Setting custom users and groups

Joshua Root jmr at macports.org
Tue Jul 28 07:50:42 PDT 2015


On 2015-7-29 00:08 , Björn Raupach wrote:
> hi joshua,
> 
>> On 28 Jul 2015, at 15:59, Joshua Root <jmr at macports.org> wrote:
>>
>> On 2015-7-28 22:28 , Björn Raupach wrote:
>>> Dear group,
>>>
>>> I am new to Portfile development and have a problem with permissions for users and groups. At the moment I am trying to create a Portfile for Apache Tomcat 8. I would like to run Tomcat as non-root with a user `tomcat` and group `tomcat`. I am a bit lost.
>>>
>>> set catalina_home   ${destroot}${prefix}/share/java/${name}
>>> set tomcat_user      tomcat
>>> set tomcat_group    tomcat
>>> add_users ${tomcat_user} group=${tomcat_group}
>>>
>>> I saw these lines in some other ports, for example couchdb, and figured that is the way to go even though I don’t find the macro add_users anywhere in the documentation. 
>>>
>>> My destroot-phase currently looks like this:
>>>
>>> destroot {
>>>    xinstall -m 755 -g ${tomcat_group} -d ${catalina_home}
>>>
>>>    file copy \
>>>        ${worksrcpath}/LICENSE \
>>>        ${worksrcpath}/NOTICE \
>>>        ${worksrcpath}/RELEASE-NOTES \
>>>        ${worksrcpath}/RUNNING.txt \
>>>        ${worksrcpath}/bin \
>>>        ${worksrcpath}/conf \
>>>        ${worksrcpath}/lib \
>>>        ${worksrcpath}/logs \
>>>        ${worksrcpath}/temp \
>>>        ${worksrcpath}/webapps \
>>>        ${worksrcpath}/work \
>>>        ${catalina_home}
>>>
>>>    xinstall -m 644 ${filespath}/setenv.sh ${catalina_home}/bin/setenv.sh.default
>>>
>>>    # replace @PREFIX@ to ${prefix}
>>>    reinplace "s|@PREFIX@|${prefix}|g" ${catalina_home}/bin/setenv.sh.default
>>>    # replace @NAME@ to ${name}
>>>    reinplace "s|@NAME@|${name}|g" ${catalina_home}/bin/setenv.sh.default
>>> }
>>>
>>> However `/opt/local/share/java/tomcat8` has the ownership `root:admin` and not `root:tomcat`.
>>
>> First try running the destroot target (rather than install) and check
>> the permissions on ${destroot}${prefix}/share/java/tomcat8. The destroot
>> dir will be in the path given by `port work tomcat8` BTW.
> 
> Nice. I did not know I could do that. Thanks!
> 
> Well, I checked. In the destroot-phase the permissions are like I want them to be. The owner of the tomcat8 directory is `root` and the group is `tomcat`. After destroot I only have a post-activate phase that does not touch permissions.
> 
> post-activate {
>     if {![file exists ${prefix}/share/java/${name}/bin/setenv.sh]} {
>         file copy ${prefix}/share/java/${name}/bin/setenv.sh.default \
>             ${prefix}/share/java/${name}/bin/setenv.sh
>     }
> }

(Please keep replies on the list.)

OK, so the ownership in the port image is probably OK. You can verify
that by running 'tar -vtjf $archive' where $archive is the .tbz2 file in
/opt/local/var/macports/software/tomcat8 when the port is installed.

Does the /opt/local/share/java/tomcat8 directory already exist? If it
does, it will not be modified when the port is activated. Ports don't
have exclusive ownership of directories like they do files, since
multiple ports can install files in the same directory.

- Josh
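
The two checks described in this reply (what ownership the archive records, and whether the directory on disk differs from it), as an added example that is not part of the original message and not MacPorts code. The function names, verdict strings and the in-memory sample archive are assumptions constructed for illustration; with a real image you would open the .tbz2 file and pass the group read from the installed directory as `disk_group`.

```python
import io
import posixpath
import tarfile

def build_sample_image():
    """Constructed stand-in for a port image; not a real MacPorts archive."""
    buf = io.BytesIO()
    entries = [  # (path, type, group): constructed sample values
        ("./opt/local/share/java", tarfile.DIRTYPE, "admin"),
        ("./opt/local/share/java/tomcat8", tarfile.DIRTYPE, "tomcat"),
        ("./opt/local/share/java/tomcat8/RUNNING.txt", tarfile.REGTYPE, "admin"),
    ]
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for path, kind, group in entries:
            info = tarfile.TarInfo(path)
            info.type = kind
            info.mode = 0o755 if kind == tarfile.DIRTYPE else 0o644
            info.uname, info.gname = "root", group
            tar.addfile(info)
    buf.seek(0)
    return buf

def recorded_ownership(archive, path):
    """Return (is_dir, mode, owner, group) stored in the archive, or None."""
    want = posixpath.normpath(path).lstrip("/")
    archive.seek(0)
    with tarfile.open(fileobj=archive, mode="r:*") as tar:
        for member in tar:
            if posixpath.normpath(member.name).lstrip("/") == want:
                return (member.isdir(), member.mode, member.uname, member.gname)
    return None

def audit(archive, path, expected_group, disk_group=None):
    """Classify where the expected group ownership was lost, if anywhere."""
    rec = recorded_ownership(archive, path)
    if rec is None:
        return "missing-from-image"
    if rec[3] != expected_group:
        return "image-wrong"  # the destroot phase needs fixing
    if disk_group is not None and disk_group != expected_group:
        # Image is right, disk is not: a directory that already existed
        # is not modified when the port is activated.
        return "disk-differs"
    return "ok"

if __name__ == "__main__":
    image = build_sample_image()
    # disk_group="admin" mirrors the root:admin ownership reported in the thread
    print(audit(image, "/opt/local/share/java/tomcat8", "tomcat", disk_group="admin"))
```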

