@@ -485,32 +485,20 @@ install_dependencies() {
|
||||
echo ""
|
||||
}
|
||||
|
||||
# Create system user
|
||||
# Create system user (optional - service runs as root)
|
||||
create_user() {
|
||||
echo -e "${GREEN}Creating system user...${NC}"
|
||||
echo -e "${GREEN}Note: Service will run as root (no user needed)${NC}"
|
||||
|
||||
# User creation is optional now since service runs as root
|
||||
# But we still create it for file ownership purposes if needed
|
||||
if ! id "$SERVICE_USER" &>/dev/null; then
|
||||
useradd -r -s /bin/false -d "$DATA_DIR" "$SERVICE_USER"
|
||||
echo -e "${GREEN}User $SERVICE_USER created${NC}"
|
||||
else
|
||||
echo -e "${YELLOW}User $SERVICE_USER already exists${NC}"
|
||||
useradd -r -s /bin/false -d "$DATA_DIR" "$SERVICE_USER" 2>/dev/null || {
|
||||
echo -e "${YELLOW}User creation skipped (service runs as root)${NC}"
|
||||
}
|
||||
fi
|
||||
|
||||
# Add user to disk group for block device access (required for ZFS)
|
||||
if getent group disk > /dev/null 2>&1; then
|
||||
usermod -a -G disk "$SERVICE_USER"
|
||||
echo -e "${GREEN}Added $SERVICE_USER to disk group${NC}"
|
||||
fi
|
||||
|
||||
# Create sudoers configuration for ZFS commands
|
||||
echo -e "${GREEN}Configuring sudo for ZFS operations...${NC}"
|
||||
cat > /etc/sudoers.d/atlas-zfs <<EOF
|
||||
# Allow atlas user to run ZFS commands without password
|
||||
# This is required for ZFS pool operations
|
||||
$SERVICE_USER ALL=(ALL) NOPASSWD: /usr/sbin/zpool, /usr/bin/zpool, /sbin/zpool, /usr/sbin/zfs, /usr/bin/zfs, /sbin/zfs
|
||||
EOF
|
||||
chmod 440 /etc/sudoers.d/atlas-zfs
|
||||
echo -e "${GREEN}Sudo configuration created${NC}"
|
||||
# No sudoers configuration needed - service runs as root
|
||||
echo -e "${GREEN}No sudo configuration needed (service runs as root)${NC}"
|
||||
}
|
||||
|
||||
# Create directories
|
||||
@@ -529,12 +517,15 @@ create_directories() {
|
||||
mkdir -p "/storage/datasets"
|
||||
mkdir -p "/storage/shares"
|
||||
|
||||
# Set ownership
|
||||
chown -R "$SERVICE_USER:$SERVICE_USER" "$DATA_DIR"
|
||||
chown -R "$SERVICE_USER:$SERVICE_USER" "$LOG_DIR"
|
||||
chown -R "$SERVICE_USER:$SERVICE_USER" "$BACKUP_DIR"
|
||||
chown -R "$SERVICE_USER:$SERVICE_USER" "$CONFIG_DIR"
|
||||
chown -R "$SERVICE_USER:$SERVICE_USER" "/storage"
|
||||
# Set ownership (service runs as root, but set ownership for security)
|
||||
# Root can access these directories, but we set ownership for consistency
|
||||
if id "$SERVICE_USER" &>/dev/null; then
|
||||
chown -R "$SERVICE_USER:$SERVICE_USER" "$DATA_DIR" 2>/dev/null || true
|
||||
chown -R "$SERVICE_USER:$SERVICE_USER" "$LOG_DIR" 2>/dev/null || true
|
||||
chown -R "$SERVICE_USER:$SERVICE_USER" "$BACKUP_DIR" 2>/dev/null || true
|
||||
chown -R "$SERVICE_USER:$SERVICE_USER" "$CONFIG_DIR" 2>/dev/null || true
|
||||
chown -R "$SERVICE_USER:$SERVICE_USER" "/storage" 2>/dev/null || true
|
||||
fi
|
||||
|
||||
# Set permissions
|
||||
chmod 755 "$INSTALL_DIR"
|
||||
@@ -872,8 +863,10 @@ copy_web_files() {
|
||||
}
|
||||
fi
|
||||
|
||||
# Set ownership
|
||||
chown -R "$SERVICE_USER:$SERVICE_USER" "$INSTALL_DIR/web"
|
||||
# Set ownership (service runs as root)
|
||||
if id "$SERVICE_USER" &>/dev/null; then
|
||||
chown -R "$SERVICE_USER:$SERVICE_USER" "$INSTALL_DIR/web" 2>/dev/null || true
|
||||
fi
|
||||
chmod -R 755 "$INSTALL_DIR/web"
|
||||
|
||||
echo -e "${GREEN}Web files copied successfully${NC}"
|
||||
@@ -893,8 +886,8 @@ After=network.target zfs.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=$SERVICE_USER
|
||||
Group=$SERVICE_USER
|
||||
# Service runs as root for ZFS and storage operations
|
||||
# No User/Group specified - runs as root
|
||||
WorkingDirectory=$INSTALL_DIR
|
||||
ExecStart=$INSTALL_DIR/bin/atlas-api
|
||||
Restart=always
|
||||
@@ -911,13 +904,11 @@ Environment="ATLAS_LOG_LEVEL=INFO"
|
||||
Environment="ATLAS_LOG_FORMAT=json"
|
||||
|
||||
# Security
|
||||
# Note: NoNewPrivileges is set to false to allow sudo for ZFS operations
|
||||
# This is necessary for ZFS pool management
|
||||
NoNewPrivileges=false
|
||||
# Service runs as root for ZFS operations (no sudo needed)
|
||||
PrivateTmp=true
|
||||
ProtectSystem=strict
|
||||
ProtectHome=true
|
||||
ReadWritePaths=$DATA_DIR $LOG_DIR $BACKUP_DIR $CONFIG_DIR
|
||||
ReadWritePaths=$DATA_DIR $LOG_DIR $BACKUP_DIR $CONFIG_DIR /storage /etc/samba /etc/exports
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -959,7 +950,10 @@ ATLAS_LOG_FORMAT=json
|
||||
# ATLAS_JWT_SECRET=your-secret-here
|
||||
EOF
|
||||
|
||||
chown "$SERVICE_USER:$SERVICE_USER" "$CONFIG_DIR/atlas.conf"
|
||||
# Service runs as root, but set ownership for consistency
|
||||
if id "$SERVICE_USER" &>/dev/null; then
|
||||
chown "$SERVICE_USER:$SERVICE_USER" "$CONFIG_DIR/atlas.conf" 2>/dev/null || true
|
||||
fi
|
||||
chmod 600 "$CONFIG_DIR/atlas.conf"
|
||||
|
||||
echo -e "${GREEN}Configuration created${NC}"
|
||||
|
||||
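Review bot: In the `[Service]` hunk, dropping `User=`/`Group=` makes `atlas-api` run as root (presumably network-facing, given the web files and JWT setting), and the Security block only loses `NoNewPrivileges=false` without gaining anything, while `ReadWritePaths=` grows to include `/storage /etc/samba /etc/exports`. Since sudo is no longer used, the unit can set `NoNewPrivileges=true`, and a `CapabilityBoundingSet=` limited to what the ZFS, Samba and NFS operations need is worth evaluating; which capabilities those are cannot be determined from this page. `create_user` also stops writing `/etc/sudoers.d/atlas-zfs` but never deletes it, so a host upgraded from the earlier installer keeps the NOPASSWD rule and the `disk` group membership for `$SERVICE_USER`; adding `rm -f /etc/sudoers.d/atlas-zfs` there would close that. The `chown ... 2>/dev/null || true` calls in `create_directories`, `copy_web_files` and the config step still give `$CONFIG_DIR`, `atlas.conf` and `$INSTALL_DIR/web` to the unprivileged account, so a root service reads files that account can modify, and any chown failure is hidden. `root:root` ownership would match the new model, with errors left visible.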