Merge pull request voxpupuli#328 from janorn/run_as_unprivileged
Run as unprivileged user
James Fryman committed Jun 11, 2014
2 parents ee786b9 + b41f242 commit 96c995b
Showing 5 changed files with 20 additions and 8 deletions.
6 changes: 4 additions & 2 deletions manifests/config.pp
Expand Up @@ -18,6 +18,7 @@
$client_max_body_size = $nginx::params::nx_client_max_body_size,
$confd_purge = $nginx::params::nx_confd_purge,
$conf_template = $nginx::params::nx_conf_template,
$daemon_user = $nginx::params::nx_daemon_user,
$events_use = $nginx::params::nx_events_use,
$fastcgi_cache_inactive = $nginx::params::nx_fastcgi_cache_inactive,
$fastcgi_cache_key = $nginx::params::nx_fastcgi_cache_key,
Expand Down Expand Up @@ -49,6 +50,7 @@
$proxy_send_timeout = $nginx::params::nx_proxy_send_timeout,
$proxy_set_header = $nginx::params::nx_proxy_set_header,
$server_tokens = $nginx::params::nx_server_tokens,
$super_user = $nginx::params::nx_super_user,
$types_hash_bucket_size = $nginx::params::nx_types_hash_bucket_size,
$types_hash_max_size = $nginx::params::nx_types_hash_max_size,
$vhost_purge = $nginx::params::nx_vhost_purge,
Expand Down Expand Up @@ -101,12 +103,12 @@

file {$nginx::config::nx_client_body_temp_path:
ensure => directory,
owner => $nginx::params::nx_daemon_user,
owner => $daemon_user,
}

file {$nginx::config::nx_proxy_temp_path:
ensure => directory,
owner => $nginx::params::nx_daemon_user,
owner => $daemon_user,
}

file { "${nginx::params::nx_conf_dir}/sites-available":
5 changes: 5 additions & 0 deletions manifests/init.pp
Expand Up @@ -34,6 +34,7 @@
$confd_purge = $nginx::params::nx_confd_purge,
$configtest_enable = $nginx::params::nx_configtest_enable,
$conf_template = $nginx::params::nx_conf_template,
$daemon_user = $nginx::params::nx_daemon_user,
$events_use = $nginx::params::nx_events_use,
$fastcgi_cache_inactive = $nginx::params::nx_fastcgi_cache_inactive,
$fastcgi_cache_key = $nginx::params::nx_fastcgi_cache_key,
Expand Down Expand Up @@ -76,6 +77,7 @@
$server_tokens = $nginx::params::nx_server_tokens,
$service_ensure = $nginx::params::nx_service_ensure,
$service_restart = $nginx::params::nx_service_restart,
$super_user = $nginx::params::nx_super_user,
$vhost_purge = $nginx::params::nx_vhost_purge,
$worker_connections = $nginx::params::nx_worker_connections,
$worker_processes = $nginx::params::nx_worker_processes,
Expand Down Expand Up @@ -154,6 +156,7 @@
validate_hash($nginx_mailhosts)
validate_bool($manage_repo)
validate_string($proxy_headers_hash_bucket_size)
validate_bool($super_user)

class { 'nginx::package':
package_name => $package_name,
Expand All @@ -168,6 +171,7 @@
client_max_body_size => $client_max_body_size,
confd_purge => $confd_purge,
conf_template => $conf_template,
daemon_user => $daemon_user,
events_use => $events_use,
fastcgi_cache_inactive => $fastcgi_cache_inactive,
fastcgi_cache_key => $fastcgi_cache_key,
Expand Down Expand Up @@ -199,6 +203,7 @@
proxy_send_timeout => $proxy_send_timeout,
proxy_set_header => $proxy_set_header,
server_tokens => $server_tokens,
super_user => $super_user,
vhost_purge => $vhost_purge,
worker_connections => $worker_connections,
worker_processes => $worker_processes,
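Review bot: `$daemon_user` is added as a class parameter and passed through to nginx::config, but unlike `$super_user` on the neighbouring `validate_bool($super_user)` line it gets no validation before it reaches nginx.conf. The template in this commit interpolates it verbatim into `user <%= @daemon_user %>;`, so a value containing whitespace or a `;` would yield a broken or altered main config instead of a catalog failure. Add `validate_string($daemon_user)` beside the new validate_bool, or, if the stdlib version the module depends on provides it, the tighter `validate_re($daemon_user, '^[A-Za-z_][A-Za-z0-9_-]*$')`. The body of class nginx begins and ends outside this hunk.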
3 changes: 3 additions & 0 deletions manifests/params.pp
Expand Up @@ -115,6 +115,9 @@
}
}

# Nginx is default launched as root if not change this parameter
$nx_super_user = true

# Service restart after Nginx 0.7.53 could also be just
# "/path/to/nginx/bin -s HUP" Some init scripts do a configtest, some don't.
# If configtest_enable it's true then service restart will take
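Review bot: The comment above `$nx_super_user = true` is ungrammatical and describes the flag backwards: it does not decide whether nginx is launched as root, it decides whether the `user` directive is emitted at all (the `if @super_user` guard in templates/conf.d/nginx.conf.erb in this same commit). I would replace it with `# true (default): the master process is started as root, so emit the 'user' directive and let workers drop to $nx_daemon_user.` followed by `# false: the service itself is started as an unprivileged account, so omit 'user' (nginx otherwise warns that the directive only applies when the master has super-user privileges).` The exact nginx warning wording is from memory and worth confirming before committing the comment.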
10 changes: 5 additions & 5 deletions manifests/resource/vhost.pp
Expand Up @@ -516,32 +516,32 @@
# Check if the file has been defined before creating the file to
# avoid the error when using wildcard cert on the multiple vhosts
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.crt", {
owner => $nginx::params::nx_daemon_user,
owner => $nginx::config::daemon_user,
mode => '0444',
source => $ssl_cert,
})
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.key", {
owner => $nginx::params::nx_daemon_user,
owner => $nginx::config::daemon_user,
mode => '0440',
source => $ssl_key,
})
if ($ssl_dhparam != undef) {
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.dh.pem", {
owner => $nginx::params::nx_daemon_user,
owner => $nginx::config::daemon_user,
mode => '0440',
source => $ssl_dhparam,
})
}
if ($ssl_stapling_file != undef) {
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.ocsp.resp", {
owner => $nginx::params::nx_daemon_user,
owner => $nginx::config::daemon_user,
mode => '0440',
source => $ssl_stapling_file,
})
}
if ($ssl_trusted_cert != undef) {
ensure_resource('file', "${nginx::params::nx_conf_dir}/${cert}.trusted.crt", {
owner => $nginx::params::nx_daemon_user,
owner => $nginx::config::daemon_user,
mode => '0440',
source => $ssl_trusted_cert,
})
4 changes: 3 additions & 1 deletion templates/conf.d/nginx.conf.erb
@@ -1,4 +1,6 @@
user <%= scope.lookupvar('nginx::config::nx_daemon_user') %>;
<% if @super_user -%>
user <%= @daemon_user %>;
<% end -%>
worker_processes <%= @worker_processes %>;
worker_rlimit_nofile <%= @worker_rlimit_nofile %>;

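Review bot: Omitting the `user` directive when `@super_user` is false only yields an unprivileged nginx if the master process is itself launched as `@daemon_user`, and none of the five files in this commit change how the service is started. If the service is still started as root, as init scripts binding port 80 usually are, `super_user => false` leaves the master and every worker running as root (presumably falling back to nginx's build-time default account rather than `@daemon_user`), which is the opposite of what the PR title promises. At minimum the template should say so above the guard, e.g. `<%# 'user' only takes effect when the master runs as root; with super_user => false the service must be started as daemon_user itself -%>`; a stronger fix would make the service resource run nginx as `$daemon_user` whenever super_user is false, which lies outside this diff.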
