Packages: run non-privileged processes under "unit" user.

pkg/deb/Makefile

@@ -157,6 +157,8 @@ CONFIGURE_ARGS=\
 	--pid=/var/run/unit.pid \
 	--log=/var/log/unit.log \
 	--tmp=/var/tmp \
+	--user=unit \
+	--group=unit \
 	--tests \
 	--openssl
 

pkg/deb/debian.module/unit.example-go-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_go": {
 			"type": "external",
-			"user": "nobody",
 			"executable": "/tmp/go-app"
 		}
 	},

pkg/deb/debian.module/unit.example-perl-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_perl": {
 			"type": "perl",
-			"user": "nobody",
 			"processes": 1,
 			"working_directory": "/usr/share/doc/unit-perl/examples/perl-app",
 			"script": "/usr/share/doc/unit-perl/examples/perl-app/index.pl"

pkg/deb/debian.module/unit.example-php-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_php": {
 			"type": "php",
-			"user": "nobody",
 			"processes": 2,
 			"root": "/usr/share/doc/unit-php/examples/phpinfo-app",
 			"index": "index.php"

pkg/deb/debian.module/unit.example-python-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python/examples/python-app",
 			"module": "wsgi"

pkg/deb/debian.module/unit.example-python2.7-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 2.7",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python2.7/examples/python-app",
 			"module": "wsgi"

pkg/deb/debian.module/unit.example-python3.4-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.4",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python3.4/examples/python-app",
 			"module": "wsgi"

pkg/deb/debian.module/unit.example-python3.5-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.5",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python3.5/examples/python-app",
 			"module": "wsgi"

pkg/deb/debian.module/unit.example-python3.6-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.6",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python3.6/examples/python-app",
 			"module": "wsgi"

pkg/deb/debian.module/unit.example-python3.7-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.7",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python3.7/examples/python-app",
 			"module": "wsgi"

pkg/deb/debian.module/unit.example-python3.8-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.8",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python3.8/examples/python-app",
 			"module": "wsgi"

pkg/deb/debian.module/unit.example-ruby-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_ruby": {
 			"type": "ruby",
-			"user": "nobody",
 			"processes": 2,
 			"script": "/usr/share/doc/unit-ruby/examples/ruby-app.ru"
 		}

pkg/deb/debian/unit.example.config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_php": {
 			"type": "php",
-			"user": "nobody",
 			"processes": 2,
 			"root": "/usr/share/doc/unit/examples/php-app",
 			"index": "index.php"
@@ -10,7 +9,6 @@
 
 		"example_python": {
 			"type": "python",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit/examples/python-app",
 			"module": "wsgi"
@@ -18,13 +16,11 @@
 
 		"example_go": {
 			"type": "external",
-			"user": "nobody",
 			"executable": "/tmp/go-app"
 		},
 
 		"example_perl": {
 			"type": "perl",
-			"user": "nobody",
 			"processes": 1,
 			"working_directory": "/usr/share/doc/unit-perl/examples/perl-app",
 			"script": "/usr/share/doc/unit-perl/examples/perl-app/index.pl"

pkg/deb/debian/unit.postinst

@@ -6,6 +6,40 @@ if [ "$1" != "configure" ]; then
     exit 0
 fi
 
+if [ -n "$2" ]; then
+    if dpkg --compare-versions "${2%%-*}" le "1.21.0"; then
+      cat <<BANNER
+----------------------------------------------------------------------
+
+WARNING:
+
+Since version 1.22.0, Unit's non-privileged processes run as unit:unit by
+default.  Review your system permissions and Unit configuration so apps and
+routes that relied on these processes running as nobody:nogroup stay working.
+
+More info: https://unit.nginx.org/installation/#official-packages
+
+----------------------------------------------------------------------
+BANNER
+    fi
+fi
+
+if ! getent group unit >/dev/null; then
+    addgroup --system unit >/dev/null
+fi
+
+if ! getent passwd unit >/dev/null; then
+    adduser \
+      --system \
+      --disabled-login \
+      --ingroup unit \
+      --no-create-home \
+      --home /nonexistent \
+      --gecos "unit user" \
+      --shell /bin/false \
+      unit >/dev/null
+fi
+
 #DEBHELPER#
 
 exit 0

pkg/deb/debian/unit.preinst

@@ -17,6 +17,7 @@ Online documentation is available at https://unit.nginx.org/
 ----------------------------------------------------------------------
 BANNER
         ;;
+
     upgrade)
         ;;
 

pkg/rpm/Makefile

@@ -149,6 +149,8 @@ CONFIGURE_ARGS=\
 	--pid=/var/run/unit/unit.pid \
 	--log=/var/log/unit/unit.log \
 	--tmp=/var/tmp \
+	--user=unit \
+	--group=unit \
 	--tests \
 	--openssl
 

pkg/rpm/rpmbuild/SOURCES/unit.example-go-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_go": {
 			"type": "external",
-			"user": "nobody",
 			"executable": "/tmp/go-app"
 		}
 	},

pkg/rpm/rpmbuild/SOURCES/unit.example-perl-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_perl": {
 			"type": "perl",
-			"user": "nobody",
 			"processes": 1,
 			"working_directory": "/usr/share/doc/unit-perl/examples/perl-app",
 			"script": "/usr/share/doc/unit-perl/examples/perl-app/index.pl"

pkg/rpm/rpmbuild/SOURCES/unit.example-php-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_php": {
 			"type": "php",
-			"user": "nobody",
 			"processes": 2,
 			"root": "/usr/share/doc/unit-php/examples/phpinfo-app",
 			"index": "index.php"

pkg/rpm/rpmbuild/SOURCES/unit.example-python-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python/examples/python-app",
 			"module": "wsgi"

pkg/rpm/rpmbuild/SOURCES/unit.example-python27-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 2.7",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python27/examples/python-app",
 			"module": "wsgi"

pkg/rpm/rpmbuild/SOURCES/unit.example-python34-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.4",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python34/examples/python-app",
 			"module": "wsgi"

pkg/rpm/rpmbuild/SOURCES/unit.example-python35-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.5",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python35/examples/python-app",
 			"module": "wsgi"

pkg/rpm/rpmbuild/SOURCES/unit.example-python36-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.6",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python36/examples/python-app",
 			"module": "wsgi"

pkg/rpm/rpmbuild/SOURCES/unit.example-python37-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.7",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python37/examples/python-app",
 			"module": "wsgi"

pkg/rpm/rpmbuild/SOURCES/unit.example-python38-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_python": {
 			"type": "python 3.8",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python38/examples/python-app",
 			"module": "wsgi"

pkg/rpm/rpmbuild/SOURCES/unit.example-ruby-config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_ruby": {
 			"type": "ruby",
-			"user": "nobody",
 			"processes": 2,
 			"script": "/usr/share/doc/unit-ruby/examples/ruby-app.ru"
 		}

pkg/rpm/rpmbuild/SOURCES/unit.example.config

@@ -2,7 +2,6 @@
 	"applications": {
 		"example_php": {
 			"type": "php",
-			"user": "nobody",
 			"processes": 2,
 			"root": "/usr/share/doc/unit-php/examples/phpinfo-app",
 			"index": "index.php"
@@ -10,7 +9,6 @@
 
 		"example_python": {
 			"type": "python",
-			"user": "nobody",
 			"processes": 2,
 			"path": "/usr/share/doc/unit-python/examples/python-app",
 			"module": "wsgi"
@@ -18,13 +16,11 @@
 
 		"example_go": {
 			"type": "external",
-			"user": "nobody",
 			"executable": "/tmp/go-app"
 		},
 
 		"example_perl": {
 			"type": "perl",
-			"user": "nobody",
 			"processes": 1,
 			"working_directory": "/usr/share/doc/unit-perl/examples/perl-app",
 			"script": "/usr/share/doc/unit-perl/examples/perl-app/index.pl"

pkg/rpm/unit.spec.in

@@ -145,6 +145,10 @@ cat /dev/null > debugsourcefiles.list
 
 %post
 if [ $1 -eq 1 ]; then
+    getent group unit >/dev/null || groupadd -r unit
+    getent passwd unit >/dev/null || \
+        useradd -r -g unit -s /sbin/nologin \
+        -d /nonexistent -c "unit user" unit
     /usr/bin/systemctl preset unit.service >/dev/null 2>&1 ||:
     cat <<BANNER
 ----------------------------------------------------------------------
@@ -172,6 +176,21 @@ if [ $1 -ge 1 ]; then
     /usr/bin/systemctl try-restart unit.service >/dev/null 2>&1 ||:
 fi
 
+%triggerpostun -- unit < 1.22.0
+cat <<BANNER
+----------------------------------------------------------------------
+
+WARNING:
+
+Since version 1.22.0, Unit's non-privileged processes run as unit:unit by
+default.  Review your system permissions and Unit configuration so apps and
+routes that relied on these processes running as nobody:nogroup stay working.
+
+More info: https://unit.nginx.org/installation/#official-packages
+
+----------------------------------------------------------------------
+BANNER
+
 %files
 %defattr(-,root,root,-)
 %attr(0755,root,root) %{_sbindir}/unitd