Fix logic mistake in shibd as non-root user probe

[shibboleth/sp.git] / configs / shibd-debian.in

#! /bin/sh
### BEGIN INIT INFO
# Provides: shibd
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs $remote_fs $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Shibboleth 2 Service Provider Daemon
# Description: Starts the separate daemon used by the Shibboleth
#              Apache module to manage sessions and to retrieve
#              attributes from Shibboleth Identity Providers.
### END INIT INFO
#
# Written by Quanah Gibson-Mount <quanah@stanford.edu>
# Modified by Lukas Haemmerle <lukas.haemmerle@switch.ch> for Shibboleth 2
# Based on the dh-make template written by:
#
# Written by Miquel van Smoorenburg <miquels@cistron.nl>.
# Modified for Debian
# by Ian Murdock <imurdock@gnu.ai.mit.edu>.

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="Shibboleth 2 daemon"
NAME=shibd
SHIB_HOME=@-PREFIX-@
SHIBSP_CONFIG=@-PKGSYSCONFDIR-@/shibboleth2.xml
LD_LIBRARY_PATH=@-PREFIX-@/lib
DAEMON=@-PREFIX-@/sbin/$NAME
SCRIPTNAME=/etc/init.d/$NAME
PIDFILE=@-PKGRUNDIR-@/$NAME.pid
DAEMON_OPTS=""
DAEMON_USER=_shibd

# Force removal of socket
DAEMON_OPTS="$DAEMON_OPTS -f"

# Use defined configuration file
DAEMON_OPTS="$DAEMON_OPTS -c $SHIBSP_CONFIG"

# Specify pid file to use
DAEMON_OPTS="$DAEMON_OPTS -p $PIDFILE"

# Specify wait time to use
DAEMON_OPTS="$DAEMON_OPTS -w 30"

# Exit if the package is not installed.
[ -x "$DAEMON" ] || exit 0

# Read configuration if it is present.
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Get the setting of VERBOSE and other rcS variables.
[ -f /etc/default/rcS ] && . /etc/default/rcS

prepare_environment () {
    # Ensure @-PKGRUNDIR-@ exists.  /var/run may be on a tmpfs file system.
    [ -d '@-PKGRUNDIR-@' ] || mkdir -p '@-PKGRUNDIR-@'

    # If $DAEMON_USER is set, try to run _shibd as that user.  However,
    # versions of the Debian package prior to 2.3+dfsg-1 ran shibd as root,
    # and the local administrator may not have made the server's private key
    # readable by _shibd.  We therefore test first by running shibd -t and
    # looking for the error code indicating that the private key could not be
    # read.  If we get that error, we fall back on running shibd as root.
    if [ -n "$DAEMON_USER" ]; then
        DIAG=$(su -s $DAEMON $DAEMON_USER -- -t $DAEMON_OPTS 2>/dev/null)
        if [ $? = 0 ] ; then
            # openssl errstr 200100D (hex for 33558541) says:
            # error:0200100D:system library:fopen:Permission denied
            ERROR='ERROR OpenSSL : error code: 33558541 '
            if echo "$DIAG" | fgrep -q "$ERROR" ; then
                unset DAEMON_USER
                echo "$NAME warning: file permissions require running as root"
            else
                chown -Rh "$DAEMON_USER" '@-PKGRUNDIR-@' '@-PKGLOGDIR-@'
            fi
        else
            unset DAEMON_USER
            echo "$NAME error: unable to run config check as user $DAEMON_USER"
        fi
        unset DIAG
    fi
}

case "$1" in
start)
    prepare_environment

    # Don't start shibd if NO_START is set.
    if [ "$NO_START" = 1 ] ; then
        echo "Not starting $DESC (see /etc/default/$NAME)"
        exit 0
    fi
    echo -n "Starting $DESC: "
    start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
        --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
stop)
    echo -n "Stopping $DESC: "
    start-stop-daemon --stop --quiet --pidfile $PIDFILE \
        --exec $DAEMON
    echo "$NAME."
    ;;
restart|force-reload)
    prepare_environment

    echo -n "Restarting $DESC: "
    start-stop-daemon --stop --quiet --pidfile $PIDFILE \
        --exec $DAEMON
    sleep 1
    start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
        --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
*)
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0