Stop the madness! Run as a user (not root) (#6718)

* Stop the madness! Run as a user (not root)

* Trigger fsdir migration for < 2.6.9

---------

Co-authored-by: Ben Meadors <benmmeadors@gmail.com>

debian/control

@@ -31,7 +31,9 @@ Rules-Requires-Root: no
 
 Package: meshtasticd
 Architecture: any
-Depends: ${misc:Depends}, ${shlibs:Depends}
+Depends: adduser,
+         ${misc:Depends},
+         ${shlibs:Depends}
 Description: Meshtastic daemon for communicating with Meshtastic devices
  Meshtastic is an off-grid text communication platform that uses inexpensive 
- LoRa radios.
+ LoRa radios.

debian/meshtasticd.dirs

@@ -1,5 +1,6 @@
+var/lib/meshtasticd
 etc/meshtasticd
 etc/meshtasticd/config.d
 etc/meshtasticd/available.d
 usr/share/meshtasticd/web
-etc/meshtasticd/ssl
+etc/meshtasticd/ssl

debian/meshtasticd.install

@@ -1,8 +1,8 @@
-.pio/build/native-tft/meshtasticd  usr/sbin
+.pio/build/native-tft/meshtasticd  usr/bin
 
 bin/config.yaml                    etc/meshtasticd
 bin/config.d/*                     etc/meshtasticd/available.d
 
 bin/meshtasticd.service            lib/systemd/system
 
-web/*                              usr/share/meshtasticd/web
+web/*                              usr/share/meshtasticd/web

debian/meshtasticd.postinst

@@ -0,0 +1,79 @@
+#!/bin/sh
+# postinst script for meshtasticd
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    configure|reconfigure)
+    # create spi group (for udev rules)
+    # this group already exists on Raspberry Pi OS
+        getent group spi >/dev/null 2>/dev/null || addgroup --system spi
+    # create a meshtasticd group and user
+        getent passwd meshtasticd >/dev/null 2>/dev/null || adduser --system --home /var/lib/meshtasticd --no-create-home meshtasticd
+        getent group meshtasticd >/dev/null 2>/dev/null || addgroup --system meshtasticd
+        adduser meshtasticd meshtasticd >/dev/null 2>/dev/null
+        adduser meshtasticd spi >/dev/null 2>/dev/null
+    # add meshtasticd user to appropriate groups (if they exist)
+        getent group gpio >/dev/null 2>/dev/null && adduser meshtasticd gpio >/dev/null 2>/dev/null
+        getent group plugdev >/dev/null 2>/dev/null && adduser meshtasticd plugdev >/dev/null 2>/dev/null
+        getent group dialout >/dev/null 2>/dev/null && adduser meshtasticd dialout >/dev/null 2>/dev/null
+        getent group i2c >/dev/null 2>/dev/null && adduser meshtasticd i2c >/dev/null 2>/dev/null
+        getent group video >/dev/null 2>/dev/null && adduser meshtasticd video >/dev/null 2>/dev/null
+        getent group audio >/dev/null 2>/dev/null && adduser meshtasticd audio >/dev/null 2>/dev/null
+        getent group input >/dev/null 2>/dev/null && adduser meshtasticd input >/dev/null 2>/dev/null
+
+
+    # migrate /root/.portduino to /var/lib/meshtasticd/.portduino
+    # should only run once, upon upgrade from < 2.6.9
+    if [ -n "$2" ] && dpkg --compare-versions "$2" lt 2.6.9; then
+        if [ -d /root/.portduino ] && [ ! -e /var/lib/meshtasticd/.portduino ]; then
+            cp -r /root/.portduino /var/lib/meshtasticd/.portduino
+            echo "Migrated meshtasticd VFS from /root/.portduino to /var/lib/meshtasticd/.portduino"
+            echo "meshtasticd now runs as the 'meshtasticd' user, not 'root'."
+            echo "See https://github.com/meshtastic/firmware/pull/6718 for details"
+        fi
+    fi
+
+    if [ -d /var/lib/meshtasticd ]; then
+        chown -R meshtasticd:meshtasticd /var/lib/meshtasticd
+    fi
+
+    if [ -d /etc/meshtasticd ]; then
+        chown -R meshtasticd:meshtasticd /etc/meshtasticd
+    fi
+
+    if [ -d /usr/share/meshtasticd ]; then
+        chown -R meshtasticd:meshtasticd /usr/share/meshtasticd
+    fi
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0

debian/meshtasticd.postrm

@@ -0,0 +1,41 @@
+#!/bin/sh
+# postrm script for meshtasticd
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postrm> `remove'
+#        * <postrm> `purge'
+#        * <old-postrm> `upgrade' <new-version>
+#        * <new-postrm> `failed-upgrade' <old-version>
+#        * <new-postrm> `abort-install'
+#        * <new-postrm> `abort-install' <old-version>
+#        * <new-postrm> `abort-upgrade' <old-version>
+#        * <disappearer's-postrm> `disappear' <overwriter>
+#          <overwriter-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+      # Only remove /var/lib/meshtasticd on purge
+      if [ "${1}" = "purge" ] ; then
+          rm -rf /var/lib/meshtasticd
+      fi
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0

debian/meshtasticd.udev

@@ -0,0 +1,4 @@
+# Set spidev ownership to 'spi' group.
+SUBSYSTEM=="spidev", KERNEL=="spidev*", GROUP="spi", MODE="0660"
+# Allow access to USB CH341 devices
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1a86", ATTRS{idProduct}=="5512", MODE="0666"