[Slackbuilds-users] Amendments to syncthing scripts to accommodate running as non-root user
Matteo Bernardini
matteo.bernardini at gmail.com
Mon Jun 8 12:39:54 UTC 2015
2015-06-08 14:34 GMT+02:00 Sebastian Arcus <s.arcus at open-t.co.uk>:
> As per my previous post to the SBo list, syncthing developers recommend that
> it should never be run as root - even when run as a daemon - as it has not
> been designed with that level of security in mind.
>
> As the uid:gid 307 has been approved for the syncthing user/group on SBo,
> may I suggest the patches below to accommodate this user/group in the
> scripts provided with syncthing on SBo. The patches do the following:
>
> 1. Amend rc.syncthing to start syncthing as "syncthing" user.
> 2. Provide a configurable location for the home/config directory under
> /var/lib - as is the custom for data owned by daemons (as opposed to real
> human users) under Linux.
> 3. Amend the syncthing.SlackBuild script to request the creation of the
> syncthing user/group, if it doesn't exist.
> 4. Amend the syncthing.SlackBuild script to create the following dirs and
> set their permissions accordingly: /var/lib/syncthing/config and
> /var/run/syncthing
>
> I hope the above makes sense. If any of it is incorrect or unsuitable, could
> you please suggest alternatives.
>
> ##############################################
>
> --- syncthing.SlackBuild 2015-06-08 13:03:54.758485646 +0100
> +++ syncthing.SlackBuild.new 2015-06-08 13:18:32.529446783 +0100
> @@ -49,6 +49,14 @@
>
> set -e
>
> +# Check if the syncthing user and group exist. If not, then bail.
> +if [ "$(id -g syncthing 2> /dev/null)" != "307" -o "$(id -u syncthing 2>
> /dev/null)" != "307" ]; then
> + echo " You must have an 'syncthing' user and group to run this script."
> + echo " # groupadd -g 307 exim"
> + echo " # useradd -d /var/lib/syncthing -g syncthing -s /bin/bash -u
> 307 syncthing"
> + exit 1
> +fi
> +
> rm -rf $PKG
> mkdir -p $TMP $PKG $OUTPUT
> cd $TMP
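Review bot: the hint printed when the account is missing, `# groupadd -g 307 exim`, names the wrong group (a leftover from another script); it should read `# groupadd -g 307 syncthing`, otherwise the following `useradd ... -g syncthing` fails because no such group exists. Separately, `-s /bin/bash` gives a daemon account an interactive login shell; if a non-login shell is preferred for a daemon user, the rc script must then call su with an explicit `-s /bin/sh` instead of relying on the account's shell.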
> @@ -72,8 +80,9 @@
> mkdir -p $PKG/etc/rc.d
> cat $CWD/rc.syncthing > $PKG/etc/rc.d/rc.syncthing.new
>
> -mkdir -p $PKG/var/lib/syncthing
> +mkdir -p $PKG/var/lib/syncthing/config
> mkdir -p $PKG/var/run/syncthing
> +chown -R syncthing.syncthing /var/{lib,run}/syncthing
>
> mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
> cp -a *.txt *.pdf $PKG/usr/doc/$PRGNAM-$VERSION
>
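Review bot: `chown -R syncthing.syncthing /var/{lib,run}/syncthing` changes ownership on the build host's live filesystem, not in the package tree; the two mkdir lines just above create `$PKG/var/lib/syncthing/config` and `$PKG/var/run/syncthing`, so the chown must target `$PKG/var/{lib,run}/syncthing` (and the `syncthing:syncthing` colon form is the portable spelling). Point 4 of the description also promises that permissions are set, but this hunk sets ownership only; add an explicit `chmod` (for example 750 on the config directory) if that is the intent.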
>
> ########################################################
>
> --- rc.syncthing 2015-06-08 13:04:20.237858026 +0100
> +++ rc.syncthing.new 2015-06-08 13:09:14.033831997 +0100
> @@ -2,6 +2,9 @@
> #
> # syncthing start script
>
> +$ST_USER="syncthing"
> +$CONFDIR="/var/lib/syncthing/config"
> +
> case "$1" in
> stop)
> PID=/var/run/syncthing/syncthing.pid
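Review bot: both added assignments start with `$`, so `$ST_USER="syncthing"` expands the (empty) variable and the shell tries to run a command named `="syncthing"`; neither ST_USER nor CONFDIR is ever set, and the later `su - $ST_USER` runs with an empty user name. Drop the leading dollar: `ST_USER="syncthing"` and `CONFDIR="/var/lib/syncthing/config"`.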
> @@ -15,7 +18,7 @@
> ;;
> start)
> echo "Start Syncthing..."
> - /usr/bin/syncthing
> + su - $ST_USER -c "$SYNCTHING -home=$CONFDIR" &
> ;;
> restart)
> $0 stop
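Review bot: `$SYNCTHING` is never defined in this script (the removed line hard-coded /usr/bin/syncthing), so the su command line reduces to `-home=...` with no program to run; either add `SYNCTHING=/usr/bin/syncthing` beside the other variables or write the path inline. Also, the process put in the background here is su rather than the daemon, while the stop action reads /var/run/syncthing/syncthing.pid; make sure something still writes that file once syncthing is no longer started directly, or stop will have nothing to kill.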
I reserved the 307 uid/gid for syncthing as you asked, but I thought
you already contacted the maintainer about it first: I think he has
the last word on this.
Matteo
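As an added example (not the SBo rc.syncthing or syncthing.SlackBuild, and not code from either poster), the three steps Sebastian lists, written as POSIX sh functions: verify that the reserved account exists with the expected ids, create the config and run directories with ownership and mode, and start the daemon as that account. The paths and the 307 uid/gid come from the thread; the function names, the 750 mode, and the use of `su -s /bin/sh` so the account does not need a login shell are this example's own choices.

```shell
#!/bin/sh
# Added example, not the SBo scripts. Paths and the 307 uid/gid are from
# the mailing-list thread; the function names, the 750 mode and the
# "su -s /bin/sh" privilege drop are assumptions made for this example.

SVC_USER="syncthing"
SVC_GROUP="syncthing"
SVC_UID=307
SVC_GID=307
SVC_CONF="/var/lib/syncthing/config"
SVC_RUN="/var/run/syncthing"
SVC_BIN="/usr/bin/syncthing"

# check_account NAME UID GID
# Succeeds only when NAME exists with exactly that uid and primary gid.
# Checking both ids rejects a pre-existing "syncthing" account that
# happens to carry a different id instead of silently using it.
check_account() {
    name=$1; want_uid=$2; want_gid=$3
    have_uid=$(id -u "$name" 2>/dev/null) || return 1
    have_gid=$(id -g "$name" 2>/dev/null) || return 1
    [ "$have_uid" = "$want_uid" ] && [ "$have_gid" = "$want_gid" ]
}

# prepare_dirs ROOT OWNER GROUP
# Create the config and run directories below ROOT ($PKG while building,
# empty at runtime), hand them to the daemon account and close them to
# other users. Prints the resulting mode of the config directory.
prepare_dirs() {
    root=$1; owner=$2; group=$3
    for d in "$root$SVC_CONF" "$root$SVC_RUN"; do
        mkdir -p "$d" || return 1
        chown "$owner:$group" "$d" || return 1
        chmod 750 "$d" || return 1
    done
    stat -c '%a' "$root$SVC_CONF"
}

# start_daemon
# Refuse to run unless the reserved account is present, then drop to it.
# Only root can switch users; "-s /bin/sh" makes su work even when the
# account was created with a nologin shell. An already unprivileged
# caller runs the binary directly. The daemon is run in the foreground
# here; backgrounding and pid-file handling are left to the rc script.
start_daemon() {
    check_account "$SVC_USER" "$SVC_UID" "$SVC_GID" || {
        echo "refusing to start: need user $SVC_USER with uid/gid $SVC_UID/$SVC_GID" >&2
        return 1
    }
    prepare_dirs "" "$SVC_USER" "$SVC_GROUP" >/dev/null || return 1
    if [ "$(id -u)" = 0 ]; then
        su -s /bin/sh -c "exec $SVC_BIN -home=$SVC_CONF" "$SVC_USER"
    else
        "$SVC_BIN" -home="$SVC_CONF"
    fi
}
```

In a SlackBuild, `prepare_dirs "$PKG" syncthing syncthing` does the packaging-time work without touching the live system; at boot the rc script calls `start_daemon`, which performs the same account check the build script does so a machine that lost the account after installation fails loudly instead of running the daemon as root.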