From a321c90db4a6d323f1a9bc06c4d861cee8868664 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 15 Feb 2021 00:32:29 +0100 Subject: Use dedicated system users for internal components. * The internal webserver now runs as a dedicated system user _lacme-www (and group nogroup) instead of www-data:www-data. This is configurable in the [webserver] section of the lacme(8) configuration file. * The internal ACME client now runs as a dedicated system user _lacme-client (and group nogroup) instead of nobody:nogroup. This is configurable in the [client] section of the lacme(8) configuration file. * The _lacme-www and _lacme-client system users are created automatically by lacme.postinst (hence a new Depends: adduser), and deleted on purge. (So make sure not to chown any file to these internal users.) --- debian/lacme.postinst | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100755 debian/lacme.postinst (limited to 'debian/lacme.postinst') diff --git a/debian/lacme.postinst b/debian/lacme.postinst new file mode 100755 index 0000000..536e37f --- /dev/null +++ b/debian/lacme.postinst @@ -0,0 +1,21 @@ +#!/bin/sh + +set -e + +if [ "$1" = "configure" ]; then + if ! getent passwd _lacme-www >/dev/null; then + adduser --force-badname --system \ + --home /nonexistent --no-create-home \ + --gecos "lacme www user" \ + --quiet _lacme-www || true + fi + if ! getent passwd _lacme-client >/dev/null; then + adduser --force-badname --system \ + --home /nonexistent --no-create-home \ + --gecos "lacme client user" \ + --quiet _lacme-client || true + fi +fi + +#DEBHELPER# +exit 0 -- cgit v1.2.3
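Review bot: the `|| true` appended to both `adduser` invocations in the `configure` branch defeats `set -e` and turns a failed user creation into a silent success, so a missing `_lacme-www` or `_lacme-client` account would only surface later, when the internal webserver or ACME client tries to drop privileges to it. Since the preceding `if ! getent passwd ... >/dev/null` guard already covers the user-already-exists case, the `|| true` is not needed for idempotency; consider removing it so the package configure step fails loudly, or at minimum emit a warning on stderr when `adduser` returns non-zero.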