[Slackbuilds-users] Amendments to syncthing scripts to accommodate running as non-root user
Sebastian Arcus
s.arcus at open-t.co.uk
Mon Jun 8 12:59:15 UTC 2015
On 08/06/15 13:39, Matteo Bernardini wrote:
> 2015-06-08 14:34 GMT+02:00 Sebastian Arcus <s.arcus at open-t.co.uk>:
>> As per my previous post to the SBo list, syncthing developers recommend that
>> it should never be run as root - even when run as a daemon - as it has not
>> been designed with that level of security in mind.
>>
>> As the uid:gid 307 has been approved for the syncthing user/group on SBo,
>> may I suggest the patches below to accommodate this user/group in the
>> scripts provided with syncthing on SBo. The patches do the following:
>>
>> 1. Amend rc.syncthing to start syncthing as "syncthing" user.
>> 2. Provide a configurable location for the home/config directory under
>> /var/lib - as it is the custom for data owned by daemons (as opposed to real
>> human users) under Linux.
>> 3. Amend syncthing.SlackBuild script to request the creation of the
>> syncthing user/group, if it doesn't exist.
>> 4. Amend the syncthing.SlackBuild script to create the following dirs and
>> set their permissions accordingly: /var/lib/syncthing/config and
>> /var/run/syncthing
>>
>> I hope the above makes sense. If any of it is incorrect or unsuitable, could
>> you please suggest alternatives.
>>
>> ##############################################
>>
>> --- syncthing.SlackBuild 2015-06-08 13:03:54.758485646 +0100
>> +++ syncthing.SlackBuild.new 2015-06-08 13:18:32.529446783 +0100
>> @@ -49,6 +49,14 @@
>>
>> set -e
>>
>> +# Check if the syncthing user and group exist. If not, then bail.
>> +if [ "$(id -g syncthing 2> /dev/null)" != "307" -o "$(id -u syncthing 2>
>> /dev/null)" != "307" ]; then
>> + echo " You must have an 'syncthing' user and group to run this script."
>> + echo " # groupadd -g 307 exim"
>> + echo " # useradd -d /var/lib/syncthing -g syncthing -s /bin/bash -u
>> 307 syncthing"
>> + exit 1
>> +fi
>> +
>> rm -rf $PKG
>> mkdir -p $TMP $PKG $OUTPUT
>> cd $TMP
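Review bot: the printed hint `echo " # groupadd -g 307 exim"` names the wrong group; it should read `groupadd -g 307 syncthing`, otherwise anyone following the message creates an "exim" group and the uid/gid 307 check above still fails. The `useradd ... -s /bin/bash` hint is also worth reconsidering: a daemon-only account does not need a login shell, and giving it one widens what the account can do if the service is ever compromised.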
>> @@ -72,8 +80,9 @@
>> mkdir -p $PKG/etc/rc.d
>> cat $CWD/rc.syncthing > $PKG/etc/rc.d/rc.syncthing.new
>>
>> -mkdir -p $PKG/var/lib/syncthing
>> +mkdir -p $PKG/var/lib/syncthing/config
>> mkdir -p $PKG/var/run/syncthing
>> +chown -R syncthing.syncthing /var/{lib,run}/syncthing
>>
>> mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
>> cp -a *.txt *.pdf $PKG/usr/doc/$PRGNAM-$VERSION
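Review bot: the new `chown -R syncthing.syncthing /var/{lib,run}/syncthing` line operates on the build host's live /var tree instead of the package tree; the two `mkdir` lines above it create `$PKG/var/lib/syncthing/config` and `$PKG/var/run/syncthing`, so the chown should target `$PKG/var/{lib,run}/syncthing` (and `syncthing:syncthing` is the portable owner:group separator). As written the package ships those directories root-owned while the host's directories get changed as a side effect of building.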
>>
>>
>> ########################################################
>>
>> --- rc.syncthing 2015-06-08 13:04:20.237858026 +0100
>> +++ rc.syncthing.new 2015-06-08 13:09:14.033831997 +0100
>> @@ -2,6 +2,9 @@
>> #
>> # syncthing start script
>>
>> +$ST_USER="syncthing"
>> +$CONFDIR="/var/lib/syncthing/config"
>> +
>> case "$1" in
>> stop)
>> PID=/var/run/syncthing/syncthing.pid
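Review bot: `$ST_USER="syncthing"` and `$CONFDIR="/var/lib/syncthing/config"` are not assignments in sh: the leading `$` expands the (still empty) variable first, so the shell tries to execute a command named `="syncthing"` and both variables remain unset. Drop the `$` on the left-hand side, i.e. `ST_USER="syncthing"` and `CONFDIR="/var/lib/syncthing/config"`.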
>> @@ -15,7 +18,7 @@
>> ;;
>> start)
>> echo "Start Syncthing..."
>> - /usr/bin/syncthing
>> + su - $ST_USER -c "$SYNCTHING -home=$CONFDIR" &
>> ;;
>> restart)
>> $0 stop
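Review bot: `$SYNCTHING` is never defined in this diff (the preceding hunk only sets `ST_USER` and `CONFDIR`, and the line being replaced hard-coded `/usr/bin/syncthing`), so the `su -c` command string expands to just `-home=/var/lib/syncthing/config` with no binary to run. Either add `SYNCTHING=/usr/bin/syncthing` next to the other variables or keep the absolute path inline. Also, the `stop)` branch reads `/var/run/syncthing/syncthing.pid`, but nothing in this hunk records the pid of the backgrounded `su` there, so stop has nothing to act on unless syncthing itself writes that file.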
> I reserved the 307 uid/gid for syncthing as you asked, but I thought
> you already contacted the maintainer about it first: I think he has
> the last word on this.
>
Hi Matteo. I've cc'd the maintainer as well in the email above. I wasn't
sure what the correct procedure is, so I thought I would arrange with
SBo for the user/group to be available first, then suggest the changes
to the scripts to the maintainer - to make the job easier for the
maintainer. I've sent the email above both to the list and the
maintainer directly - as in the past emails sent only to maintainers
seem to disappear on occasion and remain unanswered. I hope I didn't
cause any problems.