author | Rob Austein <sra@hactrn.net> | 2013-07-06 07:01:44 +0000 |
committer | Rob Austein <sra@hactrn.net> | 2013-07-06 07:01:44 +0000 |
commit | bb9d8597dd2d2b2df1bdbe02c50352b92024bedb (patch) | |
tree | 2a5ac510a5ff7bf25f288505cc21ee6afcd52601 /buildtools | |
parent | 4073245905b3573f6868a2c25769daa49f37f97f (diff) |
Switch rpki-rtr sockets directory from being owned by "nobody" to
being owned by another userid we invented, so kickme works right when
not running --cronjob as root. See #557. May need more testing as I
am committing this in haste at NRT RedRug and testing on VMs while in
transit....
svn path=/trunk/; revision=5426
Diffstat (limited to 'buildtools')
-rw-r--r-- | buildtools/debian-skeleton/rpki-rp.postinst | 36 | ||||
-rw-r--r-- | buildtools/freebsd-skeleton/rpki-rp/pkg-install | 39 |
2 files changed, 53 insertions, 22 deletions
diff --git a/buildtools/debian-skeleton/rpki-rp.postinst b/buildtools/debian-skeleton/rpki-rp.postinst index 46ef8b97..ef45c861 100644 --- a/buildtools/debian-skeleton/rpki-rp.postinst +++ b/buildtools/debian-skeleton/rpki-rp.postinst @@ -5,26 +5,36 @@ set -e -setup_rcynic_ownership() { - install -o rcynic -g rcynic -d /var/rcynic/data /var/rcynic/rpki-rtr /var/rcynic/rpki-rtr - if test -d /var/www +setup_groups() { + if ! getent group rcynic >/dev/null then - install -o rcynic -g rcynic -d /var/www/rcynic + groupadd rcynic + fi + if ! getent group rpkirtr >/dev/null + then + groupadd rpkirtr fi } -setup_rcynic_user() { +setup_users() { if ! getent passwd rcynic >/dev/null then useradd -g rcynic -M -N -d /var/rcynic -s /sbin/nologin -c "RPKI validation system" rcynic fi + if ! getent passwd rpkirtr >/dev/null + then + useradd -g rpkirtr -M -N -d /var/rcynic/rpki-rtr -s /sbin/nologin -c "RPKI router server" rpkirtr + fi + usermod -a -G rpkirtr rcynic } -setup_rcynic_group() { - if ! getent group rcynic >/dev/null +setup_directories() { + install -o rcynic -g rcynic -d /var/rcynic/data /var/rcynic/rpki-rtr + if test -d /var/www then - groupadd rcynic + install -o rcynic -g rcynic -d /var/www/rcynic fi + install -o rpkirtr -g rcynic -m 775 -d /var/rcynic/rpki-rtr/sockets } # We want to pick a *random* minute for rcynic to run, to spread load @@ -39,7 +49,7 @@ setup_rcynic_cron() { fi } -setup_rpki_rtr_listener() { +setup_rpkirtr_listener() { if test -f /var/run/xinetd.pid then kill -HUP `cat /var/run/xinetd.pid` @@ -61,11 +71,11 @@ setup_rpki_rtr_listener() { case "$1" in configure) - setup_rcynic_group - setup_rcynic_user - setup_rcynic_ownership + setup_groups + setup_users + setup_directories setup_rcynic_cron - setup_rpki_rtr_listener + setup_rpkirtr_listener ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/buildtools/freebsd-skeleton/rpki-rp/pkg-install b/buildtools/freebsd-skeleton/rpki-rp/pkg-install index 90abb8f2..3a8d960e 100644 
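Review bot: In `setup_directories` (hunk @@ -5) the sockets directory is created with `-m 775`, which grants read and search access to every local user, while the only principals this commit shows touching it are rpkirtr (the owner, and the user the FreeBSD inetd entries now run rtr-origin as) and the rcynic group (kickme, per the commit message); unless some other principal has to traverse it, `install -o rpkirtr -g rcynic -m 770 -d /var/rcynic/rpki-rtr/sockets` is the least-privilege form. The Debian xinetd service definition that `setup_rpkirtr_listener` reloads is not in this diff (the diffstat is limited to buildtools), so if it still runs rtr-origin as `nobody` that user has no write access to an rpkirtr-owned directory and socket creation will fail — worth confirming before this ships. `usermod -a -G rpkirtr rcynic` is idempotent and fine to run on every configure, but since the directory's group is rcynic rather than rpkirtr, a one-line comment above it stating what the rpkirtr supplementary group is needed for would save the next reader the question.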
--- a/buildtools/freebsd-skeleton/rpki-rp/pkg-install +++ b/buildtools/freebsd-skeleton/rpki-rp/pkg-install @@ -25,6 +25,28 @@ PRE-INSTALL) echo "Please create it, then try again." exit 1 fi + if /usr/sbin/pw groupshow "rpkirtr" 2>/dev/null + then + echo "You already have a group \"rpkirtr\", so I will use it." + elif /usr/sbin/pw groupadd rpkirtr + then + echo "Added group \"rpkirtr\"." + else + echo "Adding group \"rpkirtr\" failed..." + echo "Please create it, then try again." + exit 1 + fi + if /usr/sbin/pw usershow "rpkirtr" 2>/dev/null + then + echo "You already have a user \"rpkirtr\", so I will use it." + elif /usr/sbin/pw useradd rpkirtr -g rpkirtr -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI router server" + then + echo "Added user \"rpkirtr\"." + else + echo "Adding user \"rpkirtr\" failed..." + echo "Please create it, then try again." + exit 1 + fi ;; POST-INSTALL) @@ -41,6 +63,11 @@ POST-INSTALL) /usr/bin/install -o rcynic -g rcynic -d /var/rcynic fi done + if ! test -d /var/rcynic/rpki-rtr/sockets + then + echo "Creating /var/rcynic/rpki-rtr/sockets" + /usr/bin/install -o rpkirtr -g rcynic -m 775 -d /var/rcynic/rpki-rtr/sockets + fi if test ! -f /usr/local/etc/rcynic.conf then /bin/cp -p /usr/local/etc/rcynic.conf.sample /usr/local/etc/rcynic.conf @@ -51,13 +78,7 @@ POST-INSTALL) echo "Creating $htmldir" /usr/bin/install -o rcynic -g rcynic -d $htmldir fi - sockdir=/var/rcynic/rpki-rtr/sockets - if ! test -d $sockdir - then - echo "Creating $sockdir" - /usr/bin/install -o nobody -g rcynic -d $sockdir - fi - if test "X`/usr/bin/crontab -l -u ${RCYNIC_CRON_USER} 2>/dev/null`" != "X" + if test "X`/usr/bin/crontab -l -u rcynic 2>/dev/null`" != "X" then echo "rcynic user already has a crontab, leaving it alone" else 
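Review bot: The new `pw useradd rpkirtr ... -d /nonexistant` in PRE-INSTALL (hunk @@ -25) spells the no-home placeholder as `/nonexistant`; `pw` does not create the directory so nothing breaks, but the FreeBSD convention is `/nonexistent`, and the Debian postinst in the same commit gives the account `-d /var/rcynic/rpki-rtr` instead, so the two skeletons should agree on one. Separately, the Debian side adds rcynic to the rpkirtr group (`usermod -a -G rpkirtr rcynic`) but this file has no counterpart; if that membership is what lets kickme reach the sockets, the equivalent here is `/usr/sbin/pw groupmod rpkirtr -m rcynic` after the useradd block.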
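Review bot: The new sockets-directory block in POST-INSTALL (hunk @@ -41) only runs `install -o rpkirtr -g rcynic -m 775 -d` when the directory does not yet exist, so on an upgrade from a package that created it with the removed `install -o nobody -g rcynic -d $sockdir` (hunk @@ -51) the directory keeps its nobody ownership and default mode, while the inetd entries in this same commit now run rtr-origin as rpkirtr, which then cannot create sockets there. The Debian postinst in this commit calls `install` unconditionally and so re-applies owner and mode on every configure; the same works here — drop the `if ! test -d` guard and always run `/usr/bin/install -o rpkirtr -g rcynic -m 775 -d /var/rcynic/rpki-rtr/sockets`, keeping the echo only if you want to report the create case. The 775 mode also gives other users read and search on the directory; 770 suffices if only rpkirtr and the rcynic group need it.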
@@ -80,7 +101,7 @@ POST-INSTALL) if /usr/bin/egrep -q "rpki-rtr[ ]+stream[ ]+tcp[ ]" /etc/inetd.conf then echo "You already have an inetd.conf entry for rpki-rtr on TCPv4, so I will use it." - elif echo >>/etc/inetd.conf "rpki-rtr stream tcp nowait nobody /usr/local/bin/rtr-origin rtr-origin --server /var/rcynic/rpki-rtr" + elif echo >>/etc/inetd.conf "rpki-rtr stream tcp nowait rpkirtr /usr/local/bin/rtr-origin rtr-origin --server /var/rcynic/rpki-rtr" then echo "Added rpki-rtr for TCPv4 to /etc/inetd.conf." else @@ -90,7 +111,7 @@ POST-INSTALL) if /usr/bin/egrep -q "rpki-rtr[ ]+stream[ ]+tcp6[ ]" /etc/inetd.conf then echo "You already have an inetd.conf entry for rpki-rtr on TCPv6, so I will use it." - elif echo >>/etc/inetd.conf "rpki-rtr stream tcp6 nowait nobody /usr/local/bin/rtr-origin rtr-origin --server /var/rcynic/rpki-rtr" + elif echo >>/etc/inetd.conf "rpki-rtr stream tcp6 nowait rpkirtr /usr/local/bin/rtr-origin rtr-origin --server /var/rcynic/rpki-rtr" then echo "Added rpki-rtr for TCPv6 to /etc/inetd.conf." else |
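Review bot: The existence check `/usr/bin/egrep -q "rpki-rtr[ ]+stream[ ]+tcp[ ]" /etc/inetd.conf` above the changed `elif` also matches an entry left by an earlier install that still names `nobody`, so on upgrade the stale line is kept ("so I will use it") and rtr-origin keeps running as nobody, which no longer matches the rpkirtr-owned sockets directory POST-INSTALL creates. The TCPv6 entry in hunk @@ -90 has the same problem. Extending the pattern to the user field, `"rpki-rtr[ ]+stream[ ]+tcp[ ]+nowait[ ]+rpkirtr[ ]"`, lets the script detect the stale case, but it then needs an explicit message telling the admin to fix the user field rather than falling through to the `elif`, since appending a second line would duplicate the service in inetd.conf.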