Merge pull request #16973 from wagnerluis1982

* gh-16973:
  Polish "Allow the user that runs the app to be specified via an env var"
  Allow the user that runs the app to be specified via an env var

Closes gh-16973

Author: wilkinsona

spring-boot-project/spring-boot-docs/src/main/asciidoc/deployment.adoc

@@ -491,9 +491,10 @@ For example, on Debian, you could use the following command:
 NOTE: The following is a set of guidelines on how to secure a Spring Boot application that runs as an init.d service.
 It is not intended to be an exhaustive list of everything that should be done to harden an application and the environment in which it runs.
 
-When executed as root, as is the case when root is being used to start an init.d service, the default executable script runs the application as the user who owns the jar file.
-You should never run a Spring Boot application as `root`, so your application's jar file should never be owned by root.
-Instead, create a specific user to run your application and use `chown` to make it the owner of the jar file, as shown in the following example:
+When executed as root, as is the case when root is being used to start an init.d service, the default executable script runs the application as the user specified in the `RUN_AS_USER` environment variable.
+When the environment variable is not set, the user who owns the jar file is used instead.
+You should never run a Spring Boot application as `root`, so `RUN_AS_USER` should never be root and your application's jar file should never be owned by root.
+Instead, create a specific user to run your application and set the `RUN_AS_USER` environment variable or use `chown` to make it the owner of the jar file, as shown in the following example:
 
 [indent=0,subs="verbatim,quotes,attributes"]
 ----
@@ -708,6 +709,10 @@ The following environment properties are supported with the default script:
   The default depends on the way the jar was built but is usually `auto` (meaning it tries to guess if it is an init script by checking if it is a symlink in a directory called `init.d`).
   You can explicitly set it to `service` so that the `stop\|start\|status\|restart` commands work or to `run` if you want to run the script in the foreground.
 
+| `RUN_AS_USER`
+| The user that will be used to run the application.
+  When not set, the user that owns the jar file will be used.
+
 | `USE_START_STOP_DAEMON`
 | Whether the `start-stop-daemon` command, when it's available, should be used to control the process.
   Defaults to `true`.

spring-boot-project/spring-boot-tools/spring-boot-loader-tools/src/main/resources/org/springframework/boot/loader/tools/launch.script

@@ -128,6 +128,21 @@ log_file="$LOG_FOLDER/$LOG_FILENAME"
 # shellcheck disable=SC2012
 [[ $(id -u) == "0" ]] && run_user=$(ls -ld "$jarfile" | awk '{print $3}')
 
+# Run as user specified in RUN_AS_USER
+if [[ -n "$RUN_AS_USER" ]]; then
+    if ! [[ "$action" =~ ^(status|run)$ ]]; then
+        id -u "$RUN_AS_USER" || {
+            echoRed "Cannot run as '$RUN_AS_USER': no such user"
+            exit 2
+        }
+        [[ $(id -u) == 0 ]] || {
+            echoRed "Cannot run as '$RUN_AS_USER': current user is not root"
+            exit 4
+        }
+    fi
+    run_user="$RUN_AS_USER"
+fi
+
 # Issue a warning if the application will run as root
 [[ $(id -u ${run_user}) == "0" ]] && { echoYellow "Application is running as root (UID 0). This is considered insecure."; }
 

spring-boot-tests/spring-boot-integration-tests/spring-boot-launch-script-tests/src/test/java/org/springframework/boot/launchscript/SysVinitLaunchScriptIT.java

@@ -267,6 +267,38 @@ public void launchWithRelativeLogFolder(String os, String version) throws Except
 		assertThat(output).contains("Log written");
 	}
 
+	@ParameterizedTest(name = "{0} {1}")
+	@MethodSource("parameters")
+	public void launchWithRunAsUser(String os, String version) throws Exception {
+		String output = doTest(os, version, "launch-with-run-as-user.sh");
+		assertThat(output).contains("wagner root");
+	}
+
+	@ParameterizedTest(name = "{0} {1}")
+	@MethodSource("parameters")
+	public void whenRunAsUserDoesNotExistLaunchFailsWithInvalidArgument(String os, String version) throws Exception {
+		String output = doTest(os, version, "launch-with-run-as-invalid-user.sh");
+		assertThat(output).contains("Status: 2");
+		assertThat(output).has(coloredString(AnsiColor.RED, "Cannot run as 'johndoe': no such user"));
+	}
+
+	@ParameterizedTest(name = "{0} {1}")
+	@MethodSource("parameters")
+	public void whenJarOwnerAndRunAsUserAreBothSpecifiedRunAsUserTakesPrecedence(String os, String version)
+			throws Exception {
+		String output = doTest(os, version, "launch-with-run-as-user-preferred-to-jar-owner.sh");
+		assertThat(output).contains("wagner root");
+	}
+
+	@ParameterizedTest(name = "{0} {1}")
+	@MethodSource("parameters")
+	public void whenLaunchedUsingNonRootUserWithRunAsUserSpecifiedLaunchFailsWithInsufficientPrivilege(String os,
+			String version) throws Exception {
+		String output = doTest(os, version, "launch-with-run-as-user-root-required.sh");
+		assertThat(output).contains("Status: 4");
+		assertThat(output).has(coloredString(AnsiColor.RED, "Cannot run as 'wagner': current user is not root"));
+	}
+
 	static List<Object[]> parameters() {
 		List<Object[]> parameters = new ArrayList<>();
 		for (File os : new File("src/test/resources/conf").listFiles()) {

spring-boot-tests/spring-boot-integration-tests/spring-boot-launch-script-tests/src/test/resources/scripts/launch-with-run-as-invalid-user.sh

@@ -0,0 +1,7 @@
+source ./test-functions.sh
+install_service
+
+echo 'RUN_AS_USER=johndoe' > /test-service/spring-boot-app.conf
+
+start_service
+echo "Status: $?"

spring-boot-tests/spring-boot-integration-tests/spring-boot-launch-script-tests/src/test/resources/scripts/launch-with-run-as-user-preferred-to-jar-owner.sh

@@ -0,0 +1,13 @@
+source ./test-functions.sh
+install_service
+
+useradd wagner
+echo 'RUN_AS_USER=wagner' > /test-service/spring-boot-app.conf
+
+useradd phil
+chown phil /test-service/spring-boot-app.jar
+
+start_service
+await_app
+
+ls -la /var/log/spring-boot-app.log

spring-boot-tests/spring-boot-integration-tests/spring-boot-launch-script-tests/src/test/resources/scripts/launch-with-run-as-user-root-required.sh

@@ -0,0 +1,9 @@
+source ./test-functions.sh
+install_service
+
+useradd wagner
+echo 'RUN_AS_USER=wagner' > /test-service/spring-boot-app.conf
+echo "JAVA_HOME='$JAVA_HOME'" >> /test-service/spring-boot-app.conf
+
+su - wagner -c "$(which service) spring-boot-app start"
+echo "Status: $?"

spring-boot-tests/spring-boot-integration-tests/spring-boot-launch-script-tests/src/test/resources/scripts/launch-with-run-as-user.sh

@@ -0,0 +1,10 @@
+source ./test-functions.sh
+install_service
+
+useradd wagner
+echo 'RUN_AS_USER=wagner' > /test-service/spring-boot-app.conf
+
+start_service
+await_app
+
+ls -la /var/log/spring-boot-app.log