# Default-Stop: 0 1 6
# Short-Description: Shibboleth 2 Service Provider Daemon
# Description: Starts the separate daemon used by the Shibboleth
-# Apache module to manage sessions and to retrieve
-# attributes from Shibboleth Identity Providers.
+# Apache module to manage sessions and to retrieve
+# attributes from Shibboleth Identity Providers.
### END INIT INFO
#
# Written by Quanah Gibson-Mount <quanah@stanford.edu>
SCRIPTNAME=/etc/init.d/$NAME
PIDFILE=@-PKGRUNDIR-@/$NAME.pid
DAEMON_OPTS=""
+DAEMON_USER=_shibd
# Force removal of socket
DAEMON_OPTS="$DAEMON_OPTS -f"
# Get the setting of VERBOSE and other rcS variables.
[ -f /etc/default/rcS ] && . /etc/default/rcS
+prepare_environment () {
+ # Ensure @-PKGRUNDIR-@ exists. /var/run may be on a tmpfs file system.
+ [ -d '@-PKGRUNDIR-@' ] || mkdir -p '@-PKGRUNDIR-@'
+
+ # If $DAEMON_USER is set, try to run shibd as that user. However,
+ # versions of the Debian package prior to 2.3+dfsg-1 ran shibd as root,
+ # and the local administrator may not have made the server's private key
+ # readable by $DAEMON_USER. We therefore test first by running shibd -t
+ # and looking for the error code indicating that the private key could not
+ # be read. If we get that error, we fall back on running shibd as root.
+ if [ -n "$DAEMON_USER" ]; then
+ DIAG=$(su -s $DAEMON $DAEMON_USER -- -t $DAEMON_OPTS 2>/dev/null)
+ if [ $? = 0 ] ; then
+ # openssl errstr 200100D (hex for 33558541) says:
+ # error:0200100D:system library:fopen:Permission denied
+ ERROR='ERROR OpenSSL : error code: 33558541 '
+ if echo "$DIAG" | fgrep -q "$ERROR" ; then
+ unset DAEMON_USER
+ echo "$NAME warning: file permissions require running as root"
+ else
+ chown -Rh "$DAEMON_USER" '@-PKGRUNDIR-@' '@-PKGLOGDIR-@'
+ fi
+ else
+ unset DAEMON_USER
+ echo "$NAME error: unable to run config check as user $DAEMON_USER"
+ fi
+ unset DIAG
+ fi
+}
+
case "$1" in
start)
+ prepare_environment
+
# Don't start shibd if NO_START is set.
if [ "$NO_START" = 1 ] ; then
echo "Not starting $DESC (see /etc/default/$NAME)"
exit 0
fi
echo -n "Starting $DESC: "
- start-stop-daemon --start --quiet \
+ start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
--pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop --quiet --pidfile $PIDFILE \
- --exec $DAEMON
+ --retry TERM/30/KILL/5 --exec $DAEMON
echo "$NAME."
;;
restart|force-reload)
+ prepare_environment
echo -n "Restarting $DESC: "
start-stop-daemon --stop --quiet --pidfile $PIDFILE \
--exec $DAEMON
sleep 1
- start-stop-daemon --start --quiet \
+ start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \
--pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;