starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-04-17 14:09:42 +02:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity

Add optional user and group configuration (fixes #434)

Browse Source
This commit is contained in:
Lukas Schauer
2017-12-18 00:26:01 +01:00
parent f35aed6ae6
commit 2adc57791c
3 changed files with 36 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG
View File

@@ -12,6 +12,7 @@ This file contains a log of major changes in dehydrated
- Allow automatic cleanup on exit (AUTO_CLEANUP) - Allow automatic cleanup on exit (AUTO_CLEANUP)
- Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH) - Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH)
- Certificates can now have aliases to create multiple certificates with identical set of domains (see --alias and domains.txt documentation) - Certificates can now have aliases to create multiple certificates with identical set of domains (see --alias and domains.txt documentation)
- Allow dehydrated to run as specified user (/group)
## [0.4.0] - 2017-02-05 ## [0.4.0] - 2017-02-05
## Changed ## Changed

29
dehydrated
View File

@@ -25,6 +25,7 @@ done
SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
BASEDIR="${SCRIPTDIR}" BASEDIR="${SCRIPTDIR}"
ORIGARGS="$@"
# Create (identifiable) temporary files # Create (identifiable) temporary files
_mktemp() { _mktemp() {
@@ -135,6 +136,8 @@ load_config() {
IP_VERSION= IP_VERSION=
CHAINCACHE= CHAINCACHE=
AUTO_CLEANUP="no" AUTO_CLEANUP="no"
DEHYDRATED_USER=
DEHYDRATED_GROUP=
if [[ -z "${CONFIG:-}" ]]; then if [[ -z "${CONFIG:-}" ]]; then
echo "#" >&2 echo "#" >&2
@@ -165,6 +168,32 @@ load_config() {
done done
fi fi
# Check if we are running & are allowed to run as root
if [[ -n "$DEHYDRATED_USER" ]]; then
command -v sudo > /dev/null 2>&1 || _exiterr "DEHYDRATED_USER set but sudo not available. Please install sudo."
command -v getent > /dev/null 2>&1 || _exiterr "DEHYDRATED_USER set but getent not available. Please install getent."
TARGET_UID="$(getent passwd "${DEHYDRATED_USER}" | cut -d':' -f3)"
if [[ -z "${DEHYDRATED_GROUP}" ]]; then
if [[ "${EUID}" != "${TARGET_UID}" ]]; then
echo "# INFO: Running $0 as ${DEHYDRATED_USER}"
exec sudo -u "${DEHYDRATED_USER}" "${0}" ${ORIGARGS}
fi
else
TARGET_GID="$(getent group "${DEHYDRATED_GROUP}" | cut -d':' -f3)"
if [[ -z "${EGID:-}" ]]; then
command -v id > /dev/null 2>&1 || _exiterr "DEHYDRATED_GROUP set, don't know current gid and 'id' not available... Please provide 'id' binary."
EGID="$(id -g)"
fi
if [[ "${EUID}" != "${TARGET_UID}" ]] || [[ "${EGID}" != "${TARGET_GID}" ]]; then
echo "# INFO: Running $0 as ${DEHYDRATED_USER}/${DEHYDRATED_GROUP}"
exec sudo -u "${DEHYDRATED_USER}" -g "${DEHYDRATED_GROUP}" "${0}" ${ORIGARGS}
fi
fi
elif [[ -n "${DEHYDRATED_GROUP}" ]]; then
_exiterr "DEHYDRATED_GROUP can only be used in combination with DEHYDRATED_USER."
fi
# Check for missing dependencies # Check for missing dependencies
check_dependencies check_dependencies

6
docs/examples/config
View File

@@ -10,6 +10,12 @@
# Default values of this config are in comments # # Default values of this config are in comments #
######################################################## ########################################################
# Which user should dehydrated run as? This will be implictly enforced when running as root
#DEHYDRATED_USER=
# Which group should dehydrated run as? This will be implictly enforced when running as root
#DEHYDRATED_GROUP=
# Resolve names to addresses of IP version only. (curl) # Resolve names to addresses of IP version only. (curl)
# supported values: 4, 6 # supported values: 4, 6
# default: <unset> # default: <unset>