Have Routinator drop privileges in a system independent way (now that the init subcommand honours this) instead of adding user entries in systemd files, and keeping the minimal unit as minimal as it used to be.

2024-05-19 06:50:04 +00:00 · 2020-09-29 12:33:34 +02:00
parent 1b27323e5a
commit 3aec404b45
4 changed files with 5 additions and 5 deletions
--- a/.github/workflows/pkg.yml
+++ b/.github/workflows/pkg.yml
@ -289,7 +289,7 @@ jobs:
        sg lxd -c "lxc exec testcon -- systemctl status routinator || true"

        echo -e "\nINIT ROUTINATOR:"
-        sg lxd -c "lxc exec testcon -- sudo -u routinator routinator --config /etc/routinator/routinator.conf init --accept-arin-rpa"
+        sg lxd -c "lxc exec testcon -- sudo routinator --config /etc/routinator/routinator.conf init --accept-arin-rpa"

        echo -e "\nENABLE ROUTINATOR SERVICE:"
        sg lxd -c "lxc exec testcon -- systemctl enable routinator"
--- a/debian/routinator-minimal.routinator.service
+++ b/debian/routinator-minimal.routinator.service
@ -5,7 +5,6 @@ After=network.target

 [Service]
 ExecStart=/usr/bin/routinator --config=/etc/routinator/routinator.conf --syslog server
-User=routinator

 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
--- a/debian/routinator.routinator.service
+++ b/debian/routinator.routinator.service
@ -7,7 +7,6 @@ After=network.target
 ExecStart=/usr/bin/routinator --config=/etc/routinator/routinator.conf --syslog server
 Type=exec
 Restart=on-failure
-User=routinator
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 LockPersonality=yes
--- a/etc/routinator.conf.system-service
+++ b/etc/routinator.conf.system-service
@ -20,4 +20,6 @@
 repository-dir = "/var/lib/routinator/rpki-cache"
 tal-dir = "/var/lib/routinator/tals"
 rtr-listen = ["127.0.0.1:3323"]
-http-listen = ["127.0.0.1:8323"]
+http-listen = ["127.0.0.1:8323"]
+user = "routinator"
+group = "routinator"