github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

NF: run as different user (disabled by default)

pull/23/head
Zbigniew Jędrzejewski-Szmek 2012-01-06 00:36:50 +01:00
parent aa4f5cf2b7
commit de502cf2e4
3 changed files with 34 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
debian/fail2ban.default vendored
View File

@ -21,3 +21,19 @@
# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
# valid options.
FAIL2BAN_OPTS=""
# Run fail2ban as a different user. If not set, fail2ban
# will run as root.
#
# The user is not created automatically.
# The user can be created e.g. with
# useradd --system --no-create-home --home-dir / --groups adm fail2ban
# Log files are readable by group adm by default. Adding the fail2ban
# user to this group allows it to read the logfiles.
#
# Another manual step that needs to be taken is to allow write access
# for fail2ban user to fail2ban log files. The /etc/init.d/fail2ban
# script will change the ownership when starting fail2ban. Logrotate
# needs to be configured seperately, see /etc/logrotate.d/fail2ban.
#
# FAIL2BAN_USER="fail2ban"

15
debian/fail2ban.init vendored
View File

@ -33,6 +33,9 @@ SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Run as root by default.
FAIL2BAN_USER=root
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
DAEMON_ARGS="$FAIL2BAN_OPTS"
@ -103,7 +106,17 @@ do_start()
# Assure that /var/run/fail2ban exists
[ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban
start-stop-daemon --start --quiet --chuid root --exec $DAEMON -- \
if [ "$FAIL2BAN_USER" != "root" ]; then
# Make the socket directory, IP lists and fail2ban log
# files writable by fail2ban
chown "$FAIL2BAN_USER" /var/run/fail2ban
# Create the logfile if it doesn't exist
touch /var/log/fail2ban.log
chown "$FAIL2BAN_USER" /var/log/fail2ban.log
find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} \;
fi
start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --exec $DAEMON -- \
$DAEMON_ARGS start > /dev/null\
|| return 2

4
debian/fail2ban.logrotate vendored
View File

@ -9,5 +9,9 @@
postrotate
fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
endscript
# If fail2ban runs as non-root it still needs to have write access
# to logfiles.
# create 640 fail2ban adm
create 640 root adm
}