authorC0rn3j2020-05-27 14:28:36 +0200
committerC0rn3j2020-05-27 14:28:36 +0200
commit99383c4d8709dbbf5a3bd3f5085bfba13a4cbbaf (patch)
treefdc90047cec34b73378a11ec23ee1e52bf6bfb46
parent854b01fcece6985045004b2e59a5365bbda606d2 (diff)
downloadaur-99383c4d8709dbbf5a3bd3f5085bfba13a4cbbaf.tar.gz
do not use a root user
-rw-r--r--.SRCINFO6
-rw-r--r--.gitignore2
-rw-r--r--PKGBUILD32
-rw-r--r--jicofo.service17
-rw-r--r--sysusers.conf2
-rw-r--r--tmpfiles.conf2
6 files changed, 46 insertions, 15 deletions
diff --git a/.SRCINFO b/.SRCINFO
index ac1b7077388..91bb2cc75ef 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -17,10 +17,14 @@ pkgbase = jicofo-git
source = jicofo.conf
source = jicofo.service
source = sip-communicator.properties
+ source = sysusers.conf
+ source = tmpfiles.conf
sha256sums = SKIP
sha256sums = 3a558324a17011cf48e033ce265d45cc06a0b53e009984e841496f1cd4d7519d
- sha256sums = a28d21abcbb58ac50c974aba04360c3307a37074b420e40abd016e9d9adddd85
+ sha256sums = 82937c73200a38326e4362fcf0cbc27ad710a0c0c5708e5f84815d10dfd86a86
sha256sums = ed3a2c91d3f6c92f3aeae4dd852f04196ed57cc0c8a33da3bae6c1fb26b88294
+ sha256sums = 0681e97ca1e06d8ea7bdec0a874c6fc7a6ea84628923005130cd444547a1b440
+ sha256sums = b4ed1528f804056b43d47a8214f2ed853b31a8cedbafb96c26fae556df554be8
pkgname = jicofo-git
diff --git a/.gitignore b/.gitignore
index a3580d3d958..5aaf857cbe9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@
!jicofo.service
!jicofo.conf
!sip-communicator.properties
+!sysusers.conf
+!tmpfiles.conf
diff --git a/PKGBUILD b/PKGBUILD
index a30cac301a6..68feed64281 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -23,29 +23,35 @@ changelog=
source=($pkgname::git+https://github.com/jitsi/jicofo
jicofo.conf
jicofo.service
- sip-communicator.properties)
+ sip-communicator.properties
+ sysusers.conf
+ tmpfiles.conf)
noextract=()
sha256sums=('SKIP'
'3a558324a17011cf48e033ce265d45cc06a0b53e009984e841496f1cd4d7519d'
- 'a28d21abcbb58ac50c974aba04360c3307a37074b420e40abd016e9d9adddd85'
- 'ed3a2c91d3f6c92f3aeae4dd852f04196ed57cc0c8a33da3bae6c1fb26b88294')
+ '82937c73200a38326e4362fcf0cbc27ad710a0c0c5708e5f84815d10dfd86a86'
+ 'ed3a2c91d3f6c92f3aeae4dd852f04196ed57cc0c8a33da3bae6c1fb26b88294'
+ '0681e97ca1e06d8ea7bdec0a874c6fc7a6ea84628923005130cd444547a1b440'
+ 'b4ed1528f804056b43d47a8214f2ed853b31a8cedbafb96c26fae556df554be8')
validpgpkeys=()
pkgver() {
- cd "$pkgname"
- printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+ cd "$pkgname"
+ printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
}
build() {
- cd "${srcdir}/${pkgname}"
- mvn package -DskipTests -Dassembly.skipAssembly=false
- unzip -o target/jicofo-1.1-SNAPSHOT-archive.zip
+ cd "${srcdir}/${pkgname}"
+ mvn package -DskipTests -Dassembly.skipAssembly=false
+ unzip -o target/jicofo-1.1-SNAPSHOT-archive.zip
}
package() {
- install -d "${pkgdir}/usr/share"
- cp -R "${srcdir}/jicofo-git/jicofo-1.1-SNAPSHOT/" "${pkgdir}/usr/share/jicofo"
- install -Dm644 jicofo.service "$pkgdir"/usr/lib/systemd/system/jicofo.service
- install -Dm644 jicofo.conf "$pkgdir"/etc/jitsi/jicofo/jicofo.conf
- install -Dm644 sip-communicator.properties "${pkgdir}"/etc/jitsi/jicofo/sip-communicator.properties
+ install -d "${pkgdir}/usr/share"
+ cp -R "${srcdir}/jicofo-git/jicofo-1.1-SNAPSHOT/" "${pkgdir}/usr/share/jicofo"
+ install -Dm644 jicofo.conf "$pkgdir/etc/jitsi/jicofo/jicofo.conf"
+ install -Dm644 jicofo.service "$pkgdir/usr/lib/systemd/system/jicofo.service"
+ install -Dm644 sip-communicator.properties "${pkgdir}/etc/jitsi/jicofo/sip-communicator.properties"
+ install -Dm644 sysusers.conf "${pkgdir}/usr/lib/sysusers.d/jicofo.conf"
+ install -Dm644 tmpfiles.conf "${pkgdir}/usr/lib/tmpfiles.d/jicofo.conf"
}
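Review bot: In package(), jicofo.conf is still installed with `-Dm644`, although jicofo.service takes JICOFO_SECRET and JICOFO_AUTH_PASSWORD from that file. The packaged copy is therefore world-readable until tmpfiles.conf has been applied, and stays so on any system where that step does not run. Installing it restrictively closes the window: `install -Dm640 jicofo.conf "$pkgdir/etc/jitsi/jicofo/jicofo.conf"`, and the same mode for sip-communicator.properties if it can hold credentials. The hunk begins at line 23 of PKGBUILD, so whether a `backup=()` array protects these files from being overwritten on upgrade cannot be seen from here.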
diff --git a/jicofo.service b/jicofo.service
index 788f19552fc..d540b247494 100644
--- a/jicofo.service
+++ b/jicofo.service
@@ -1,13 +1,28 @@
[Unit]
-Description=Jicofo
+Description=JItsi COnference FOcus
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
EnvironmentFile=/etc/jitsi/jicofo/jicofo.conf
+User=jicofo
ExecStart=/usr/share/jicofo/jicofo.sh --host=${JICOFO_HOST} --domain=${JICOFO_HOSTNAME} --port=${JICOFO_PORT} --secret=${JICOFO_SECRET} --user_name=${JICOFO_AUTH_USER} --user_domain=${JICOFO_AUTH_DOMAIN} --user_password=${JICOFO_AUTH_PASSWORD} ${JICOFO_OPTS}
+WorkingDirectory=~
+StateDirectory=jicofo
+StateDirectoryMode=0750
+LogsDirectory=jicofo
+LogsDirectoryMode=0750
Restart=on-failure
+# Hardening
+#NoNewPrivileges=yes
+#PrivateTmp=yes
+#PrivateDevices=yes
+#ProtectHome=yes
+#ProtectKernelTunables=yes
+#ProtectControlGroups=yes
+#ProtectSystem=strict
+
[Install]
WantedBy=multi-user.target
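Review bot: Every directive under `# Hardening` is added commented out, so the unit gains `User=jicofo` but none of the sandboxing listed beneath it. `StateDirectory=` and `LogsDirectory=` already give the service its writable paths, so `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=strict` look safe to enable, provided jicofo writes nowhere else; a test run should confirm that. Separately, the unchanged ExecStart line passes `--secret=` and `--user_password=` as arguments, which leaves both values readable in the process list by any local account. Dropping root does not change that, so it deserves a comment in the unit if jicofo.sh offers no other way to supply them.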
diff --git a/sysusers.conf b/sysusers.conf
new file mode 100644
index 00000000000..9991955c9e4
--- /dev/null
+++ b/sysusers.conf
@@ -0,0 +1,2 @@
+g jitsi
+u jicofo -:jitsi - /var/lib/jicofo
diff --git a/tmpfiles.conf b/tmpfiles.conf
new file mode 100644
index 00000000000..e06fe710b8d
--- /dev/null
+++ b/tmpfiles.conf
@@ -0,0 +1,2 @@
+Z /etc/jitsi/jicofo 0640 jicofo jitsi
+z /etc/jitsi/jicofo 0750 jicofo jitsi
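Review bot: Both lines make the `jicofo` account the owner of /etc/jitsi/jicofo and everything in it, so the service can rewrite the configuration it is started from, including the EnvironmentFile that feeds ExecStart. Read access through the group is enough for a service that only consumes these files: `Z /etc/jitsi/jicofo 0640 root jitsi` and `z /etc/jitsi/jicofo 0750 root jitsi`. The recursive `Z` also applies 0640 to any subdirectory, which would leave it without the search bit, so that should be checked if the directory ever gains one. If the `jitsi` group is shared with other Jitsi services, as the name suggests, its members can read jicofo's secrets too; a dedicated group would avoid that.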