diff --git a/+POST_INSTALL b/+POST_INSTALL
index 4edcfb526a..d5ee43f9c4 100644
--- a/+POST_INSTALL
+++ b/+POST_INSTALL
@@ -1,29 +1,3 @@
-PW=/usr/sbin/pw
-USER=%%CORE_USER%%
-GROUP=%%CORE_GROUP%%
-UID=%%CORE_UID%%
-GID=%%CORE_GID%%
-
-PW_ARG=add
-if ${PW} groupshow ${GROUP} >/dev/null 2>&1; then
- PW_ARG=mod
-fi
-
-echo "Creating group '${GROUP}' with gid '${GID}'"
-${PW} group${PW_ARG} ${GROUP} -g ${GID}
-
-PW_ARG=add
-if ${PW} usershow ${USER} >/dev/null 2>&1; then
- PW_ARG=mod
-fi
-
-echo "Creating user '${USER}' with uid '${UID}'"
-${PW} user${PW_ARG} ${USER} -u ${UID} -g ${GID} -c "World Wide Web Only" -d /nonexistent -s /usr/sbin/nologin
-
-if [ -n "${CORE_USER_GROUP_ONLY}" ]; then
- exit 0
-fi
-
 echo "Updating /etc/shells"
 cp /etc/shells /etc/shells.bak
 (grep -v /usr/local/sbin/opnsense-shell /etc/shells.bak; \
diff --git a/+PRE_DEINSTALL b/+PRE_DEINSTALL
index 7fb7536aaa..71483468a4 100644
--- a/+PRE_DEINSTALL
+++ b/+PRE_DEINSTALL
@@ -1,7 +1,3 @@
-if [ -n "${CORE_USER_GROUP_ONLY}" ]; then
- exit 0
-fi
-
 /usr/local/etc/rc.d/configd stop
 echo "Resetting root shell"
diff --git a/Makefile b/Makefile
index 3fcfb57edc..58f6cd2f90 100644
--- a/Makefile
+++ b/Makefile
@@ -253,8 +253,6 @@ manifest:
 @echo "comment: \"${CORE_COMMENT}\""
 @echo "desc: \"${CORE_HASH}\""
 @echo "maintainer: \"${CORE_MAINTAINER}\""
- @echo "users: [ \"${CORE_USER}\" ]"
- @echo "groups: [ \"${CORE_GROUP}\" ]"
 @echo "www: \"${CORE_WWW}\""
 @echo "message: \"${CORE_MESSAGE}\""
 @echo "categories: [ \"sysutils\", \"www\" ]"
diff --git a/src/etc/rc.subr.d/php b/src/etc/rc.subr.d/php
index cda47d14e4..2af2e45a93 100755
--- a/src/etc/rc.subr.d/php
+++ b/src/etc/rc.subr.d/php
@@ -25,11 +25,30 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
-# XXX Eventually we could try to ensure the user from here as it would
-# avoid our bootstrap worries regarding using a predefined non-root user
-# that does not even exist on the system which can prevent the GUI from
-# starting or changing ownership staying root.
-OWNER="$(opnsense-version -R CORE_USER):wheel"
+OWNERSHIP=$(opnsense-version -R 'CORE_GROUP=CORE_GID:CORE_USER=CORE_UID')
+OWNERGRP=${OWNERSHIP%:*}
+OWNERUSR=${OWNERSHIP##*:}
+
+PW=/usr/sbin/pw
+GROUP=${OWNERGRP%=*}
+GID=${OWNERGRP##*=}
+USER=${OWNERUSR%=*}
+UID=${OWNERUSR##*=}
+OWNER="${USER}:wheel"
+
+PW_ARG=add
+if ${PW} groupshow ${GROUP} >/dev/null 2>&1; then
+ PW_ARG=mod
+fi
+
+${PW} group${PW_ARG} ${GROUP} -g ${GID}
+
+PW_ARG=add
+if ${PW} usershow ${USER} >/dev/null 2>&1; then
+ PW_ARG=mod
+fi
+
+${PW} user${PW_ARG} ${USER} -u ${UID} -g ${GID} -c "World Wide Web Only" -d /nonexistent -s /usr/sbin/nologin
 # set up required output directories for various PHP components
 for PHPDIR in cache sessions tmp; do
diff --git a/src/etc/rc.subr.d/recover.in b/src/etc/rc.subr.d/recover
similarity index 98%
rename from src/etc/rc.subr.d/recover.in
rename to src/etc/rc.subr.d/recover
index 906ac26609..561c4233be 100755
--- a/src/etc/rc.subr.d/recover.in
+++ b/src/etc/rc.subr.d/recover
@@ -63,7 +63,6 @@ www:*:80:
 u2f:*:116:
 ntpd:*:123:
 _ypldap:*:160:
-%%CORE_GROUP%%:*:%%CORE_GID%%:
 hast:*:845:
 tests:*:977:
 nogroup:*:65533:
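Review bot: Neither `pw` invocation in the added block checks its exit status, so a failure (a uid or gid already taken by another account when `pw groupadd`/`useradd` runs, or an error from the `mod` variant) is silent and the script carries on to use `OWNER="${USER}:wheel"`; the `echo` lines the old +POST_INSTALL printed are gone too, so nothing about the outcome reaches the boot log. The parsed values are also used unguarded: if `opnsense-version -R` prints nothing or an error message, `GROUP`, `GID`, `USER` and `UID` end up empty or garbled and `pw` is called with empty arguments. I would add a guard before the first `pw` call, `if [ -z "${GROUP}" -o -z "${GID}" -o -z "${USER}" -o -z "${UID}" ]; then echo "php: cannot determine web user/group" >&2; exit 1; fi` (or a log-and-skip if the rest of the script can run without a valid OWNER), and append `|| echo "php: pw group${PW_ARG} ${GROUP} failed" >&2` and the user equivalent to the two `pw` lines. The rc script continues past the hunk, so I cannot see whether the later ownership changes depend on these calls having succeeded.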
@@ -97,7 +96,6 @@ auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologi
 www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
 ntpd:*:123:123::0:0:NTP Daemon:/var/db/ntp:/usr/sbin/nologin
 _ypldap:*:160:160::0:0:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
-%%CORE_USER%%:*:%%CORE_UID%%:%%CORE_GID%%::0:0:World Wide Web Only:/nonexistent:/usr/sbin/nologin
 hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
 tests:*:977:977::0:0:Unprivileged user for tests:/nonexistent:/usr/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
@@ -234,8 +232,6 @@ function recover_ports()
 $tempfile = fopen($tempname, 'w');
 $luacount = 0;
- putenv('CORE_USER_GROUP_ONLY=yes');
-
 foreach ($pkgs as $pkg) {
 $raw = exec('/usr/local/sbin/pkg-static info --raw --raw-format json-compact ' . $pkg);
 $info = json_decode($raw, true);
diff --git a/src/sbin/opnsense-version b/src/sbin/opnsense-version
index e4e09c3ff9..3ef306aecd 100755
--- a/src/sbin/opnsense-version
+++ b/src/sbin/opnsense-version
@@ -143,7 +143,7 @@ if [ -n "${DO_RAW}" ]; then
 exit 0
 fi
- OUTPUT=$(echo "${FILE}" | sed -e 's=\([A-Z][A-Z_]*\)=$\1=g')
+ OUTPUT=$(echo "${FILE}" | sed -e 's=\(CORE_[A-Z_]*\)=${\1}=g' -e 's=\(PLUGIN_[A-Z_]*\)=${\1}=g')
 TARGET=nop
 fi
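Review bot: The two sed patterns in the new `OUTPUT=` line are not anchored on the left and their character class excludes digits, so a key containing a digit (should any `CORE_`/`PLUGIN_` key be named that way) would be cut short, e.g. `CORE_ABI2` becoming `${CORE_ABI}2`, and a token such as `NONCORE_X` would be rewritten to `NON${CORE_X}`. `${FILE}` here appears to be the caller-supplied `-R` format string (the php rc script passes `'CORE_GROUP=CORE_GID:CORE_USER=CORE_UID'`), so I would tighten both expressions to `sed -e 's=[[:<:]]\(CORE_[A-Z0-9_]*\)=${\1}=g' -e 's=[[:<:]]\(PLUGIN_[A-Z0-9_]*\)=${\1}=g'`, which BSD sed accepts. The enclosing `if [ -n "${DO_RAW}" ]` block begins before the hunk and the code that consumes OUTPUT after `TARGET=nop` is outside it, so I cannot confirm how the substituted string is expanded downstream.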