cta/CTA#109 cta or stage user?

Changed user stage:st to cta:cta

cta/CTA#109 cta or stage user?
Changed user stage:st to cta:cta
93ca95e7 · Steven Murray · 0a944669 · 93ca95e7 · 93ca95e7 · 93ca95e7
Commit 93ca95e7 authored May 18, 2017 by Steven Murray
--- a/common/threading/Daemon.cpp
+++ b/common/threading/Daemon.cpp
@@ -74,10 +74,10 @@ void cta::server::Daemon::setCommandLineHasBeenParsed(const bool foreground)
 }

 //------------------------------------------------------------------------------
-// daemonizeIfNotRunInForeground
+// daemonizeIfNotRunInForegroundAndSetUserAndGroup
 //------------------------------------------------------------------------------
-void cta::server::Daemon::daemonizeIfNotRunInForeground(
-  const bool runAsStagerSuperuser) {
+void cta::server::Daemon::daemonizeIfNotRunInForegroundAndSetUserAndGroup(const std::string &userName,
+  const std::string &groupName) {
  // Do nothing if already a daemon
  if (1 == getppid())  {
    return;
@@ -120,16 +120,12 @@ void cta::server::Daemon::daemonizeIfNotRunInForeground(
      "Failed to daemonize: Failed to freopen stderr");
  } // if (!m_foreground)

-  // Change the user of the daemon process if requested
-  if (runAsStagerSuperuser) {
-    const std::string userName = "stage";
-    const std::string groupName = "st";
-    std::list<log::Param> params = {
-      log::Param("userName", userName),
-      log::Param("groupName", groupName)};
-    m_log(log::INFO, "Setting user name and group name of current process", params);
-    cta::System::setUserAndGroup(userName, groupName);
-  }
+  // Change the user and group of the daemon process
+  std::list<log::Param> params = {
+    log::Param("userName", userName),
+    log::Param("groupName", groupName)};
+  m_log(log::INFO, "Setting user name and group name of current process", params);
+  cta::System::setUserAndGroup(userName, groupName);

  // Ignore SIGPIPE (connection lost with client)
  // and SIGXFSZ (a file is too big)

--- a/common/threading/Daemon.hpp
+++ b/common/threading/Daemon.hpp
@@ -77,16 +77,19 @@ protected:
   * Daemonizes the daemon if it has not been configured to run in the
   * foreground.
   *
+   * This method also sets the user and group of the process to the specified
+   * values.
+   *
   * Please make sure that the setForeground() method has been called as
   * appropriate before this method is called.
   *
-   * This method takes into account whether or not the dameon should run in
+   * This method takes into account whether or not the daemon should run in
   * foregreound or background mode (m_foreground).
   *
-   * @param runAsStagerSuperuser Set to true if the user ID and group ID of the
-   * daemon should be set to those of the stager superuser.
+   * @param userName The name of the user.
+   * @param groupName The name of the group.
   */
-  void daemonizeIfNotRunInForeground(const bool runAsStagerSuperuser);
+  void daemonizeIfNotRunInForegroundAndSetUserAndGroup(const std::string &userName, const std::string &groupName);

  /**
   * Object representing the API of the CASTOR logging system.

--- a/common/threading/System.cpp
+++ b/common/threading/System.cpp
@@ -111,7 +111,8 @@ int cta::System::porttoi(char* str)
 // setUserAndGroup
 //------------------------------------------------------------------------------
 void cta::System::setUserAndGroup(const std::string &userName, const std::string &groupName) {
-  const std::string task = std::string("set user and group of current process to ") + userName + ":" + groupName;
+  const std::string task = std::string("set user name of process to ") + userName + " and group name of process to " +
+    groupName;
  struct passwd *pwd = nullptr; // password structure pointer
  struct group  *grp = nullptr; // group structure pointer


--- a/continuousintegration/docker/buildtree_runner/cc7/opt/run/bin/ctafrontend.sh
+++ b/continuousintegration/docker/buildtree_runner/cc7/opt/run/bin/ctafrontend.sh
@@ -17,9 +17,6 @@ echo "Log URL file:/cta-frontend.log" >>/etc/cta/cta-frontend.conf

 echo ${DATABASEURL} >/etc/cta/cta_catalogue_db.conf

-# Create user cta early so that we can set file ownership correctly
-useradd cta
-
 # EOS INSTANCE NAME used as username for SSS key
 EOSINSTANCE=ctaeos


--- a/continuousintegration/docker/buildtree_runner/cc7/opt/run/bin/taped.sh
+++ b/continuousintegration/docker/buildtree_runner/cc7/opt/run/bin/taped.sh
@@ -45,11 +45,9 @@ CTATAPEDSSS="cta_tape_server.keytab"
 #echo '0 u:stage g:tape n:taped+ N:6361736405290319874 c:1481207182 e:0 f:0 k:8e2335f24cf8c7d043b65b3b47758860cbad6691f5775ebd211b5807e1a6ec84' >> /etc/cta/${CTATAPEDSSS}
 echo -n '0 u:daemon g:daemon n:ctaeos+ N:6361884315374059521 c:1481241620 e:0 f:0 k:1a08f769e9c8e0c4c5a7e673247c8561cd23a0e7d8eee75e4a543f2d2dd3fd22' > /etc/cta/${CTATAPEDSSS}
 chmod 600 /etc/cta/${CTATAPEDSSS}
-groupadd st
-adduser stage -g st
 touch /cta-taped.log
-chown stage /cta-taped.log
-chown stage /etc/cta/${CTATAPEDSSS}
+chown cta /cta-taped.log
+chown cta /etc/cta/${CTATAPEDSSS}

 cat <<EOF > /etc/sysconfig/cta-taped
 export CTA_TAPED_OPTIONS="-fl /cta-taped.log"

--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/ctafrontend.sh
@@ -24,9 +24,6 @@ echo "Log URL file:/cta-frontend.log" >>/etc/cta/cta-frontend.conf

 echo ${DATABASEURL} >/etc/cta/cta_catalogue_db.conf

-# Create user cta early so that we can set file ownership correctly
-useradd cta
-
 # EOS INSTANCE NAME used as username for SSS key
 EOSINSTANCE=ctaeos


--- a/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/taped.sh
+++ b/continuousintegration/docker/ctafrontend/cc7/opt/run/bin/taped.sh
@@ -52,7 +52,7 @@ CTATAPEDSSS="cta_tape_server.keytab"
 #echo '0 u:stage g:tape n:taped+ N:6361736405290319874 c:1481207182 e:0 f:0 k:8e2335f24cf8c7d043b65b3b47758860cbad6691f5775ebd211b5807e1a6ec84' >> /etc/cta/${CTATAPEDSSS}
 echo -n '0 u:daemon g:daemon n:ctaeos+ N:6361884315374059521 c:1481241620 e:0 f:0 k:1a08f769e9c8e0c4c5a7e673247c8561cd23a0e7d8eee75e4a543f2d2dd3fd22' > /etc/cta/${CTATAPEDSSS}
 chmod 600 /etc/cta/${CTATAPEDSSS}
-chown stage /etc/cta/${CTATAPEDSSS}
+chown cta /etc/cta/${CTATAPEDSSS}

 cat <<EOF > /etc/sysconfig/cta-taped
 export CTA_TAPED_OPTIONS="-fl /cta-taped.log"

--- a/cta.spec.in
+++ b/cta.spec.in
@@ -124,8 +124,8 @@ requires(pre): /usr/bin/getent, /usr/sbin/groupadd, /usr/sbin/useradd
 CERN Tape Archive:
 The tape server daemon
 %pre -n cta-taped
-/usr/bin/getent group st || /usr/sbin/groupadd -g 1474 st
-/usr/bin/getent passwd stage || /usr/sbin/useradd -s /bin/nologin -c "Stager Staging System" -u 14029 -g 1474 stage
+/usr/bin/getent group cta || /usr/sbin/groupadd cta
+/usr/bin/getent passwd cta || /usr/sbin/useradd -s /bin/nologin -c "CTA system account" -g cta cta
 %files -n cta-taped
 %defattr(-,root,root)
 %attr(0755,root,root) %{_bindir}/cta-taped
@@ -137,9 +137,13 @@ Summary: CERN Tape Archive: Xrootd plugin
 Group: Application/CTA
 requires: cta-lib
 requires: xrootd-server
+requires(pre): /usr/bin/getent, /usr/sbin/groupadd, /usr/sbin/useradd
 %description -n cta-frontend
 CERN Tape Archive:
 The xroot plugin
+%pre -n cta-frontend
+/usr/bin/getent group cta || /usr/sbin/groupadd cta
+/usr/bin/getent passwd cta || /usr/sbin/useradd -s /bin/nologin -c "CTA system account" -g cta cta
 %files -n cta-frontend
 %defattr(-,root,root)
 %attr(0755,root,root) %{_libdir}/libXrdCtaOfs.so

--- a/tapeserver/daemon/TapeDaemon.cpp
+++ b/tapeserver/daemon/TapeDaemon.cpp
@@ -80,8 +80,9 @@ void  cta::tape::daemon::TapeDaemon::exceptionThrowingMain()  {
  // raw IO in the future
  setProcessCapabilities("cap_setgid,cap_setuid+ep cap_sys_rawio+p");

-  const bool runAsStagerSuperuser = true;
-  daemonizeIfNotRunInForeground(runAsStagerSuperuser);
+  const std::string userName = "cta";
+  const std::string groupName = "cta";
+  daemonizeIfNotRunInForegroundAndSetUserAndGroup(userName, groupName);
  setDumpable();

  // There is no longer any need for the process to be able to change user,