From: short <>
Date: Tue, 9 Dec 2003 20:39:42 +0000 (+0000)
Subject: captive-sandbox-server: +Check user/group 'captive' in system files.
X-Git-Tag: captive-1_1_4~18
X-Git-Url: http://git.jankratochvil.net/?p=captive.git;a=commitdiff_plain;h=23d032cd40f776aba4144193caf16c6c0da8433e

captive-sandbox-server: +Check user/group 'captive' in system files.
---
diff --git a/README b/README
index e19daad..fcdcaea 100644
--- a/README
+++ b/README
@@ -120,12 +120,15 @@ Compile by:
 make
 Now you have './src/client/cmdline/captive-cmdline' available for testing.
-Later you may invoke standard:
- make install
-Manual addition of user and group 'captive' is required for '--sandbox-server':
+Manual addition of user and group 'captive' is required for '--sandbox-server'.
+User 'captive' should have its group 'captive'. Login should be forbidden.
+Commands may vary on your system, please consult groupadd(8) and useradd(8):
 groupadd captive
- useradd captive
+ useradd -g captive -r -s /sbin/nologin captive
+
+Later you may invoke standard:
+ make install
 Both these steps will be suggested during 'make install' if appropriate:
 You may need to add '/usr/local/lib' line (without quotes) to your
diff --git a/configure.in b/configure.in
index 6c36551..b3cebec 100644
--- a/configure.in
+++ b/configure.in
@@ -106,10 +106,12 @@ AC_SUBST(enable_sbin_mount_fs)
 # AC_ARG_ENABLE(sandbox-setuid,[--enable-sandbox-setuid=USER],,[CAPTIVE_SANDBOX_SETUID="captive"])
 AC_DEFINE_UNQUOTED(CAPTIVE_SANDBOX_SETUID,"$CAPTIVE_SANDBOX_SETUID",
 [non-privileged user for captive-sandbox-server])
+AC_SUBST(CAPTIVE_SANDBOX_SETUID)
 # AC_ARG_ENABLE(sandbox-setgid,[--enable-sandbox-setgid=GROUP],,[CAPTIVE_SANDBOX_SETGID="captive"])
 AC_DEFINE_UNQUOTED(CAPTIVE_SANDBOX_SETGID,"$CAPTIVE_SANDBOX_SETGID",
 [non-privileged group for captive-sandbox-server])
+AC_SUBST(CAPTIVE_SANDBOX_SETGID)
 # AC_ARG_ENABLE(sandbox-chroot,[--enable-sandbox-chroot=DIR],,[CAPTIVE_SANDBOX_CHROOT="/var/lib/captive"])
 AC_DEFINE_UNQUOTED(CAPTIVE_SANDBOX_CHROOT,"$CAPTIVE_SANDBOX_CHROOT",
diff --git a/src/client/sandbox-server/Makefile.am b/src/client/sandbox-server/Makefile.am
index 0a41b75..80fa5a4 100644
--- a/src/client/sandbox-server/Makefile.am
+++ b/src/client/sandbox-server/Makefile.am
@@ -31,6 +31,18 @@ install-data-hook:
 $(mkinstalldirs) $(DESTDIR)$(CAPTIVE_SANDBOX_CHROOT)/tmp
 chmod 1777 $(DESTDIR)$(CAPTIVE_SANDBOX_CHROOT)/tmp
+install-exec-hook:
+ if test `id -u` -eq 0 -a -z "$(DESTDIR)";then \
+ if grep -q '^$(CAPTIVE_SANDBOX_SETGID):' /etc/group;then true;else \
+ echo "ERROR: Add '$(CAPTIVE_SANDBOX_SETGID)' to your '/etc/group'; see README and groupadd(8)"; \
+ exit 1; \
+ fi; \
+ if grep -q '^$(CAPTIVE_SANDBOX_SETUID):' /etc/passwd;then true;else \
+ echo "ERROR: Add '$(CAPTIVE_SANDBOX_SETUID)' to your '/etc/passwd'; see README and useradd(8)"; \
+ exit 1; \
+ fi; \
+ fi
+
 EXTRA_DIST+=captive-sandbox-server.pod.pl.in
 CLEANFILES+=captive-sandbox-server.pod captive-sandbox-server.1
 if ENABLE_MAN_PAGES
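Review bot: The new install-exec-hook in src/client/sandbox-server/Makefile.am greps /etc/group and /etc/passwd directly, so an account provided through NSS (LDAP, NIS) is reported as missing, and the configured name is interpolated unescaped into a regular expression. Resolving the names through the system lookup avoids both, e.g. `getent group '$(CAPTIVE_SANDBOX_SETGID)' >/dev/null` and `id -u '$(CAPTIVE_SANDBOX_SETUID)' >/dev/null 2>&1`, where those tools are available. The hook also verifies existence only: it accepts an account with uid 0 or a login shell, although the README hunk asks for a system account with login forbidden, so a guard such as `test "$$(id -u '$(CAPTIVE_SANDBOX_SETUID)')" -ne 0` is worth adding for the user described in configure.in as the non-privileged user for captive-sandbox-server. The two ERROR messages are written to stdout; appending `>&2` to the echo lines keeps them visible when install output is redirected.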