systemd unit: run as "sftpgo" system user

Update the docs too Fixes #177
drakkan · Sep 25, 2020 · 4ebedac · 4ebedac
1 parent b23276c
commit 4ebedac
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 28 deletions.
diff --git a/docs/howto/postgresql-s3.md b/docs/howto/postgresql-s3.md
@@ -204,34 +204,12 @@ $ sftpgo initprovider -c /etc/sftpgo
 
 ## Install SFTPGo systemd service
 
-Create the systemd service file `/etc/systemd/system/sftpgo.service` with the following content:
+Copy the systemd service file.
 
 ```shell
-[Unit]
-Description=SFTPGo Server
-After=network.target postgresql.service
-
-[Service]
-User=sftpgo
-Group=sftpgo
-Type=simple
-WorkingDirectory=/etc/sftpgo
-Environment=SFTPGO_CONFIG_DIR=/etc/sftpgo/
-Environment=SFTPGO_LOG_FILE_PATH=
-EnvironmentFile=-/etc/sftpgo/sftpgo.env
-ExecStart=/usr/bin/sftpgo serve
-ExecReload=/bin/kill -s HUP $MAINPID
-KillMode=mixed
-PrivateTmp=true
-Restart=always
-RestartSec=10s
-
-[Install]
-WantedBy=multi-user.target
+sudo install -Dm644 init/sftpgo.service /etc/systemd/system
 ```
 
-This way SFTPGo will run using the dedicated `sftpgo` user and the service will start after PostgreSQL.
-
 Next, start the SFTPGo service and add it to the system boot.
 
 ```shell

diff --git a/docs/service.md b/docs/service.md
@@ -1,12 +1,25 @@
 # Running SFTPGo as a service
 
+Download a binary SFTPGo [release](https://github.com/drakkan/sftpgo/releases) or a build artifact for the [latest commit](https://github.com/drakkan/sftpgo/actions) or build SFTPGo yourself.
+
+Run the following instructions from the directory that contains the sftpgo binary and the accompanying files.
+
 ## Linux
 
 For Linux, a `systemd` sample [service](../init/sftpgo.service "systemd service") can be found inside the source tree.
 
-Here are some basic instructions to run SFTPGo as service, please run the following commands from the directory where you downloaded SFTPGo:
+Here are some basic instructions to run SFTPGo as service using a dedicated `sftpgo` system account, please run the following commands from the directory where you downloaded SFTPGo:
 
 ```bash
+# create the sftpgo user and group
+sudo groupadd --system sftpgo
+sudo useradd --system \
+  --gid sftpgo \
+  --no-create-home \
+  --home-dir /var/lib/sftpgo \
+  --shell /usr/sbin/nologin \
+  --comment "SFTPGo user" \
+  sftpgo
 # create the required directories
 sudo mkdir -p /etc/sftpgo \
   /var/lib/sftpgo \
@@ -23,11 +36,17 @@ sudo sh -c 'echo "SFTPGO_HTTPD__BACKUPS_PATH=/var/lib/sftpgo/backups" >> /etc/sf
 sudo sh -c 'echo "SFTPGO_DATA_PROVIDER__CREDENTIALS_PATH=/var/lib/sftpgo/credentials" >> /etc/sftpgo/sftpgo.env'
 # if you use a file based data provider such as sqlite or bolt consider to set the database path too, for example:
 #sudo sh -c 'echo "SFTPGO_DATA_PROVIDER__NAME=/var/lib/sftpgo/sftpgo.db" >> /etc/sftpgo/sftpgo.env'
+# also set the provider's PATH as env var to get initprovider to work with SQLite provider:
+#export SFTPGO_DATA_PROVIDER__NAME=/var/lib/sftpgo/sftpgo.db
 # install static files and templates for the web UI
 sudo cp -r static templates /usr/share/sftpgo/
+# set files and directory permissions
+sudo chown -R sftpgo:sftpgo /etc/sftpgo /var/lib/sftpgo
+sudo chmod 750 /etc/sftpgo /var/lib/sftpgo
+sudo chmod 640 /etc/sftpgo/sftpgo.json /etc/sftpgo/sftpgo.env
 # initialize the configured data provider
 # if you want to use MySQL or PostgreSQL you need to create the configured database before running the initprovider command
-sudo /usr/bin/sftpgo initprovider -c /etc/sftpgo/
+sudo -E su - sftpgo -m -s /bin/bash -c 'sftpgo initprovider -c /etc/sftpgo'
 # install the systemd service
 sudo install -Dm644 init/sftpgo.service /etc/systemd/system
 # start the service

diff --git a/init/sftpgo.service b/init/sftpgo.service
@@ -3,8 +3,8 @@ Description=SFTPGo Server
 After=network.target
 
 [Service]
-User=root
-Group=root
+User=sftpgo
+Group=sftpgo
 Type=simple
 WorkingDirectory=/etc/sftpgo
 Environment=SFTPGO_CONFIG_DIR=/etc/sftpgo/

diff --git a/sftpd/sftpd_test.go b/sftpd/sftpd_test.go
@@ -906,6 +906,11 @@ func TestEscapeHomeDir(t *testing.T) {
 		assert.NoError(t, err)
 		_, err := client.ReadDir(testDir)
 		assert.Error(t, err, "reading a symbolic link outside home dir should not succeeded")
+		err = client.Chmod(path.Join(testDir, "sub", "dir"), os.ModePerm)
+		if assert.Error(t, err) {
+			assert.Contains(t, err.Error(), "SSH_FX_FAILURE")
+		}
+		assert.Error(t, err, "setstat on a file outside home dir must fail")
 		testFilePath := filepath.Join(homeBasePath, testFileName)
 		testFileSize := int64(65535)
 		err = createTestFile(testFilePath, testFileSize)