From 30c2de8e0f6b6944cfc7a577064e3f2bf4692060 Mon Sep 17 00:00:00 2001
From: Richard Fuchs
Date: Mon, 10 Jan 2022 08:41:33 -0500
Subject: [PATCH] TT#157800 run rtpengine as non-root
*) Create dedicated rtpengine user in postinst and remove it in postrm.
*) Use RuntimeDirectory= systemd unit config.
*) Use dedicated user for /proc interface and set file umask to hide it from other users.
*) Set owner and permissions on default directories used for call recording.
Change-Id: I8e225b36d065d46da2489fb8286916371950f490
---
 debian/ngcp-rtpengine-daemon.default | 7 ++++---
 debian/ngcp-rtpengine-daemon.postinst | 6 ++++++
 debian/ngcp-rtpengine-daemon.postrm | 13 +++++++++++++
 debian/ngcp-rtpengine-daemon.service | 13 +++++++++----
 debian/ngcp-rtpengine-recording-daemon.default | 2 +-
 debian/ngcp-rtpengine-recording-daemon.postinst | 16 ++++++++++++++++
 debian/ngcp-rtpengine-recording-daemon.service | 8 ++++++--
 7 files changed, 55 insertions(+), 10 deletions(-)
 create mode 100644 debian/ngcp-rtpengine-daemon.postrm
 create mode 100644 debian/ngcp-rtpengine-recording-daemon.postinst
diff --git a/debian/ngcp-rtpengine-daemon.default b/debian/ngcp-rtpengine-daemon.default
index 153217f37..705b9e853 100644
--- a/debian/ngcp-rtpengine-daemon.default
+++ b/debian/ngcp-rtpengine-daemon.default
@@ -1,6 +1,7 @@
 CONFIG_FILE=/etc/rtpengine/rtpengine.conf
 # CONFIG_SECTION=rtpengine
-PIDFILE=/run/ngcp-rtpengine-daemon.pid
+PIDFILE=/run/rtpengine/ngcp-rtpengine-daemon.pid
 MANAGE_IPTABLES=yes
-#SET_USER=root
-#SET_GROUP=root # GROUP only needs to be set if USER is not set or if the user isn't in the group
+SET_USER=rtpengine
+#SET_GROUP=rtpengine # GROUP only needs to be set if USER is not set or if the user isn't in the group
+SET_MASK=0x7
diff --git a/debian/ngcp-rtpengine-daemon.postinst b/debian/ngcp-rtpengine-daemon.postinst
index 5fe2ac8ff..aebf1b426 100644
--- a/debian/ngcp-rtpengine-daemon.postinst
+++ b/debian/ngcp-rtpengine-daemon.postinst
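Review bot: `SET_MASK=0x7` in debian/ngcp-rtpengine-daemon.default is added without a comment, and neither its number base nor the object it applies to is evident from the file. The commit message describes it as a file umask that hides the /proc interface from other users, so a line such as `# umask for the /proc interface: 0x7 strips all access for users other than SET_USER/SET_GROUP` above it would record that; the exact wording should be confirmed against the code that consumes the variable, which is outside this diff. The new `PIDFILE=` value must also stay identical to the path hard-coded in `PIDFile=` and `--pidfile` in ngcp-rtpengine-daemon.service, which is worth stating next to it.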
@@ -32,6 +32,12 @@ else
 fi
 fi
+if [ "$1" = configure ]; then
+ adduser --system --home /nonexistent --gecos rtpengine \
+ --no-create-home --disabled-password \
+ --group --quiet rtpengine || true
+fi
+
 #DEBHELPER#
 exit 0
diff --git a/debian/ngcp-rtpengine-daemon.postrm b/debian/ngcp-rtpengine-daemon.postrm
new file mode 100644
index 000000000..1826fe80b
--- /dev/null
+++ b/debian/ngcp-rtpengine-daemon.postrm
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = purge ]; then
+ deluser --quiet --system rtpengine > /dev/null || true
+ delgroup --quiet --system rtpengine > /dev/null || true
+fi
+
+#DEBHELPER#
+
+exit 0
+
diff --git a/debian/ngcp-rtpengine-daemon.service b/debian/ngcp-rtpengine-daemon.service
index b4838768c..be9b324ce 100644
--- a/debian/ngcp-rtpengine-daemon.service
+++ b/debian/ngcp-rtpengine-daemon.service
@@ -7,10 +7,15 @@ Requires=network-online.target
 [Service]
 Type=notify
 EnvironmentFile=/etc/default/ngcp-rtpengine-daemon
-PIDFile=/run/ngcp-rtpengine-daemon.pid
-ExecStartPre=/usr/sbin/ngcp-rtpengine-iptables-setup start
-ExecStart=/usr/sbin/rtpengine -f -E --no-log-timestamps --pidfile /run/ngcp-rtpengine-daemon.pid --config-file /etc/rtpengine/rtpengine.conf
-ExecStopPost=/usr/sbin/ngcp-rtpengine-iptables-setup stop
+RuntimeDirectory=rtpengine
+PIDFile=/run/rtpengine/ngcp-rtpengine-daemon.pid
+User=rtpengine
+Group=rtpengine
+AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_NICE
+LimitNOFILE=150000
+ExecStartPre=+/usr/sbin/ngcp-rtpengine-iptables-setup start
+ExecStart=/usr/sbin/rtpengine -f -E --no-log-timestamps --pidfile /run/rtpengine/ngcp-rtpengine-daemon.pid --config-file /etc/rtpengine/rtpengine.conf
+ExecStopPost=+/usr/sbin/ngcp-rtpengine-iptables-setup stop
 [Install]
 WantedBy=multi-user.target
diff --git a/debian/ngcp-rtpengine-recording-daemon.default b/debian/ngcp-rtpengine-recording-daemon.default
index 230e36b5c..dfa78d817 100644
--- a/debian/ngcp-rtpengine-recording-daemon.default
+++ b/debian/ngcp-rtpengine-recording-daemon.default
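Review bot: The `|| true` after the `adduser` call in debian/ngcp-rtpengine-daemon.postinst hides a failed account creation, so the package configures successfully and the problem only surfaces later when the unit with `User=rtpengine` cannot start. As far as I know `adduser --system` already exits successfully when the system user exists, so the last line can end at `--group --quiet rtpengine` and let a real failure abort the configure step. That relies on the script running under `set -e`; its top is outside this hunk, so this should be confirmed. A one-line comment above the block naming the units that run as this account would also help.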
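Review bot: Purging ngcp-rtpengine-daemon deletes the `rtpengine` account in debian/ngcp-rtpengine-daemon.postrm, although ngcp-rtpengine-recording-daemon.service in this same commit runs as `User=rtpengine` and its postinst chowns /var/lib/rtpengine-recording and /var/spool/rtpengine to that account. After the purge a still-installed recording daemon can no longer start, and the recordings are left owned by a bare numeric UID that a later-created account may be assigned. Keeping the account on purge (dropping the `deluser`/`delgroup` lines) avoids both problems. If removal is wanted, it should at least be skipped while the recording package is installed.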
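Review bot: `AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_NICE` in debian/ngcp-rtpengine-daemon.service grants capabilities to the unprivileged process but nothing bounds them, so the unit keeps the default full bounding set and could gain more through a setuid or file-capability binary. Adding `CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_NICE` and `NoNewPrivileges=yes` would close that. systemd.service(5) documents `+`-prefixed command lines as not subject to `User=` or `CapabilityBoundingSet=`, so the iptables helper on `ExecStartPre=`/`ExecStopPost=` should keep running as root. Whether the daemon needs any further capability should be checked before fixing the set. The same two lines apply to the `AmbientCapabilities=CAP_NET_ADMIN` added in ngcp-rtpengine-recording-daemon.service.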
@@ -1,6 +1,6 @@
 CONFIG_FILE=/etc/rtpengine/rtpengine-recording.conf
 # CONFIG_SECTION=rtpengine-recording
-PIDFILE=/run/ngcp-rtpengine-recording-daemon.pid
+PIDFILE=/run/rtpengine-recording/ngcp-rtpengine-recording-daemon.pid
 #SET_USER=root
 #SET_GROUP=root # GROUP only needs to be set if USER is not set or if the user isn't in the group
 #
diff --git a/debian/ngcp-rtpengine-recording-daemon.postinst b/debian/ngcp-rtpengine-recording-daemon.postinst
new file mode 100644
index 000000000..a85dbebdb
--- /dev/null
+++ b/debian/ngcp-rtpengine-recording-daemon.postinst
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = configure ]; then
+ for DIR in /var/lib/rtpengine-recording /var/spool/rtpengine; do
+ if ! dpkg-statoverride --list "$DIR" > /dev/null 2>&1; then
+ chown rtpengine:rtpengine "$DIR"
+ chmod 0770 "$DIR"
+ fi
+ done
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/ngcp-rtpengine-recording-daemon.service b/debian/ngcp-rtpengine-recording-daemon.service
index 3f6b98435..f4bca109d 100644
--- a/debian/ngcp-rtpengine-recording-daemon.service
+++ b/debian/ngcp-rtpengine-recording-daemon.service
@@ -9,8 +9,12 @@ Requires=ngcp-rtpengine-recording-nfs-mount.service
 [Service]
 Type=notify
 LimitNOFILE=100000
-PIDFile=/run/ngcp-rtpengine-recording-daemon.pid
-ExecStart=/usr/sbin/rtpengine-recording -f -E --no-log-timestamps --pidfile /run/ngcp-rtpengine-recording-daemon.pid --config-file /etc/rtpengine/rtpengine-recording.conf
+RuntimeDirectory=rtpengine-recording
+PIDFile=/run/rtpengine-recording/ngcp-rtpengine-recording-daemon.pid
+AmbientCapabilities=CAP_NET_ADMIN
+User=rtpengine
+Group=rtpengine
+ExecStart=/usr/sbin/rtpengine-recording -f -E --no-log-timestamps --pidfile /run/rtpengine-recording/ngcp-rtpengine-recording-daemon.pid --config-file /etc/rtpengine/rtpengine-recording.conf
 [Install]
 WantedBy=multi-user.target
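Review bot: The `chown rtpengine:rtpengine "$DIR"` in debian/ngcp-rtpengine-recording-daemon.postinst depends on an account that only ngcp-rtpengine-daemon.postinst creates, and on both directories already existing; under `set -e` either gap aborts the configure step. Unless debian/control (not part of this diff) makes this package depend on ngcp-rtpengine-daemon, the same `adduser --system ... --group --quiet rtpengine` call should be repeated here before the loop. If the package does not ship both directories, the loop body should start with `[ -d "$DIR" ] || continue`. The `dpkg-statoverride --list` guard deserves a comment saying it keeps an administrator's override from being reset on upgrade.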
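Review bot: `AmbientCapabilities=CAP_NET_ADMIN` in debian/ngcp-rtpengine-recording-daemon.service gives the recording daemon network-administration rights with no explanation, and nothing visible in this unit (no iptables helper, no network setup) shows why it needs them. If the capability is required, a comment above the line should name the operation that fails without it; if not, the line should be dropped so the daemon runs with an empty capability set. Because call recordings are sensitive, `UMask=0007` would also be worth adding so newly written files match the 0770 directories set in the postinst, assuming the daemon does not set its own mode on the files it creates.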