NF: run as different user (disabled by default)

pull/23/head
Zbigniew Jędrzejewski-Szmek 13 years ago
parent aa4f5cf2b7
commit de502cf2e4

@ -21,3 +21,19 @@
# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for # Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
# valid options. # valid options.
FAIL2BAN_OPTS="" FAIL2BAN_OPTS=""
# Run fail2ban as a different user. If not set, fail2ban
# will run as root.
#
# The user is not created automatically.
# The user can be created e.g. with
# useradd --system --no-create-home --home-dir / --groups adm fail2ban
# Log files are readable by group adm by default. Adding the fail2ban
# user to this group allows it to read the logfiles.
#
# Another manual step that needs to be taken is to allow write access
# for fail2ban user to fail2ban log files. The /etc/init.d/fail2ban
# script will change the ownership when starting fail2ban. Logrotate
# needs to be configured seperately, see /etc/logrotate.d/fail2ban.
#
# FAIL2BAN_USER="fail2ban"
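Review bot: The new comment block has a typo, `seperately` should read `separately`, and it describes only the read side (group adm for logs) of what the non-root account needs. If the ban actions are executed by the same daemon process, which this page does not show, the account would also need whatever privileges those actions require, and that is worth stating here so an administrator enabling `FAIL2BAN_USER` is not surprised by silently failing bans; a line such as `# The user must also have the privileges required by the configured actions (e.g. firewall changes).` would cover it. Keeping the option commented out by default is the right choice given those manual steps.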

@ -33,6 +33,9 @@ SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local
# Exit if the package is not installed # Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0 [ -x "$DAEMON" ] || exit 0
# Run as root by default.
FAIL2BAN_USER=root
# Read configuration variable file if it is present # Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME [ -r /etc/default/$NAME ] && . /etc/default/$NAME
DAEMON_ARGS="$FAIL2BAN_OPTS" DAEMON_ARGS="$FAIL2BAN_OPTS"
@ -103,7 +106,17 @@ do_start()
# Assure that /var/run/fail2ban exists # Assure that /var/run/fail2ban exists
[ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban [ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban
start-stop-daemon --start --quiet --chuid root --exec $DAEMON -- \ if [ "$FAIL2BAN_USER" != "root" ]; then
# Make the socket directory, IP lists and fail2ban log
# files writable by fail2ban
chown "$FAIL2BAN_USER" /var/run/fail2ban
# Create the logfile if it doesn't exist
touch /var/log/fail2ban.log
chown "$FAIL2BAN_USER" /var/log/fail2ban.log
find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} \;
fi
start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --exec $DAEMON -- \
$DAEMON_ARGS start > /dev/null\ $DAEMON_ARGS start > /dev/null\
|| return 2 || return 2
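Review bot: The `find /proc/net/xt_recent -name 'fail2ban-*' -exec chown ...` line inside the new `if` block errors out on stderr whenever /proc/net/xt_recent does not exist, which is the case until the xt_recent module is loaded, so the common first start as a non-root user prints a spurious failure; guard it with `[ -d /proc/net/xt_recent ] && find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} +`. The ownership fix-ups for /var/run/fail2ban and /var/log/fail2ban.log run only in do_start, so a log file recreated by logrotate as root is presumably unwritable by the daemon until the next restart; the logrotate hunk in this commit addresses that only if the administrator also edits that file, which the code here does not check or warn about. do_start begins before this hunk.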

@ -9,5 +9,9 @@
postrotate postrotate
fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
endscript endscript
# If fail2ban runs as non-root it still needs to have write access
# to logfiles.
# create 640 fail2ban adm
create 640 root adm create 640 root adm
} }
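Review bot: The new comment says write access is still needed but not which value the `create` line must carry, leaving the reader to guess that the user must match `FAIL2BAN_USER` from /etc/default/fail2ban; replace the two comment lines with `# If FAIL2BAN_USER is set in /etc/default/fail2ban, use that user instead of root below so the rotated log stays writable by the daemon:` above the commented `# create 640 fail2ban adm`. Without that, after the first rotation a daemon running as the unprivileged user would presumably fail to reopen the root-owned 640 file when the postrotate `set logtarget` runs, which is inferred from the init script hunk rather than visible here.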
