-data /usr/share/obs/api/public
chown www-data:www-data /etc/obs/api/config/production.sphinx.conf
chmod 664 /var/log/obs/*.log
chown nobody:www-data /etc/obs/api/config/database.yml
chmod 660 /etc/obs/api/config/database.yml
chown nobody:www-data /var/log/obs/backend_access.log
chown nobody:www-data /var/log/obs/production.log
chown obsapi:obsapi /etc/obs/api/config/database.yml
chmod 440 /etc/obs/api/config/database.yml
chown obsapi:obsapi /var/log/obs/backend_access.log
chown obsapi:obsapi /var/log/obs/production.log
# Generate Gemfile.lock file.
cd /usr/share/obs/api
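Review bot: The new `chown obsapi:obsapi` lines assume the obsapi account already exists; the file's name is not visible here, but if this is not the same postinst that creates the user in this commit and it can run before that package is configured, every chown fails and, under `sh -e`, aborts the script with permissions only partially applied. If the ordering is not guaranteed by a `Depends:`, make the failure explicit with `getent passwd obsapi >/dev/null || { echo "obsapi user missing" >&2; exit 1; }` before these lines. The enclosing `case "$1" in` starts outside the hunk.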
......
......@@ -69,6 +69,9 @@ override_dh_install:
# Fix Mark scripts as executable until upstream fixes
chmod a+x debian/obs-server/usr/lib/obs/tests/appliance/*t*
# Remove useless Gemfile.lock
rm -f debian/obs-api/usr/share/obs/api/Gemfile.lock
override_dh_systemd_enable:
dh_systemd_enable -p obs-server \
obsrepserver.service \
......