Run cvmfs_fsck service as user cvmfs

The cvmfs_fsck service can run as user cvmfs which is safer than running as root.
voxpupuli · Dec 11, 2024 · 0ad920f · 0ad920f
1 parent ff3399d
commit 0ad920f
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/spec/classes/fsck_spec.rb b/spec/classes/fsck_spec.rb
@@ -28,10 +28,15 @@
           it { is_expected.not_to contain_cron('clean_quarantaine') }
           it { is_expected.not_to contain_cron('cvmfs_fsck') }
           it { is_expected.to contain_systemd__tmpfile('cvmfs-quarantaine.conf').with_ensure('absent') }
-          it { is_expected.to contain_systemd__timer('cvmfs-fsck.timer').with_service_content(%r{^ExecStart=/usr/bin/cvmfs_fsck  /var/lib/cvmfs/shared$}) }
-          it { is_expected.to contain_systemd__timer('cvmfs-fsck.timer').with_service_content(%r{^ConditionPathExists=/var/lib/cvmfs/shared/txn$}) }
-          it { is_expected.to contain_systemd__timer('cvmfs-fsck.timer').with_timer_content(%r{^OnUnitActiveSec=1week$}) }
-          it { is_expected.to contain_systemd__timer('cvmfs-fsck.timer').without_timer_content(%r{^OnBootSec$}) }
+
+          it {
+            is_expected.to contain_systemd__timer('cvmfs-fsck.timer').
+              with_service_content(%r{^ExecStart=/usr/bin/cvmfs_fsck  /var/lib/cvmfs/shared$}).
+              with_service_content(%r{^ConditionPathExists=/var/lib/cvmfs/shared/txn$}).
+              with_service_content(%r{^User=cvmfs$}).
+              with_timer_content(%r{^OnUnitActiveSec=1week$}).
+              without_timer_content(%r{^OnBootSec$})
+          }
         end
       end
 

diff --git a/templates/fsck/cvmfs-fsck.service.epp b/templates/fsck/cvmfs-fsck.service.epp
@@ -10,6 +10,7 @@ ConditionPathExists=<%= $cache_base %>/shared/txn
 
 [Service]
 Type=oneshot
+User=cvmfs
 Nice=19
 IOSchedulingClass=2
 IOSchedulingPriority=7