Dynamically create unprivileged user

2019-07-07 20:01:51 +02:00
parent 14de99b480
commit 876508cd9c
4 changed files with 51 additions and 54 deletions
--- a/scripts/bin/docker-foreground-cmd
+++ b/scripts/bin/docker-foreground-cmd
@@ -3,40 +3,55 @@
 set -eu

 # Disable xdummy if there is no graphics card
-if [ ! -d /dev/dri/ ]; then
+if [ "${DISABLE_GPU:?}" = 'true' ] || [ ! -d /dev/dri/ ]; then
 	unlink /etc/service/xdummy
 fi

-# Update guest user password
-if [ -n "${GUEST_USER_PASSWORD-}" ]; then
-	printf '%s' "guest:${GUEST_USER_PASSWORD}" | chpasswd
-	unset GUEST_USER_PASSWORD
+# Create unprivileged user and group
+groupadd \
+	--gid "${UNPRIVILEGED_USER_GID:?}" \
+	"${UNPRIVILEGED_USER_NAME:?}"
+useradd \
+	--uid "${UNPRIVILEGED_USER_UID:?}" \
+	--gid "${UNPRIVILEGED_USER_GID:?}" \
+	--groups "${UNPRIVILEGED_USER_GROUPS:?}" \
+	--shell "${UNPRIVILEGED_USER_SHELL:?}" \
+	--create-home \
+	"${UNPRIVILEGED_USER_NAME:?}"
+
+# Copy /etc/skel/ to unprivileged user home if empty
+UNPRIVILEGED_USER_HOME=$(getent passwd "${UNPRIVILEGED_USER_NAME:?}" | cut -d: -f6)
+if [ -z "$(ls -A "${UNPRIVILEGED_USER_HOME:?}")" ]; then
+	cp -aT /etc/skel/ "${UNPRIVILEGED_USER_HOME:?}"
+	chown -R "${UNPRIVILEGED_USER_NAME:?}:" "${UNPRIVILEGED_USER_HOME:?}"
 fi

+# Create /run/user/${UNPRIVILEGED_USER_UID}/dbus-1/ directory
+mkdir -p /run/user/"${UNPRIVILEGED_USER_UID:?}"/dbus-1/
+chmod -R 700 /run/user/"${UNPRIVILEGED_USER_UID:?}"/
+chown -R "${UNPRIVILEGED_USER_NAME:?}:" /run/user/"${UNPRIVILEGED_USER_UID:?}"/
+
+# Set unprivileged user password
+printf '%s' "${UNPRIVILEGED_USER_NAME:?}:${UNPRIVILEGED_USER_PASSWORD:?}" | chpasswd
+unset UNPRIVILEGED_USER_PASSWORD
+
 # Dump environment variables
 export-env >> /etc/profile.d/env.sh

-# Copy /etc/skel/ to guest user home if empty
-GUEST_USER_HOME=$(getent passwd guest | cut -d: -f6)
-if [ -z "$(ls -A "${GUEST_USER_HOME}")" ]; then
-	cp -aT /etc/skel/ "${GUEST_USER_HOME}"
-	chown -R guest:guest "${GUEST_USER_HOME}"
-fi
-
 # Generate self-signed certificate
-if [ ! -f "${RDP_TLS_KEY_PATH}" ] || [ ! -f "${RDP_TLS_CERT_PATH}" ]; then
-	KEY_FILE=${RDP_TLS_KEY_PATH}
-	CRT_FILE=${RDP_TLS_CERT_PATH}
+if [ ! -f "${RDP_TLS_KEY_PATH:?}" ] || [ ! -f "${RDP_TLS_CERT_PATH:?}" ]; then
+	KEY_FILE=${RDP_TLS_KEY_PATH:?}
+	CRT_FILE=${RDP_TLS_CERT_PATH:?}
 	CSR_FILE=$(mktemp -u)

 	(umask 077 \
-		&& openssl genrsa -out "${KEY_FILE}" 2048 \
+		&& openssl genrsa -out "${KEY_FILE:?}" 2048 \
 	) >/dev/null

 	(umask 022 \
-		&& openssl req -new -subj "/CN=$(uname -n)" -key "${KEY_FILE}" -out "${CSR_FILE}" \
-		&& openssl x509 -req -days 3650 -signkey "${KEY_FILE}" -in "${CSR_FILE}" -out "${CRT_FILE}" \
-		&& rm -f "${CSR_FILE}" \
+		&& openssl req -new -subj "/CN=$(uname -n)" -key "${KEY_FILE:?}" -out "${CSR_FILE:?}" \
+		&& openssl x509 -req -days 3650 -signkey "${KEY_FILE:?}" -in "${CSR_FILE:?}" -out "${CRT_FILE:?}" \
+		&& rm -f "${CSR_FILE:?}" \
 	) >/dev/null
 fi