Have webuser be a compile-time config rather than run-time.

8 files changed, 18 insertions, 17 deletions

diff --git a/Makefile b/Makefile
index acb7252..2f647a0 100644
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,8 @@ uwsgidir      = /etc/uwsgi
 pkglibexecdir = $(libexecdir)/parabolaweb-utils
 pkgconffile   = $(sysconfdir)/parabolaweb
 
+webuser = parabolaweb
+
 CFLAGS += -std=c99 -Wall -Wextra -Werror -Wno-unused-parameter
 CPPFLAGS += -DSCRIPT_LOCATION='"$(pkglibexecdir)/parabolaweb-changepassword.real"'
 
@@ -36,8 +38,8 @@ files.sys.all =                                                    $(targets)
 
 # Pattern rules
 
-%: %.in .var.sbindir .var.pkgconffile
-	sed -e 's|@sbindir@|$(sbindir)|' -e 's|@pkgconffile@|$(pkgconffile)|' < $< > $@
+%: %.in .var.sbindir .var.pkgconffile .var.webuser
+	sed $(foreach v,$(patsubst .var.%,%,$(filter .var.%,$^)), -e 's|@$v@|$($v)|' ) < $< > $@
 
 $(DESTDIR)$(sbindir)/%: %
 	install -Dm755 $< $@
diff --git a/parabolaweb-changepassword.real.in b/parabolaweb-changepassword.real.in
index 07499e8..78d526f 100644
--- a/parabolaweb-changepassword.real.in
+++ b/parabolaweb-changepassword.real.in
@@ -1,6 +1,6 @@
 #!/bin/bash -e
 
-#   Copyright (c) 2014 Luke Shumaker <lukeshu@sbcglobal.net>
+#   Copyright (c) 2014, 2017 Luke Shumaker <lukeshu@sbcglobal.net>
 #
 #   This program is free software; you can redistribute it and/or modify
 #   it under the terms of the GNU General Public License as published by
@@ -19,16 +19,15 @@ export PATH
 
 usage() {
 	printf 'Usage: %s [USERNAME]\n' "${0##*/}"
-	printf 'A username may only be specified if run as root or WEBUSER.\n'
+	printf 'A username may only be specified if run as root or @webuser@.\n'
 }
 
 main() {
 	. @pkgconffile@
 	[[ -e "${WEBDIR}/manage.py" ]]
-	[[ -n "${WEBUSER}" ]]
 
 	local REAL_USER=$USER
-	if ! { [[ $SUID_USER == root ]] || [[ $SUID_USER == "$WEBUSER" ]]; }; then
+	if ! { [[ $SUID_USER == root ]] || [[ $SUID_USER == @webuser@ ]]; }; then
 		unset SUDO_USER SUDO_UID SUDO_GID SUDO_COMMAND
 	fi
 
@@ -44,7 +43,7 @@ main() {
 	local PERM_OF=${SUID_USER:-$REAL_USER}
 
 	local username
-	if [[ $PERM_OF == root ]] || [[ $PERM_OF == "$WEBUSER" ]]; then
+	if [[ $PERM_OF == root ]] || [[ $PERM_OF == @webuser@ ]]; then
 		if [[ $# -gt 1 ]]; then
 			usage >&2
 			return 1
@@ -58,7 +57,7 @@ main() {
 		username=$NAME_OF
 	fi
 
-	sudo -u "${WEBUSER}" python2 "${WEBDIR}/manage.py" changepassword "${username}"
+	sudo -u @webuser@ python2 "${WEBDIR}/manage.py" changepassword "${username}"
 }
 
 main "$@"
diff --git a/parabolaweb-reporead-inotify.in b/parabolaweb-reporead-inotify.in
index 66934ea..c179a67 100644
--- a/parabolaweb-reporead-inotify.in
+++ b/parabolaweb-reporead-inotify.in
@@ -1,6 +1,6 @@
 #!/bin/bash -e
 
-#   Copyright (c) 2012-2013 Luke Shumaker <lukeshu@sbcglobal.net>
+#   Copyright (c) 2012-2013, 2017 Luke Shumaker <lukeshu@sbcglobal.net>
 #
 #   This program is free software; you can redistribute it and/or modify
 #   it under the terms of the GNU General Public License as published by
@@ -20,5 +20,4 @@
 [[ -e "${WEBDIR}/manage.py" ]]
 [[ $# -eq 0 ]]
 
-sudo -u "${WEBUSER:-$USER}" python2 "${WEBDIR}/manage.py" reporead_inotify \
-	"${INOTIFYARGS[@]}"
+python2 "${WEBDIR}/manage.py" reporead_inotify "${INOTIFYARGS[@]}"
diff --git a/parabolaweb-reporead-inotify.service.in b/parabolaweb-reporead-inotify.service.in
index 099db8d..c43ba78 100644
--- a/parabolaweb-reporead-inotify.service.in
+++ b/parabolaweb-reporead-inotify.service.in
@@ -5,6 +5,7 @@ Description=ParabolaWeb reporead_inotify daemon
 
 [Service]
 Type=simple
+User=@webuser@
 ExecStart=@sbindir@/parabolaweb-reporead-inotify
 
 [Install]
diff --git a/parabolaweb-reporead-rsync.in b/parabolaweb-reporead-rsync.in
index f18a412..d71cb2a 100644
--- a/parabolaweb-reporead-rsync.in
+++ b/parabolaweb-reporead-rsync.in
@@ -20,15 +20,15 @@
 [[ -e "${WEBDIR}/manage.py" ]]
 [[ $# -eq 0 ]]
 
-sudo -u "${WEBUSER:-$USER}" rsync -v --no-motd -mrtlH --no-p \
+rsync -v --no-motd -mrtlH --no-p \
       --include='*/' --include='*'.files.tar.gz --exclude='*' \
       --delete-after "$RSYNCSRV" "$RSYNCDIR/"
 
 r=0
-sudo -u "${WEBUSER:-$USER}" find "$RSYNCDIR" -name '*.files.tar.gz' -not -name '.*' |
+find "$RSYNCDIR" -name '*.files.tar.gz' -not -name '.*' |
 	sed -r 's|.*/([^/]+)/[^/]+$|\1 &|' |
 	while read -r arch filename; do
 		echo reporead "$arch" "$filename"
-		sudo -u "${WEBUSER:-$USER}" python2 "${WEBDIR}/manage.py" reporead "$arch" "$filename" || r=$?
+		python2 "${WEBDIR}/manage.py" reporead "$arch" "$filename" || r=$?
 	done
 exit $r
diff --git a/parabolaweb-reporead-rsync.service.in b/parabolaweb-reporead-rsync.service.in
index dde3287..4b9919a 100644
--- a/parabolaweb-reporead-rsync.service.in
+++ b/parabolaweb-reporead-rsync.service.in
@@ -5,4 +5,5 @@ Description=ParabolaWeb rsync reporead batch job
 
 [Service]
 Type=oneshot
+User=@webuser@
 ExecStart=@sbindir@/parabolaweb-reporead-rsync
diff --git a/parabolaweb.conf b/parabolaweb.conf
index db88bef..2e67f72 100644
--- a/parabolaweb.conf
+++ b/parabolaweb.conf
@@ -1,6 +1,5 @@
-# If you change `WEBUSER` or `WEBDIR`, you should also change
+# If you change `WEBDIR`, you should also change
 # `/etc/uwsgi/parabolaweb.ini`.
-WEBUSER=parabolaweb
 WEBDIR=/srv/http/www.parabola.nu/web
 
 GITURL='git://git.parabola.nu/server/parabolaweb.git#branch=master'
diff --git a/parabolaweb.ini b/parabolaweb.ini
index d170279..40a80c8 100644
--- a/parabolaweb.ini
+++ b/parabolaweb.ini
@@ -2,7 +2,7 @@
 master = true
 processes = 4
 
-# If you change `uid` or `wsgi-file`, you should also change
+# If you change `wsgi-file`, you should also change
 # `/etc/conf.d/parabolaweb`.
 
 uid = %n