From 7d8f9c7f6df516d8c2561f3c3979581ab5209f47 Mon Sep 17 00:00:00 2001 From: Austin Date: Thu, 15 May 2025 07:40:46 -0400 Subject: [PATCH] Stop the madness! Run as a user (not root) (#6718) * Stop the madness! Run as a user (not root) * Trigger fsdir migration for < 2.6.9 --------- Co-authored-by: Ben Meadors --- .trunk/trunk.yaml | 1 - Dockerfile | 14 ++++-- alpine.Dockerfile | 11 ++++- bin/99-meshtasticd-udev.rules | 4 ++ bin/config-dist.yaml | 2 +- bin/meshtasticd.service | 7 +-- bin/native-install.sh | 2 +- debian/control | 6 ++- debian/meshtasticd.dirs | 3 +- debian/meshtasticd.install | 4 +- debian/meshtasticd.postinst | 79 ++++++++++++++++++++++++++++++ debian/meshtasticd.postrm | 41 ++++++++++++++++ debian/meshtasticd.udev | 4 ++ meshtasticd.spec.rpkg | 66 +++++++++++++++++++++++-- src/mesh/raspihttp/PiWebServer.cpp | 4 +- 15 files changed, 225 insertions(+), 23 deletions(-) create mode 100644 bin/99-meshtasticd-udev.rules create mode 100755 debian/meshtasticd.postinst create mode 100755 debian/meshtasticd.postrm create mode 100644 debian/meshtasticd.udev diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index 4aa5527be..79bdf4778 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml @@ -13,7 +13,6 @@ lint: - trufflehog@3.88.29 - yamllint@1.37.1 - bandit@1.8.3 - - terrascan@1.19.9 - trivy@0.62.1 - taplo@0.9.3 - ruff@0.11.9 diff --git a/Dockerfile b/Dockerfile index 6c1b83653..e033b1bba 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,3 @@ -# trunk-ignore-all(terrascan/AC_DOCKER_0002): Known terrascan issue # trunk-ignore-all(trivy/DS002): We must run as root for this container # trunk-ignore-all(hadolint/DL3002): We must run as root for this container # trunk-ignore-all(hadolint/DL3008): Do not pin apt package versions @@ -38,6 +37,13 @@ RUN curl -L "https://github.com/meshtastic/web/releases/download/v$(cat /tmp/fir ##### PRODUCTION BUILD ############# FROM debian:bookworm-slim +LABEL org.opencontainers.image.title="Meshtastic" \ + org.opencontainers.image.description="Debian Meshtastic daemon and web interface" \ + org.opencontainers.image.url="https://meshtastic.org" \ + org.opencontainers.image.documentation="https://meshtastic.org/docs/" \ + org.opencontainers.image.authors="Meshtastic" \ + org.opencontainers.image.licenses="GPL-3.0-or-later" \ + org.opencontainers.image.source="https://github.com/meshtastic/firmware/" ENV DEBIAN_FRONTEND=noninteractive ENV TZ=Etc/UTC @@ -54,7 +60,7 @@ RUN apt-get update && apt-get --no-install-recommends -y install \ && mkdir -p /etc/meshtasticd/ssl # Fetch compiled binary from the builder -COPY --from=builder /tmp/firmware/release/meshtasticd /usr/sbin/ +COPY --from=builder /tmp/firmware/release/meshtasticd /usr/bin/ COPY --from=builder /tmp/web /usr/share/meshtasticd/ # Copy config templates COPY ./bin/config.d /etc/meshtasticd/available.d @@ -65,8 +71,8 @@ VOLUME /var/lib/meshtasticd # Expose Meshtastic TCP API port from the host EXPOSE 4403 # Expose Meshtastic Web UI port from the host -EXPOSE 443 +EXPOSE 9443 -CMD [ "sh", "-cx", "meshtasticd -d /var/lib/meshtasticd" ] +CMD [ "sh", "-cx", "meshtasticd --fsdir=/var/lib/meshtasticd" ] HEALTHCHECK NONE diff --git a/alpine.Dockerfile b/alpine.Dockerfile index 350129040..bf7cad6d4 100644 --- a/alpine.Dockerfile +++ b/alpine.Dockerfile @@ -28,12 +28,19 @@ RUN bash ./bin/build-native.sh "$PIO_ENV" && \ # ##### PRODUCTION BUILD ############# FROM alpine:3.21 +LABEL org.opencontainers.image.title="Meshtastic" \ + org.opencontainers.image.description="Alpine Meshtastic daemon" \ + org.opencontainers.image.url="https://meshtastic.org" \ + org.opencontainers.image.documentation="https://meshtastic.org/docs/" \ + org.opencontainers.image.authors="Meshtastic" \ + org.opencontainers.image.licenses="GPL-3.0-or-later" \ + org.opencontainers.image.source="https://github.com/meshtastic/firmware/" # nosemgrep: dockerfile.security.last-user-is-root.last-user-is-root USER root RUN apk --no-cache add \ - libstdc++ libgpiod yaml-cpp libusb i2c-tools libuv \ + shadow libstdc++ libgpiod yaml-cpp libusb i2c-tools libuv \ libx11 libinput libxkbcommon \ && rm -rf /var/cache/apk/* \ && mkdir -p /var/lib/meshtasticd \ @@ -41,7 +48,7 @@ RUN apk --no-cache add \ && mkdir -p /etc/meshtasticd/ssl # Fetch compiled binary from the builder -COPY --from=builder /tmp/firmware/release/meshtasticd /usr/sbin/ +COPY --from=builder /tmp/firmware/release/meshtasticd /usr/bin/ # Copy config templates COPY ./bin/config.d /etc/meshtasticd/available.d diff --git a/bin/99-meshtasticd-udev.rules b/bin/99-meshtasticd-udev.rules new file mode 100644 index 000000000..69a468d7a --- /dev/null +++ b/bin/99-meshtasticd-udev.rules @@ -0,0 +1,4 @@ +# Set spidev ownership to 'spi' group. +SUBSYSTEM=="spidev", KERNEL=="spidev*", GROUP="spi", MODE="0660" +# Allow access to USB CH341 devices +SUBSYSTEM=="usb", ATTRS{idVendor}=="1a86", ATTRS{idProduct}=="5512", MODE="0666" diff --git a/bin/config-dist.yaml b/bin/config-dist.yaml index 9238d0e56..98c7696f0 100644 --- a/bin/config-dist.yaml +++ b/bin/config-dist.yaml @@ -188,7 +188,7 @@ Logging: # AsciiLogs: true # default if not specified is !isatty() on stdout Webserver: -# Port: 443 # Port for Webserver & Webservices +# Port: 9443 # Port for Webserver & Webservices # RootPath: /usr/share/meshtasticd/web # Root Dir of WebServer # SSLKey: /etc/meshtasticd/ssl/private_key.pem # Path to SSL Key, generated if not present # SSLCert: /etc/meshtasticd/ssl/certificate.pem # Path to SSL Certificate, generated if not present diff --git a/bin/meshtasticd.service b/bin/meshtasticd.service index 1e8ee98b8..63430bae8 100644 --- a/bin/meshtasticd.service +++ b/bin/meshtasticd.service @@ -5,10 +5,11 @@ StartLimitInterval=200 StartLimitBurst=5 [Service] -User=root -Group=root +AmbientCapabilities=CAP_NET_BIND_SERVICE +User=meshtasticd +Group=meshtasticd Type=simple -ExecStart=/usr/sbin/meshtasticd +ExecStart=/usr/bin/meshtasticd Restart=always RestartSec=3 diff --git a/bin/native-install.sh b/bin/native-install.sh index a8fcc29a6..18cd9205b 100755 --- a/bin/native-install.sh +++ b/bin/native-install.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -cp "release/meshtasticd_linux_$(uname -m)" /usr/sbin/meshtasticd +cp "release/meshtasticd_linux_$(uname -m)" /usr/bin/meshtasticd mkdir -p /etc/meshtasticd if [[ -f "/etc/meshtasticd/config.yaml" ]]; then cp bin/config-dist.yaml /etc/meshtasticd/config-upgrade.yaml diff --git a/debian/control b/debian/control index 9277f6f54..761383a5c 100644 --- a/debian/control +++ b/debian/control @@ -31,7 +31,9 @@ Rules-Requires-Root: no Package: meshtasticd Architecture: any -Depends: ${misc:Depends}, ${shlibs:Depends} +Depends: adduser, + ${misc:Depends}, + ${shlibs:Depends} Description: Meshtastic daemon for communicating with Meshtastic devices Meshtastic is an off-grid text communication platform that uses inexpensive - LoRa radios. \ No newline at end of file + LoRa radios. diff --git a/debian/meshtasticd.dirs b/debian/meshtasticd.dirs index 45a1ca3db..a667768b2 100644 --- a/debian/meshtasticd.dirs +++ b/debian/meshtasticd.dirs @@ -1,5 +1,6 @@ +var/lib/meshtasticd etc/meshtasticd etc/meshtasticd/config.d etc/meshtasticd/available.d usr/share/meshtasticd/web -etc/meshtasticd/ssl \ No newline at end of file +etc/meshtasticd/ssl diff --git a/debian/meshtasticd.install b/debian/meshtasticd.install index 6b6b5a361..3c68b42b1 100644 --- a/debian/meshtasticd.install +++ b/debian/meshtasticd.install @@ -1,8 +1,8 @@ -.pio/build/native-tft/meshtasticd usr/sbin +.pio/build/native-tft/meshtasticd usr/bin bin/config.yaml etc/meshtasticd bin/config.d/* etc/meshtasticd/available.d bin/meshtasticd.service lib/systemd/system -web/* usr/share/meshtasticd/web \ No newline at end of file +web/* usr/share/meshtasticd/web diff --git a/debian/meshtasticd.postinst b/debian/meshtasticd.postinst new file mode 100755 index 000000000..324865718 --- /dev/null +++ b/debian/meshtasticd.postinst @@ -0,0 +1,79 @@ +#!/bin/sh +# postinst script for meshtasticd +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + configure|reconfigure) + # create spi group (for udev rules) + # this group already exists on Raspberry Pi OS + getent group spi >/dev/null 2>/dev/null || addgroup --system spi + # create a meshtasticd group and user + getent passwd meshtasticd >/dev/null 2>/dev/null || adduser --system --home /var/lib/meshtasticd --no-create-home meshtasticd + getent group meshtasticd >/dev/null 2>/dev/null || addgroup --system meshtasticd + adduser meshtasticd meshtasticd >/dev/null 2>/dev/null + adduser meshtasticd spi >/dev/null 2>/dev/null + # add meshtasticd user to appropriate groups (if they exist) + getent group gpio >/dev/null 2>/dev/null && adduser meshtasticd gpio >/dev/null 2>/dev/null + getent group plugdev >/dev/null 2>/dev/null && adduser meshtasticd plugdev >/dev/null 2>/dev/null + getent group dialout >/dev/null 2>/dev/null && adduser meshtasticd dialout >/dev/null 2>/dev/null + getent group i2c >/dev/null 2>/dev/null && adduser meshtasticd i2c >/dev/null 2>/dev/null + getent group video >/dev/null 2>/dev/null && adduser meshtasticd video >/dev/null 2>/dev/null + getent group audio >/dev/null 2>/dev/null && adduser meshtasticd audio >/dev/null 2>/dev/null + getent group input >/dev/null 2>/dev/null && adduser meshtasticd input >/dev/null 2>/dev/null + + + # migrate /root/.portduino to /var/lib/meshtasticd/.portduino + # should only run once, upon upgrade from < 2.6.9 + if [ -n "$2" ] && dpkg --compare-versions "$2" lt 2.6.9; then + if [ -d /root/.portduino ] && [ ! -e /var/lib/meshtasticd/.portduino ]; then + cp -r /root/.portduino /var/lib/meshtasticd/.portduino + echo "Migrated meshtasticd VFS from /root/.portduino to /var/lib/meshtasticd/.portduino" + echo "meshtasticd now runs as the 'meshtasticd' user, not 'root'." + echo "See https://github.com/meshtastic/firmware/pull/6718 for details" + fi + fi + + if [ -d /var/lib/meshtasticd ]; then + chown -R meshtasticd:meshtasticd /var/lib/meshtasticd + fi + + if [ -d /etc/meshtasticd ]; then + chown -R meshtasticd:meshtasticd /etc/meshtasticd + fi + + if [ -d /usr/share/meshtasticd ]; then + chown -R meshtasticd:meshtasticd /usr/share/meshtasticd + fi + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/meshtasticd.postrm b/debian/meshtasticd.postrm new file mode 100755 index 000000000..bb2c32a5b --- /dev/null +++ b/debian/meshtasticd.postrm @@ -0,0 +1,41 @@ +#!/bin/sh +# postrm script for meshtasticd +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `remove' +# * `purge' +# * `upgrade' +# * `failed-upgrade' +# * `abort-install' +# * `abort-install' +# * `abort-upgrade' +# * `disappear' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + # Only remove /var/lib/meshtasticd on purge + if [ "${1}" = "purge" ] ; then + rm -rf /var/lib/meshtasticd + fi + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/meshtasticd.udev b/debian/meshtasticd.udev new file mode 100644 index 000000000..69a468d7a --- /dev/null +++ b/debian/meshtasticd.udev @@ -0,0 +1,4 @@ +# Set spidev ownership to 'spi' group. +SUBSYSTEM=="spidev", KERNEL=="spidev*", GROUP="spi", MODE="0660" +# Allow access to USB CH341 devices +SUBSYSTEM=="usb", ATTRS{idVendor}=="1a86", ATTRS{idProduct}=="5512", MODE="0666" diff --git a/meshtasticd.spec.rpkg b/meshtasticd.spec.rpkg index 2d777bc76..eb4ab5ae7 100644 --- a/meshtasticd.spec.rpkg +++ b/meshtasticd.spec.rpkg @@ -10,6 +10,8 @@ # - https://docs.pagure.org/rpkg-util/v3/index.html # - https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/ +%global meshtasticd_user meshtasticd + Name: meshtasticd # Version Ex: 2.5.19 Version: {{{ meshtastic_version }}} @@ -47,6 +49,8 @@ BuildRequires: pkgconfig(x11) BuildRequires: pkgconfig(libinput) BuildRequires: pkgconfig(xkbcommon-x11) +Requires: systemd-udev + %description Meshtastic daemon for controlling Meshtastic devices. Meshtastic is an off-grid text communication platform that uses inexpensive LoRa radios. @@ -63,15 +67,25 @@ gzip -dr web platformio run -e native-tft %install -mkdir -p %{buildroot}%{_sbindir} -install -m 0755 .pio/build/native-tft/program %{buildroot}%{_sbindir}/meshtasticd +# Install meshtasticd binary +mkdir -p %{buildroot}%{_bindir} +install -m 0755 .pio/build/native-tft/program %{buildroot}%{_bindir}/meshtasticd +# Install portduino VFS dir +install -p -d -m 0770 %{buildroot}%{_localstatedir}/lib/meshtasticd + +# Install udev rules +mkdir -p %{buildroot}%{_udevrulesdir} +install -m 0644 bin/99-meshtasticd-udev.rules %{buildroot}%{_udevrulesdir}/99-meshtasticd-udev.rules + +# Install config dirs mkdir -p %{buildroot}%{_sysconfdir}/meshtasticd install -m 0644 bin/config-dist.yaml %{buildroot}%{_sysconfdir}/meshtasticd/config.yaml mkdir -p %{buildroot}%{_sysconfdir}/meshtasticd/config.d mkdir -p %{buildroot}%{_sysconfdir}/meshtasticd/available.d cp -r bin/config.d/* %{buildroot}%{_sysconfdir}/meshtasticd/available.d +# Install systemd service install -D -m 0644 bin/meshtasticd.service %{buildroot}%{_unitdir}/meshtasticd.service # Install the web files under /usr/share/meshtasticd/web @@ -80,10 +94,54 @@ cp -r web/* %{buildroot}%{_datadir}/meshtasticd/web # Install default SSL storage directory (for web) mkdir -p %{buildroot}%{_sysconfdir}/meshtasticd/ssl +%pre +# create spi group (for udev rules) +getent group spi > /dev/null || groupadd -r spi +# create a meshtasticd group and user +getent group %{meshtasticd_user} > /dev/null || groupadd -r %{meshtasticd_user} +getent passwd %{meshtasticd_user} > /dev/null || \ + useradd -r -d %{_localstatedir}/lib/meshtasticd -g %{meshtasticd_user} -G spi \ + -s /sbin/nologin -c "Meshtastic Daemon" %{meshtasticd_user} +# add meshtasticd user to appropriate groups (if they exist) +getent group gpio > /dev/null && usermod -a -G gpio %{meshtasticd_user} > /dev/null +getent group plugdev > /dev/null && usermod -a -G plugdev %{meshtasticd_user} > /dev/null +getent group dialout > /dev/null && usermod -a -G dialout %{meshtasticd_user} > /dev/null +getent group i2c > /dev/null && usermod -a -G i2c %{meshtasticd_user} > /dev/null +getent group video > /dev/null && usermod -a -G video %{meshtasticd_user} > /dev/null +getent group audio > /dev/null && usermod -a -G audio %{meshtasticd_user} > /dev/null +getent group input > /dev/null && usermod -a -G input %{meshtasticd_user} > /dev/null +exit 0 + +%triggerin -- meshtasticd < 2.6.9 +# migrate .portduino (if it exists and hasn’t already been copied) +if [ -d /root/.portduino ] && [ ! -e /var/lib/meshtasticd/.portduino ]; then + mkdir -p /var/lib/meshtasticd + cp -r /root/.portduino /var/lib/meshtasticd/.portduino + chown -R %{meshtasticd_user}:%{meshtasticd_user} \ + %{_localstatedir}/lib/meshtasticd || : + # Fix SELinux labels if present (no-op on non-SELinux systems) + restorecon -R /var/lib/meshtasticd/.portduino 2>/dev/null || : + echo "Migrated meshtasticd VFS from /root/.portduino to /var/lib/meshtasticd/.portduino" + echo "meshtasticd now runs as the 'meshtasticd' user, not 'root'." + echo "See https://github.com/meshtastic/firmware/pull/6718 for details" +fi + +%post +%systemd_post meshtasticd.service + +%preun +%systemd_preun meshtasticd.service + +%postun +%systemd_postun_with_restart meshtasticd.service + %files +%defattr(-,%{meshtasticd_user},%{meshtasticd_user}) %license LICENSE %doc README.md -%{_sbindir}/meshtasticd +%{_bindir}/meshtasticd +%dir %{_localstatedir}/lib/meshtasticd +%{_udevrulesdir}/99-meshtasticd-udev.rules %dir %{_sysconfdir}/meshtasticd %dir %{_sysconfdir}/meshtasticd/config.d %dir %{_sysconfdir}/meshtasticd/available.d @@ -96,4 +154,4 @@ mkdir -p %{buildroot}%{_sysconfdir}/meshtasticd/ssl %dir %{_sysconfdir}/meshtasticd/ssl %changelog -%autochangelog \ No newline at end of file +%autochangelog diff --git a/src/mesh/raspihttp/PiWebServer.cpp b/src/mesh/raspihttp/PiWebServer.cpp index 4fae0bc3d..7d3542e83 100644 --- a/src/mesh/raspihttp/PiWebServer.cpp +++ b/src/mesh/raspihttp/PiWebServer.cpp @@ -462,8 +462,8 @@ PiWebServerThread::PiWebServerThread() webservport = settingsMap[webserverport]; LOG_INFO("Use webserver port from yaml config %i ", webservport); } else { - LOG_INFO("Webserver port in yaml config set to 0, defaulting to port 443"); - webservport = 443; + LOG_INFO("Webserver port in yaml config set to 0, defaulting to port 9443"); + webservport = 9443; } // Web Content Service Instance