diff --git a/CHANGELOG b/CHANGELOG
index ac6c3473..f965b8c4 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -12,6 +12,7 @@ This file contains a log of major changes in dehydrated
 - Allow automatic cleanup on exit (AUTO_CLEANUP)
 - Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH)
 - Certificates can now have aliases to create multiple certificates with identical set of domains (see --alias and domains.txt documentation)
+- Allow dehydrated to run as specified user (/group)
 
 ## [0.4.0] - 2017-02-05
 ## Changed
diff --git a/dehydrated b/dehydrated
index fda2072a..cb969a93 100755
--- a/dehydrated
+++ b/dehydrated
@@ -25,6 +25,7 @@ done
 
 SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
 BASEDIR="${SCRIPTDIR}"
+ORIGARGS="$@"
 
 # Create (identifiable) temporary files
 _mktemp() {
@@ -135,6 +136,8 @@ load_config() {
 IP_VERSION=
 CHAINCACHE=
 AUTO_CLEANUP="no"
+ DEHYDRATED_USER=
+ DEHYDRATED_GROUP=
 
 if [[ -z "${CONFIG:-}" ]]; then
 echo "#" >&2
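Review bot: The added `ORIGARGS="$@"` line flattens all positional parameters into one whitespace-joined string, and the later re-exec lines expand it unquoted (`${ORIGARGS}`), so any argument containing whitespace or glob characters — a path with a space, a literal `*` — is re-split and globbed before the sudo'd copy of the script sees it, silently changing what it was asked to do. Capture the arguments as an array instead, `ORIGARGS=("$@")`, and expand it as `"${ORIGARGS[@]}"` at each `exec sudo ... "${0}"` site so argument boundaries survive the re-exec. The shebang and any shell-compatibility settings are outside this hunk; confirm arrays are acceptable for every shell the script supports before switching.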
@@ -165,6 +168,32 @@ load_config() {
 done
 fi
 
+ # Check if we are running & are allowed to run as root
+ if [[ -n "$DEHYDRATED_USER" ]]; then
+ command -v sudo > /dev/null 2>&1 || _exiterr "DEHYDRATED_USER set but sudo not available. Please install sudo."
+ command -v getent > /dev/null 2>&1 || _exiterr "DEHYDRATED_USER set but getent not available. Please install getent."
+
+ TARGET_UID="$(getent passwd "${DEHYDRATED_USER}" | cut -d':' -f3)"
+ if [[ -z "${DEHYDRATED_GROUP}" ]]; then
+ if [[ "${EUID}" != "${TARGET_UID}" ]]; then
+ echo "# INFO: Running $0 as ${DEHYDRATED_USER}"
+ exec sudo -u "${DEHYDRATED_USER}" "${0}" ${ORIGARGS}
+ fi
+ else
+ TARGET_GID="$(getent group "${DEHYDRATED_GROUP}" | cut -d':' -f3)"
+ if [[ -z "${EGID:-}" ]]; then
+ command -v id > /dev/null 2>&1 || _exiterr "DEHYDRATED_GROUP set, don't know current gid and 'id' not available... Please provide 'id' binary."
+ EGID="$(id -g)"
+ fi
+ if [[ "${EUID}" != "${TARGET_UID}" ]] || [[ "${EGID}" != "${TARGET_GID}" ]]; then
+ echo "# INFO: Running $0 as ${DEHYDRATED_USER}/${DEHYDRATED_GROUP}"
+ exec sudo -u "${DEHYDRATED_USER}" -g "${DEHYDRATED_GROUP}" "${0}" ${ORIGARGS}
+ fi
+ fi
+ elif [[ -n "${DEHYDRATED_GROUP}" ]]; then
+ _exiterr "DEHYDRATED_GROUP can only be used in combination with DEHYDRATED_USER."
+ fi
+
 # Check for missing dependencies
 check_dependencies
 
diff --git a/docs/examples/config b/docs/examples/config
index b1a5d731..7132a685 100644
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -10,6 +10,12 @@
 # Default values of this config are in comments
 # ########################################################
 
+# Which user should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_USER=
+
+# Which group should dehydrated run as? This will be implictly enforced when running as root
+#DEHYDRATED_GROUP=
+
 # Resolve names to addresses of IP version only. (curl)
 # supported values: 4, 6
 # default:
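Review bot: The `getent passwd` and `getent group` lookups are never validated, so a misspelled or missing DEHYDRATED_USER/DEHYDRATED_GROUP leaves TARGET_UID/TARGET_GID empty, the `!=` comparison against EUID/EGID is then trivially true, and the script hands a nonexistent name to `sudo -u`/`-g` instead of reporting the misconfiguration itself (whether the script's shell options turn the failed pipeline into an earlier silent exit depends on settings outside this hunk). Add `[[ -n "${TARGET_UID}" ]] || _exiterr "DEHYDRATED_USER '${DEHYDRATED_USER}' not found"` right after the passwd lookup and `[[ -n "${TARGET_GID}" ]] || _exiterr "DEHYDRATED_GROUP '${DEHYDRATED_GROUP}' not found"` after the group lookup. Note also that this block runs after the config has already been sourced by the original (typically root) process, and the re-exec'd copy will source it again under the target user; anything the caller supplied only through the environment is presumably subject to sudo's env_reset and may not survive the switch, so it is worth documenting in the comment above the `if` that the user switch re-reads the configuration and that the target user must be able to read the config files. The enclosing load_config function starts and ends outside this hunk.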