Ensure _shibd user owns necessary files and directories

Because some deployers will mount or inject their own mapping between the _shibd user and its UID the entry point script should execute the proper chown command to make sure that at runtime necessary files and directories have the correct ownership. Also emit a WARNING if any files in /etc/shibboleth are not readable by the _shibd user.
docker · Nov 8, 2017 · 19486f7 · 19486f7
1 parent f9f7ca4
commit 19486f7
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/comanage-registry-shibboleth-sp/docker-comanage-shibboleth-sp-entrypoint b/comanage-registry-shibboleth-sp/docker-comanage-shibboleth-sp-entrypoint
@@ -100,4 +100,38 @@ if [ -n "$SHIBBOLETH_SP_PRIVKEY" ]; then
     chmod 0600 /etc/shibboleth/sp-key.pem
 fi
 
+# A deployer may make their own mapping between the _shibd username
+# and the UID, and between the _shibd group and GID, so before starting 
+# make sure files have the correct ownership and group. These are the 
+# files and directories that must be owned by _shibd at runtime.
+chown _shibd:_shibd /etc/shibboleth/sp-cert.pem > /dev/null 2>&1
+chown _shibd:_shibd /etc/shibboleth/sp-key.pem > /dev/null 2>&1
+
+chown _shibd:_shibd /opt/shibboleth-sp/var > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/run > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/run/shibboleth > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/run/shibboleth/shibd.sock > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/transaction.log > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/signature.log > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/shibd_warn.log > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth/shibd.log > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/log/shibboleth-www > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/cache > /dev/null 2>&1
+chown _shibd:_shibd /opt/shibboleth-sp/var/cache/shibboleth > /dev/null 2>&1
+
+# Warn about any files in /etc/shibboleth that the _shibd user cannot read.
+su _shibd -c 'find /etc/shibboleth ! -readable' > /tmp/shibd-not-readable 2>/dev/null
+
+if [ -s /tmp/shibd-not-readable ]; then
+    echo "WARNING: the following files are not readable by _shibd"
+    cat /tmp/shibd-not-readable
+    echo ""
+fi
+
+rm -f /tmp/shibd-not-readable > /dev/null 2>&1
+
+# Start the daemon.
 exec /opt/shibboleth-sp/sbin/shibd -f -u _shibd -g _shibd -c /etc/shibboleth/shibboleth2.xml -p /var/run/shibboleth/shibd.pid -F