Build deb/rpm packages for core & proxy

Open teon opened this issue 1 year ago • 3 comments

FPM for build packages? APT/YUM repository ??

teon avatar Jan 29 '24 13:01 teon

I've set up the package build process for both proxy & core, but at this point it still requires two things:

  • figuring out a way to modify the package to run systemd service as non-root user
  • actual manual testing of the packages being built on both Debian & Fedora

wojcik91 avatar Feb 07 '24 12:02 wojcik91

Regarding required point 1:

Does this (polkit rule) help? ( from https://superuser.com/questions/1146288/how-to-run-init-d-service-under-systemd-without-root-auth-updated )

" In systemd (and other modern init systems), service startup is strictly separated into two steps:

User tools (e.g. systemctl) remotely ask init (pid 1) to start a particular service. Init reads the service's configuration, sets up environment (including switching to the desired user account), and runs the executable. Due to this indirection, services are guaranteed to always have the same environment regardless of who and how started them. (Previously, user environment like locale, path, or SELinux contexts leaking into services used to be a common problem.)

(For init.d scripts, the distro's lsb-functions file contains the magic redirects to 'systemctl start', so they also receive the same indirection.)

This also means that you cannot start a service "as the same user" – you must configure a specific username in the relevant systemd .service file (and if there is none, you really should write one).

The 'start service' call is normally privileged, but you can write a polkit rule allowing it per-user or per-service (if the systemd version is recent enough):

```js
/* /etc/polkit-1/rules.d/allow-whatever.rules */

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units") {
        var verb = action.lookup("verb");
        var unit = action.lookup("unit");
        if (subject.user == "manager" && unit == "app.service" &&
            (verb == "start" || verb == "stop" || verb == "restart")) {
            return polkit.Result.YES;
        }
    }
});
```

Alternatively, it might be possible to opt out of indirection in the init.d script, but then you would also lose systemd's service tracking entirely – your daemon will look like a regular user process. "

biyanpian avatar Feb 16 '24 17:02 biyanpian
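To check that a rule like the one quoted above grants no more than intended, here is an added example (not from the defguard issue or project) that stubs the polkit rule API in JavaScript and evaluates the rule against constructed requests; the unit names `defguard-core.service` / `defguard-proxy.service` and the service account `defguard` are assumptions.

```javascript
// Added example: a minimal stand-in for the polkit rule API so the rule
// can be exercised offline with constructed action/subject objects.
const polkit = {
  Result: { YES: "yes", NO: "no" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// The rule as it would be written in /etc/polkit-1/rules.d/. Only the
// assumed service account "defguard" may start/stop/restart the two assumed
// units; any other user, unit or verb falls through to polkit's default policy.
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.systemd1.manage-units") {
    var verb = action.lookup("verb");
    var unit = action.lookup("unit");
    var allowedUnits = ["defguard-core.service", "defguard-proxy.service"];
    if (subject.user == "defguard" && allowedUnits.indexOf(unit) !== -1 &&
        (verb == "start" || verb == "stop" || verb == "restart")) {
      return polkit.Result.YES;
    }
  }
});

// Build an action object shaped like the one polkit hands to rules:
// an id plus a lookup() over the action details (verb, unit).
function makeAction(id, details) {
  return { id, lookup: (key) => details[key] };
}

// Run the registered rules in order; the first definite result wins.
// "default" means no rule matched, so polkit applies its built-in policy
// (for manage-units that normally means admin authentication is required).
function authorize(actionId, details, user) {
  const action = makeAction(actionId, details);
  const subject = { user };
  for (const rule of polkit.rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return "default";
}
```

Any request outside the narrow (user, unit, verb) triple is left to polkit's default policy rather than denied outright, so the rule cannot accidentally loosen anything else.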

I can test in Ubuntu (Debian-based)... I don't know if my VPS host has a Fedora option, but I can check, if it is needed.

biyanpian avatar Feb 16 '24 17:02 biyanpian

Done in version 0.11.0.

teon avatar Aug 15 '24 14:08 teon