Packages: run non-privileged processes under "unit" user.

2020-12-17 14:30:18 +03:00
parent a5fa9673d9
commit 53d847615b
29 changed files with 58 additions and 30 deletions
--- a/pkg/deb/Makefile
+++ b/pkg/deb/Makefile
@@ -157,6 +157,8 @@ CONFIGURE_ARGS=\
 	--pid=/var/run/unit.pid \
 	--log=/var/log/unit.log \
 	--tmp=/var/tmp \
 	--user=unit \
 	--group=unit \
 	--tests \
 	--openssl
--- a/pkg/deb/debian.module/unit.example-go-config
+++ b/pkg/deb/debian.module/unit.example-go-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_go": {
 			"type": "external",
 			"user": "nobody",
 			"executable": "/tmp/go-app"
 		}
 	},
--- a/pkg/deb/debian.module/unit.example-perl-config
+++ b/pkg/deb/debian.module/unit.example-perl-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_perl": {
 			"type": "perl",
 			"user": "nobody",
 			"processes": 1,
 			"working_directory": "/usr/share/doc/unit-perl/examples/perl-app",
 			"script": "/usr/share/doc/unit-perl/examples/perl-app/index.pl"
--- a/pkg/deb/debian.module/unit.example-php-config
+++ b/pkg/deb/debian.module/unit.example-php-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_php": {
 			"type": "php",
 			"user": "nobody",
 			"processes": 2,
 			"root": "/usr/share/doc/unit-php/examples/phpinfo-app",
 			"index": "index.php"
--- a/pkg/deb/debian.module/unit.example-python-config
+++ b/pkg/deb/debian.module/unit.example-python-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python/examples/python-app",
 			"module": "wsgi"
--- a/pkg/deb/debian.module/unit.example-python2.7-config
+++ b/pkg/deb/debian.module/unit.example-python2.7-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 2.7",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python2.7/examples/python-app",
 			"module": "wsgi"
--- a/pkg/deb/debian.module/unit.example-python3.4-config
+++ b/pkg/deb/debian.module/unit.example-python3.4-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.4",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python3.4/examples/python-app",
 			"module": "wsgi"
--- a/pkg/deb/debian.module/unit.example-python3.5-config
+++ b/pkg/deb/debian.module/unit.example-python3.5-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.5",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python3.5/examples/python-app",
 			"module": "wsgi"
--- a/pkg/deb/debian.module/unit.example-python3.6-config
+++ b/pkg/deb/debian.module/unit.example-python3.6-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.6",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python3.6/examples/python-app",
 			"module": "wsgi"
--- a/pkg/deb/debian.module/unit.example-python3.7-config
+++ b/pkg/deb/debian.module/unit.example-python3.7-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.7",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python3.7/examples/python-app",
 			"module": "wsgi"
--- a/pkg/deb/debian.module/unit.example-python3.8-config
+++ b/pkg/deb/debian.module/unit.example-python3.8-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.8",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python3.8/examples/python-app",
 			"module": "wsgi"
--- a/pkg/deb/debian.module/unit.example-ruby-config
+++ b/pkg/deb/debian.module/unit.example-ruby-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_ruby": {
 			"type": "ruby",
 			"user": "nobody",
 			"processes": 2,
 			"script": "/usr/share/doc/unit-ruby/examples/ruby-app.ru"
 		}
--- a/pkg/deb/debian/unit.example.config
+++ b/pkg/deb/debian/unit.example.config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_php": {
 			"type": "php",
 			"user": "nobody",
 			"processes": 2,
 			"root": "/usr/share/doc/unit/examples/php-app",
 			"index": "index.php"
@@ -10,7 +9,6 @@
 		"example_python": {
 			"type": "python",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit/examples/python-app",
 			"module": "wsgi"
@@ -18,13 +16,11 @@
 		"example_go": {
 			"type": "external",
 			"user": "nobody",
 			"executable": "/tmp/go-app"
 		},
 		"example_perl": {
 			"type": "perl",
 			"user": "nobody",
 			"processes": 1,
 			"working_directory": "/usr/share/doc/unit-perl/examples/perl-app",
 			"script": "/usr/share/doc/unit-perl/examples/perl-app/index.pl"
--- a/pkg/deb/debian/unit.postinst
+++ b/pkg/deb/debian/unit.postinst
@@ -6,6 +6,40 @@ if [ "$1" != "configure" ]; then
    exit 0
 fi
 if [ -n "$2" ]; then
    if dpkg --compare-versions "${2%%-*}" le "1.21.0"; then
      cat <<BANNER
 ----------------------------------------------------------------------
 WARNING:
 Since version 1.22.0, Unit's non-privileged processes run as unit:unit by
 default.  Review your system permissions and Unit configuration so apps and
 routes that relied on these processes running as nobody:nogroup stay working.
 More info: https://unit.nginx.org/installation/#official-packages
 ----------------------------------------------------------------------
 BANNER
    fi
 fi
 if ! getent group unit >/dev/null; then
    addgroup --system unit >/dev/null
 fi
 if ! getent passwd unit >/dev/null; then
    adduser \
      --system \
      --disabled-login \
      --ingroup unit \
      --no-create-home \
      --home /nonexistent \
      --gecos "unit user" \
      --shell /bin/false \
      unit >/dev/null
 fi
 #DEBHELPER#
 exit 0
--- a/pkg/deb/debian/unit.preinst
+++ b/pkg/deb/debian/unit.preinst
@@ -17,6 +17,7 @@ Online documentation is available at https://unit.nginx.org/
 ----------------------------------------------------------------------
 BANNER
        ;;
    upgrade)
        ;;
--- a/pkg/rpm/Makefile
+++ b/pkg/rpm/Makefile
@@ -149,6 +149,8 @@ CONFIGURE_ARGS=\
 	--pid=/var/run/unit/unit.pid \
 	--log=/var/log/unit/unit.log \
 	--tmp=/var/tmp \
 	--user=unit \
 	--group=unit \
 	--tests \
 	--openssl
--- a/pkg/rpm/rpmbuild/SOURCES/unit.example-go-config
+++ b/pkg/rpm/rpmbuild/SOURCES/unit.example-go-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_go": {
 			"type": "external",
 			"user": "nobody",
 			"executable": "/tmp/go-app"
 		}
 	},
--- a/pkg/rpm/rpmbuild/SOURCES/unit.example-perl-config
+++ b/pkg/rpm/rpmbuild/SOURCES/unit.example-perl-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_perl": {
 			"type": "perl",
 			"user": "nobody",
 			"processes": 1,
 			"working_directory": "/usr/share/doc/unit-perl/examples/perl-app",
 			"script": "/usr/share/doc/unit-perl/examples/perl-app/index.pl"
--- a/pkg/rpm/rpmbuild/SOURCES/unit.example-php-config
+++ b/pkg/rpm/rpmbuild/SOURCES/unit.example-php-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_php": {
 			"type": "php",
 			"user": "nobody",
 			"processes": 2,
 			"root": "/usr/share/doc/unit-php/examples/phpinfo-app",
 			"index": "index.php"
--- a/pkg/rpm/rpmbuild/SOURCES/unit.example-python-config
+++ b/pkg/rpm/rpmbuild/SOURCES/unit.example-python-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python/examples/python-app",
 			"module": "wsgi"
--- a/pkg/rpm/rpmbuild/SOURCES/unit.example-python27-config
+++ b/pkg/rpm/rpmbuild/SOURCES/unit.example-python27-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 2.7",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python27/examples/python-app",
 			"module": "wsgi"
--- a/pkg/rpm/rpmbuild/SOURCES/unit.example-python34-config
+++ b/pkg/rpm/rpmbuild/SOURCES/unit.example-python34-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.4",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python34/examples/python-app",
 			"module": "wsgi"
--- a/pkg/rpm/rpmbuild/SOURCES/unit.example-python35-config
+++ b/pkg/rpm/rpmbuild/SOURCES/unit.example-python35-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.5",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python35/examples/python-app",
 			"module": "wsgi"
--- a/pkg/rpm/rpmbuild/SOURCES/unit.example-python36-config
+++ b/pkg/rpm/rpmbuild/SOURCES/unit.example-python36-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.6",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python36/examples/python-app",
 			"module": "wsgi"
--- a/pkg/rpm/rpmbuild/SOURCES/unit.example-python37-config
+++ b/pkg/rpm/rpmbuild/SOURCES/unit.example-python37-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.7",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python37/examples/python-app",
 			"module": "wsgi"
--- a/pkg/rpm/rpmbuild/SOURCES/unit.example-python38-config
+++ b/pkg/rpm/rpmbuild/SOURCES/unit.example-python38-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.8",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python38/examples/python-app",
 			"module": "wsgi"
--- a/pkg/rpm/rpmbuild/SOURCES/unit.example-ruby-config
+++ b/pkg/rpm/rpmbuild/SOURCES/unit.example-ruby-config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_ruby": {
 			"type": "ruby",
 			"user": "nobody",
 			"processes": 2,
 			"script": "/usr/share/doc/unit-ruby/examples/ruby-app.ru"
 		}
--- a/pkg/rpm/rpmbuild/SOURCES/unit.example.config
+++ b/pkg/rpm/rpmbuild/SOURCES/unit.example.config
@@ -2,7 +2,6 @@
 	"applications": {
 		"example_php": {
 			"type": "php",
 			"user": "nobody",
 			"processes": 2,
 			"root": "/usr/share/doc/unit-php/examples/phpinfo-app",
 			"index": "index.php"
@@ -10,7 +9,6 @@
 		"example_python": {
 			"type": "python",
 			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python/examples/python-app",
 			"module": "wsgi"
@@ -18,13 +16,11 @@
 		"example_go": {
 			"type": "external",
 			"user": "nobody",
 			"executable": "/tmp/go-app"
 		},
 		"example_perl": {
 			"type": "perl",
 			"user": "nobody",
 			"processes": 1,
 			"working_directory": "/usr/share/doc/unit-perl/examples/perl-app",
 			"script": "/usr/share/doc/unit-perl/examples/perl-app/index.pl"
--- a/pkg/rpm/unit.spec.in
+++ b/pkg/rpm/unit.spec.in
@@ -145,6 +145,10 @@ cat /dev/null > debugsourcefiles.list
 %post
 if [ $1 -eq 1 ]; then
    getent group unit >/dev/null || groupadd -r unit
    getent passwd unit >/dev/null || \
        useradd -r -g unit -s /sbin/nologin \
        -d /nonexistent -c "unit user" unit
    /usr/bin/systemctl preset unit.service >/dev/null 2>&1 ||:
    cat <<BANNER
 ----------------------------------------------------------------------
@@ -172,6 +176,21 @@ if [ $1 -ge 1 ]; then
    /usr/bin/systemctl try-restart unit.service >/dev/null 2>&1 ||:
 fi
 %triggerpostun -- unit < 1.22.0
 cat <<BANNER
 ----------------------------------------------------------------------
 WARNING:
 Since version 1.22.0, Unit's non-privileged processes run as unit:unit by
 default.  Review your system permissions and Unit configuration so apps and
 routes that relied on these processes running as nobody:nogroup stay working.
 More info: https://unit.nginx.org/installation/#official-packages
 ----------------------------------------------------------------------
 BANNER
 %files
 %defattr(-,root,root,-)
 %attr(0755,root,root) %{_sbindir}/unitd