Make userid's for the services configurable at build time #459

wants to merge 9 commits into from
33 changes: 31 additions & 2 deletions Makefile
Expand Up @@ -2,6 +2,12 @@
BINDGEN = bindgen
CBINDGEN = cbindgen

# Default users under which the services will run. Override by specifying on the CLI for make.
USER_AZIOTID ?= aziotid
USER_AZIOTCS ?= aziotcs
USER_AZIOTKS ?= aziotks
USER_AZIOTTPM ?= aziottpm

# 0 => false, _ => true
V = 0

Expand Down Expand Up @@ -56,7 +62,11 @@ CARGO_OUTPUT_ABSPATH = $(abspath ./target/$(CARGO_TARGET)/$(CARGO_PROFILE_DIRECT
VENDOR_PREFIX = $(CARGO_OUTPUT_ABSPATH)/fakeroot
VENDOR_PKGCONFIG = $(VENDOR_PREFIX)$(AZIOT_PRIVATE_LIBRARIES)/pkgconfig

CARGO = VENDOR_PREFIX="$(VENDOR_PREFIX)" VENDOR_PKGCONFIG="$(VENDOR_PKGCONFIG)" cargo
CARGO = VENDOR_PREFIX="$(VENDOR_PREFIX)" VENDOR_PKGCONFIG="$(VENDOR_PKGCONFIG)" \
USER_AZIOTID="$(USER_AZIOTID)" \
USER_AZIOTCS="$(USER_AZIOTCS)" \
USER_AZIOTKS="$(USER_AZIOTKS)" \
USER_AZIOTTPM="$(USER_AZIOTTPM)" cargo

# Some of the targets use bash-isms like `set -o pipefail`
SHELL = /bin/bash
Expand Down Expand Up @@ -309,6 +319,9 @@ deb: dist
# Copy package files
cp -R contrib/debian /tmp/aziot-identity-service-$(PACKAGE_VERSION)/
sed -i -e 's/@version@/$(PACKAGE_VERSION)/g; s/@release@/$(PACKAGE_RELEASE)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/changelog
sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postinst
sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postrm
sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/preinst

# Build package
# Note: This builds the `default` target before the normal Debian packaging (instead
Expand Down Expand Up @@ -366,6 +379,10 @@ rpm:
-e "s|@devtoolset@|$$DEVTOOLSET|g" \
-e "s|@llvm_toolset@|$$LLVM_TOOLSET|g" \
-e "s|@openssl_engine_filename@|$$OPENSSL_ENGINE_FILENAME|g" \
-e "s/@user_aziotid@/$(USER_AZIOTID)/g" \
-e "s/@user_aziotks@/$(USER_AZIOTKS)/g" \
-e "s/@user_aziotcs@/$(USER_AZIOTCS)/g" \
-e "s/@user_aziottpm@/$(USER_AZIOTTPM)/g" \
>$(RPMBUILDDIR)/SPECS/aziot-identity-service.spec

# Copy preset file to be included in the package
Expand Down Expand Up @@ -464,15 +481,27 @@ install-common:
$(INSTALL) -d -m 0700 $(DESTDIR)$(localstatedir)/lib/aziot/tpmd

# Systemd services and sockets
$(INSTALL) -d $(DESTDIR)$(unitdir)
# NOTE: We do not use "install -D ... -t ..." since it is broken on
# RHEL 7 derivatives and will not be fixed.
# Ref: https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1758488
for i in cert identity key tpm; do \
OUTPUT_SOCKET="$(DESTDIR)$(unitdir)/aziot-$${i}d.socket"; \
<"$$i/aziot-$${i}d/aziot-$${i}d.socket.in" sed \
-e 's|@user_aziotid@|$(USER_AZIOTID)|' \
-e 's|@user_aziotks@|$(USER_AZIOTKS)|' \
-e 's|@user_aziotcs@|$(USER_AZIOTCS)|' \
-e 's|@user_aziottpm@|$(USER_AZIOTTPM)|' \
>"$$OUTPUT_SOCKET"; \
chmod 0644 "$$OUTPUT_SOCKET"; \
OUTPUT_SERVICE="$(DESTDIR)$(unitdir)/aziot-$${i}d.service"; \
$(INSTALL_DATA) -D "$$i/aziot-$${i}d/aziot-$${i}d.socket" "$(DESTDIR)$(unitdir)/aziot-$${i}d.socket"; \
<"$$i/aziot-$${i}d/aziot-$${i}d.service.in" sed \
-e 's|@private-libs@|$(AZIOT_PRIVATE_LIBRARIES)|' \
-e 's|@libexecdir@|$(libexecdir)|' \
-e 's|@user_aziotid@|$(USER_AZIOTID)|' \
-e 's|@user_aziotks@|$(USER_AZIOTKS)|' \
-e 's|@user_aziotcs@|$(USER_AZIOTCS)|' \
-e 's|@user_aziottpm@|$(USER_AZIOTTPM)|' \
>"$$OUTPUT_SERVICE"; \
chmod 0644 "$$OUTPUT_SERVICE"; \
done
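Review bot: The default service account names now live in two unconnected places — the `USER_* ?=` block at the top of this Makefile and `[env]` in aziotctl/.cargo/config.toml — and the `deb`, `rpm` and `install-common` targets splice the Makefile values unquoted into maintainer scripts, unit files and the spec (`chown @user_aziotcs@:@user_aziotcs@ …`, `User=@user_aziotcs@`), so a value containing whitespace or shell metacharacters produces broken packaging scripts rather than a build error. A comment on the defaults would at least keep the two lists from drifting: `# Keep in sync with [env] in aziotctl/.cargo/config.toml (cargo only applies those when the variable is not already exported, which this Makefile does via CARGO).` A `$(foreach …)` check near the top that fails the build unless each `USER_*` matches `^[a-z_][a-z0-9_-]*$` would catch malformed names before they reach `sed`. Note also that the install-common loop now substitutes all four user tokens into each `.socket.in`/`.service.in`, which is harmless but means a unit file that accidentally references another service's token will silently get a value instead of failing.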
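--- /dev/null
+++ b/aziotctl/.cargo/config.toml
@@ -0,0 +1,5 @@
+[env]
+USER_AZIOTID = "aziotid"
+USER_AZIOTKS = "aziotks"
+USER_AZIOTCS = "aziotcs"
+USER_AZIOTTPM = "aziottpm"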
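--- a/aziotctl/src/config/apply.rs
+++ b/aziotctl/src/config/apply.rs
@@ -37,10 +37,12 @@ pub(crate) fn run(options: Options) -> anyhow::Result<()> {
 // So when running as root, get the four users appropriately.
 // Otherwise, if this is a debug build, fall back to using the current user.
 // Otherwise, tell the user to re-run as root.
-let aziotks_user = crate::internal::common::get_system_user("aziotks")?;
-let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?;
-let aziotid_user = crate::internal::common::get_system_user("aziotid")?;
-let aziottpm_user = crate::internal::common::get_system_user("aziottpm")?;
+// When run in a snap expect the four users to be prefixed with `snap_`.
+
+let aziotks_user = crate::internal::common::get_system_user(env!("USER_AZIOTKS"))?;
+let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?;
+let aziotid_user = crate::internal::common::get_system_user(env!("USER_AZIOTID"))?;
+let aziottpm_user = crate::internal::common::get_system_user(env!("USER_AZIOTTPM"))?;
 
 let common_config::apply::RunOutput {
 keyd_config,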
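Review bot: The comment added at the top of the new block, `// When run in a snap expect the four users to be prefixed with `snap_`.`, describes behaviour the code does not implement — the four names are baked in at compile time by `env!("USER_*")` and nothing here inspects a snap environment or adds a prefix, so the next reader will look for logic that is not there. Either drop it or state what actually happens, e.g. `// The four service account names are fixed at build time via USER_AZIOT* (defaults in aziotctl/.cargo/config.toml, overridable through the Makefile); snap packaging is expected to pass snap_-prefixed names — confirm.` Because `env!` is a compile-time lookup, a build that neither exports the variables nor runs cargo from a directory under aziotctl/ (where that `.cargo/config.toml` is discovered, as far as I can tell) fails to compile instead of falling back to the previous literals; worth a line in the build docs. The same `env!("USER_AZIOTCS")`/`env!("USER_AZIOTKS")` pattern in the check modules shares this property. The enclosing `run` function starts and ends outside the hunk.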
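--- a/aziotctl/src/internal/check/checks/cert_expiry.rs
+++ b/aziotctl/src/internal/check/checks/cert_expiry.rs
@@ -47,7 +47,7 @@ impl IdentityCert {
 ) -> Result<CheckResult> {
 use aziot_identityd_config::{DpsAttestationMethod, ManualAuthMethod, ProvisioningType};
 
-let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?;
+let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?;
 
 let provisioning = &unwrap_or_skip!(&cache.cfg.identityd)
 .provisioning
@@ -123,7 +123,7 @@ impl EstIdentityBootstrapCerts {
 ) -> Result<CheckResult> {
 let certd_config = unwrap_or_skip!(&cache.cfg.certd);
 
-let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?;
+let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?;
 
 let certs = certd_config
 .cert_issuance
@@ -226,7 +226,7 @@ impl LocalCaCert {
 None => return Ok(CheckResult::Ignored),
 };
 
-let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?;
+let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?;
 
 let (res, cert_info) =
 validate_cert(certd_config, cert_id, "Local CA", &aziotcs_user).await?;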
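--- a/aziotctl/src/internal/check/checks/certs_preloaded.rs
+++ b/aziotctl/src/internal/check/checks/certs_preloaded.rs
@@ -45,7 +45,7 @@ impl CertsPreloaded {
 
 let mut visited: BTreeMap<_, _> = Default::default();
 
-let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?;
+let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?;
 
 for id in preloaded_certs.keys() {
 match walk_preloaded_certs(id, preloaded_certs, &aziotcs_user, &mut visited).await? {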
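--- a/aziotctl/src/internal/check/checks/read_key_pairs.rs
+++ b/aziotctl/src/internal/check/checks/read_key_pairs.rs
@@ -63,7 +63,7 @@ impl ReadKeyPairs {
 let mut warn_aggregated = vec![];
 
 // Check every preloaded key at a file:// URI is readable by the aziotks user and report errors when they aren't.
-let aziotks_user = crate::internal::common::get_system_user("aziotks")?;
+let aziotks_user = crate::internal::common::get_system_user(env!("USER_AZIOTKS"))?;
 
 for (id, path) in preloaded_keys {
 if let Ok(aziot_keys_common::PreloadedKeyLocation::Filesystem { path }) = path.parse() {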
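--- a/cert/aziot-certd/aziot-certd.service.in
+++ b/cert/aziot-certd/aziot-certd.service.in
@@ -9,7 +9,7 @@ ExecStart=@libexecdir@/aziot-identity-service/aziot-certd
 KillMode=process
 Restart=on-failure
 RestartSec=5s
-User=aziotcs
+User=@user_aziotcs@
 
 [Install]
 WantedBy=multi-user.target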
Expand Up @@ -6,8 +6,8 @@ PartOf=aziot-certd.service
ListenStream=/run/aziot/certd.sock
SocketMode=0660
DirectoryMode=0755
SocketUser=aziotcs
SocketGroup=aziotcs
SocketUser=@user_aziotcs@
SocketGroup=@user_aziotcs@

[Install]
WantedBy=sockets.target
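--- a/contrib/debian/postinst
+++ b/contrib/debian/postinst
@@ -20,10 +20,10 @@ set -e
 
 case "$1" in
 configure)
-chown aziotcs:aziotcs /etc/aziot/certd/config.toml.default
-chown aziotid:aziotid /etc/aziot/identityd/config.toml.default
-chown aziotks:aziotks /etc/aziot/keyd/config.toml.default
-chown aziottpm:aziottpm /etc/aziot/tpmd/config.toml.default
+chown @user_aziotcs@:@user_aziotcs@ /etc/aziot/certd/config.toml.default
+chown @user_aziotid@:@user_aziotid@ /etc/aziot/identityd/config.toml.default
+chown @user_aziotks@:@user_aziotks@ /etc/aziot/keyd/config.toml.default
+chown @user_aziottpm@:@user_aziottpm@ /etc/aziot/tpmd/config.toml.default
 chown root:root /etc/aziot/config.toml.template
 for f in \
 /etc/aziot/certd/config.toml.default \
@@ -36,16 +36,16 @@ case "$1" in
 chmod 0600 /etc/aziot/config.toml.template
 
 if [ -d /var/lib/aziot/certd ]; then
-chown aziotcs:aziotcs /var/lib/aziot/certd
+chown @user_aziotcs@:@user_aziotcs@ /var/lib/aziot/certd
 fi
 if [ -d /var/lib/aziot/identityd ]; then
-chown aziotid:aziotid /var/lib/aziot/identityd
+chown @user_aziotid@:@user_aziotid@ /var/lib/aziot/identityd
 fi
 if [ -d /var/lib/aziot/keyd ]; then
-chown aziotks:aziotks /var/lib/aziot/keyd
+chown @user_aziotks@:@user_aziotks@ /var/lib/aziot/keyd
 fi
 if [ -d /var/lib/aziot/tpmd ]; then
-chown aziottpm:aziottpm /var/lib/aziot/tpmd
+chown @user_aziottpm@:@user_aziottpm@ /var/lib/aziot/tpmd
 fi
 
 for d in \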
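--- a/contrib/debian/postrm
+++ b/contrib/debian/postrm
@@ -23,21 +23,21 @@ case "$1" in
 systemctl daemon-reload
 
 # Kill all processes running under aziot-identity-service users.
-killall -SIGKILL -u aziotid || true
-killall -SIGKILL -u aziotcs || true
-killall -SIGKILL -u aziotks || true
-killall -SIGKILL -u aziottpm || true
+[ "@user_aziotid@" != "root" ] && killall -SIGKILL -u @user_aziotid@ || true
+[ "@user_aziotcs@" != "root" ] && killall -SIGKILL -u @user_aziotcs@ || true
+[ "@user_aziotks@" != "root" ] && killall -SIGKILL -u @user_aziotks@ || true
+[ "@user_aziottpm@" != "root" ] && killall -SIGKILL -u @user_aziottpm@ || true
 
 # Delete directories used by aziot-identity-service.
 rm -rf /etc/aziot
 rm -rf /run/aziot
 rm -rf /var/lib/aziot
 
 # Delete aziot-identity-service users.
-/usr/sbin/userdel aziotid
-/usr/sbin/userdel aziotcs
-/usr/sbin/userdel aziotks
-/usr/sbin/userdel aziottpm
+[ "@user_aziotid@" != "root" ] && /usr/sbin/userdel @user_aziotid@
+[ "@user_aziotcs@" != "root" ] && /usr/sbin/userdel @user_aziotcs@
+[ "@user_aziotks@" != "root" ] && /usr/sbin/userdel @user_aziotks@
+[ "@user_aziottpm@" != "root" ] && /usr/sbin/userdel @user_aziottpm@
 ;;
 remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
 ;;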
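Review bot: The four `userdel` lines at the end of the purge branch are now only guarded against `root`, but the build lets two or more services share one non-root account, and in that case the second `/usr/sbin/userdel` of the same name fails because the account is already gone; if postrm runs under `set -e` as postinst does (the preamble is outside the hunk), the purge aborts half-way. Checking existence first keeps purge idempotent without hiding real `userdel` failures: `if [ "@user_aziotid@" != "root" ] && /usr/bin/getent passwd @user_aziotid@ >/dev/null; then /usr/sbin/userdel @user_aziotid@; fi`, repeated for the other three. The same shared-account case makes the `killall … || true` lines kill the remaining services' processes once, which is fine, so only the `userdel` block needs the change.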
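--- a/contrib/debian/preinst
+++ b/contrib/debian/preinst
@@ -18,39 +18,39 @@ case "$1" in
 # For each of CS, IS, KS: create group, create user, create home directory (in case user already exists from a previous install
 # but the user deleted the directory manually)
 
-if ! /usr/bin/getent group aziotks >/dev/null; then
-/usr/sbin/groupadd -r aziotks
+if ! /usr/bin/getent group @user_aziotks@ >/dev/null; then
+/usr/sbin/groupadd -r @user_aziotks@
 fi
-if ! /usr/bin/getent passwd aziotks >/dev/null; then
-/usr/sbin/useradd -r -g aziotks -c 'aziot-keyd user' -s /sbin/nologin -d /var/lib/aziot/keyd aziotks
+if ! /usr/bin/getent passwd @user_aziotks@ >/dev/null; then
+/usr/sbin/useradd -r -g @user_aziotks@ -c 'aziot-keyd user' -s /sbin/nologin -d /var/lib/aziot/keyd @user_aziotks@
 fi
 mkdir -p /var/lib/aziot/keyd
 
-if ! /usr/bin/getent group aziottpm >/dev/null; then
-/usr/sbin/groupadd -r aziottpm
+if ! /usr/bin/getent group @user_aziottpm@ >/dev/null; then
+/usr/sbin/groupadd -r @user_aziottpm@
 fi
-if ! /usr/bin/getent passwd aziottpm >/dev/null; then
-/usr/sbin/useradd -r -g aziottpm -c 'aziot-tpmd user' -s /sbin/nologin -d /var/lib/aziot/tpmd aziottpm
+if ! /usr/bin/getent passwd @user_aziottpm@ >/dev/null; then
+/usr/sbin/useradd -r -g @user_aziottpm@ -c 'aziot-tpmd user' -s /sbin/nologin -d /var/lib/aziot/tpmd @user_aziottpm@
 fi
 mkdir -p /var/lib/aziot/tpmd
 
-if ! /usr/bin/getent group aziotcs >/dev/null; then
-/usr/sbin/groupadd -r aziotcs
+if ! /usr/bin/getent group @user_aziotcs@ >/dev/null; then
+/usr/sbin/groupadd -r @user_aziotcs@
 fi
-if ! /usr/bin/getent passwd aziotcs >/dev/null; then
-/usr/sbin/useradd -r -g aziotcs -c 'aziot-certd user' -s /sbin/nologin -d /var/lib/aziot/certd aziotcs
-/usr/sbin/usermod -aG aziotks aziotcs
+if ! /usr/bin/getent passwd @user_aziotcs@ >/dev/null; then
+/usr/sbin/useradd -r -g @user_aziotcs@ -c 'aziot-certd user' -s /sbin/nologin -d /var/lib/aziot/certd @user_aziotcs@
+/usr/sbin/usermod -aG @user_aziotks@ @user_aziotcs@
 fi
 mkdir -p /var/lib/aziot/certd
 
-if ! /usr/bin/getent group aziotid >/dev/null; then
-/usr/sbin/groupadd -r aziotid
+if ! /usr/bin/getent group @user_aziotid@ >/dev/null; then
+/usr/sbin/groupadd -r @user_aziotid@
 fi
-if ! /usr/bin/getent passwd aziotid >/dev/null; then
-/usr/sbin/useradd -r -g aziotid -c 'aziot-identityd user' -s /sbin/nologin -d /var/lib/aziot/identityd aziotid
-/usr/sbin/usermod -aG aziotcs aziotid
-/usr/sbin/usermod -aG aziotks aziotid
-/usr/sbin/usermod -aG aziottpm aziotid
+if ! /usr/bin/getent passwd @user_aziotid@ >/dev/null; then
+/usr/sbin/useradd -r -g @user_aziotid@ -c 'aziot-identityd user' -s /sbin/nologin -d /var/lib/aziot/identityd @user_aziotid@
+/usr/sbin/usermod -aG @user_aziotcs@ @user_aziotid@
+/usr/sbin/usermod -aG @user_aziotks@ @user_aziotid@
+/usr/sbin/usermod -aG @user_aziottpm@ @user_aziotid@
 fi
 mkdir -p /var/lib/aziot/identityd
 ;;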
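Review bot: The supplementary-group grants — `/usr/sbin/usermod -aG @user_aziotks@ @user_aziotcs@` and the three `usermod -aG … @user_aziotid@` lines — have no `root` guard, unlike postrm's `killall`/`userdel` lines, so a build that sets only one of the variables to `root` (a value this PR evidently anticipates) silently adds the certd and identityd service accounts to the `root` group and with it read access to everything on the host that is group-root readable. Skip the grant when the target account is root, e.g. `[ "@user_aziotks@" != "root" ] && /usr/sbin/usermod -aG @user_aziotks@ @user_aziotcs@`, and apply the same guard to the identical `%{_sbindir}/usermod -aG` lines in contrib/enterprise-linux/aziot-identity-service.spec.in. When two services are configured with the same non-root account, the later `useradd` is skipped by the `getent passwd` check, so the first service's `-c` comment and `-d` home directory win and its `usermod` grants never run; a comment on the `# For each of CS, IS, KS` header stating that shared accounts are (or are not) supported would make that intentional rather than accidental.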
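--- a/contrib/enterprise-linux/aziot-identity-service.spec.in
+++ b/contrib/enterprise-linux/aziot-identity-service.spec.in
@@ -84,36 +84,36 @@ make -j \
 # For each of CS, IS, KS: create group, create user, create home directory (in case user already exists from a previous install
 # but the user deleted the directory manually)
 
-if ! %{_bindir}/getent group aziotks >/dev/null; then
-%{_sbindir}/groupadd -r aziotks
+if ! %{_bindir}/getent group @user_aziotks@ >/dev/null; then
+%{_sbindir}/groupadd -r @user_aziotks@
 fi
-if ! %{_bindir}/getent passwd aziotks >/dev/null; then
-%{_sbindir}/useradd -r -g aziotks -c 'aziot-keyd user' -s /sbin/nologin -d /var/lib/aziot/keyd aziotks
+if ! %{_bindir}/getent passwd @user_aziotks@ >/dev/null; then
+%{_sbindir}/useradd -r -g @user_aziotks@ -c 'aziot-keyd user' -s /sbin/nologin -d /var/lib/aziot/keyd @user_aziotks@
 fi
 
-if ! %{_bindir}/getent group aziottpm >/dev/null; then
-%{_sbindir}/groupadd -r aziottpm
+if ! %{_bindir}/getent group @user_aziottpm@ >/dev/null; then
+%{_sbindir}/groupadd -r @user_aziottpm@
 fi
-if ! %{_bindir}/getent passwd aziottpm >/dev/null; then
-%{_sbindir}/useradd -r -g aziottpm -c 'aziot-tpmd user' -s /sbin/nologin -d /var/lib/aziot/tpmd aziottpm
+if ! %{_bindir}/getent passwd @user_aziottpm@ >/dev/null; then
+%{_sbindir}/useradd -r -g @user_aziottpm@ -c 'aziot-tpmd user' -s /sbin/nologin -d /var/lib/aziot/tpmd @user_aziottpm@
 fi
 
-if ! %{_bindir}/getent group aziotcs >/dev/null; then
-%{_sbindir}/groupadd -r aziotcs
+if ! %{_bindir}/getent group @user_aziotcs@ >/dev/null; then
+%{_sbindir}/groupadd -r @user_aziotcs@
 fi
-if ! %{_bindir}/getent passwd aziotcs >/dev/null; then
-%{_sbindir}/useradd -r -g aziotcs -c 'aziot-certd user' -s /sbin/nologin -d /var/lib/aziot/certd aziotcs
-%{_sbindir}/usermod -aG aziotks aziotcs
+if ! %{_bindir}/getent passwd @user_aziotcs@ >/dev/null; then
+%{_sbindir}/useradd -r -g @user_aziotcs@ -c 'aziot-certd user' -s /sbin/nologin -d /var/lib/aziot/certd @user_aziotcs@
+%{_sbindir}/usermod -aG @user_aziotks@ @user_aziotcs@
 fi
 
-if ! %{_bindir}/getent group aziotid >/dev/null; then
-%{_sbindir}/groupadd -r aziotid
+if ! %{_bindir}/getent group @user_aziotid@ >/dev/null; then
+%{_sbindir}/groupadd -r @user_aziotid@
 fi
-if ! %{_bindir}/getent passwd aziotid >/dev/null; then
-%{_sbindir}/useradd -r -g aziotid -c 'aziot-identityd user' -s /sbin/nologin -d /var/lib/aziot/identityd aziotid
-%{_sbindir}/usermod -aG aziotcs aziotid
-%{_sbindir}/usermod -aG aziotks aziotid
-%{_sbindir}/usermod -aG aziottpm aziotid
+if ! %{_bindir}/getent passwd @user_aziotid@ >/dev/null; then
+%{_sbindir}/useradd -r -g @user_aziotid@ -c 'aziot-identityd user' -s /sbin/nologin -d /var/lib/aziot/identityd @user_aziotid@
+%{_sbindir}/usermod -aG @user_aziotcs@ @user_aziotid@
+%{_sbindir}/usermod -aG @user_aziotks@ @user_aziotid@
+%{_sbindir}/usermod -aG @user_aziottpm@ @user_aziotid@
 fi
 
 
@@ -158,25 +158,25 @@ fi
 %{_libdir}/%{name}/*.so*
 
 # Default configs and config directories
-%attr(400, aziotcs, aziotcs) %{_sysconfdir}/aziot/certd/config.toml.default
-%attr(700, aziotcs, aziotcs) %dir %{_sysconfdir}/aziot/certd/config.d
+%attr(400, @user_aziotcs@, @user_aziotcs@) %{_sysconfdir}/aziot/certd/config.toml.default
+%attr(700, @user_aziotcs@, @user_aziotcs@) %dir %{_sysconfdir}/aziot/certd/config.d
 
-%attr(400, aziotid, aziotid) %{_sysconfdir}/aziot/identityd/config.toml.default
-%attr(700, aziotid, aziotid) %dir %{_sysconfdir}/aziot/identityd/config.d
+%attr(400, @user_aziotid@, @user_aziotid@) %{_sysconfdir}/aziot/identityd/config.toml.default
+%attr(700, @user_aziotid@, @user_aziotid@) %dir %{_sysconfdir}/aziot/identityd/config.d
 
-%attr(400, aziotks, aziotks) %{_sysconfdir}/aziot/keyd/config.toml.default
-%attr(700, aziotks, aziotks) %dir %{_sysconfdir}/aziot/keyd/config.d
+%attr(400, @user_aziotks@, @user_aziotks@) %{_sysconfdir}/aziot/keyd/config.toml.default
+%attr(700, @user_aziotks@, @user_aziotks@) %dir %{_sysconfdir}/aziot/keyd/config.d
 
-%attr(400, aziottpm, aziottpm) %{_sysconfdir}/aziot/tpmd/config.toml.default
-%attr(700, aziottpm, aziottpm) %dir %{_sysconfdir}/aziot/tpmd/config.d
+%attr(400, @user_aziottpm@, @user_aziottpm@) %{_sysconfdir}/aziot/tpmd/config.toml.default
+%attr(700, @user_aziottpm@, @user_aziottpm@) %dir %{_sysconfdir}/aziot/tpmd/config.d
 
 %attr(600, root, root) %{_sysconfdir}/aziot/config.toml.template
 
 # Home directories
-%attr(-, aziotcs, aziotcs) %dir /var/lib/aziot/certd
-%attr(-, aziotid, aziotid) %dir /var/lib/aziot/identityd
-%attr(-, aziotks, aziotks) %dir /var/lib/aziot/keyd
-%attr(-, aziottpm, aziottpm) %dir /var/lib/aziot/tpmd
+%attr(-, @user_aziotcs@, @user_aziotcs@) %dir /var/lib/aziot/certd
+%attr(-, @user_aziotid@, @user_aziotid@) %dir /var/lib/aziot/identityd
+%attr(-, @user_aziotks@, @user_aziotks@) %dir /var/lib/aziot/keyd
+%attr(-, @user_aziottpm@, @user_aziottpm@) %dir /var/lib/aziot/tpmd
 
 # Systemd services and sockets
 %{_unitdir}/aziot-certd.service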
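--- a/identity/aziot-identityd/aziot-identityd.service.in
+++ b/identity/aziot-identityd/aziot-identityd.service.in
@@ -9,7 +9,7 @@ ExecStart=@libexecdir@/aziot-identity-service/aziot-identityd
 KillMode=process
 Restart=on-failure
 RestartSec=5s
-User=aziotid
+User=@user_aziotid@
 
 [Install]
 WantedBy=multi-user.target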