Stop the madness! Run as a user (not root) (#6718)

* Stop the madness! Run as a user (not root) * Trigger fsdir migration for < 2.6.9 --------- Co-authored-by: Ben Meadors <benmmeadors@gmail.com>
2025-12-13 22:32:27 +00:00 · 2025-05-15 07:40:46 -04:00
parent c2d5862161
commit 7d8f9c7f6d
15 changed files with 225 additions and 23 deletions
--- a/meshtasticd.spec.rpkg
+++ b/meshtasticd.spec.rpkg
@@ -10,6 +10,8 @@
 # - https://docs.pagure.org/rpkg-util/v3/index.html
 # - https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning/

+%global  meshtasticd_user          meshtasticd   
+
 Name:           meshtasticd
 # Version Ex:   2.5.19
 Version:        {{{ meshtastic_version }}}
@@ -47,6 +49,8 @@ BuildRequires: pkgconfig(x11)
 BuildRequires: pkgconfig(libinput)
 BuildRequires: pkgconfig(xkbcommon-x11)

+Requires:      systemd-udev
+
 %description
 Meshtastic daemon for controlling Meshtastic devices. Meshtastic is an off-grid
 text communication platform that uses inexpensive LoRa radios.
@@ -63,15 +67,25 @@ gzip -dr web
 platformio run -e native-tft

 %install
-mkdir -p %{buildroot}%{_sbindir}
-install -m 0755 .pio/build/native-tft/program %{buildroot}%{_sbindir}/meshtasticd
+# Install meshtasticd binary
+mkdir -p %{buildroot}%{_bindir}
+install -m 0755 .pio/build/native-tft/program %{buildroot}%{_bindir}/meshtasticd

+# Install portduino VFS dir
+install -p -d -m 0770 %{buildroot}%{_localstatedir}/lib/meshtasticd
+
+# Install udev rules
+mkdir -p %{buildroot}%{_udevrulesdir}
+install -m 0644 bin/99-meshtasticd-udev.rules %{buildroot}%{_udevrulesdir}/99-meshtasticd-udev.rules
+
+# Install config dirs
 mkdir -p %{buildroot}%{_sysconfdir}/meshtasticd
 install -m 0644 bin/config-dist.yaml %{buildroot}%{_sysconfdir}/meshtasticd/config.yaml
 mkdir -p %{buildroot}%{_sysconfdir}/meshtasticd/config.d
 mkdir -p %{buildroot}%{_sysconfdir}/meshtasticd/available.d
 cp -r bin/config.d/* %{buildroot}%{_sysconfdir}/meshtasticd/available.d

+# Install systemd service
 install -D -m 0644 bin/meshtasticd.service %{buildroot}%{_unitdir}/meshtasticd.service

 # Install the web files under /usr/share/meshtasticd/web
@@ -80,10 +94,54 @@ cp -r web/* %{buildroot}%{_datadir}/meshtasticd/web
 # Install default SSL storage directory (for web)
 mkdir -p %{buildroot}%{_sysconfdir}/meshtasticd/ssl

+%pre
+# create spi group (for udev rules)
+getent group spi > /dev/null || groupadd -r spi
+# create a meshtasticd group and user
+getent group %{meshtasticd_user} > /dev/null || groupadd -r %{meshtasticd_user}
+getent passwd %{meshtasticd_user} > /dev/null || \
+    useradd -r -d %{_localstatedir}/lib/meshtasticd -g %{meshtasticd_user} -G spi \
+    -s /sbin/nologin -c "Meshtastic Daemon" %{meshtasticd_user}
+# add meshtasticd user to appropriate groups (if they exist)
+getent group gpio > /dev/null && usermod -a -G gpio %{meshtasticd_user} > /dev/null
+getent group plugdev > /dev/null && usermod -a -G plugdev %{meshtasticd_user} > /dev/null
+getent group dialout > /dev/null && usermod -a -G dialout %{meshtasticd_user} > /dev/null
+getent group i2c > /dev/null && usermod -a -G i2c %{meshtasticd_user} > /dev/null
+getent group video > /dev/null && usermod -a -G video %{meshtasticd_user} > /dev/null
+getent group audio > /dev/null && usermod -a -G audio %{meshtasticd_user} > /dev/null
+getent group input > /dev/null && usermod -a -G input %{meshtasticd_user} > /dev/null
+exit 0
+
+%triggerin -- meshtasticd < 2.6.9
+# migrate .portduino (if it exists and hasn’t already been copied)
+if [ -d /root/.portduino ] && [ ! -e /var/lib/meshtasticd/.portduino ]; then
+    mkdir -p /var/lib/meshtasticd
+    cp -r /root/.portduino /var/lib/meshtasticd/.portduino
+    chown -R %{meshtasticd_user}:%{meshtasticd_user} \
+        %{_localstatedir}/lib/meshtasticd || :
+    # Fix SELinux labels if present (no-op on non-SELinux systems)
+    restorecon -R /var/lib/meshtasticd/.portduino 2>/dev/null || :
+    echo "Migrated meshtasticd VFS from /root/.portduino to /var/lib/meshtasticd/.portduino"
+    echo "meshtasticd now runs as the 'meshtasticd' user, not 'root'."
+    echo "See https://github.com/meshtastic/firmware/pull/6718 for details"
+fi
+
+%post
+%systemd_post meshtasticd.service
+
+%preun
+%systemd_preun meshtasticd.service
+
+%postun
+%systemd_postun_with_restart meshtasticd.service
+
 %files
+%defattr(-,%{meshtasticd_user},%{meshtasticd_user})
 %license LICENSE
 %doc README.md
-%{_sbindir}/meshtasticd
+%{_bindir}/meshtasticd
+%dir %{_localstatedir}/lib/meshtasticd
+%{_udevrulesdir}/99-meshtasticd-udev.rules
 %dir %{_sysconfdir}/meshtasticd
 %dir %{_sysconfdir}/meshtasticd/config.d
 %dir %{_sysconfdir}/meshtasticd/available.d
@@ -96,4 +154,4 @@ mkdir -p %{buildroot}%{_sysconfdir}/meshtasticd/ssl
 %dir %{_sysconfdir}/meshtasticd/ssl

 %changelog
-%autochangelog
+%autochangelog