[Slackbuilds-users] Amendments to syncthing scripts to accommodate running as non-root user

Sebastian Arcus s.arcus at open-t.co.uk
Fri Jun 12 23:42:16 UTC 2015


On 08/06/15 13:39, Matteo Bernardini wrote:
> 2015-06-08 14:34 GMT+02:00 Sebastian Arcus <s.arcus at open-t.co.uk>:
>> As per my previous post to the SBo list, syncthing developers recommend that
>> it should never be run as root - even when run as a daemon - as it has not
>> been designed with that level of security in mind.
>>
>> As the uid:gid 307 has been approved for the syncthing user/group on SBo,
>> may I suggest the patches below to accommodate this user/group in the
>> scripts provided with syncthing on SBo. The patches do the following:
>>
>> 1. Amend rc.syncthing to start syncthing as "syncthing" user.
>> 2. Provide a configurable location for the home/config directory under
>> /var/lib - as it is the custom for data owned by daemons (as opposed to real
>> human users) under Linux.
>> 3. Amend the syncthing.SlackBuild script to request the creation of the
>> syncthing user/group, if it doesn't exist.
>> 4. Amend the syncthing.Slackbuild script to create the following dirs and
>> set their permissions accordingly: /var/lib/syncthing/config and
>> /var/run/syncthing
>>
>> I hope the above makes sense. If any of it is incorrect or unsuitable, could
>> you please suggest alternatives.
>>
>> ##############################################
>>
>> --- syncthing.SlackBuild        2015-06-08 13:03:54.758485646 +0100
>> +++ syncthing.SlackBuild.new    2015-06-08 13:18:32.529446783 +0100
>> @@ -49,6 +49,14 @@
>>
>>   set -e
>>
>> +# Check if the syncthing user and group exist. If not, then bail.
>> +if [ "$(id -g syncthing 2> /dev/null)" != "307" -o "$(id -u syncthing 2>
>> /dev/null)" != "307" ]; then
>> +  echo "  You must have an 'syncthing' user and group to run this script."
>> +  echo "    # groupadd -g 307 exim"
>> +  echo "    # useradd -d /var/lib/syncthing -g syncthing -s /bin/bash -u
>> 307 syncthing"
>> +  exit 1
>> +fi
>> +
>>   rm -rf $PKG
>>   mkdir -p $TMP $PKG $OUTPUT
>>   cd $TMP
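Review bot: the `groupadd` hint printed by the new check block names the wrong group: `echo "    # groupadd -g 307 exim"` should read `groupadd -g 307 syncthing`, otherwise someone following the printed instructions creates an `exim` group and the `id -g syncthing` test keeps failing. Two smaller points on the same block: the `useradd` hint gives the daemon account `/bin/bash` as its login shell, which is only needed because rc.syncthing later starts it through `su -`; `useradd -s /bin/false` together with `su -s /bin/sh` in the rc script would keep the account non-interactive. And `-o` inside a single `[ ... ]` test is not portable across shells; two separate tests joined with `||` are safer.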
>> @@ -72,8 +80,9 @@
>>   mkdir -p $PKG/etc/rc.d
>>   cat $CWD/rc.syncthing > $PKG/etc/rc.d/rc.syncthing.new
>>
>> -mkdir -p $PKG/var/lib/syncthing
>> +mkdir -p $PKG/var/lib/syncthing/config
>>   mkdir -p $PKG/var/run/syncthing
>> +chown -R syncthing.syncthing /var/{lib,run}/syncthing
>>
>>   mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
>>   cp -a *.txt *.pdf $PKG/usr/doc/$PRGNAM-$VERSION
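Review bot: `chown -R syncthing.syncthing /var/{lib,run}/syncthing` acts on the build host's live filesystem instead of the package tree; every other line in this hunk is prefixed with `$PKG`, and this one should be `chown -R syncthing:syncthing $PKG/var/{lib,run}/syncthing` (colon rather than dot is the portable owner:group separator). As written it changes the ownership of whatever already exists under /var/lib/syncthing and /var/run/syncthing on the build machine and leaves the packaged directories owned by root, which defeats the point of the uid/gid check added at the top of the script.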
>>
>>
>> ########################################################
>>
>> --- rc.syncthing        2015-06-08 13:04:20.237858026 +0100
>> +++ rc.syncthing.new    2015-06-08 13:09:14.033831997 +0100
>> @@ -2,6 +2,9 @@
>>   #
>>   # syncthing start script
>>
>> +$ST_USER="syncthing"
>> +$CONFDIR="/var/lib/syncthing/config"
>> +
>>   case "$1" in
>>          stop)
>>                  PID=/var/run/syncthing/syncthing.pid
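Review bot: the two new assignments are not valid shell. `$ST_USER="syncthing"` expands the (empty) variable first, so the shell tries to execute a command named `=syncthing`, and both `$ST_USER` and `$CONFDIR` stay unset for the rest of the script. Drop the leading `$`: `ST_USER="syncthing"` and `CONFDIR="/var/lib/syncthing/config"`. Since `$CONFDIR` is later handed to `-home=` while running as the syncthing user, that directory must be owned or at least writable by that account, which is what the SlackBuild change is meant to guarantee.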
>> @@ -15,7 +18,7 @@
>>                  ;;
>>          start)
>>                  echo "Start Syncthing..."
>> -               /usr/bin/syncthing
>> +                su - $ST_USER -c "$SYNCTHING -home=$CONFDIR" &
>>                  ;;
>>          restart)
>>                  $0 stop
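Review bot: `$SYNCTHING` is defined nowhere in the shown changes. The removed line ran `/usr/bin/syncthing` explicitly, so either reuse that path here or add `SYNCTHING=/usr/bin/syncthing` beside `ST_USER` and `CONFDIR` at the top of the file; with it unset, the script executes `su - syncthing -c "-home=/var/lib/syncthing/config"`, which fails. Two further points: the `&` backgrounds `su`, not syncthing, so the `stop` branch's `/var/run/syncthing/syncthing.pid` is only populated if syncthing writes that file itself, and the `start` branch gives no indication that it does; and because `su -` runs the command through the target account's login shell, the account needs a real shell unless `su -s /bin/sh` is used, which is what ties this hunk to the `-s /bin/bash` choice in the SlackBuild's useradd hint.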
> I reserved the 307 uid/gid for syncthing as you asked, but I thought
> you already contacted the maintainer about it first: I think he has
> the last word on this.
I haven't yet had any reply to my suggestions from the maintainer of the 
syncthing SBo package, on or off the list. Is there anything else that 
could be done about this? (unless the maintainer disagrees with my 
proposed changes - which is always a possibility)

Sebastian

