diff --git a/Makefile b/Makefile index 6d9166166..f452b101a 100644 --- a/Makefile +++ b/Makefile @@ -2,6 +2,12 @@ BINDGEN = bindgen CBINDGEN = cbindgen +# Default users under which the services will run. Override by specifying on the CLI for make. +USER_AZIOTID ?= aziotid +USER_AZIOTCS ?= aziotcs +USER_AZIOTKS ?= aziotks +USER_AZIOTTPM ?= aziottpm + # 0 => false, _ => true V = 0 @@ -56,7 +62,11 @@ CARGO_OUTPUT_ABSPATH = $(abspath ./target/$(CARGO_TARGET)/$(CARGO_PROFILE_DIRECT VENDOR_PREFIX = $(CARGO_OUTPUT_ABSPATH)/fakeroot VENDOR_PKGCONFIG = $(VENDOR_PREFIX)$(AZIOT_PRIVATE_LIBRARIES)/pkgconfig -CARGO = VENDOR_PREFIX="$(VENDOR_PREFIX)" VENDOR_PKGCONFIG="$(VENDOR_PKGCONFIG)" cargo +CARGO = VENDOR_PREFIX="$(VENDOR_PREFIX)" VENDOR_PKGCONFIG="$(VENDOR_PKGCONFIG)" \ + USER_AZIOTID="$(USER_AZIOTID)" \ + USER_AZIOTCS="$(USER_AZIOTCS)" \ + USER_AZIOTKS="$(USER_AZIOTKS)" \ + USER_AZIOTTPM="$(USER_AZIOTTPM)" cargo # Some of the targets use bash-isms like `set -o pipefail` SHELL = /bin/bash 
@@ -309,6 +319,9 @@ deb: dist # Copy package files cp -R contrib/debian /tmp/aziot-identity-service-$(PACKAGE_VERSION)/ sed -i -e 's/@version@/$(PACKAGE_VERSION)/g; s/@release@/$(PACKAGE_RELEASE)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/changelog + sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postinst + sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postrm + sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/preinst # Build package # Note: This builds the `default` target before the normal Debian packaging (instead @@ -366,6 +379,10 @@ rpm: -e "s|@devtoolset@|$$DEVTOOLSET|g" \ -e "s|@llvm_toolset@|$$LLVM_TOOLSET|g" \ -e "s|@openssl_engine_filename@|$$OPENSSL_ENGINE_FILENAME|g" \ + -e "s/@user_aziotid@/$(USER_AZIOTID)/g" \ + -e "s/@user_aziotks@/$(USER_AZIOTKS)/g" \ + -e "s/@user_aziotcs@/$(USER_AZIOTCS)/g" \ + -e "s/@user_aziottpm@/$(USER_AZIOTTPM)/g" \ >$(RPMBUILDDIR)/SPECS/aziot-identity-service.spec # Copy preset file to be included in the package 
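Review bot: The three new `sed -i` lines in the deb target repeat the same four-substitution expression verbatim for postinst, postrm and preinst, and the rpm hunk below and the install-common hunk that follows repeat it again with different delimiters and flags (`/` with `g` here and in rpm, `|` without `g` in install-common). Factoring it into one Make variable next to the `USER_*` defaults, e.g. `USER_SED_EXPRS = -e 's|@user_aziotid@|$(USER_AZIOTID)|g' -e 's|@user_aziotks@|$(USER_AZIOTKS)|g' -e 's|@user_aziotcs@|$(USER_AZIOTCS)|g' -e 's|@user_aziottpm@|$(USER_AZIOTTPM)|g'`, and using `$(USER_SED_EXPRS)` at all six sites would stop the maintainer scripts, spec and unit files from drifting apart. The `$(USER_*)` values are spliced into the sed expressions unescaped, so an override containing the delimiter or `&` would silently corrupt the generated scripts rather than fail the build; since the Makefile now documents these as CLI-overridable, a build-time check that each name matches the usual account-name charset would turn that into a visible error. The deb recipe continues outside the hunk.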
@@ -464,15 +481,27 @@ install-common: $(INSTALL) -d -m 0700 $(DESTDIR)$(localstatedir)/lib/aziot/tpmd # Systemd services and sockets + $(INSTALL) -d $(DESTDIR)$(unitdir) # NOTE: We do not use "install -D ... -t ..." since it is broken on # RHEL 7 derivatives and will not be fixed. # Ref: https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1758488 for i in cert identity key tpm; do \ + OUTPUT_SOCKET="$(DESTDIR)$(unitdir)/aziot-$${i}d.socket"; \ + <"$$i/aziot-$${i}d/aziot-$${i}d.socket.in" sed \ + -e 's|@user_aziotid@|$(USER_AZIOTID)|' \ + -e 's|@user_aziotks@|$(USER_AZIOTKS)|' \ + -e 's|@user_aziotcs@|$(USER_AZIOTCS)|' \ + -e 's|@user_aziottpm@|$(USER_AZIOTTPM)|' \ + >"$$OUTPUT_SOCKET"; \ + chmod 0644 "$$OUTPUT_SOCKET"; \ OUTPUT_SERVICE="$(DESTDIR)$(unitdir)/aziot-$${i}d.service"; \ - $(INSTALL_DATA) -D "$$i/aziot-$${i}d/aziot-$${i}d.socket" "$(DESTDIR)$(unitdir)/aziot-$${i}d.socket"; \ <"$$i/aziot-$${i}d/aziot-$${i}d.service.in" sed \ -e 's|@private-libs@|$(AZIOT_PRIVATE_LIBRARIES)|' \ -e 's|@libexecdir@|$(libexecdir)|' \ + -e 's|@user_aziotid@|$(USER_AZIOTID)|' \ + -e 's|@user_aziotks@|$(USER_AZIOTKS)|' \ + -e 's|@user_aziotcs@|$(USER_AZIOTCS)|' \ + -e 's|@user_aziottpm@|$(USER_AZIOTTPM)|' \ >"$$OUTPUT_SERVICE"; \ chmod 0644 "$$OUTPUT_SERVICE"; \ done diff --git a/aziotctl/.cargo/config.toml b/aziotctl/.cargo/config.toml new file mode 100644 index 000000000..756099ca3 --- /dev/null +++ b/aziotctl/.cargo/config.toml @@ -0,0 +1,5 @@ +[env] +USER_AZIOTID = "aziotid" +USER_AZIOTKS = "aziotks" +USER_AZIOTCS = "aziotcs" +USER_AZIOTTPM = "aziottpm" diff --git a/aziotctl/src/config/apply.rs b/aziotctl/src/config/apply.rs index 5b3a25324..85e039579 100644 --- a/aziotctl/src/config/apply.rs +++ b/aziotctl/src/config/apply.rs 
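Review bot: `aziotctl/.cargo/config.toml` is only picked up when cargo's working directory is inside `aziotctl/`, because cargo discovers config files by walking up from the cwd rather than from the package manifest, so a build started at the workspace root (`cargo build -p aziotctl`, `cargo clippy --workspace` in CI) would not see these `[env]` defaults and the new `env!("USER_…")` calls in the apply.rs and check hunks would fail to compile unless the Makefile's exports are present. If building through the Makefile is the only supported path, say so here; otherwise a workspace-level `.cargo/config.toml` would make the defaults hold for every invocation. Also worth a comment is that `[env]` entries do not override variables already set in the build environment unless `force = true`, which is exactly what lets the Makefile's `USER_*` values win, e.g. `# Build-time defaults for the service account names compiled into aziotctl; the Makefile overrides them via the environment.` The preceding install-common hunk shares the sed-expression duplication raised on the deb hunk.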
@@ -37,10 +37,12 @@ pub(crate) fn run(options: Options) -> anyhow::Result<()> {
 // So when running as root, get the four users appropriately.
 // Otherwise, if this is a debug build, fall back to using the current user.
 // Otherwise, tell the user to re-run as root.
- let aziotks_user = crate::internal::common::get_system_user("aziotks")?;
- let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?;
- let aziotid_user = crate::internal::common::get_system_user("aziotid")?;
- let aziottpm_user = crate::internal::common::get_system_user("aziottpm")?;
+ // When run in a snap expect the four users to be prefixed with `snap_`.
+
+ let aziotks_user = crate::internal::common::get_system_user(env!("USER_AZIOTKS"))?;
+ let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?;
+ let aziotid_user = crate::internal::common::get_system_user(env!("USER_AZIOTID"))?;
+ let aziottpm_user = crate::internal::common::get_system_user(env!("USER_AZIOTTPM"))?;
 
 let common_config::apply::RunOutput {
 keyd_config,
diff --git a/aziotctl/src/internal/check/checks/cert_expiry.rs b/aziotctl/src/internal/check/checks/cert_expiry.rs
index eb4095758..241252acb 100644
--- a/aziotctl/src/internal/check/checks/cert_expiry.rs
+++ b/aziotctl/src/internal/check/checks/cert_expiry.rs
@@ -47,7 +47,7 @@ impl IdentityCert {
 ) -> Result {
 use aziot_identityd_config::{DpsAttestationMethod, ManualAuthMethod, ProvisioningType};
 
- let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?;
+ let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?;
 
 let provisioning = &unwrap_or_skip!(&cache.cfg.identityd)
 .provisioning
@@ -123,7 +123,7 @@ impl EstIdentityBootstrapCerts {
 ) -> Result {
 let certd_config = unwrap_or_skip!(&cache.cfg.certd);
 
- let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?;
+ let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?;
 
 let certs = certd_config
 .cert_issuance
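Review bot: The new comment `// When run in a snap expect the four users to be prefixed with `snap_`.` reads as if the code detects a snap at runtime, but the four `env!(...)` calls under it resolve at compile time from the `USER_AZIOT*` build environment, so the binary only ever looks up the names its build baked in, and a binary built for one naming scheme run on a host with the other fails inside `get_system_user` with no hint why. Suggest rewording to `// The service account names are fixed at build time from the USER_AZIOT* env vars (see aziotctl/.cargo/config.toml and the Makefile); a snap build sets them to the snap_-prefixed names.` The same `env!("USER_AZIOTCS")` / `env!("USER_AZIOTKS")` literals are repeated in the two cert_expiry.rs hunks here and in the cert_expiry.rs, certs_preloaded.rs and read_key_pairs.rs hunks that follow; one constant per account in `crate::internal::common` next to `get_system_user`, e.g. `pub(crate) const USER_AZIOTCS: &str = env!("USER_AZIOTCS");`, would give a single place to document that build-time contract and make a missing variable fail in one spot. `run`'s body continues outside the hunk.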
@@ -226,7 +226,7 @@ impl LocalCaCert {
 None => return Ok(CheckResult::Ignored),
 };
- let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?;
+ let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?;
 let (res, cert_info) = validate_cert(certd_config, cert_id, "Local CA", &aziotcs_user).await?;
diff --git a/aziotctl/src/internal/check/checks/certs_preloaded.rs b/aziotctl/src/internal/check/checks/certs_preloaded.rs
index 9a4653acd..33a0a809a 100644
--- a/aziotctl/src/internal/check/checks/certs_preloaded.rs
+++ b/aziotctl/src/internal/check/checks/certs_preloaded.rs
@@ -45,7 +45,7 @@ impl CertsPreloaded {
 let mut visited: BTreeMap<_, _> = Default::default();
- let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?;
+ let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?;
 for id in preloaded_certs.keys() {
 match walk_preloaded_certs(id, preloaded_certs, &aziotcs_user, &mut visited).await? {
diff --git a/aziotctl/src/internal/check/checks/read_key_pairs.rs b/aziotctl/src/internal/check/checks/read_key_pairs.rs
index 1c34c3b7f..c1d96b99e 100644
--- a/aziotctl/src/internal/check/checks/read_key_pairs.rs
+++ b/aziotctl/src/internal/check/checks/read_key_pairs.rs
@@ -63,7 +63,7 @@ impl ReadKeyPairs {
 let mut warn_aggregated = vec![]; // Check every preloaded key at a file:// URI is readable by the aziotks user and report errors when they aren't.
- let aziotks_user = crate::internal::common::get_system_user("aziotks")?;
+ let aziotks_user = crate::internal::common::get_system_user(env!("USER_AZIOTKS"))?;
 for (id, path) in preloaded_keys {
 if let Ok(aziot_keys_common::PreloadedKeyLocation::Filesystem { path }) = path.parse() {
diff --git a/cert/aziot-certd/aziot-certd.service.in b/cert/aziot-certd/aziot-certd.service.in
index ea5705e83..e33aa9bf8 100644
--- a/cert/aziot-certd/aziot-certd.service.in
+++ b/cert/aziot-certd/aziot-certd.service.in
@@ -9,7 +9,7 @@ ExecStart=@libexecdir@/aziot-identity-service/aziot-certd
 KillMode=process
 Restart=on-failure
 RestartSec=5s
-User=aziotcs
+User=@user_aziotcs@
 
 [Install]
 WantedBy=multi-user.target
diff --git a/cert/aziot-certd/aziot-certd.socket b/cert/aziot-certd/aziot-certd.socket.in
similarity index 79%
rename from cert/aziot-certd/aziot-certd.socket
rename to cert/aziot-certd/aziot-certd.socket.in
index 86a763b21..55157abc1 100644
--- a/cert/aziot-certd/aziot-certd.socket
+++ b/cert/aziot-certd/aziot-certd.socket.in
@@ -6,8 +6,8 @@ PartOf=aziot-certd.service
 ListenStream=/run/aziot/certd.sock
 SocketMode=0660
 DirectoryMode=0755
-SocketUser=aziotcs
-SocketGroup=aziotcs
+SocketUser=@user_aziotcs@
+SocketGroup=@user_aziotcs@
 
 [Install]
 WantedBy=sockets.target
diff --git a/contrib/debian/postinst b/contrib/debian/postinst
index 5fb306053..c65123b21 100755
--- a/contrib/debian/postinst
+++ b/contrib/debian/postinst
@@ -20,10 +20,10 @@ set -e
 case "$1" in
 configure)
- chown aziotcs:aziotcs /etc/aziot/certd/config.toml.default
- chown aziotid:aziotid /etc/aziot/identityd/config.toml.default
- chown aziotks:aziotks /etc/aziot/keyd/config.toml.default
- chown aziottpm:aziottpm /etc/aziot/tpmd/config.toml.default
+ chown @user_aziotcs@:@user_aziotcs@ /etc/aziot/certd/config.toml.default
+ chown @user_aziotid@:@user_aziotid@ /etc/aziot/identityd/config.toml.default
+ chown @user_aziotks@:@user_aziotks@ /etc/aziot/keyd/config.toml.default
+ chown @user_aziottpm@:@user_aziottpm@ /etc/aziot/tpmd/config.toml.default
 chown root:root /etc/aziot/config.toml.template
 for f in \
 /etc/aziot/certd/config.toml.default \
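Review bot: The `chown @user_aziotcs@:@user_aziotcs@ …` lines in the postinst hunk assume a group with the same name as each configured user exists; that holds for the accounts preinst creates, but not for an override pointing at a pre-existing account whose primary group is named differently, and under the `set -e` shown in the hunk header that chown aborts the configure step. `chown @user_aziotcs@: /etc/aziot/certd/config.toml.default` (user followed by a bare colon, which chown resolves to that user's login group) drops the assumption without changing the result for the created accounts; the same user-equals-group pattern appears in the second postinst hunk, in the `SocketGroup=@user_…@` lines of the four `.socket.in` hunks, and in the `%attr(…, @user_…@, @user_…@)` lines of the spec hunk. Whether overriding to an existing account is meant to be supported is not visible here; if it is not, a comment in the Makefile's `USER_*` block stating that each name must be a dedicated account created by preinst would be enough.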
@@ -36,16 +36,16 @@ case "$1" in
 chmod 0600 /etc/aziot/config.toml.template
 
 if [ -d /var/lib/aziot/certd ]; then
- chown aziotcs:aziotcs /var/lib/aziot/certd
+ chown @user_aziotcs@:@user_aziotcs@ /var/lib/aziot/certd
 fi
 if [ -d /var/lib/aziot/identityd ]; then
- chown aziotid:aziotid /var/lib/aziot/identityd
+ chown @user_aziotid@:@user_aziotid@ /var/lib/aziot/identityd
 fi
 if [ -d /var/lib/aziot/keyd ]; then
- chown aziotks:aziotks /var/lib/aziot/keyd
+ chown @user_aziotks@:@user_aziotks@ /var/lib/aziot/keyd
 fi
 if [ -d /var/lib/aziot/tpmd ]; then
- chown aziottpm:aziottpm /var/lib/aziot/tpmd
+ chown @user_aziottpm@:@user_aziottpm@ /var/lib/aziot/tpmd
 fi
 
 for d in \
diff --git a/contrib/debian/postrm b/contrib/debian/postrm
index 5f24a76bf..b69dbb633 100755
--- a/contrib/debian/postrm
+++ b/contrib/debian/postrm
@@ -23,10 +23,10 @@ case "$1" in
 systemctl daemon-reload
 
 # Kill all processes running under aziot-identity-service users.
- killall -SIGKILL -u aziotid || true
- killall -SIGKILL -u aziotcs || true
- killall -SIGKILL -u aziotks || true
- killall -SIGKILL -u aziottpm || true
+ [ "@user_aziotid@" != "root" ] && killall -SIGKILL -u @user_aziotid@ || true
+ [ "@user_aziotcs@" != "root" ] && killall -SIGKILL -u @user_aziotcs@ || true
+ [ "@user_aziotks@" != "root" ] && killall -SIGKILL -u @user_aziotks@ || true
+ [ "@user_aziottpm@" != "root" ] && killall -SIGKILL -u @user_aziottpm@ || true
 
 # Delete directories used by aziot-identity-service.
 rm -rf /etc/aziot
@@ -34,10 +34,10 @@ case "$1" in
 rm -rf /var/lib/aziot
 
 # Delete aziot-identity-service users.
- /usr/sbin/userdel aziotid
- /usr/sbin/userdel aziotcs
- /usr/sbin/userdel aziotks
- /usr/sbin/userdel aziottpm
+ [ "@user_aziotid@" != "root" ] && /usr/sbin/userdel @user_aziotid@
+ [ "@user_aziotcs@" != "root" ] && /usr/sbin/userdel @user_aziotcs@
+ [ "@user_aziotks@" != "root" ] && /usr/sbin/userdel @user_aziotks@
+ [ "@user_aziottpm@" != "root" ] && /usr/sbin/userdel @user_aziottpm@
 ;;
 remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
 ;;
diff --git a/contrib/debian/preinst b/contrib/debian/preinst
index 3f3ce6a1c..0ebf7ca12 100755
--- a/contrib/debian/preinst
+++ b/contrib/debian/preinst
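Review bot: `[ "@user_aziotid@" != "root" ] && /usr/sbin/userdel @user_aziotid@` has no `|| true`, unlike the kill lines in the previous hunk, so when the configured user is root the `&&` list finishes with a non-zero status; that does not trip `set -e` (a failing non-final command of an `&&` list is exempt), but it is the last command of the purge arm, and if the script's exit status is taken from it a root-configured purge would be reported as failed. Writing each line as `if [ "@user_aziotid@" != "root" ]; then /usr/sbin/userdel @user_aziotid@; fi` keeps the root guard and, unlike appending `|| true`, still surfaces a genuine userdel failure as the old code did. I cannot see whether this postrm sets `-e` or ends with an explicit `exit 0` after `esac`, which decides how much this matters.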
@@ -18,39 +18,39 @@ case "$1" in # For each of CS, IS, KS: create group, create user, create home directory (in case user already exists from a previous install # but the user deleted the directory manually) - if ! /usr/bin/getent group aziotks >/dev/null; then - /usr/sbin/groupadd -r aziotks + if ! /usr/bin/getent group @user_aziotks@ >/dev/null; then + /usr/sbin/groupadd -r @user_aziotks@ fi - if ! /usr/bin/getent passwd aziotks >/dev/null; then - /usr/sbin/useradd -r -g aziotks -c 'aziot-keyd user' -s /sbin/nologin -d /var/lib/aziot/keyd aziotks + if ! /usr/bin/getent passwd @user_aziotks@ >/dev/null; then + /usr/sbin/useradd -r -g @user_aziotks@ -c 'aziot-keyd user' -s /sbin/nologin -d /var/lib/aziot/keyd @user_aziotks@ fi mkdir -p /var/lib/aziot/keyd - if ! /usr/bin/getent group aziottpm >/dev/null; then - /usr/sbin/groupadd -r aziottpm + if ! /usr/bin/getent group @user_aziottpm@ >/dev/null; then + /usr/sbin/groupadd -r @user_aziottpm@ fi - if ! /usr/bin/getent passwd aziottpm >/dev/null; then - /usr/sbin/useradd -r -g aziottpm -c 'aziot-tpmd user' -s /sbin/nologin -d /var/lib/aziot/tpmd aziottpm + if ! /usr/bin/getent passwd @user_aziottpm@ >/dev/null; then + /usr/sbin/useradd -r -g @user_aziottpm@ -c 'aziot-tpmd user' -s /sbin/nologin -d /var/lib/aziot/tpmd @user_aziottpm@ fi mkdir -p /var/lib/aziot/tpmd - if ! /usr/bin/getent group aziotcs >/dev/null; then - /usr/sbin/groupadd -r aziotcs + if ! /usr/bin/getent group @user_aziotcs@ >/dev/null; then + /usr/sbin/groupadd -r @user_aziotcs@ fi - if ! /usr/bin/getent passwd aziotcs >/dev/null; then - /usr/sbin/useradd -r -g aziotcs -c 'aziot-certd user' -s /sbin/nologin -d /var/lib/aziot/certd aziotcs - /usr/sbin/usermod -aG aziotks aziotcs + if ! /usr/bin/getent passwd @user_aziotcs@ >/dev/null; then + /usr/sbin/useradd -r -g @user_aziotcs@ -c 'aziot-certd user' -s /sbin/nologin -d /var/lib/aziot/certd @user_aziotcs@ + /usr/sbin/usermod -aG @user_aziotks@ @user_aziotcs@ fi mkdir -p /var/lib/aziot/certd - if ! 
/usr/bin/getent group aziotid >/dev/null; then - /usr/sbin/groupadd -r aziotid + if ! /usr/bin/getent group @user_aziotid@ >/dev/null; then + /usr/sbin/groupadd -r @user_aziotid@ fi - if ! /usr/bin/getent passwd aziotid >/dev/null; then - /usr/sbin/useradd -r -g aziotid -c 'aziot-identityd user' -s /sbin/nologin -d /var/lib/aziot/identityd aziotid - /usr/sbin/usermod -aG aziotcs aziotid - /usr/sbin/usermod -aG aziotks aziotid - /usr/sbin/usermod -aG aziottpm aziotid + if ! /usr/bin/getent passwd @user_aziotid@ >/dev/null; then + /usr/sbin/useradd -r -g @user_aziotid@ -c 'aziot-identityd user' -s /sbin/nologin -d /var/lib/aziot/identityd @user_aziotid@ + /usr/sbin/usermod -aG @user_aziotcs@ @user_aziotid@ + /usr/sbin/usermod -aG @user_aziotks@ @user_aziotid@ + /usr/sbin/usermod -aG @user_aziottpm@ @user_aziotid@ fi mkdir -p /var/lib/aziot/identityd ;; diff --git a/contrib/enterprise-linux/aziot-identity-service.spec.in b/contrib/enterprise-linux/aziot-identity-service.spec.in index 836ea2637..836770b6e 100644 --- a/contrib/enterprise-linux/aziot-identity-service.spec.in +++ b/contrib/enterprise-linux/aziot-identity-service.spec.in 
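Review bot: The `usermod -aG @user_aziotks@ @user_aziotcs@` line and the three `usermod -aG … @user_aziotid@` lines remain inside the `if ! /usr/bin/getent passwd …` blocks, so they run only when preinst itself creates the account. With the names now configurable, an override to an account that already exists skips those supplementary-group memberships, which are presumably what lets identityd reach the 0660 sockets owned by the other accounts, and nothing reports it at install time. `usermod -aG` is idempotent, so moving the four lines after their respective `fi` (skipping them when the name is `root`, as postrm does) would make membership hold for pre-existing accounts as well; the spec.in hunk that follows has the same structure and would need the same move.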
@@ -84,36 +84,36 @@ make -j \ # For each of CS, IS, KS: create group, create user, create home directory (in case user already exists from a previous install # but the user deleted the directory manually) -if ! %{_bindir}/getent group aziotks >/dev/null; then - %{_sbindir}/groupadd -r aziotks +if ! %{_bindir}/getent group @user_aziotks@ >/dev/null; then + %{_sbindir}/groupadd -r @user_aziotks@ fi -if ! %{_bindir}/getent passwd aziotks >/dev/null; then - %{_sbindir}/useradd -r -g aziotks -c 'aziot-keyd user' -s /sbin/nologin -d /var/lib/aziot/keyd aziotks +if ! %{_bindir}/getent passwd @user_aziotks@ >/dev/null; then + %{_sbindir}/useradd -r -g @user_aziotks@ -c 'aziot-keyd user' -s /sbin/nologin -d /var/lib/aziot/keyd @user_aziotks@ fi -if ! %{_bindir}/getent group aziottpm >/dev/null; then - %{_sbindir}/groupadd -r aziottpm +if ! %{_bindir}/getent group @user_aziottpm@ >/dev/null; then + %{_sbindir}/groupadd -r @user_aziottpm@ fi -if ! %{_bindir}/getent passwd aziottpm >/dev/null; then - %{_sbindir}/useradd -r -g aziottpm -c 'aziot-tpmd user' -s /sbin/nologin -d /var/lib/aziot/tpmd aziottpm +if ! %{_bindir}/getent passwd @user_aziottpm@ >/dev/null; then + %{_sbindir}/useradd -r -g @user_aziottpm@ -c 'aziot-tpmd user' -s /sbin/nologin -d /var/lib/aziot/tpmd @user_aziottpm@ fi -if ! %{_bindir}/getent group aziotcs >/dev/null; then - %{_sbindir}/groupadd -r aziotcs +if ! %{_bindir}/getent group @user_aziotcs@ >/dev/null; then + %{_sbindir}/groupadd -r @user_aziotcs@ fi -if ! %{_bindir}/getent passwd aziotcs >/dev/null; then - %{_sbindir}/useradd -r -g aziotcs -c 'aziot-certd user' -s /sbin/nologin -d /var/lib/aziot/certd aziotcs - %{_sbindir}/usermod -aG aziotks aziotcs +if ! %{_bindir}/getent passwd @user_aziotcs@ >/dev/null; then + %{_sbindir}/useradd -r -g @user_aziotcs@ -c 'aziot-certd user' -s /sbin/nologin -d /var/lib/aziot/certd @user_aziotcs@ + %{_sbindir}/usermod -aG @user_aziotks@ @user_aziotcs@ fi -if ! 
%{_bindir}/getent group aziotid >/dev/null; then - %{_sbindir}/groupadd -r aziotid +if ! %{_bindir}/getent group @user_aziotid@ >/dev/null; then + %{_sbindir}/groupadd -r @user_aziotid@ fi -if ! %{_bindir}/getent passwd aziotid >/dev/null; then - %{_sbindir}/useradd -r -g aziotid -c 'aziot-identityd user' -s /sbin/nologin -d /var/lib/aziot/identityd aziotid - %{_sbindir}/usermod -aG aziotcs aziotid - %{_sbindir}/usermod -aG aziotks aziotid - %{_sbindir}/usermod -aG aziottpm aziotid +if ! %{_bindir}/getent passwd @user_aziotid@ >/dev/null; then + %{_sbindir}/useradd -r -g @user_aziotid@ -c 'aziot-identityd user' -s /sbin/nologin -d /var/lib/aziot/identityd @user_aziotid@ + %{_sbindir}/usermod -aG @user_aziotcs@ @user_aziotid@ + %{_sbindir}/usermod -aG @user_aziotks@ @user_aziotid@ + %{_sbindir}/usermod -aG @user_aziottpm@ @user_aziotid@ fi 
@@ -158,25 +158,25 @@ fi %{_libdir}/%{name}/*.so* # Default configs and config directories -%attr(400, aziotcs, aziotcs) %{_sysconfdir}/aziot/certd/config.toml.default -%attr(700, aziotcs, aziotcs) %dir %{_sysconfdir}/aziot/certd/config.d +%attr(400, @user_aziotcs@, @user_aziotcs@) %{_sysconfdir}/aziot/certd/config.toml.default +%attr(700, @user_aziotcs@, @user_aziotcs@) %dir %{_sysconfdir}/aziot/certd/config.d -%attr(400, aziotid, aziotid) %{_sysconfdir}/aziot/identityd/config.toml.default -%attr(700, aziotid, aziotid) %dir %{_sysconfdir}/aziot/identityd/config.d +%attr(400, @user_aziotid@, @user_aziotid@) %{_sysconfdir}/aziot/identityd/config.toml.default +%attr(700, @user_aziotid@, @user_aziotid@) %dir %{_sysconfdir}/aziot/identityd/config.d -%attr(400, aziotks, aziotks) %{_sysconfdir}/aziot/keyd/config.toml.default -%attr(700, aziotks, aziotks) %dir %{_sysconfdir}/aziot/keyd/config.d +%attr(400, @user_aziotks@, @user_aziotks@) %{_sysconfdir}/aziot/keyd/config.toml.default +%attr(700, @user_aziotks@, @user_aziotks@) %dir %{_sysconfdir}/aziot/keyd/config.d -%attr(400, aziottpm, aziottpm) %{_sysconfdir}/aziot/tpmd/config.toml.default -%attr(700, aziottpm, aziottpm) %dir %{_sysconfdir}/aziot/tpmd/config.d +%attr(400, @user_aziottpm@, @user_aziottpm@) %{_sysconfdir}/aziot/tpmd/config.toml.default +%attr(700, @user_aziottpm@, @user_aziottpm@) %dir %{_sysconfdir}/aziot/tpmd/config.d %attr(600, root, root) %{_sysconfdir}/aziot/config.toml.template # Home directories -%attr(-, aziotcs, aziotcs) %dir /var/lib/aziot/certd -%attr(-, aziotid, aziotid) %dir /var/lib/aziot/identityd -%attr(-, aziotks, aziotks) %dir /var/lib/aziot/keyd -%attr(-, aziottpm, aziottpm) %dir /var/lib/aziot/tpmd +%attr(-, @user_aziotcs@, @user_aziotcs@) %dir /var/lib/aziot/certd +%attr(-, @user_aziotid@, @user_aziotid@) %dir /var/lib/aziot/identityd +%attr(-, @user_aziotks@, @user_aziotks@) %dir /var/lib/aziot/keyd +%attr(-, @user_aziottpm@, @user_aziottpm@) %dir /var/lib/aziot/tpmd # Systemd 
services and sockets %{_unitdir}/aziot-certd.service diff --git a/identity/aziot-identityd/aziot-identityd.service.in b/identity/aziot-identityd/aziot-identityd.service.in index 42adf6f07..7e261fd22 100644 --- a/identity/aziot-identityd/aziot-identityd.service.in +++ b/identity/aziot-identityd/aziot-identityd.service.in @@ -9,7 +9,7 @@ ExecStart=@libexecdir@/aziot-identity-service/aziot-identityd KillMode=process Restart=on-failure RestartSec=5s -User=aziotid +User=@user_aziotid@ [Install] WantedBy=multi-user.target diff --git a/identity/aziot-identityd/aziot-identityd.socket b/identity/aziot-identityd/aziot-identityd.socket.in similarity index 79% rename from identity/aziot-identityd/aziot-identityd.socket rename to identity/aziot-identityd/aziot-identityd.socket.in index f3e5de556..23e910a37 100644 --- a/identity/aziot-identityd/aziot-identityd.socket +++ b/identity/aziot-identityd/aziot-identityd.socket.in @@ -6,8 +6,8 @@ PartOf=aziot-identityd.service ListenStream=/run/aziot/identityd.sock SocketMode=0660 DirectoryMode=0755 -SocketUser=aziotid -SocketGroup=aziotid +SocketUser=@user_aziotid@ +SocketGroup=@user_aziotid@ [Install] WantedBy=sockets.target diff --git a/key/aziot-keyd/aziot-keyd.service.in b/key/aziot-keyd/aziot-keyd.service.in index cf66c34c1..0a33965fd 100644 --- a/key/aziot-keyd/aziot-keyd.service.in +++ b/key/aziot-keyd/aziot-keyd.service.in @@ -9,7 +9,7 @@ ExecStart=@libexecdir@/aziot-identity-service/aziot-keyd KillMode=process Restart=on-failure RestartSec=5s -User=aziotks +User=@user_aziotks@ [Install] WantedBy=multi-user.target diff --git a/key/aziot-keyd/aziot-keyd.socket b/key/aziot-keyd/aziot-keyd.socket.in similarity index 78% rename from key/aziot-keyd/aziot-keyd.socket rename to key/aziot-keyd/aziot-keyd.socket.in index 739d1a4ee..beb7b8123 100644 --- a/key/aziot-keyd/aziot-keyd.socket +++ b/key/aziot-keyd/aziot-keyd.socket.in 
@@ -6,8 +6,8 @@ PartOf=aziot-keyd.service ListenStream=/run/aziot/keyd.sock SocketMode=0660 DirectoryMode=0755 -SocketUser=aziotks -SocketGroup=aziotks +SocketUser=@user_aziotks@ +SocketGroup=@user_aziotks@ [Install] WantedBy=sockets.target diff --git a/tpm/aziot-tpmd/aziot-tpmd.service.in b/tpm/aziot-tpmd/aziot-tpmd.service.in index 34e1d10f4..31bbfc4ff 100644 --- a/tpm/aziot-tpmd/aziot-tpmd.service.in +++ b/tpm/aziot-tpmd/aziot-tpmd.service.in @@ -9,7 +9,7 @@ ExecStart=@libexecdir@/aziot-identity-service/aziot-tpmd KillMode=process Restart=on-failure RestartSec=5s -User=aziottpm +User=@user_aziottpm@ [Install] WantedBy=multi-user.target diff --git a/tpm/aziot-tpmd/aziot-tpmd.socket b/tpm/aziot-tpmd/aziot-tpmd.socket.in similarity index 77% rename from tpm/aziot-tpmd/aziot-tpmd.socket rename to tpm/aziot-tpmd/aziot-tpmd.socket.in index b49fd4a46..201927c0c 100644 --- a/tpm/aziot-tpmd/aziot-tpmd.socket +++ b/tpm/aziot-tpmd/aziot-tpmd.socket.in @@ -6,8 +6,8 @@ PartOf=aziot-tpmd.service ListenStream=/run/aziot/tpmd.sock SocketMode=0660 DirectoryMode=0755 -SocketUser=aziottpm -SocketGroup=aziottpm +SocketUser=@user_aziottpm@ +SocketGroup=@user_aziottpm@ [Install] WantedBy=sockets.target