[oe-commits] [meta-openembedded] 05/30: redis: do not run as root

git at git.openembedded.org git at git.openembedded.org
Fri Dec 9 11:08:06 UTC 2016


martin_jansa pushed a commit to branch master
in repository meta-openembedded.

commit a1bdd5f40e15312bb4891cfa2e0d67d590051d00
Author: Frank Meerkoetter <meerkoetter at googlemail.com>
AuthorDate: Thu Dec 1 19:45:26 2016 +0100

    redis: do not run as root
    
    Running a network facing daemon written in C as root is not
    a good idea. Introduce a redis system user/group for that.
    
    A drawback is that now redis can no longer increase the
    number of open fds to 10000 (MaxClients). If this is needed
    the ulimit needs to be tweaked in the init script or systemd
    unit file.
    
    This only affects systemd based systems.
    
    Signed-off-by: Frank Meerkoetter <frank at meerkoetter.org>
    Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>
---
 meta-oe/recipes-extended/redis/redis/redis.service | 4 ++--
 meta-oe/recipes-extended/redis/redis_3.0.2.bb      | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/meta-oe/recipes-extended/redis/redis/redis.service b/meta-oe/recipes-extended/redis/redis/redis.service
index e2dc6a7..577bb14 100644
--- a/meta-oe/recipes-extended/redis/redis/redis.service
+++ b/meta-oe/recipes-extended/redis/redis/redis.service
@@ -3,8 +3,8 @@ Description=Redis In-Memory Data Store
 After=network.target
 
 [Service]
-User=root
-Group=root
+User=redis
+Group=redis
 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
 ExecStop=/usr/bin/redis-cli shutdown
 Restart=always
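Review bot: The open-file limit regression that the commit message describes can be closed in this same `[Service]` section instead of being left to integrators. With `User=redis` the server can no longer raise its own RLIMIT_NOFILE, so a line such as `LimitNOFILE=10032` would restore it (maxclients plus the descriptors Redis reserves for itself; confirm the figure against the shipped redis.conf). Separately, check that every path redis.conf names for `pidfile`, `logfile` and `dir` is writable by the new account, since this commit only changes ownership of /var/lib/redis. The unit file continues past the end of this hunk.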
diff --git a/meta-oe/recipes-extended/redis/redis_3.0.2.bb b/meta-oe/recipes-extended/redis/redis_3.0.2.bb
index 98132d7..9395b33 100644
--- a/meta-oe/recipes-extended/redis/redis_3.0.2.bb
+++ b/meta-oe/recipes-extended/redis/redis_3.0.2.bb
@@ -19,7 +19,12 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
 SRC_URI[md5sum] = "87be8867447f62524b584813e5a7bd14"
 SRC_URI[sha256sum] = "93e422c0d584623601f89b956045be158889ebe594478a2c24e1bf218495633f"
 
-inherit autotools-brokensep update-rc.d systemd
+inherit autotools-brokensep update-rc.d systemd useradd
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM_${PN}  = "--system --home-dir /var/lib/redis -g redis --shell /bin/false redis"
+GROUPADD_PARAM_${PN} = "--system redis"
+
 
 REDIS_ON_SYSTEMD = "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}"
 
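Review bot: The `redis` account is created for every image, but only redis.service is switched to it. The recipe still inherits `update-rc.d` and installs a sysvinit script, which is not part of this diff and presumably keeps starting the server as root. A comment above `USERADD_PACKAGES` would make that gap visible to the next maintainer, for example `# redis user/group: used by redis.service only; init-redis-server still runs the daemon as root`. A follow-up could have the init script drop privileges as well, for instance with `start-stop-daemon --chuid redis` if that is how the script launches the server.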
@@ -31,6 +36,7 @@ do_install() {
     install -d ${D}/${sysconfdir}/init.d
     install -m 0755 ${WORKDIR}/init-redis-server ${D}/${sysconfdir}/init.d/redis-server
     install -d ${D}/var/lib/redis/
+    chown redis.redis ${D}/var/lib/redis/
 
     install -d ${D}${systemd_system_unitdir}
     install -m 0644 ${WORKDIR}/redis.service ${D}${systemd_system_unitdir}
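Review bot: The `install -d` on the line before the added `chown` leaves /var/lib/redis at the default 0755, so any local account can still list the data directory and read dump files whose own mode allows it. Creating it owner- and group-only fits the goal of this commit better. The `redis.redis` dot separator is the legacy chown spelling; `redis:redis` is the portable form. Both lines could collapse into `install -d -m 0750 -o redis -g redis ${D}/var/lib/redis/`. do_install begins and ends outside this hunk.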
