From 61e4ad1347f51a84400cbf87633cc99f657f9ad7 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 9 Dec 2020 20:28:46 +0100
Subject: Make unprivileged user/group for the internal client resp. webserver
 configurable.

---
 Changelog         |  2 ++
 Makefile          | 12 +++++++++++-
 config/lacme.conf | 20 ++++++++++----------
 lacme             |  8 ++++----
 lacme.8.md        | 22 ++++++++++------------
 5 files changed, 37 insertions(+), 27 deletions(-)

diff --git a/Changelog b/Changelog
index f94e81e..a9f137e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,5 +1,7 @@
 lacme (0.7.1) upstream;
 
+ * Unprivileged user/group for the internal client resp. webserver are
+   now configurable at install time.
  - lacme: delay webserver socket shutdown to after the process has
    terminated.
  - documentation: suggest to generate private key material with
diff --git a/Makefile b/Makefile
index a4098de..afc5c71 100644
--- a/Makefile
+++ b/Makefile
@@ -35,6 +35,11 @@ mandir ?= $(datarootdir)/man
 man1dir ?= $(mandir)/man1
 man8dir ?= $(mandir)/man8
 
+lacme_www_user ?= www-data
+lacme_www_group ?= www-data
+lacme_client_user ?= nobody
+lacme_client_group ?= nogroup
+
 $(BUILDDIR)/%: %
 	mkdir -pv -- $(dir $@)
 	cp --no-dereference --preserve=mode,links,xattr -vfT -- "$<" "$@"
@@ -43,7 +48,12 @@ $(BUILDDIR)/%: %
 	        s#@@libexecdir@@#$(libexecdir)#g; \
 	        s#@@datadir@@#$(datadir)#g; \
 	        s#@@runstatedir@@#$(runstatedir)#g; \
-	        s#@@sysconfdir@@#$(sysconfdir)#g;" -- "$@"
+	        s#@@sysconfdir@@#$(sysconfdir)#g; \
+	        s#@@lacme_www_user@@#$(lacme_www_user)#g; \
+	        s#@@lacme_www_group@@#$(lacme_www_group)#g; \
+	        s#@@lacme_client_user@@#$(lacme_client_user)#g; \
+	        s#@@lacme_client_group@@#$(lacme_client_group)#g;" \
+	        -- "$@"
 
 install: all
 	install -m0644 -vDt $(sysconfdir)/lacme $(BUILDDIR)/config/*.conf $(BUILDDIR)/snippets/*.conf
diff --git a/config/lacme.conf b/config/lacme.conf
index 9f4db72..cc8488d 100644
--- a/config/lacme.conf
+++ b/config/lacme.conf
@@ -19,15 +19,15 @@
 #socket =
 
 # username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
 #
-#user = nobody
+#user = @@lacme_client_user@@
 
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
 #
-#group = nogroup
+#group = @@lacme_client_group@@
 
 # Path to the ACME client executable.
 #
@@ -72,15 +72,15 @@
 #challenge-directory =
 
 # username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
 #
-#user = www-data
+#user = @@lacme_www_user@@
 
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
+# Skip privilege drop if the value is empty (not recommended).
 #
-#group = www-data
+#group = @@lacme_www_group@@
 
 # Path to the ACME webserver executable.
 #
@@ -99,13 +99,13 @@
 # an existing lacme-accountd(1) process via a UNIX-domain socket.
 
 # username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty.
+# Skip privilege drop if the value is empty.
 #
 #user =
 
 # groupname to drop privileges to (setting both effective and real gid,
 # and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty.
+# Skip privilege drop if the value is empty.
 #
 #group =
 
diff --git a/lacme b/lacme
index 088e393..e4b8e01 100755
--- a/lacme
+++ b/lacme
@@ -91,8 +91,8 @@ do {
     my %valid = (
         client => {
             socket  => (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef),
-            user    => 'nobody',
-            group   => 'nogroup',
+            user    => '@@lacme_client_user@@',
+            group   => '@@lacme_client_group@@',
             command => '@@libexecdir@@/lacme/client',
             # the rest is for the ACME client
             map {$_ => undef} qw/server timeout SSL_verify SSL_version SSL_cipher_list/
@@ -100,8 +100,8 @@ do {
         webserver => {
             listen                => '@@runstatedir@@/lacme-www.socket',
             'challenge-directory' => undef,
-            user                  => 'www-data',
-            group                 => 'www-data',
+            user                  => '@@lacme_www_user@@',
+            group                 => '@@lacme_www_group@@',
             command               => '@@libexecdir@@/lacme/webserver',
             iptables              => 'No'
 
diff --git a/lacme.8.md b/lacme.8.md
index 3840455..ecf87c3 100644
--- a/lacme.8.md
+++ b/lacme.8.md
@@ -168,17 +168,16 @@ of [ACME] commands and dialogues with the remote [ACME] server).
 *user*
 
 :   The username to drop privileges to (setting both effective and real
-    uid).  Preserve root privileges if the value is empty (not
-    recommended).
-    Default: `nobody`.
+    uid).  Skip privilege drop if the value is empty (not recommended).
+    Default: `@@lacme_client_user@@`.
 
 *group*
 
 :   The groupname to drop privileges to (setting both effective and real
     gid, and also setting the list of supplementary gids to that single
-    group).  Preserve root privileges if the value is empty (not
+    group).  Skip privilege drop if the value is empty (not
     recommended).
-    Default: `nogroup`.
+    Default: `@@lacme_client_group@@`.
 
 *command*
 
@@ -245,17 +244,16 @@ served during certificate issuance.
 *user*
 
 :   The username to drop privileges to (setting both effective and real
-    uid).  Preserve root privileges if the value is empty (not
-    recommended).
-    Default: `www-data`.
+    uid).  Skip privilege drop if the value is empty (not recommended).
+    Default: `@@lacme_www_user@@`.
 
 *group*
 
 :   The groupname to drop privileges to (setting both effective and real
     gid, and also setting the list of supplementary gids to that single
-    group).  Preserve root privileges if the value is empty (not
+    group).  Skip privilege drop if the value is empty (not
     recommended).
-    Default: `www-data`.
+    Default: `@@lacme_www_group@@`.
 
 *command*
 
@@ -283,13 +281,13 @@ UNIX-domain socket.
 *user*
 
 :   The username to drop privileges to (setting both effective and real
-    uid).  Preserve root privileges if the value is empty.
+    uid).  Skip privilege drop if the value is empty.
 
 *group*
 
 :   The groupname to drop privileges to (setting both effective and real
     gid, and also setting the list of supplementary gids to that single
-    group).  Preserve root privileges if the value is empty.
+    group).  Skip privilege drop if the value is empty.
 
 *command*
 
-- 
cgit v1.2.3