Commit 59e03db2 authored by Seblu

Archive must be run as a specific user

In order to prevent running as root or as a different user, which is
complex with a lot of files, check the user/group before running.
parent cbceb545
+4 −0
@@ -6,6 +6,10 @@ ARCHIVE_RSYNC='rsync://polymorf.fr/archlinux/'
# Archive local directory
ARCHIVE_DIR='/srv/archive'

# Archive User and Group
ARCHIVE_USER=archive
ARCHIVE_GROUP=archive

# Package extensions
PKGEXT='.pkg.tar.xz'
PKGSIG="$PKGEXT.sig"
+1 −0
@@ -3,6 +3,7 @@ Description=Archive Update

[Service]
Type=oneshot
EnvironmentFile=/etc/archive.conf
User=archive
Group=archive
ExecStart=/usr/bin/archive
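Review bot: `User=archive` and `Group=archive` are hard-coded in this unit, while the same commit makes the expected identity configurable through `ARCHIVE_USER`/`ARCHIVE_GROUP` in the config file. systemd does not expand `EnvironmentFile=` variables in `User=`/`Group=`, so the two can drift apart. If an administrator changes the values in /etc/archive.conf (presumably the file `load_config` reads), the new check in main() will refuse to run under this unit. I would add a comment above these two lines, e.g. `# Must match ARCHIVE_USER/ARCHIVE_GROUP in /etc/archive.conf`, so that whoever changes one also changes the other.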
+9 −6
@@ -190,17 +190,17 @@ iso_rsync() {
}

main() {
	# running this as root, is a bad idea.
	(( $UID == 0 )) && echo 'You should not run me as root!'

	# Only one run at a time
	singleton

	# more verbose when launched from a tty
	[[ -t 1 && -n "$DEBUG" ]] && set -x

	load_config

	# check running user/group
	[[ "$(id -u -n)" == "$ARCHIVE_USER" ]] ||
		fail "The script must be run as user $ARCHIVE_USER."
	[[ "$(id -g -n)" == "$ARCHIVE_GROUP" ]] ||
		fail "The script must be run as group $ARCHIVE_GROUP."

	# we love IOs and we are nice guys
	renice -n 19 -p $$ >/dev/null
	ionice -c 2 -n 7 -p $$
@@ -208,6 +208,9 @@ main() {
	# load umask
	umask "${UMASK:-022}"

	# Only one run at a time
	singleton

	if (( $ARCHIVE_REPO )); then
		REPO_DIR="$ARCHIVE_DIR/repos"