X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=configs%2Fshibd-debian.in;fp=configs%2Fshibd-debian.in;h=da41cd2c86893181e01ebc6e0c142d1522585ba9;hb=02d51181ac49dc3d4002ee0a390615c7f03633c5;hp=59f0995804cef1040605146d0ab9db1d667990ee;hpb=b757a2480a021c4183ee6dba77d4470adbf95ef8;p=shibboleth%2Fsp.git
diff --git a/configs/shibd-debian.in b/configs/shibd-debian.in
index 59f0995..da41cd2 100644
--- a/configs/shibd-debian.in
+++ b/configs/shibd-debian.in
@@ -7,8 +7,8 @@
 # Default-Stop: 0 1 6
 # Short-Description: Shibboleth 2 Service Provider Daemon
 # Description: Starts the separate daemon used by the Shibboleth
-# Apache module to manage sessions and to retrieve
-# attributes from Shibboleth Identity Providers.
+# Apache module to manage sessions and to retrieve
+# attributes from Shibboleth Identity Providers.
 ### END INIT INFO
 #
 # Written by Quanah Gibson-Mount
@@ -29,6 +29,7 @@ DAEMON=@-PREFIX-@/sbin/$NAME
 SCRIPTNAME=/etc/init.d/$NAME
 PIDFILE=@-PKGRUNDIR-@/$NAME.pid
 DAEMON_OPTS=""
+DAEMON_USER=_shibd
 
 # Force removal of socket
 DAEMON_OPTS="$DAEMON_OPTS -f"
@@ -51,30 +52,63 @@ DAEMON_OPTS="$DAEMON_OPTS -w 30"
 
 # Get the setting of VERBOSE and other rcS variables.
 [ -f /etc/default/rcS ] && . /etc/default/rcS
+prepare_environment () {
+ # Ensure @-PKGRUNDIR-@ exists. /var/run may be on a tmpfs file system.
+ [ -d '@-PKGRUNDIR-@' ] || mkdir -p '@-PKGRUNDIR-@'
+
+ # If $DAEMON_USER is set, try to run shibd as that user. However,
+ # versions of the Debian package prior to 2.3+dfsg-1 ran shibd as root,
+ # and the local administrator may not have made the server's private key
+ # readable by $DAEMON_USER. We therefore test first by running shibd -t
+ # and looking for the error code indicating that the private key could not
+ # be read. If we get that error, we fall back on running shibd as root.
+ if [ -n "$DAEMON_USER" ]; then
+ DIAG=$(su -s $DAEMON $DAEMON_USER -- -t $DAEMON_OPTS 2>/dev/null)
+ if [ $? = 0 ] ; then
+ # openssl errstr 200100D (hex for 33558541) says:
+ # error:0200100D:system library:fopen:Permission denied
+ ERROR='ERROR OpenSSL : error code: 33558541 '
+ if echo "$DIAG" | fgrep -q "$ERROR" ; then
+ unset DAEMON_USER
+ echo "$NAME warning: file permissions require running as root"
+ else
+ chown -Rh "$DAEMON_USER" '@-PKGRUNDIR-@' '@-PKGLOGDIR-@'
+ fi
+ else
+ unset DAEMON_USER
+ echo "$NAME error: unable to run config check as user $DAEMON_USER"
+ fi
+ unset DIAG
+ fi
+}
+
 case "$1" in
 start)
+ prepare_environment
+
 # Don't start shibd if NO_START is set.
 if [ "$NO_START" = 1 ] ; then
 echo "Not starting $DESC (see /etc/default/$NAME)"
 exit 0
 fi
 echo -n "Starting $DESC: "
- start-stop-daemon --start --quiet \
+ start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
 --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
 echo "$NAME."
 ;;
 stop)
 echo -n "Stopping $DESC: "
 start-stop-daemon --stop --quiet --pidfile $PIDFILE \
- --exec $DAEMON
+ --retry TERM/30/KILL/5 --exec $DAEMON
 echo "$NAME."
 ;;
 restart|force-reload)
+ prepare_environment
 echo -n "Restarting $DESC: "
 start-stop-daemon --stop --quiet --pidfile $PIDFILE \
 --exec $DAEMON
 sleep 1
- start-stop-daemon --start --quiet \
+ start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
 --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
 echo "$NAME."
 ;;
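Review bot: In the else branch of prepare_environment the `unset DAEMON_USER` precedes the echo that interpolates `$DAEMON_USER`, so the error message always ends in an empty user name; swap the two lines so the echo runs first, `echo "$NAME error: unable to run config check as user $DAEMON_USER"` followed by `unset DAEMON_USER`. The same branch unsets DAEMON_USER on any non-zero exit of the config check, so a configuration error unrelated to key permissions also causes shibd to start as root, which is broader than the private-key fallback the header comment describes; keeping DAEMON_USER set there and falling back only on the detected permission error would preserve the least-privilege default. The `chown -Rh` runs as root over '@-PKGLOGDIR-@', a tree the daemon user writes to afterwards, and whether the recursion is still needed once the one-time migration from root-owned logs has happened deserves a comment, since repeated recursive ownership changes over user-writable trees are a known hazard. Finally, `--retry TERM/30/KILL/5` was added to stop) but the restart|force-reload) path still relies on `sleep 1` after its stop call, so a slow shutdown can race the new start; adding the same --retry there would keep the two paths consistent.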