From cc30c7b6eb5019fb814bfd9e3a2a96e029302c95 Mon Sep 17 00:00:00 2001
From: Roger Shimizu
Date: Thu, 19 Jan 2017 01:49:05 +0900
Subject: [PATCH] debian/shadowsocks-libev.{default,init,service}: Run service as non-root
---
 debian/control | 5 ++---
 debian/shadowsocks-libev.default | 4 ++--
 debian/shadowsocks-libev.init | 10 +++++-----
 debian/shadowsocks-libev.service | 5 +++--
 4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/debian/control b/debian/control
index 96ce3bb5..6555f745 100644
--- a/debian/control
+++ b/debian/control
@@ -26,11 +26,10 @@ Breaks:
 Architecture: any
 Depends:
 apg,
+ libcap2-bin [linux-any],
 lsb-base (>= 3.0-6),
 ${misc:Depends},
- ${shlibs:Depends},
-Suggests:
- libcap2-bin
+ ${shlibs:Depends}
 Description: lightweight and secure socks5 proxy
 Shadowsocks-libev is a lightweight and secure socks5 proxy for embedded devices and low end boxes.
diff --git a/debian/shadowsocks-libev.default b/debian/shadowsocks-libev.default
index 7542b314..4d74ecea 100644
--- a/debian/shadowsocks-libev.default
+++ b/debian/shadowsocks-libev.default
@@ -18,8 +18,8 @@ CONFFILE="/etc/shadowsocks-libev/config.json"
 DAEMON_ARGS="-u"
 # User and group to run the server as
-USER=root
-GROUP=root
+USER=nobody
+GROUP=nogroup
 # Number of maximum file descriptors
 MAXFD=32768
diff --git a/debian/shadowsocks-libev.init b/debian/shadowsocks-libev.init
index ad17aeed..dcd03577 100644
--- a/debian/shadowsocks-libev.init
+++ b/debian/shadowsocks-libev.init
@@ -29,8 +29,8 @@ SCRIPTNAME=/etc/init.d/$NAME
 [ "$START" = "yes" ] || exit 0
-: ${USER:="root"}
-: ${GROUP:="root"}
+: ${USER:="nobody"}
+: ${GROUP:="nogroup"}
 # Load the VERBOSE setting and other rcS variables
 . /lib/init/vars.sh
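Review bot: The new defaults `USER=nobody` / `GROUP=nogroup` in debian/shadowsocks-libev.default put the server in an account that is typically shared with other unprivileged daemons, so the service is not isolated from them. Any other process running as nobody can signal it, and whatever permission lets nobody read `$CONFFILE` (which presumably holds the proxy secret; its ownership and mode are not touched by this patch) lets those processes read it too. A dedicated system account created by the package would keep the non-root goal and give the config file a sensible owner, e.g. `USER=<service-account>` and `GROUP=<service-group>` (placeholders, the name is the packager's choice). The same pair appears in the init script fallbacks and in the unit's `User=`/`Group=` lines, so all three would change together.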
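Review bot: The fallback `: ${USER:="nobody"}` in debian/shadowsocks-libev.init only takes effect when USER is unset or empty, and USER is also a standard login environment variable. If the defaults file does not set it (the line that sources that file is outside this hunk) and the script is run directly from a root shell, the inherited `USER=root` wins and the later `--chuid $USER:$GROUP` starts the daemon as root without any warning. I would clear the inherited values before the defaults are read, `unset USER GROUP`, or move to package-specific variable names. The expansions should also be quoted: `: "${USER:=nobody}"` and `: "${GROUP:=nogroup}"`.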
@@ -55,10 +55,10 @@ do_start()
 # 0 if daemon has been started
 # 1 if daemon was already running
 # 2 if daemon could not be started
- start-stop-daemon --start --quiet --pidfile $PIDFILE --chuid root:$GROUP --exec $DAEMON --test > /dev/null \
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --chuid $USER:$GROUP --exec $DAEMON --test > /dev/null \
 || return 1
- start-stop-daemon --start --quiet --pidfile $PIDFILE --chuid root:$GROUP --exec $DAEMON -- \
- -c "$CONFFILE" -a "$USER" -u -f $PIDFILE $DAEMON_ARGS \
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --chuid $USER:$GROUP --exec $DAEMON -- \
+ -c "$CONFFILE" -u -f $PIDFILE $DAEMON_ARGS \
 || return 2
 }
diff --git a/debian/shadowsocks-libev.service b/debian/shadowsocks-libev.service
index 4887b593..08bf8274 100644
--- a/debian/shadowsocks-libev.service
+++ b/debian/shadowsocks-libev.service
@@ -16,9 +16,10 @@ After=network.target
 [Service]
 Type=simple
 EnvironmentFile=/etc/default/shadowsocks-libev
-User=root
+User=nobody
+Group=nogroup
 LimitNOFILE=32768
-ExecStart=/usr/bin/ss-server -a $USER -c $CONFFILE $DAEMON_ARGS
+ExecStart=/usr/bin/ss-server -c $CONFFILE $DAEMON_ARGS
 [Install]
 WantedBy=multi-user.target
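Review bot: With `--chuid $USER:$GROUP` in do_start the daemon is unprivileged from the moment it is executed, so the `-f $PIDFILE` it is asked to write must sit in a directory that account can write. The PIDFILE assignment and any directory setup are outside this hunk, so confirm the directory is created with the right owner before these calls; otherwise the pid file is never written and a later stop cannot find the process. Because that file is then writable by the service account while the stop path reads it as root, stop should keep matching on `--exec $DAEMON` rather than trusting the pid alone. The new expansions are also unquoted; `--pidfile "$PIDFILE" --chuid "$USER:$GROUP"` and `-f "$PIDFILE"` avoid word splitting on values that come from an admin-editable file.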
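Review bot: `User=nobody` and `Group=nogroup` are fixed in the unit, and with `-a $USER` dropped from ExecStart nothing here reads USER or GROUP from the EnvironmentFile any more. Editing the "User and group to run the server as" settings in /etc/default/shadowsocks-libev therefore has no effect under systemd, with no indication to the admin. I would document that beside these lines, e.g. `# Account is set here; USER/GROUP in /etc/default/shadowsocks-libev are used by the init script only`, and have admins change it through a drop-in override. Separately, a non-root ss-server cannot bind a port below 1024 on its own. The libcap2-bin dependency added in debian/control suggests file capabilities are applied elsewhere in the package, which this patch does not show, so that is worth verifying on fresh install and on upgrade.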