TT#157800 run rtpengine as non-root

*) Create dedicated rtpengine user in postinst and remove it in postrm.

*) Use RuntimeDirectory= systemd unit config.

*) Use dedicated user for /proc interface and set file umask to hide it
from other users.

*) Set owner and permissions on default directories used for call recording.

Change-Id: I8e225b36d065d46da2489fb8286916371950f490

debian/ngcp-rtpengine-daemon.default

@@ -1,6 +1,7 @@
 CONFIG_FILE=/etc/rtpengine/rtpengine.conf
 # CONFIG_SECTION=rtpengine
-PIDFILE=/run/ngcp-rtpengine-daemon.pid
+PIDFILE=/run/rtpengine/ngcp-rtpengine-daemon.pid
 MANAGE_IPTABLES=yes
-#SET_USER=root
+SET_USER=rtpengine
-#SET_GROUP=root # GROUP only needs to be set if USER is not set or if the user isn't in the group
+#SET_GROUP=rtpengine # GROUP only needs to be set if USER is not set or if the user isn't in the group
+SET_MASK=0x7

debian/ngcp-rtpengine-daemon.postinst

@@ -32,6 +32,12 @@ else
 	fi
 fi
 
+if [ "$1" = configure ]; then
+	adduser --system --home /nonexistent --gecos rtpengine \
+		--no-create-home --disabled-password \
+		--group --quiet rtpengine || true
+fi
+
 #DEBHELPER#
 
 exit 0

debian/ngcp-rtpengine-daemon.postrm

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = purge ]; then
+	deluser --quiet --system rtpengine > /dev/null || true
+	delgroup --quiet --system rtpengine > /dev/null || true
+fi
+
+#DEBHELPER#
+
+exit 0
+

debian/ngcp-rtpengine-daemon.service

@@ -7,10 +7,15 @@ Requires=network-online.target
 [Service]
 Type=notify
 EnvironmentFile=/etc/default/ngcp-rtpengine-daemon
-PIDFile=/run/ngcp-rtpengine-daemon.pid
+RuntimeDirectory=rtpengine
-ExecStartPre=/usr/sbin/ngcp-rtpengine-iptables-setup start
+PIDFile=/run/rtpengine/ngcp-rtpengine-daemon.pid
-ExecStart=/usr/sbin/rtpengine -f -E --no-log-timestamps --pidfile /run/ngcp-rtpengine-daemon.pid --config-file /etc/rtpengine/rtpengine.conf
+User=rtpengine
-ExecStopPost=/usr/sbin/ngcp-rtpengine-iptables-setup stop
+Group=rtpengine
+AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_NICE
+LimitNOFILE=150000
+ExecStartPre=+/usr/sbin/ngcp-rtpengine-iptables-setup start
+ExecStart=/usr/sbin/rtpengine -f -E --no-log-timestamps --pidfile /run/rtpengine/ngcp-rtpengine-daemon.pid --config-file /etc/rtpengine/rtpengine.conf
+ExecStopPost=+/usr/sbin/ngcp-rtpengine-iptables-setup stop
 
 [Install]
 WantedBy=multi-user.target

debian/ngcp-rtpengine-recording-daemon.default

@@ -1,6 +1,6 @@
 CONFIG_FILE=/etc/rtpengine/rtpengine-recording.conf
 # CONFIG_SECTION=rtpengine-recording
-PIDFILE=/run/ngcp-rtpengine-recording-daemon.pid
+PIDFILE=/run/rtpengine-recording/ngcp-rtpengine-recording-daemon.pid
 #SET_USER=root
 #SET_GROUP=root # GROUP only needs to be set if USER is not set or if the user isn't in the group
 #

debian/ngcp-rtpengine-recording-daemon.postinst

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = configure ]; then
+	for DIR in /var/lib/rtpengine-recording /var/spool/rtpengine; do
+		if ! dpkg-statoverride --list "$DIR" > /dev/null 2>&1; then
+			chown rtpengine:rtpengine "$DIR"
+			chmod 0770 "$DIR"
+		fi
+	done
+fi
+
+#DEBHELPER#
+
+exit 0

debian/ngcp-rtpengine-recording-daemon.service

@@ -9,8 +9,12 @@ Requires=ngcp-rtpengine-recording-nfs-mount.service
 [Service]
 Type=notify
 LimitNOFILE=100000
-PIDFile=/run/ngcp-rtpengine-recording-daemon.pid
+RuntimeDirectory=rtpengine-recording
-ExecStart=/usr/sbin/rtpengine-recording -f -E --no-log-timestamps --pidfile /run/ngcp-rtpengine-recording-daemon.pid --config-file /etc/rtpengine/rtpengine-recording.conf
+PIDFile=/run/rtpengine-recording/ngcp-rtpengine-recording-daemon.pid
+AmbientCapabilities=CAP_NET_ADMIN
+User=rtpengine
+Group=rtpengine
+ExecStart=/usr/sbin/rtpengine-recording -f -E --no-log-timestamps --pidfile /run/rtpengine-recording/ngcp-rtpengine-recording-daemon.pid --config-file /etc/rtpengine/rtpengine-recording.conf
 
 [Install]
 WantedBy=multi-user.target