Add optional user and group configuration (fixes #434)

dehydrated-io · Dec 17, 2017 · 2adc577 · 2adc577
1 parent f35aed6
commit 2adc577
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -12,6 +12,7 @@ This file contains a log of major changes in dehydrated
 - Allow automatic cleanup on exit (AUTO_CLEANUP)
 - Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH)
 - Certificates can now have aliases to create multiple certificates with identical set of domains (see --alias and domains.txt documentation)
+- Allow dehydrated to run as specified user (/group)
 
 ## [0.4.0] - 2017-02-05
 ## Changed

diff --git a/dehydrated b/dehydrated
@@ -25,6 +25,7 @@ done
 SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
 
 BASEDIR="${SCRIPTDIR}"
+ORIGARGS="$@"
 
 # Create (identifiable) temporary files
 _mktemp() {
@@ -135,6 +136,8 @@ load_config() {
   IP_VERSION=
   CHAINCACHE=
   AUTO_CLEANUP="no"
+  DEHYDRATED_USER=
+  DEHYDRATED_GROUP=
 
   if [[ -z "${CONFIG:-}" ]]; then
     echo "#" >&2
@@ -165,6 +168,32 @@ load_config() {
    done
   fi
 
+  # Check if we are running & are allowed to run as root
+  if [[ -n "$DEHYDRATED_USER" ]]; then
+    command -v sudo > /dev/null 2>&1 || _exiterr "DEHYDRATED_USER set but sudo not available. Please install sudo."
+    command -v getent > /dev/null 2>&1 || _exiterr "DEHYDRATED_USER set but getent not available. Please install getent."
+
+    TARGET_UID="$(getent passwd "${DEHYDRATED_USER}" | cut -d':' -f3)"
+    if [[ -z "${DEHYDRATED_GROUP}" ]]; then
+      if [[ "${EUID}" != "${TARGET_UID}" ]]; then
+        echo "# INFO: Running $0 as ${DEHYDRATED_USER}"
+        exec sudo -u "${DEHYDRATED_USER}" "${0}" ${ORIGARGS}
+      fi
+    else
+      TARGET_GID="$(getent group "${DEHYDRATED_GROUP}" | cut -d':' -f3)"
+      if [[ -z "${EGID:-}" ]]; then
+        command -v id > /dev/null 2>&1 || _exiterr "DEHYDRATED_GROUP set, don't know current gid and 'id' not available... Please provide 'id' binary."
+        EGID="$(id -g)"
+      fi
+      if [[ "${EUID}" != "${TARGET_UID}" ]] || [[ "${EGID}" != "${TARGET_GID}" ]]; then
+        echo "# INFO: Running $0 as ${DEHYDRATED_USER}/${DEHYDRATED_GROUP}"
+        exec sudo -u "${DEHYDRATED_USER}" -g "${DEHYDRATED_GROUP}" "${0}" ${ORIGARGS}
+      fi
+    fi
+  elif [[ -n "${DEHYDRATED_GROUP}" ]]; then
+    _exiterr "DEHYDRATED_GROUP can only be used in combination with DEHYDRATED_USER."
+  fi
+
   # Check for missing dependencies
   check_dependencies
 

diff --git a/docs/examples/config b/docs/examples/config
@@ -10,6 +10,12 @@
 # Default values of this config are in comments        #
 ########################################################
 
+# Which user should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_USER=
+
+# Which group should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_GROUP=
+
 # Resolve names to addresses of IP version only. (curl)
 # supported values: 4, 6
 # default: <unset>