GRP-5153: add option to run tomcat as another user

docker · Nov 24, 2023 · 3869372 · 3869372
1 parent e2f6002
commit 3869372
Showing 6 changed files with 80 additions and 17 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -16,11 +16,11 @@ ENV GROUPER_VERSION=5.5.0 \
 
 #  net-tools curl mlocate strace telnet man vim rsyslog cron mod_ssl cronie
 RUN yum update -y \
-    && yum install -y logrotate python3-pip rsync sudo patch wget tar unzip dos2unix file net-tools diffutils curl mlocate logrotate strace telnet man vim rsyslog cronie findutils \
+    && yum install -y logrotate python3-pip rsync sudo patch wget tar unzip dos2unix file net-tools diffutils curl mlocate logrotate strace telnet man vim rsyslog cronie findutils procps \
     && pip3 install --upgrade setuptools \
     && yum clean -y all \
-    && groupadd -r tomcat \
-    && useradd -r -m -s /sbin/nologin -g tomcat tomcat \
+    && groupadd -g 994 -r tomcat \
+    && useradd -u 996 -r -m -s /sbin/nologin -g tomcat tomcat \
     && mkdir -p /opt/container_files
 
 # Install Corretto Java JDK

diff --git a/container_files/usr-local-bin/changeGid.sh b/container_files/usr-local-bin/changeGid.sh
@@ -13,6 +13,11 @@ newGid=$2
 getentOutput="$(getent group "$groupname")"
 oldGid="$( echo "$getentOutput" |cut -d\: -f3 )"
 groupmod -g "$newGid" "$groupname"
-echo "grouperContainer; INFO: (changeGid.sh) groupmod -g \"$newGid\" \"$groupname\" , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeGid.sh) groupmod -g \"$newGid\" \"$groupname\" , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
+
 find / -xdev -group "$oldGid" -exec chgrp -h "$groupname" {} \;
-echo "grouperContainer; INFO: (changeGid.sh) find / -xdev -group \"$oldGid\" -exec chgrp -h \"$groupname\" {} \; , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeGid.sh) find / -xdev -group \"$oldGid\" -exec chgrp -h \"$groupname\" {} \; , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
diff --git a/container_files/usr-local-bin/changeUid.sh b/container_files/usr-local-bin/changeUid.sh
@@ -12,6 +12,11 @@ username=$1
 newUid=$2
 oldUid="$(id -u "$username")"
 usermod -u "$newUid" "$username"
-echo "grouperContainer; INFO: (changeUid.sh) usermod -u \"$newUid\" \"$username\" , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeUid.sh) usermod -u \"$newUid\" \"$username\" , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
+
 find / -xdev -user "$oldUid" -exec chown -h "$username" {} \;
-echo "grouperContainer; INFO: (changeUid.sh) find / -xdev -user \"$oldUid\" -exec chown -h \"$username\" {} \; , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeUid.sh) find / -xdev -user \"$oldUid\" -exec chown -h \"$username\" {} \; , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
diff --git a/container_files/usr-local-bin/libraryPrep.sh b/container_files/usr-local-bin/libraryPrep.sh
@@ -172,6 +172,18 @@ prep_finishBegin() {
       echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_UI=false"
       export GROUPER_UI=false
     fi
+    if [ -z "$GROUPER_TOMCAT_UID" ] ; then 
+      echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_UID=996"
+      export GROUPER_TOMCAT_UID=996
+    fi
+    if [ -z "$GROUPER_TOMCAT_GID" ] ; then 
+      echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_GID=994"
+      export GROUPER_TOMCAT_GID=994
+    fi
+    if [ -z "$GROUPER_TOMCAT_UNIX_GROUP" ] ; then 
+      echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_UNIX_GROUP=root"
+      export GROUPER_TOMCAT_UNIX_GROUP=root
+    fi
     if [ -z "$GROUPER_WS" ] ; then 
       echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_WS=false"
       export GROUPER_WS=false

diff --git a/container_files/usr-local-bin/libraryRunCommand.sh b/container_files/usr-local-bin/libraryRunCommand.sh
@@ -2,8 +2,14 @@
 
 runCommand() {
 
-  echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat"
-  /opt/tomcat/bin/catalina.sh run
+  if [ "$GROUPER_RUN_PROCESSES_AS_USERS" = "true" ]; then
+    echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: sudo -u tomcat /opt/tomcat/bin/catalina.sh run"
+    sudo -u tomcat /opt/tomcat/bin/catalina.sh run
+  else
+    echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: /opt/tomcat/bin/catalina.sh run"
+    /opt/tomcat/bin/catalina.sh run
+  fi
+
 }
 
 runCommand_unsetAll() {

diff --git a/container_files/usr-local-bin/librarySetupFilesTomcat.sh b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
@@ -211,13 +211,15 @@ setupFilesTomcat_sslCertsAnchors() {
 
     # the container user (we arent sure who this is) should be able to update root certs
     # echo 'ALL ALL=NOPASSWD: /bin/update-ca-trust' | sudo EDITOR='tee -n' visudo
+    # generate anchor:
+    # openssl genrsa -out rootCAKey.pem 2048
+    # openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem
 
 
     if [ -n "$(ls -A /opt/grouper/certs/anchors/ 2>/dev/null)" ]; then
+      # if root
+      if [[ $EUID -eq 0 ]]; then
 
-      amiroot=`whoami`
-      if [ "$amiroot" = "root" ]; then
-
         echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process"
 
         /usr/bin/cp -v /opt/grouper/certs/anchors/* /etc/pki/ca-trust/source/anchors
@@ -237,9 +239,42 @@ setupFilesTomcat_sslCertsAnchors() {
         fi  
 
       else
-        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so run this in subimage: /bin/update-ca-trust"
+        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so run this in derived image: /usr/bin/cp -v /opt/grouper/certs/anchors/* /etc/pki/ca-trust/source/anchors; /bin/update-ca-trust"
       fi
 
+      chmod u+w $JAVA_HOME/lib/security/cacerts
+      returnCode=$?
+      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) chmod u+w $JAVA_HOME/lib/security/cacerts , result=$returnCode"
+      if [ $returnCode != 0 ]
+      then
+        exit $returnCode
+      fi  
+
+      for fileName in /opt/grouper/certs/anchors/*.pem; do
+        [ -f "$fileName" ] || continue
+
+        fileNameNoExtension=$(basename -- "$fileName")
+        fileNameNoExtension="${fileNameNoExtension%.*}"
+        /usr/lib/jvm/java/bin/keytool -import -trustcacerts -noprompt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias "$fileNameNoExtension" -file "$fileName"
+
+        returnCode=$?
+        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) /usr/lib/jvm/java/bin/keytool -import -trustcacerts -noprompt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias \"$fileNameNoExtension\" -file \"$fileName\" , result=$returnCode"
+        if [ $returnCode != 0 ]
+        then
+          exit $returnCode
+        fi  
+
+      done
+
+      chmod u-w $JAVA_HOME/lib/security/cacerts
+      returnCode=$?
+      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) chmod u-w $JAVA_HOME/lib/security/cacerts , result=$returnCode"
+      if [ $returnCode != 0 ]
+      then
+        exit $returnCode
+      fi  
+
+
     else
       echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are no anchor certs in /opt/grouper/certs/anchors/ to process"
     fi
@@ -252,21 +287,21 @@ setupFilesTomcat_sslCertsClient() {
 
       chmod u+w $JAVA_HOME/lib/security/cacerts
       returnCode=$?
-      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) chmod u+w $JAVA_HOME/lib/security/cacerts , result=$returnCode"
+      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsClient) chmod u+w $JAVA_HOME/lib/security/cacerts , result=$returnCode"
       if [ $returnCode != 0 ]
       then
         exit $returnCode
       fi  
 
       for fileName in /opt/grouper/certs/client/*.pem; do
-        [ -f "$fileName" ] || break
+        [ -f "$fileName" ] || continue
 
         fileNameNoExtension=$(basename -- "$fileName")
         fileNameNoExtension="${fileNameNoExtension%.*}"
         /usr/lib/jvm/java/bin/keytool -import -noprompt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias "$fileNameNoExtension" -file "$fileName"
 
         returnCode=$?
-        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) /usr/lib/jvm/java/bin/keytool -import -noprompt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias \"$fileNameNoExtension\" -file \"$fileName\" , result=$returnCode"
+        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsClient) /usr/lib/jvm/java/bin/keytool -import -noprompt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias \"$fileNameNoExtension\" -file \"$fileName\" , result=$returnCode"
         if [ $returnCode != 0 ]
         then
           exit $returnCode
@@ -276,7 +311,7 @@ setupFilesTomcat_sslCertsClient() {
 
       chmod u-w $JAVA_HOME/lib/security/cacerts
       returnCode=$?
-      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) chmod u-w $JAVA_HOME/lib/security/cacerts , result=$returnCode"
+      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsClient) chmod u-w $JAVA_HOME/lib/security/cacerts , result=$returnCode"
       if [ $returnCode != 0 ]
       then
         exit $returnCode