From 4ebedace1e9f590b0b6286540f2140e4a73489fc Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Fri, 25 Sep 2020 18:23:04 +0200
Subject: [PATCH] systemd unit: run as "sftpgo" system user

Update the docs too

Fixes #177
---
 docs/howto/postgresql-s3.md | 26 ++------------------------
 docs/service.md | 23 +++++++++++++++++++++--
 init/sftpgo.service | 4 ++--
 sftpd/sftpd_test.go | 5 +++++
 4 files changed, 30 insertions(+), 28 deletions(-)

diff --git a/docs/howto/postgresql-s3.md b/docs/howto/postgresql-s3.md
index 09d02581..cbf72447 100644
--- a/docs/howto/postgresql-s3.md
+++ b/docs/howto/postgresql-s3.md
@@ -204,34 +204,12 @@ $ sftpgo initprovider -c /etc/sftpgo
 
 ## Install SFTPGo systemd service
 
-Create the systemd service file `/etc/systemd/system/sftpgo.service` with the following content:
+Copy the systemd service file.
 
 ```shell
-[Unit]
-Description=SFTPGo Server
-After=network.target postgresql.service
-
-[Service]
-User=sftpgo
-Group=sftpgo
-Type=simple
-WorkingDirectory=/etc/sftpgo
-Environment=SFTPGO_CONFIG_DIR=/etc/sftpgo/
-Environment=SFTPGO_LOG_FILE_PATH=
-EnvironmentFile=-/etc/sftpgo/sftpgo.env
-ExecStart=/usr/bin/sftpgo serve
-ExecReload=/bin/kill -s HUP $MAINPID
-KillMode=mixed
-PrivateTmp=true
-Restart=always
-RestartSec=10s
-
-[Install]
-WantedBy=multi-user.target
+sudo install -Dm644 init/sftpgo.service /etc/systemd/system
 ```
 
-This way SFTPGo will run using the dedicated `sftpgo` user and the service will start after PostgreSQL.
-
 Next, start the SFTPGo service and add it to the system boot.
 
 ```shell
diff --git a/docs/service.md b/docs/service.md
index cfcbea28..2af9c55b 100644
--- a/docs/service.md
+++ b/docs/service.md
@@ -1,12 +1,25 @@
 # Running SFTPGo as a service
 
+Download a binary SFTPGo [release](https://github.com/drakkan/sftpgo/releases) or a build artifact for the [latest commit](https://github.com/drakkan/sftpgo/actions) or build SFTPGo yourself.
+
+Run the following instructions from the directory that contains the sftpgo binary and the accompanying files.
+
 ## Linux
 
 For Linux, a `systemd` sample [service](../init/sftpgo.service "systemd service") can be found inside the source tree.
 
-Here are some basic instructions to run SFTPGo as service, please run the following commands from the directory where you downloaded SFTPGo:
+Here are some basic instructions to run SFTPGo as service using a dedicated `sftpgo` system account, please run the following commands from the directory where you downloaded SFTPGo:
 
 ```bash
+# create the sftpgo user and group
+sudo groupadd --system sftpgo
+sudo useradd --system \
+  --gid sftpgo \
+  --no-create-home \
+  --home-dir /var/lib/sftpgo \
+  --shell /usr/sbin/nologin \
+  --comment "SFTPGo user" \
+  sftpgo
 # create the required directories
 sudo mkdir -p /etc/sftpgo \
   /var/lib/sftpgo \
@@ -23,11 +36,17 @@ sudo sh -c 'echo "SFTPGO_HTTPD__BACKUPS_PATH=/var/lib/sftpgo/backups" >> /etc/sf
 sudo sh -c 'echo "SFTPGO_DATA_PROVIDER__CREDENTIALS_PATH=/var/lib/sftpgo/credentials" >> /etc/sftpgo/sftpgo.env'
 # if you use a file based data provider such as sqlite or bolt consider to set the database path too, for example:
 #sudo sh -c 'echo "SFTPGO_DATA_PROVIDER__NAME=/var/lib/sftpgo/sftpgo.db" >> /etc/sftpgo/sftpgo.env'
+# also set the provider's PATH as env var to get initprovider to work with SQLite provider:
+#export SFTPGO_DATA_PROVIDER__NAME=/var/lib/sftpgo/sftpgo.db
 # install static files and templates for the web UI
 sudo cp -r static templates /usr/share/sftpgo/
+# set files and directory permissions
+sudo chown -R sftpgo:sftpgo /etc/sftpgo /var/lib/sftpgo
+sudo chmod 750 /etc/sftpgo /var/lib/sftpgo
+sudo chmod 640 /etc/sftpgo/sftpgo.json /etc/sftpgo/sftpgo.env
 # initialize the configured data provider
 # if you want to use MySQL or PostgreSQL you need to create the configured database before running the initprovider command
-sudo /usr/bin/sftpgo initprovider -c /etc/sftpgo/
+sudo -E su - sftpgo -m -s /bin/bash -c 'sftpgo initprovider -c /etc/sftpgo'
 # install the systemd service
 sudo install -Dm644 init/sftpgo.service /etc/systemd/system
 # start the service
diff --git a/init/sftpgo.service b/init/sftpgo.service
index bde868d9..a712d315 100644
--- a/init/sftpgo.service
+++ b/init/sftpgo.service
@@ -3,8 +3,8 @@ Description=SFTPGo Server
 After=network.target
 
 [Service]
-User=root
-Group=root
+User=sftpgo
+Group=sftpgo
 Type=simple
 WorkingDirectory=/etc/sftpgo
 Environment=SFTPGO_CONFIG_DIR=/etc/sftpgo/
diff --git a/sftpd/sftpd_test.go b/sftpd/sftpd_test.go
index c45eb558..6efd3f75 100644
--- a/sftpd/sftpd_test.go
+++ b/sftpd/sftpd_test.go
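Review bot: With `User=sftpgo` the service can no longer bind a port below 1024, so an instance configured to listen on 22 rather than an unprivileged port will fail at startup; if that is a supported setup the [Service] section needs `AmbientCapabilities=CAP_NET_BIND_SERVICE`, otherwise a comment such as `# unprivileged user: listening on ports below 1024 requires AmbientCapabilities=CAP_NET_BIND_SERVICE` documents the limitation where users will look for it. Now that the unit is unprivileged, `NoNewPrivileges=true` next to the existing `PrivateTmp=true` (visible in the copy of the unit removed from docs/howto/postgresql-s3.md) costs nothing and prevents the process from regaining privilege via setuid binaries. The change also makes the service depend on /etc/sftpgo and the data paths being owned or readable by this account; docs/service.md in this patch adds the chown/chmod steps, but docs/howto/postgresql-s3.md now just installs the unit, so unless the howto already covers ownership outside this hunk it should get the same steps or a pointer to service.md. The rest of the unit file is outside the hunk.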
@@ -906,6 +906,11 @@ func TestEscapeHomeDir(t *testing.T) {
 	assert.NoError(t, err)
 	_, err := client.ReadDir(testDir)
 	assert.Error(t, err, "reading a symbolic link outside home dir should not succeeded")
+	err = client.Chmod(path.Join(testDir, "sub", "dir"), os.ModePerm)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "SSH_FX_FAILURE")
+	}
+	assert.Error(t, err, "setstat on a file outside home dir must fail")
 	testFilePath := filepath.Join(homeBasePath, testFileName)
 	testFileSize := int64(65535)
 	err = createTestFile(testFilePath, testFileSize)
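Review bot: The trailing `assert.Error(t, err, "setstat on a file outside home dir must fail")` re-checks the same `err` that the `if assert.Error(t, err)` two lines above already verified, so it can only ever add a duplicate failure; fold the message into the first check, `if assert.Error(t, err, "setstat on a path outside home dir must fail") {`, and drop the second assert. The path under test is the directory `sub/dir`, so "path" reads better than "file" in the message. TestEscapeHomeDir starts and ends outside the hunk.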