captive-sandbox-server: +Check user/group 'captive' in system files.
authorshort <>
Tue, 9 Dec 2003 20:39:42 +0000 (20:39 +0000)
committershort <>
Tue, 9 Dec 2003 20:39:42 +0000 (20:39 +0000)
README
configure.in
src/client/sandbox-server/Makefile.am

diff --git a/README b/README
index e19daad..fcdcaea 100644 (file)
--- a/README
+++ b/README
@@ -120,12 +120,15 @@ Compile by:
   make
 
 Now you have './src/client/cmdline/captive-cmdline' available for testing.
-Later you may invoke standard:
-  make install
 
-Manual addition of user and group 'captive' is required for '--sandbox-server':
+Manual addition of user and group 'captive' is required for '--sandbox-server'.
+User 'captive' should have its group 'captive'. Login should be forbidden.
+Commands may vary on your system, please consult groupadd(8) and useradd(8):
   groupadd captive
-  useradd captive
+  useradd -g captive -r -s /sbin/nologin captive
+
+Later you may invoke standard:
+  make install
 
 Both these steps will be suggested during 'make install' if appropriate:
 You may need to add '/usr/local/lib' line (without quotes) to your
index 6c36551..b3cebec 100644 (file)
@@ -106,10 +106,12 @@ AC_SUBST(enable_sbin_mount_fs)
 # AC_ARG_ENABLE(sandbox-setuid,[--enable-sandbox-setuid=USER],,[CAPTIVE_SANDBOX_SETUID="captive"])
 AC_DEFINE_UNQUOTED(CAPTIVE_SANDBOX_SETUID,"$CAPTIVE_SANDBOX_SETUID",
                [non-privileged user  for captive-sandbox-server])
+AC_SUBST(CAPTIVE_SANDBOX_SETUID)
 
 # AC_ARG_ENABLE(sandbox-setgid,[--enable-sandbox-setgid=GROUP],,[CAPTIVE_SANDBOX_SETGID="captive"])
 AC_DEFINE_UNQUOTED(CAPTIVE_SANDBOX_SETGID,"$CAPTIVE_SANDBOX_SETGID",
                [non-privileged group for captive-sandbox-server])
+AC_SUBST(CAPTIVE_SANDBOX_SETGID)
 
 # AC_ARG_ENABLE(sandbox-chroot,[--enable-sandbox-chroot=DIR],,[CAPTIVE_SANDBOX_CHROOT="/var/lib/captive"])
 AC_DEFINE_UNQUOTED(CAPTIVE_SANDBOX_CHROOT,"$CAPTIVE_SANDBOX_CHROOT",
index 0a41b75..80fa5a4 100644 (file)
@@ -31,6 +31,18 @@ install-data-hook:
        $(mkinstalldirs) $(DESTDIR)$(CAPTIVE_SANDBOX_CHROOT)/tmp
        chmod 1777 $(DESTDIR)$(CAPTIVE_SANDBOX_CHROOT)/tmp
 
+install-exec-hook:
+       if test `id -u` -eq 0 -a -z "$(DESTDIR)";then \
+               if grep -q '^$(CAPTIVE_SANDBOX_SETGID):' /etc/group;then true;else \
+                       echo "ERROR: Add '$(CAPTIVE_SANDBOX_SETGID)' to your '/etc/group'; see README and groupadd(8)"; \
+                       exit 1; \
+               fi; \
+               if grep -q '^$(CAPTIVE_SANDBOX_SETUID):' /etc/passwd;then true;else \
+                       echo "ERROR: Add '$(CAPTIVE_SANDBOX_SETUID)' to your '/etc/passwd'; see README and useradd(8)"; \
+                       exit 1; \
+               fi; \
+       fi
+
 EXTRA_DIST+=captive-sandbox-server.pod.pl.in
 CLEANFILES+=captive-sandbox-server.pod captive-sandbox-server.1
 if ENABLE_MAN_PAGES
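Review bot: The checks in install-exec-hook only test that a line starting with the name exists, so a pre-existing '$(CAPTIVE_SANDBOX_SETUID)' entry with UID 0 or a login shell passes even though the README asks for a dedicated account with login forbidden. Because configure.in describes this as the non-privileged user for captive-sandbox-server, I would add a comparison of `id -u '$(CAPTIVE_SANDBOX_SETUID)'` against 0 inside the same root-only branch and fail the install with an ERROR message if it matches. Grepping /etc/passwd and /etc/group directly also reports accounts served through NSS (NIS, LDAP) as missing; where available, `getent passwd '$(CAPTIVE_SANDBOX_SETUID)' >/dev/null` and `getent group '$(CAPTIVE_SANDBOX_SETGID)' >/dev/null` look the names up the way the C library would. A one-line comment above the hook, such as `# Account check runs only for a real root install; staged installs (DESTDIR set) skip it.`, would record why the outer test exists.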