diff --git a/analyzer/README.md b/analyzer/README.md index 4d9169c7f..a1f7f2054 100644 --- a/analyzer/README.md +++ b/analyzer/README.md @@ -23,16 +23,16 @@ rabbitmqctl set_permissions -p /airtime airtime .\* .\* .\* ## Usage This program must run as a user with permissions to write to your Airtime music library -directory. For standard Airtime installations, run it as the www-data user: +directory. For standard Airtime installations, run it as the libretime user: ```bash -sudo -u www-data libretime-analyzer --daemon +sudo -u libretime libretime-analyzer --daemon ``` Or during development, add the --debug flag for more verbose output: ```bash -sudo -u www-data libretime-analyzer --debug +sudo -u libretime libretime-analyzer --debug ``` To print usage instructions, run: diff --git a/analyzer/install/systemd/libretime-analyzer.service b/analyzer/install/systemd/libretime-analyzer.service index b4109116f..8c3d95eaf 100644 --- a/analyzer/install/systemd/libretime-analyzer.service +++ b/analyzer/install/systemd/libretime-analyzer.service @@ -8,8 +8,8 @@ Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@ WorkingDirectory=@@WORKING_DIR@@/analyzer ExecStart=/usr/local/bin/libretime-analyzer -User=libretime-analyzer -Group=libretime-analyzer +User=libretime +Group=libretime Restart=always [Install] diff --git a/api/README.md b/api/README.md index f90aaf42a..aa6777c9d 100644 --- a/api/README.md +++ b/api/README.md @@ -64,7 +64,7 @@ cd /vagrant/api sudo pip3 install -e . sudo systemctl stop libretime-api -sudo -u www-data LIBRETIME_DEBUG=True libretime-api runserver 0.0.0.0:8081 +sudo -u libretime LIBRETIME_DEBUG=True libretime-api runserver 0.0.0.0:8081 ``` ## 3rd Party Licences diff --git a/api/install/systemd/libretime-api.service b/api/install/systemd/libretime-api.service index 20fa55600..6ac548408 100644 --- a/api/install/systemd/libretime-api.service +++ b/api/install/systemd/libretime-api.service 
@@ -16,8 +16,8 @@ ExecStart=/usr/bin/gunicorn \ --bind 127.0.0.1:8081 \ libretime_api.wsgi ExecReload=/bin/kill -s HUP $MAINPID -User=libretime-api -Group=libretime-api +User=libretime +Group=libretime Restart=always [Install] diff --git a/docs/admin-manual/library.md b/docs/admin-manual/library.md index 288a9e853..017a547c4 100644 --- a/docs/admin-manual/library.md +++ b/docs/admin-manual/library.md @@ -10,7 +10,7 @@ This page describe the available options to manage the LibreTime library. To scan a directory and import the files into the library, you can use the following command: ```bash -sudo -u www-data libretime-api bulk_import --path PATH_THE_DIRECTORY_TO_SCAN +sudo -u libretime libretime-api bulk_import --path PATH_THE_DIRECTORY_TO_SCAN ``` See the command usage to get available options. diff --git a/docs/admin-manual/setup/install.md b/docs/admin-manual/setup/install.md index 93864f31a..5ebc6021e 100644 --- a/docs/admin-manual/setup/install.md +++ b/docs/admin-manual/setup/install.md @@ -162,10 +162,10 @@ Feel free to run `./install --help` to get more details. #### Using hardware audio output -If you plan to output analog audio directly to a mixing console or transmitter, the user running LibreTime (by default `www-data`) needs to be added to the `audio` user group using the command below: +If you plan to output analog audio directly to a mixing console or transmitter, the user running LibreTime needs to be added to the `audio` user group using the command below: ```bash -sudo adduser www-data audio +sudo adduser libretime audio ``` ### Setup @@ -175,7 +175,7 @@ Once the installation is completed, edit the [configuration file](./configuratio Next, run the following commands to setup the database: ```bash -sudo -u www-data libretime-api migrate +sudo -u libretime libretime-api migrate ``` Synchronize the new Icecast passwords into the database: 
diff --git a/docs/admin-manual/setup/upgrade.md b/docs/admin-manual/setup/upgrade.md index 45e0c6c87..855288b93 100644 --- a/docs/admin-manual/setup/upgrade.md +++ b/docs/admin-manual/setup/upgrade.md @@ -36,7 +36,7 @@ Be sure to carefully read **all** the [releases notes](../../releases/README.md) Run the following command to apply the database migrations: ```bash -sudo -u www-data libretime-api migrate +sudo -u libretime libretime-api migrate ``` ## Restart the services diff --git a/docs/admin-manual/troubleshooting.md b/docs/admin-manual/troubleshooting.md index e86d282b6..538bd1fd0 100644 --- a/docs/admin-manual/troubleshooting.md +++ b/docs/admin-manual/troubleshooting.md @@ -49,7 +49,7 @@ On a common setup, to access LibreTime specific logs you should search for the f For some LibreTime services, you can set a higher log level using the `LIBRETIME_LOG_LEVEL` environment variable, or by running the service by hand and using a command line flag: ```bash -sudo -u www-data libretime-analyzer --config /etc/libretime/config.yml --log-level debug +sudo -u libretime libretime-analyzer --config /etc/libretime/config.yml --log-level debug ``` The `/var/log/apache2/libretime.error.log` file contains logs from the web server. diff --git a/docs/releases/unreleased.md b/docs/releases/unreleased.md index 3462d040c..5d00d7c84 100644 --- a/docs/releases/unreleased.md +++ b/docs/releases/unreleased.md 
@@ -110,6 +110,21 @@ The worker service no longer uses a dedicated `celery` user to run. The old `cel sudo deluser celery ``` +### LibreTime user + +The LibreTime services now run using a dedicated `libretime` user instead of the default `www-data` user. Be sure to change the ownership of the LibreTime files: + +```bash +# Configuration directory +sudo chown -R libretime:libretime /etc/libretime +# Logs directory +sudo chown -R libretime:libretime /var/log/libretime +# Runtime directory +sudo chown -R libretime:libretime /var/lib/libretime +# Storage directory +sudo chown -R libretime:libretime /srv/libretime +``` + ### New configuration schema The configuration schema was updated. diff --git a/docs/user-manual/playout-history.md b/docs/user-manual/playout-history.md index 5bf896929..16342439e 100644 --- a/docs/user-manual/playout-history.md +++ b/docs/user-manual/playout-history.md @@ -311,7 +311,7 @@ sudo nano /etc/cron.d/libretime-schedule containing the line: ``` -* * * * * www-data /usr/local/bin/libretime-schedule.sh +* * * * * libretime /usr/local/bin/libretime-schedule.sh ``` The schedule server will now be serving the same show information as the LibreTime server, with a cache lifetime of one minute. You can adjust the cache lifetime by altering the frequency of the cron job that polls the LibreTime server. diff --git a/install b/install index 637bec1b1..ac5658a29 100755 --- a/install +++ b/install @@ -98,7 +98,7 @@ EOF # Configuration # > User used to run LibreTime. -LIBRETIME_USER=${LIBRETIME_USER:-"www-data"} +LIBRETIME_USER=${LIBRETIME_USER:-"libretime"} # > Listen port for LibreTime. LIBRETIME_LISTEN_PORT=${LIBRETIME_LISTEN_PORT:-"80"} # > Public URL for LibreTime. @@ -177,6 +177,8 @@ done PYTHON="python3" PIP="$PYTHON -m pip" +DEFAULT_WEB_USER="www-data" + # Paths CONFIG_DIR="/etc/libretime" CONFIG_FILEPATH="$CONFIG_DIR/config.yml" 
@@ -394,6 +396,11 @@ prepare_packages_install install_packages git make make VERSION +info "creating project user" +if ! id "$LIBRETIME_USER" &> /dev/null; then + useradd --no-create-home --home-dir "$WORKING_DIR" "$LIBRETIME_USER" +fi + info "creating project directories" # TODO: Config dir should not be owned by www-data and should be readonly mkdir_and_chown "$LIBRETIME_USER" "$CONFIG_DIR" diff --git a/installer/vagrant/debian.sh b/installer/vagrant/debian.sh index fc8770da8..56d822419 100755 --- a/installer/vagrant/debian.sh +++ b/installer/vagrant/debian.sh @@ -6,6 +6,4 @@ DEBIAN_FRONTEND=noninteractive apt-get update --allow-releaseinfo-change DEBIAN_FRONTEND=noninteractive apt-get -y -qq install auto-apt-proxy # Install utils -DEBIAN_FRONTEND=noninteractive apt-get -y -qq install alsa-utils vim -usermod -a -G audio vagrant -usermod -a -G audio www-data +DEBIAN_FRONTEND=noninteractive apt-get -y -qq install vim diff --git a/installer/vagrant/post-install.sh b/installer/vagrant/post-install.sh index 91ba5612a..8b30a72f9 100755 --- a/installer/vagrant/post-install.sh +++ b/installer/vagrant/post-install.sh @@ -15,3 +15,8 @@ systemctl restart postgresql.service # Setup rabbitmq management interface rabbitmq-plugins enable rabbitmq_management rabbitmqctl set_user_tags libretime administrator + +# Setup audio +DEBIAN_FRONTEND=noninteractive apt-get -y -qq install alsa-utils +usermod -a -G audio vagrant +usermod -a -G audio libretime diff --git a/playout/install/systemd/libretime-liquidsoap.service b/playout/install/systemd/libretime-liquidsoap.service index d61dd5230..acc7a9266 100644 --- a/playout/install/systemd/libretime-liquidsoap.service +++ b/playout/install/systemd/libretime-liquidsoap.service @@ -8,8 +8,8 @@ Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@ WorkingDirectory=@@WORKING_DIR@@/playout ExecStart=/usr/local/bin/libretime-liquidsoap -User=libretime-playout -Group=libretime-playout +User=libretime +Group=libretime Restart=always [Install] 
diff --git a/playout/install/systemd/libretime-playout.service b/playout/install/systemd/libretime-playout.service index 049b3fa62..ae4bc1cd2 100644 --- a/playout/install/systemd/libretime-playout.service +++ b/playout/install/systemd/libretime-playout.service @@ -8,8 +8,8 @@ Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@ WorkingDirectory=@@WORKING_DIR@@/playout ExecStart=/usr/local/bin/libretime-playout -User=libretime-playout -Group=libretime-playout +User=libretime +Group=libretime Restart=always [Install] diff --git a/worker/install/systemd/libretime-celery.service b/worker/install/systemd/libretime-celery.service index 9e18f1a8e..a8263e3a8 100644 --- a/worker/install/systemd/libretime-celery.service +++ b/worker/install/systemd/libretime-celery.service @@ -14,8 +14,8 @@ ExecStart=/usr/bin/sh -c 'celery worker \ --concurrency=1 \ --loglevel=INFO \ --logfile=$LIBRETIME_LOG_FILEPATH' -User=libretime-worker -Group=libretime-worker +User=libretime +Group=libretime Restart=always [Install]
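Review bot: in `install`, hunk `@@ -394,6 +396,11`, the `useradd --no-create-home --home-dir "$WORKING_DIR" "$LIBRETIME_USER"` call creates an ordinary account. There is no `--system` and no `--shell`, so the service user gets a regular UID and whatever default login shell the host is configured with. For an account that only runs daemons, suggest `useradd --system --no-create-home --home-dir "$WORKING_DIR" --shell /usr/sbin/nologin "$LIBRETIME_USER"`. The unchanged TODO directly below still says "Config dir should not be owned by www-data"; with the new default it should refer to `$LIBRETIME_USER`, and the point it makes (a config directory that is read-only for the service user) still holds after this change.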
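Review bot: the `User=`/`Group=` hunks in the five systemd units (`libretime-analyzer.service`, `libretime-api.service`, `libretime-liquidsoap.service`, `libretime-playout.service`, `libretime-celery.service`) replace four separate accounts (`libretime-analyzer`, `libretime-api`, `libretime-playout`, `libretime-worker`) with one shared `libretime` account, which removes the file-permission boundary between the services. After this change every service can read and write everything `libretime` owns, including `/etc/libretime`. If a single account is the intended design, the commit message or release notes should say why, and the units would benefit from per-service restrictions to compensate, for example `NoNewPrivileges=true` and `ProtectSystem=strict` with `ReadWritePaths=` limited to the directories each service actually needs.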
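Review bot: in `docs/releases/unreleased.md`, hunk `@@ -110,6 +110,21`, the upgrade steps go straight to `sudo chown -R libretime:libretime ...` without saying where the `libretime` account comes from on an existing installation. The only place this patch creates it is the `useradd` block in `install`. Either state that re-running the installer creates the user, or add the creation step before the `chown` commands. The section should also list the other places this patch touches that an upgrading admin has to change by hand: the `audio` group membership (`sudo adduser libretime audio`) and the `/etc/cron.d/libretime-schedule` entry. Separately, `chown -R libretime:libretime /etc/libretime` makes the configuration writable by the service user, which is the opposite of what the TODO in `install` asks for; consider root ownership with group read access for `libretime` instead.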
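Review bot: in `docs/admin-manual/setup/install.md`, hunk `@@ -162,10 +162,10`, the sentence drops "(by default `www-data`)" instead of updating it, while the command below hard-codes `sudo adduser libretime audio`. Since `LIBRETIME_USER` in `install` can still be overridden, keep the parenthetical as "(by default `libretime`)" so readers who chose another user know to substitute it. The same applies to `usermod -a -G audio libretime` in `installer/vagrant/post-install.sh`, which assumes the default user name.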
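Review bot: in `install`, hunk `@@ -177,6 +177,8`, `DEFAULT_WEB_USER="www-data"` is added without a comment and is not referenced by any other line shown in this patch. Add a one-line comment stating what it is for (presumably the web server account that still needs access to some LibreTime files) and make sure the code that uses it is part of the same change, otherwise it reads as a leftover.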