From 721472d38e9a70cef96519c05d887380eb596c62 Mon Sep 17 00:00:00 2001
From: Jean Raby <jraby@inverse.ca>
Date: Tue, 22 Jan 2013 10:16:15 -0500
Subject: [PATCH] spec: sogo user as a system user, perms fixes

Create the sogo user as a system user
Use %attr() to set directory permissions instead of chown/chmod
Use more restrictive permissions for the log and spool directories
---
 packaging/rhel/sogo.spec | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/packaging/rhel/sogo.spec b/packaging/rhel/sogo.spec
index 27a986443..f283fd153 100644
--- a/packaging/rhel/sogo.spec
+++ b/packaging/rhel/sogo.spec
@@ -195,8 +195,9 @@ mkdir -p ${RPM_BUILD_ROOT}/etc/logrotate.d
 mkdir -p ${RPM_BUILD_ROOT}/etc/sysconfig
 mkdir -p ${RPM_BUILD_ROOT}/etc/httpd/conf.d
 mkdir -p ${RPM_BUILD_ROOT}/usr/sbin
-mkdir -p ${RPM_BUILD_ROOT}/var/run/sogo
+mkdir -p ${RPM_BUILD_ROOT}/var/lib/sogo
 mkdir -p ${RPM_BUILD_ROOT}/var/log/sogo
+mkdir -p ${RPM_BUILD_ROOT}/var/run/sogo
 mkdir -p ${RPM_BUILD_ROOT}/var/spool/sogo
 cat Apache/SOGo.conf | sed -e "s@/lib/@/%{_lib}/@g" > ${RPM_BUILD_ROOT}/etc/httpd/conf.d/SOGo.conf
 install -m 600 Scripts/sogo.cron ${RPM_BUILD_ROOT}/etc/cron.d/sogo
@@ -228,9 +229,10 @@ rm -fr ${RPM_BUILD_ROOT}
 
 /etc/init.d/sogod
 /etc/cron.daily/sogo-tmpwatch
-/var/run/sogo
-/var/log/sogo
-/var/spool/sogo
+%dir %attr(0700, sogo, sogo) %{_var}/lib/sogo
+%dir %attr(0700, sogo, sogo) %{_var}/log/sogo
+%dir %attr(0755, sogo, sogo) %{_var}/run/sogo
+%dir %attr(0700, sogo, sogo) %{_var}/spool/sogo
 %{_sbindir}/sogod
 %{_libdir}/libSOGo.so.*
 %{_libdir}/libSOGoUI.so.*
@@ -299,12 +301,12 @@ rm -fr ${RPM_BUILD_ROOT}
 %endif
 
 # **************************** pkgscripts *****************************
+%pre
+if ! id sogo >& /dev/null; then
+  /usr/sbin/useradd -d %{_var}/lib/sogo -c "SOGo daemon" -s /sbin/nologin -M -r sogo
+fi
+
 %post
-if ! id sogo >& /dev/null; then /usr/sbin/useradd -m -k /var/empty -r sogo > /dev/null 2>&1; fi
-/bin/chown sogo /var/run/sogo
-/bin/chown sogo /var/log/sogo
-/bin/chown sogo /var/spool/sogo
-/bin/chmod 700 /var/spool/sogo
 # update timestamp on imgs,css,js to let apache know the files changed
 find %{_libdir}/GNUstep/SOGo/WebServerResources  -exec touch {} \;
 /sbin/chkconfig --add sogod
@@ -322,12 +324,17 @@ if test "$1" = "0"
 then
   /usr/sbin/userdel sogo
   /usr/sbin/groupdel sogo > /dev/null 2>&1
-  /bin/rm -rf /var/run/sogo
-  /bin/rm -rf /var/spool/sogo
+  /bin/rm -rf %{_var}/run/sogo
+  /bin/rm -rf %{_var}/spool/sogo
+  # not removing /var/lib/sogo to keep .GNUstepDefaults
 fi
 
 # ********************************* changelog *************************
 %changelog
+* Tue Jan 22 2013 Jean Raby <jraby@inverse.ca>
+- Create the sogo user as a system user
+- Use %attr() to set directory permissions instead of chown/chmod
+
 * Mon Nov 12 2012 Jean Raby <jraby@inverse.ca>
 - Add missing dependency on lasso and lasso-devel