From a1bdd5f40e15312bb4891cfa2e0d67d590051d00 Mon Sep 17 00:00:00 2001
From: Frank Meerkoetter
Date: Thu, 1 Dec 2016 19:45:26 +0100
Subject: redis: do not run as root

Running a network facing daemon written in C as root is not a good idea. Introduce a redis system user/group for that. A drawback is that now redis can no longer increase the number of open fds to 10000 (MaxClients). If this is needed the ulimit needs to be tweaked in the init script or systemd unit file. This only affects systemd based systems.
Signed-off-by: Frank Meerkoetter
Signed-off-by: Martin Jansa
---
meta-oe/recipes-extended/redis/redis/redis.service | 4 ++--
meta-oe/recipes-extended/redis/redis_3.0.2.bb | 8 +++++++-
2 files changed, 9 insertions(+), 3 deletions(-)
(limited to 'meta-oe/recipes-extended/redis')
diff --git a/meta-oe/recipes-extended/redis/redis/redis.service b/meta-oe/recipes-extended/redis/redis/redis.service
index e2dc6a715..577bb1421 100644
--- a/meta-oe/recipes-extended/redis/redis/redis.service
+++ b/meta-oe/recipes-extended/redis/redis/redis.service
@@ -3,8 +3,8 @@ Description=Redis In-Memory Data Store
 After=network.target
 [Service]
-User=root
-Group=root
+User=redis
+Group=redis
 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
 ExecStop=/usr/bin/redis-cli shutdown
 Restart=always
diff --git a/meta-oe/recipes-extended/redis/redis_3.0.2.bb b/meta-oe/recipes-extended/redis/redis_3.0.2.bb
index 98132d798..9395b33b0 100644
--- a/meta-oe/recipes-extended/redis/redis_3.0.2.bb
+++ b/meta-oe/recipes-extended/redis/redis_3.0.2.bb
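Review bot: The [Service] section of redis.service switches to `User=redis` but leaves the descriptor limit that the commit message calls out unaddressed, so the daemon will presumably start with a reduced client limit. systemd applies resource limits before it drops privileges, so a line such as `LimitNOFILE=10032` next to `User=redis` would restore the headroom without root. The value is my estimate of 10000 clients plus the descriptors Redis reserves for itself, and should be confirmed against the redis.conf shipped by the recipe. It is also worth checking that the pidfile and logfile paths in /etc/redis/redis.conf, which this patch does not show, are writable by the new user, since the recipe only chowns /var/lib/redis.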
@@ -19,7 +19,12 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
 SRC_URI[md5sum] = "87be8867447f62524b584813e5a7bd14"
 SRC_URI[sha256sum] = "93e422c0d584623601f89b956045be158889ebe594478a2c24e1bf218495633f"
-inherit autotools-brokensep update-rc.d systemd
+inherit autotools-brokensep update-rc.d systemd useradd
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM_${PN} = "--system --home-dir /var/lib/redis -g redis --shell /bin/false redis"
+GROUPADD_PARAM_${PN} = "--system redis"
+
 REDIS_ON_SYSTEMD = "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}"
@@ -31,6 +36,7 @@ do_install() {
 install -d ${D}/${sysconfdir}/init.d
 install -m 0755 ${WORKDIR}/init-redis-server ${D}/${sysconfdir}/init.d/redis-server
 install -d ${D}/var/lib/redis/
+ chown redis.redis ${D}/var/lib/redis/
 install -d ${D}${systemd_system_unitdir}
 install -m 0644 ${WORKDIR}/redis.service ${D}${systemd_system_unitdir}
--
cgit v1.2.3-54-g00ecf
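Review bot: The data directory created in do_install() keeps the mode `install -d` gives it by default, so after the added chown other local accounts can still traverse /var/lib/redis and read any dump file Redis writes there with default permissions. The mode should be restricted where the directory is created, e.g. `install -d -m 0750 ${D}/var/lib/redis/`. The added line also uses the legacy dot separator, and `chown redis:redis ${D}/var/lib/redis/` is the portable spelling. The sysvinit script installed a few lines above is untouched, so on non-systemd images the daemon presumably still starts as root, as the commit message acknowledges. do_install() begins and ends outside this hunk.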