[nfcd] Run nfcd under nfc user account. Fixes JB#45270

Root privileges are not required, and for a service that accepts random input (e.g. data from NFC tags) running as root is generally not a very good idea.
sailfishos · Mar 27, 2019 · 4374f3c · 4374f3c
1 parent e32ed02
commit 4374f3c
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 7 deletions.
diff --git a/plugins/dbus_neard/org.neard.conf b/plugins/dbus_neard/org.neard.conf
@@ -1,7 +1,7 @@
 <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
     "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
-    <policy user="root">
+    <policy user="nfc">
         <allow own="org.neard"/>
         <allow send_destination="org.neard"/>
         <allow send_interface="org.neard.NDEFAgent"/>

diff --git a/plugins/dbus_service/org.sailfishos.nfc.daemon.conf b/plugins/dbus_service/org.sailfishos.nfc.daemon.conf
@@ -1,7 +1,7 @@
 <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
     "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
-    <policy user="root">
+    <policy user="nfc">
         <allow own="org.sailfishos.nfc.daemon"/>
     </policy>
     <policy context="default">

diff --git a/plugins/settings/org.sailfishos.nfc.settings.conf b/plugins/settings/org.sailfishos.nfc.settings.conf
@@ -1,7 +1,7 @@
 <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
-    <policy user="root">
+    <policy user="nfc">
         <allow own="org.sailfishos.nfc.settings"/>
     </policy>
     <policy context="default">

diff --git a/rpm/nfcd.spec b/rpm/nfcd.spec
@@ -13,8 +13,11 @@ BuildRequires: pkgconfig(libglibutil) >= 1.0.34
 BuildRequires: pkgconfig(libdbuslogserver-gio) >= 1.0.14
 Requires: libglibutil >= 1.0.34
 Requires: libdbuslogserver-gio >= 1.0.14
-Requires(post): /sbin/ldconfig
-Requires(postun): /sbin/ldconfig
+Requires: systemd
+Requires(pre): systemd
+Requires(post): systemd
+Requires(post): coreutils
+Requires(postun): systemd
 
 %description
 Provides D-Bus interfaces to NFC functionality.
@@ -52,15 +55,21 @@ ln -s ../nfcd.service %{buildroot}/%{target_wants_dir}/nfcd.service
 %check
 make -C unit test
 
+%pre
+systemctl stop nfcd ||:
+
 %post
+chown nfc:nfc %{settings_dir}/* ||:
+chmod 600 %{settings_dir}/* ||:
 systemctl daemon-reload ||:
+systemctl start nfcd ||:
 
 %postun
 systemctl daemon-reload ||:
 
 %files
 %defattr(-,root,root,-)
-%dir %{settings_dir}
+%dir %attr(700,nfc,nfc) %{settings_dir}
 %{_sbindir}/*
 %{_sysconfdir}/dbus-1/system.d/*.conf
 /%{target_wants_dir}/nfcd.service

diff --git a/src/nfcd.service b/src/nfcd.service
@@ -6,7 +6,7 @@ After=dbus.service
 [Service]
 Type=dbus
 BusName=org.sailfishos.nfc.daemon
-User=root
+User=nfc
 EnvironmentFile=-/var/lib/environment/nfcd/*.conf
 ExecStart=/usr/sbin/nfcd $NFCD_ARGS
 Restart=always