FS#75434 - [geoipupdate] add geoipupdate system user/group and use it for the service

Attached to Project: Community Packages
Opened by Daniel Micay (thestinger) - Wednesday, 27 July 2022, 03:26 GMT
Last edited by Massimiliano Torromeo (mtorromeo) - Thursday, 28 July 2022, 20:23 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To Massimiliano Torromeo (mtorromeo)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

The geoipupdate service currently unnecessarily runs the command as root. It would be nice to add a dedicated geoipupdate user to the package and switch the service to using it. I currently make these changes locally but it would be nice to have it in the official package.

The package needs to add a geoipupdate system user/group with /var/lib/GeoIP as the home directory and the usual /usr/bin/nologin shell.

Change ownership/permissions of package files (with geoipupdate replaced with the appropriate uid/gid):

chown root:geoipupdate etc/GeoIP.conf
chmod 640 etc/GeoIP.conf
chown geoipupdate:geoipupdate -R var/lib/GeoIP

This allows it to read the configuration file via the geoipupdate group and allows it to write to the GeoIP databases in /var/lib/GeoIP.

The service could have the usual systemd hardening applied but it's not particularly important compared to simply using a dedicated system user/group.
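
A check for the layout this request describes, as an added example that is not part of the original report or the Arch package: it verifies that GeoIP.conf is mode 640 with the service group, and that everything under /var/lib/GeoIP belongs to the service account. The function name `audit_geoip`, its arguments and the temporary demo tree are assumptions; ids are passed numerically so the same check can be pointed at a package staging directory.

```shell
#!/bin/sh
# Added example (not from the geoipupdate package).
# audit_geoip ROOT SVC_UID SVC_GID [CONF_UID]
#   ROOT      tree to inspect: "" for the live system, or a staging dir
#   SVC_UID   numeric uid of the geoipupdate user
#   SVC_GID   numeric gid of the geoipupdate group
#   CONF_UID  expected owner of GeoIP.conf (default 0, i.e. root)
# Prints one FAIL line per finding. Returns 0 clean, 1 findings, 2 path missing.
audit_geoip() {
    root=$1 svc_uid=$2 svc_gid=$3 conf_uid=${4:-0} fail=0
    conf="$root/etc/GeoIP.conf"
    data="$root/var/lib/GeoIP"

    meta=$(stat -c '%u %g %a' "$conf" 2>/dev/null) || { echo "FAIL $conf missing"; return 2; }
    [ -d "$data" ] || { echo "FAIL $data missing"; return 2; }
    set -- $meta   # $1=owner uid, $2=group gid, $3=octal mode

    # Config: root-owned, readable by the service only through its group.
    [ "$1" = "$conf_uid" ] || { echo "FAIL $conf uid=$1 want $conf_uid"; fail=1; }
    [ "$2" = "$svc_gid" ]  || { echo "FAIL $conf gid=$2 want $svc_gid"; fail=1; }
    [ "$3" = 640 ]         || { echo "FAIL $conf mode=$3 want 640"; fail=1; }

    # Databases: every entry owned by the service account, matching the
    # recursive chown in the request.
    stray=$(find "$data" \( ! -user "$svc_uid" -o ! -group "$svc_gid" \) -print)
    [ -z "$stray" ] || { echo "FAIL not owned by $svc_uid:$svc_gid:"; echo "$stray"; fail=1; }

    return $fail
}

# Constructed demo tree (not a real system): start from a world-readable
# config, then apply the chmod from the request. The current user stands in
# for both root and geoipupdate so the demo needs no privileges.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/var/lib/GeoIP"
: > "$demo/etc/GeoIP.conf"; chmod 644 "$demo/etc/GeoIP.conf"
uid=$(id -u) gid=$(stat -c %g "$demo/etc/GeoIP.conf")
audit_geoip "$demo" "$uid" "$gid" "$uid" || echo "-> findings before fix"
chmod 640 "$demo/etc/GeoIP.conf"
audit_geoip "$demo" "$uid" "$gid" "$uid" && echo "-> clean after chmod 640"
rm -rf "$demo"
```

On a live system the call would be `audit_geoip "" "$(id -u geoipupdate)" "$(getent group geoipupdate | cut -d: -f3)"`, assuming the user and group exist under that name.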

Closed by Massimiliano Torromeo (mtorromeo)
Thursday, 28 July 2022, 20:23 GMT
Reason for closing: Implemented
Additional comments about closing: geoipupdate-4.9.0-3
Comment by Evangelos Foutras (foutrelis) - Thursday, 28 July 2022, 19:06 GMT
A dedicated user for this feels overkill. Some hardening should suffice. [1]

[1] https://gitlab.archlinux.org/archlinux/infrastructure/-/blob/master/roles/geoipupdate/files/hardening.conf
Comment by Massimiliano Torromeo (mtorromeo) - Thursday, 28 July 2022, 20:22 GMT
Thanks for the hardening configuration, Evangelos.