Different approach for running airtime services as unprivileged user

2015-01-08 12:56:09 -05:00 · 2015-01-08 12:56:09 -05:00 · ab35827439
parent 301c0eb4b0
commit ab35827439
5 changed files with 19 additions and 75 deletions
--- a/installer/install
+++ b/installer/install
@ -374,12 +374,14 @@ verbose "\n * Creating liquidsoap symlink..."
 ln -sf /usr/bin/liquidsoap /usr/bin/airtime-liquidsoap
 verbose "...Done"

-sed "s@WEB_USER@${web_user}@g" ${SCRIPT_DIR}/lib/Upstart.conf > /etc/dbus-1/system.d/Upstart.conf
-chmod 644 /etc/init/airtime*
+sed "s@WEB_USER@${web_user}@g;s@WEB_ROOT@${web_root}@g" ${SCRIPT_DIR}/lib/airtime-session-init.conf > /etc/init/airtime-session-init.conf
+chmod 644 /etc/init/airtime/*

 service dbus restart
 initctl reload-configuration

+service airtime-session-init start
+
 if [ ! -d /var/log/airtime ]; then
    loud "\n-----------------------------------------------------"
    loud "              * Installing Log Files *               "
--- a/installer/lib/Upstart.conf
+++ b/installer/lib/Upstart.conf
@ -1,71 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" ?>
-<!DOCTYPE busconfig PUBLIC
-  "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
-  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-
-<busconfig>
-  <!-- Only the root user can own the Upstart name -->
-  <policy user="root">
-    <allow own="com.ubuntu.Upstart" />
-  </policy>
-
-  <!-- Permit the root user to invoke all of the methods on Upstart, its jobs
-       or their instances, and to get and set properties. -->
-  <policy user="root">
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="org.freedesktop.DBus.Properties" />
-
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="com.ubuntu.Upstart0_6" />
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="com.ubuntu.Upstart0_6.Job" />
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="com.ubuntu.Upstart0_6.Instance" />
-  </policy>
-
-  <!-- Allow any user to introspect Upstart's interfaces, to obtain the
-       values of properties (but not set them) and to invoke selected
-       methods on Upstart and its jobs that are used to walk information. -->
-  <policy context="default">
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="org.freedesktop.DBus.Introspectable" />
-
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="org.freedesktop.DBus.Properties"
-       send_type="method_call" send_member="Get" />
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="org.freedesktop.DBus.Properties"
-       send_type="method_call" send_member="GetAll" />
-
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="com.ubuntu.Upstart0_6"
-       send_type="method_call" send_member="GetJobByName" />
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="com.ubuntu.Upstart0_6"
-       send_type="method_call" send_member="GetAllJobs" />
-
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="com.ubuntu.Upstart0_6.Job"
-       send_type="method_call" send_member="GetInstance" />
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="com.ubuntu.Upstart0_6.Job"
-       send_type="method_call" send_member="GetInstanceByName" />
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="com.ubuntu.Upstart0_6.Job"
-       send_type="method_call" send_member="GetAllInstances" />
-  </policy>
-  
-  <!-- Permit the web user to invoke all of the methods on Upstart, its jobs
-       or their instances, and to get and set properties. -->
-  <policy user="WEB_USER">
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="org.freedesktop.DBus.Properties" />
-
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="com.ubuntu.Upstart0_6" />
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="com.ubuntu.Upstart0_6.Job" />
-    <allow send_destination="com.ubuntu.Upstart"
-       send_interface="com.ubuntu.Upstart0_6.Instance" />
-  </policy>
-</busconfig>
--- a/installer/lib/airtime-session-init.conf
+++ b/installer/lib/airtime-session-init.conf
@ -0,0 +1,13 @@
+instance WEB_USER
+
+stop on runlevel [016]
+
+script
+  uid=WEB_USER
+  HOME=WEB_ROOT
+
+  export XDG_RUNTIME_DIR="/run/airtime"
+  export HOME
+
+  exec su -s /bin/sh -c 'exec "$0" "$@"' $USER -- init --user --confdir /etc/init/airtime
+end script
--- a/python_apps/media-monitor/setup.py
+++ b/python_apps/media-monitor/setup.py
@ -12,7 +12,7 @@ if '--no-init-script' in sys.argv:
    data_files = []
    sys.argv.remove('--no-init-script') # super hax
 else:
-    data_files = [('/etc/init', ['install/airtime-media-monitor.conf'])]
+    data_files = [('/etc/init/airtime', ['install/airtime-media-monitor.conf'])]
    print data_files

 setup(name='airtime-media-monitor',
--- a/python_apps/pypo/setup.py
+++ b/python_apps/pypo/setup.py
@ -12,7 +12,7 @@ if '--no-init-script' in sys.argv:
    data_files = []
    sys.argv.remove('--no-init-script') # super hax
 else:
-    data_files = [('/etc/init', ['install/airtime-playout.conf', 'install/airtime-liquidsoap.conf'])]
+    data_files = [('/etc/init/airtime', ['install/airtime-playout.conf', 'install/airtime-liquidsoap.conf'])]
    print data_files

 setup(name='airtime-playout',