From 4530666292506054d5e3949119eaf6ea186b4bf2 Mon Sep 17 00:00:00 2001
From: Faustin Lammler
Date: Mon, 16 Jan 2023 16:09:15 +0100
Subject: [PATCH] Running daemon under nobody user is not recommended (Closes: #970045)
Create a galera user that will run the daemon instead.
See: https://github.com/systemd/systemd/blob/v246/NEWS#L106-L113
---
 debian/galera-4.preinst | 11 +++++++++++
 garb/files/garb.service | 2 +-
 garb/files/garb.sh | 2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 debian/galera-4.preinst
diff --git a/debian/galera-4.preinst b/debian/galera-4.preinst
new file mode 100644
index 000000000..c8aebb94c
--- /dev/null
+++ b/debian/galera-4.preinst
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o posix
+
+# creating galera user
+getent passwd galera >/dev/null 2>&1 ||
+ adduser --system --no-create-home --home /nonexistent \
+ --disabled-password --disabled-login galera
diff --git a/garb/files/garb.service b/garb/files/garb.service
index 926cf5789..73293d12f 100644
--- a/garb/files/garb.service
+++ b/garb/files/garb.service
@@ -11,7 +11,7 @@ WantedBy=multi-user.target
 Alias=garbd.service
 [Service]
-User=nobody
+User=galera
 ExecStart=/usr/bin/garb-systemd start
 # Use SIGINT because with the default SIGTERM
diff --git a/garb/files/garb.sh b/garb/files/garb.sh
index e35c520b8..b1e3a7466 100755
--- a/garb/files/garb.sh
+++ b/garb/files/garb.sh
@@ -49,7 +49,7 @@ program_start() {
 local rcode
 if [ -f /etc/redhat-release ]; then
 echo -n $"Starting $prog: "
-daemon --user nobody $prog "$@" >/dev/null
+daemon --user galera $prog "$@" >/dev/null
 rcode=$?
 if [ $rcode -eq 0 ]; then
 pidof $prog > $PIDFILE || rcode=$?
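Review bot: The `adduser --system` call in debian/galera-4.preinst passes neither `--group` nor `--ingroup`, so the new `galera` account gets `nogroup` as its primary group. With only `User=galera` set in garb/files/garb.service, the daemon would then still share a group with other unprivileged services, which is part of what moving off `nobody` is meant to avoid. Adding `--group` (`adduser --system --group --no-create-home --home /nonexistent \`) gives it a dedicated group as well. Separately, a preinst runs before the package's Depends are guaranteed to be unpacked, so `adduser` should be in `Pre-Depends` or the account creation moved to a postinst. The diffstat shows no debian/control change, so this may already be covered there.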
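Review bot: `User=galera` in garb/files/garb.service makes the unit depend on an account that this patch creates only in debian/galera-4.preinst, and the same holds for `daemon --user galera` in the `/etc/redhat-release` branch of garb/files/garb.sh. Unless the RPM packaging, or another install path not visible here, also creates `galera`, the service would presumably fail to start on those systems because the user cannot be resolved. It is worth confirming the account is created wherever these two files ship, and adding a comment above the line such as `# galera is a dedicated system account created by the package maintainer scripts`. The [Service] section and `program_start()` both continue outside their hunks.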