[oe] [meta-oe][PATCHv2 4/5] redis: do not run as root

Frank Meerkoetter meerkoetter at googlemail.com
Tue Nov 29 10:04:25 UTC 2016


Running a network facing daemon written in C as root is not
a good idea. Introduce a redis system user/group for that.

A drawback is that now redis can no longer increase the
number of open fds to 10000 (MaxClients). If this is needed
the ulimit needs to be tweaked in the init script or systemd
unit file.

This only affects systemd-based systems.

Signed-off-by: Frank Meerkoetter <frank at meerkoetter.org>
---
 meta-oe/recipes-extended/redis/redis/redis.service | 4 ++--
 meta-oe/recipes-extended/redis/redis_3.0.2.bb      | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/meta-oe/recipes-extended/redis/redis/redis.service b/meta-oe/recipes-extended/redis/redis/redis.service
index e2dc6a7..577bb14 100644
--- a/meta-oe/recipes-extended/redis/redis/redis.service
+++ b/meta-oe/recipes-extended/redis/redis/redis.service
@@ -3,8 +3,8 @@ Description=Redis In-Memory Data Store
 After=network.target
 
 [Service]
-User=root
-Group=root
+User=redis
+Group=redis
 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
 ExecStop=/usr/bin/redis-cli shutdown
 Restart=always
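Review bot: Dropping to User=redis leaves the unit with the fd-limit regression the description admits to, because the hunk adds no `LimitNOFILE=` directive, so redis can no longer raise its limit to honour MaxClients. A line such as `LimitNOFILE=10000` (the figure given in the description) after `Restart=always` would restore that without needing root. It is also worth confirming that every path redis.conf writes to (log file, pid file, working dir) is writable by the new user; the recipe hunk only chowns /var/lib/redis, and /etc/redis/redis.conf is not in the diff.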
diff --git a/meta-oe/recipes-extended/redis/redis_3.0.2.bb b/meta-oe/recipes-extended/redis/redis_3.0.2.bb
index 89b79d4..a8242b2 100644
--- a/meta-oe/recipes-extended/redis/redis_3.0.2.bb
+++ b/meta-oe/recipes-extended/redis/redis_3.0.2.bb
@@ -19,7 +19,12 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
 SRC_URI[md5sum] = "87be8867447f62524b584813e5a7bd14"
 SRC_URI[sha256sum] = "93e422c0d584623601f89b956045be158889ebe594478a2c24e1bf218495633f"
 
-inherit autotools-brokensep update-rc.d systemd
+inherit autotools-brokensep update-rc.d systemd useradd
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM_${PN}  = "--system --home-dir /var/lib/redis -g redis --shell /bin/false redis"
+GROUPADD_PARAM_${PN} = "--system redis"
+
 
 REDIS_ON_SYSTEMD = "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}"
 
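Review bot: The added trailing blank line sits directly before the existing blank context line, leaving two consecutive empty lines ahead of REDIS_ON_SYSTEMD; drop the last `+` line of the block. The `-g redis` in USERADD_PARAM depends on the group from GROUPADD_PARAM existing first, which the useradd class handles, so that ordering looks fine as written.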
@@ -31,6 +36,7 @@ do_install() {
     install -d ${D}/${sysconfdir}/init.d
     install -m 0755 ${WORKDIR}/init-redis-server ${D}/${sysconfdir}/init.d/redis-server
     install -d ${D}/var/lib/redis/
+    chown redis.redis ${D}/var/lib/redis/
 
     install -d ${D}${systemd_unitdir}/system
     install -m 0644 ${WORKDIR}/redis.service ${D}${systemd_unitdir}/system
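Review bot: `chown redis.redis` uses the legacy dot separator; `chown redis:redis ${D}/var/lib/redis/` is the portable form and avoids ambiguity with usernames containing a dot. The init script installed two lines above is not touched by this patch, so on sysvinit systems the daemon presumably still starts as root, which matches the description's "only affects systemd" caveat but leaves the privilege drop incomplete there. do_install begins and ends outside this hunk.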
-- 
2.7.4



