API daemon should run under non root user

Open mkudlej opened this issue 7 years ago • 4 comments

I think that the Tendrl API daemon should run under a non-root user because the API communicates only with clients and ETCD via HTTP API.

mkudlej avatar Mar 27 '17 10:03 mkudlej

@TimothyAsir here's what needs to be done in the spec file:

%global name tendrl-api
%global app_group %{name}
%global app_user %{name}
%global install_dir %{_datadir}/%{name}
%global config_dir %{_sysconfdir}/tendrl
%global config_file %{config_dir}/etcd.yml

%pre
getent group %{app_group} > /dev/null || \
  groupadd -r %{app_group}
getent passwd %{app_user} > /dev/null || \
  useradd -r -d %{install_dir} -M -g %{app_group} \
    -s /sbin/nologin %{app_user}

%files
%config %attr(0640, root, %{app_group}) %{config_file}

You'll also need to update the systemd service file to start the process as the tendrl-api user and group.

No other changes should be required anywhere else.

brainfunked avatar Apr 19 '17 12:04 brainfunked
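
A way to verify the result of the packaging change described in the comment above, as an added example that is not part of the thread or the Tendrl code base. The sample unit file and its ExecStart path are constructed, and the function names are hypothetical; only the tendrl-api account name and the 0640 mode come from the spec snippet.

```shell
#!/bin/sh
# Added example: checks for a service that should no longer run as root.

# Print the effective value of key $2 in the [Service] section of unit file $1.
# systemd applies the last assignment, so a later "User=root" wins.
service_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        /^[ \t]*[#;]/ { next }
        in_service && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { print val }
    ' "$1"
}

# Succeed only if both User= and Group= in unit $1 equal account $2.
# A unit with no User= runs as root, so an empty value fails the check.
unit_runs_as() {
    [ "$(service_value "$1" User)" = "$2" ] &&
        [ "$(service_value "$1" Group)" = "$2" ]
}

# Print "mode owner group" for file $1 (GNU stat), to compare against the
# "640 root tendrl-api" that the %attr line in the spec file should produce.
perms_of() {
    stat -c '%a %U %G' "$1"
}

# Constructed sample unit; the ExecStart path is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Service]
User=tendrl-api
Group=tendrl-api
ExecStart=/path/to/api-server
EOF

unit_runs_as "$sample" tendrl-api && echo "unit: ok" || echo "unit: runs as root"
chmod 640 "$sample"
echo "perms: $(perms_of "$sample")"   # owner and group here are the caller's
rm -f "$sample"
```

On an installed system, point `unit_runs_as` at the packaged unit file and `perms_of` at the config file named by `%{config_file}`.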

@TimothyAsir what is the update on this?

anivargi avatar May 23 '17 06:05 anivargi

@TimothyAsirJeyasing Are you done with this issue?

r0h4n avatar Aug 08 '17 05:08 r0h4n

@r0h4n Sure, the patch already exists at https://github.com/Tendrl/api/pull/188. I will send it to the master branch.

TimothyAsirJeyasing avatar Oct 11 '17 10:10 TimothyAsirJeyasing