From c73b9e1c09116ed92340dd150b64f2195ee47851 Mon Sep 17 00:00:00 2001
From: Mathieu Baudier
Date: Fri, 20 Oct 2023 07:28:42 +0200
Subject: [PATCH] Use freed user when running CMS
---
 debian/argeo-freed-cms.preinst | 63 +++++++++++++++++++++++++++
 usr/lib/systemd/system/argeo@.service | 4 +-
 2 files changed, 65 insertions(+), 2 deletions(-)
 create mode 100755 debian/argeo-freed-cms.preinst
diff --git a/debian/argeo-freed-cms.preinst b/debian/argeo-freed-cms.preinst
new file mode 100755
index 0000000..e10b722
--- /dev/null
+++ b/debian/argeo-freed-cms.preinst
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+# see https://www.debian.org/doc/manuals/securing-debian-manual/bpp-lower-privs.en.html
+
+case "$1" in
+ install|upgrade)
+
+ # If the package has default file it could be sourced, so that
+ # the local admin can overwrite the defaults
+
+ [ -f "/etc/default/freed" ] && . /etc/default/freed
+
+ # Sane defaults:
+
+ [ -z "$SERVER_HOME" ] && SERVER_HOME=/var/lib/freed
+ [ -z "$SERVER_USER" ] && SERVER_USER=freed
+ [ -z "$SERVER_NAME" ] && SERVER_NAME="FREEd Apps"
+ [ -z "$SERVER_GROUP" ] && SERVER_GROUP=freed
+
+ # Groups that the user will be added to, if undefined, then none.
+ ADDGROUP=""
+
+ # create user to avoid running server as root
+ # 1. create group if not existing
+ if ! getent group | grep -q "^$SERVER_GROUP:" ; then
+ echo -n "Adding group $SERVER_GROUP.."
+ addgroup --quiet --system $SERVER_GROUP 2>/dev/null ||true
+ echo "..done"
+ fi
+ # 2. create homedir if not existing
+ test -d $SERVER_HOME || mkdir $SERVER_HOME
+ # 3. create user if not existing
+ if ! getent passwd | grep -q "^$SERVER_USER:"; then
+ echo -n "Adding system user $SERVER_USER.."
+ adduser --quiet \
+ --system \
+ --ingroup $SERVER_GROUP \
+ --no-create-home \
+ --disabled-password \
+ $SERVER_USER 2>/dev/null || true
+ echo "..done"
+ fi
+ # 4. adjust passwd entry
+ usermod -c "$SERVER_NAME" \
+ -d $SERVER_HOME \
+ -g $SERVER_GROUP \
+ $SERVER_USER
+ # 5. adjust file and directory permissions
+ if ! dpkg-statoverride --list $SERVER_HOME >/dev/null
+ then
+ chown -R $SERVER_USER:adm $SERVER_HOME
+ chmod u=rwx,g=rxs,o= $SERVER_HOME
+ fi
+ # 6. Add the user to the ADDGROUP group
+ if test -n $ADDGROUP
+ then
+ if ! groups $SERVER_USER | cut -d: -f2 | \
+ grep -qw $ADDGROUP; then
+ adduser $SERVER_USER $ADDGROUP
+ fi
+ fi
+ ;;
+ configure)
\ No newline at end of file
diff --git a/usr/lib/systemd/system/argeo@.service b/usr/lib/systemd/system/argeo@.service
index 1c5532f..a4ccef7 100644
--- a/usr/lib/systemd/system/argeo@.service
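Review bot: The script stops at `configure)` on its last line with neither `;;` nor `esac`, and because this is a new 63-line file the whole of it is visible here, so a POSIX shell should report a syntax error at end of file before any of the account setup runs; close the statement with `;;` and `esac` (as far as Debian policy describes maintainer-script arguments, preinst is never called with `configure`, so that arm can probably be dropped). In step 6, `test -n $ADDGROUP` is unquoted and therefore true when `ADDGROUP` is empty, which leads to `adduser $SERVER_USER` being run with no group argument; write `if test -n "$ADDGROUP"`. The values sourced from `/etc/default/freed` are also expanded unquoted in `mkdir`, `usermod`, `chown` and `chmod`, all of which run as root, so a path containing whitespace or a glob character would be applied to the wrong targets; quote every `$SERVER_*` expansion, for example `chmod u=rwx,g=rxs,o= "$SERVER_HOME"`. Step 5's `chown -R $SERVER_USER:adm $SERVER_HOME` recurses as root through a tree that, on upgrade, the unprivileged service account can already write to, so it would be safer to change only the top-level directory or to limit the recursive pass to the first install, and the choice of group `adm` rather than `$SERVER_GROUP` deserves a comment if it is intended.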
+++ b/usr/lib/systemd/system/argeo@.service
@@ -6,8 +6,8 @@ Wants=postgresql.service
 [Service]
 Type=simple
-User=daemon
-Group=daemon
+User=freed
+Group=freed
 StateDirectory=argeo.d/%I
 LogsDirectory=argeo.d/%I
-- 
2.30.2
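Review bot: `User=freed` and `Group=freed` are fixed in the unit, while the preinst added by this same patch lets `/etc/default/freed` override `SERVER_USER` and `SERVER_GROUP`, so an admin who changes those gets an account the unit never uses and, if `freed` itself was not created, a service that fails to start. Either drop the override from the preinst or add a comment above these two lines such as `# must match SERVER_USER/SERVER_GROUP from /etc/default/freed; change via a drop-in`. Existing `StateDirectory=argeo.d/%I` and `LogsDirectory=argeo.d/%I` trees were presumably created for `daemon`, so it is worth checking on an upgraded host that they end up owned by `freed` after the first start. The `[Service]` section continues past the hunk, so whether sandboxing options such as `NoNewPrivileges=yes` are already set cannot be seen from here.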