From b3d584042215a9bd54eda0e070cc6cde1ff3091c Mon Sep 17 00:00:00 2001
From: David Newhall II
Date: Sat, 8 Jun 2019 03:22:10 -0700
Subject: [PATCH] Run as nobody on macos.
---
 Makefile | 7 ++++---
 ...com.github.davidnewhall.unifi-poller.plist | 8 ++++++--
 scripts/after-install.sh | 19 +++++++++++--------
 3 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/Makefile b/Makefile
index c2c24cf9..27c345f3 100644
--- a/Makefile
+++ b/Makefile
@@ -98,7 +98,7 @@ $(BINARY)-$(VERSION).pkg: check_fpm package_build_osx
 package_build_osx: man macos
 # Building package environment for macOS.
 mkdir -p $@/usr/local/bin $@/usr/local/etc/$(BINARY) $@/Library/LaunchAgents
- mkdir -p $@/usr/local/share/man/man1 $@/usr/local/share/doc/$(BINARY) $@/usr/local/var/log
+ mkdir -p $@/usr/local/share/man/man1 $@/usr/local/share/doc/$(BINARY) $@/usr/local/var/log/unifi-poller
 # Copying the binary, config file and man page into the env.
 cp $(BINARY).macos $@/usr/local/bin/$(BINARY)
 cp *.1.gz $@/usr/local/share/man/man1
@@ -144,6 +144,7 @@ install:
 # If you installed with `make install` run `make uninstall` before installing a binary package.
 # This will remove the package install from macOS, it will not remove a package install from Linux.
 uninstall:
+ @echo " ==> You must run make uninstall as root on Linux. Recommend not running as root on macOS."
 [ -x /bin/systemctl ] && /bin/systemctl disable $(BINARY) || true
 [ -x /bin/systemctl ] && /bin/systemctl stop $(BINARY) || true
 [ -x /bin/launchctl ] && [ -f ~/Library/LaunchAgents/com.github.davidnewhall.$(BINARY).plist ] \
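Review bot: The new log directory in the first Makefile hunk is spelled `unifi-poller` literally, while every other path on the same `mkdir -p` line is built from `$(BINARY)`; writing `$@/usr/local/var/log/$(BINARY)` would keep the staged layout consistent. The plist and after-install.sh changes in this patch hard-code the same path, so they would need to stay in step if the binary name ever differs. The `package_build_osx` recipe continues past the end of the hunk.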
@@ -152,10 +153,10 @@ uninstall:
 && /bin/launchctl unload /Library/LaunchAgents/com.github.davidnewhall.$(BINARY).plist || true
 rm -rf /usr/local/{etc,bin,share/doc}/$(BINARY)
 rm -f ~/Library/LaunchAgents/com.github.davidnewhall.$(BINARY).plist
+ rm -f /Library/LaunchAgents/com.github.davidnewhall.$(BINARY).plist || true
 rm -f /etc/systemd/system/$(BINARY).service /usr/local/share/man/man1/$(BINARY).1.gz
 [ -x /bin/systemctl ] && /bin/systemctl --system daemon-reload || true
- @[ -f /Library/LaunchAgents/com.github.davidnewhall.$(BINARY).plist ] \
- && echo " ==> Delete this file manually: sudo rm -f /Library/LaunchAgents/com.github.davidnewhall.$(BINARY).plist" || true
+ @[ -f /Library/LaunchAgents/com.github.davidnewhall.$(BINARY).plist ] && echo " ==> Unload and delete this file manually:" && echo " sudo launchctl unload /Library/LaunchAgents/com.github.davidnewhall.$(BINARY).plist" && echo " sudo rm -f /Library/LaunchAgents/com.github.davidnewhall.$(BINARY).plist" || true
 
 # Don't run this unless you're ready to debug untested vendored dependencies.
 deps:
diff --git a/init/launchd/com.github.davidnewhall.unifi-poller.plist b/init/launchd/com.github.davidnewhall.unifi-poller.plist
index d8a18294..cffcd1d9 100644
--- a/init/launchd/com.github.davidnewhall.unifi-poller.plist
+++ b/init/launchd/com.github.davidnewhall.unifi-poller.plist
@@ -15,8 +15,12 @@ KeepAlive StandardErrorPath
- /usr/local/var/log/unifi-poller.log
+ /usr/local/var/log/unifi-poller/log
 StandardOutPath
- /usr/local/var/log/unifi-poller.log
+ /usr/local/var/log/unifi-poller/log
+ UserName
+ nobody
+ GroupName
+ nobody
diff --git a/scripts/after-install.sh b/scripts/after-install.sh
index 8842906b..820eccc2 100755
--- a/scripts/after-install.sh
+++ b/scripts/after-install.sh
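Review bot: `uninstall` still leaves `/usr/local/var/log/unifi-poller` behind, the directory this patch starts packaging and that after-install.sh hands to `nobody:admin`; the `rm -rf /usr/local/{etc,bin,share/doc}/$(BINARY)` line just above the added `rm -f` does not cover it. If keeping logs after removal is intended, a comment such as `# Logs under /usr/local/var/log/$(BINARY) are kept on purpose.` would say so; otherwise extend the list to `rm -rf /usr/local/{etc,bin,share/doc,var/log}/$(BINARY)`. The added three-`echo` line would also read better split with `\` continuations, as the removed version was. The recipe starts before this hunk.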
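Review bot: `UserName` and `GroupName` are honoured by launchd only for jobs loaded into the privileged system domain, and the Makefile and after-install.sh hunks in this patch place this plist under /Library/LaunchAgents, so the keys take effect only when root loads the job by hand, as after-install.sh does. When an agent in that directory is loaded at user login it runs as the logged-in user rather than nobody, so the privilege drop presumably does not survive a reboot. Installing the plist under /Library/LaunchDaemons would make the `nobody` setting apply on every start. The XML tags of this hunk are not visible here, so the exact key layout cannot be checked.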
@@ -9,18 +9,21 @@ if [ "$(uname -s)" = "Darwin" ]; then
 cp /usr/local/etc/unifi-poller/up.conf.example /usr/local/etc/unifi-poller/up.conf
 fi
 
- # Allow admins to change the configuration and write logs.
- chgrp -R admin /usr/local/etc/unifi-poller
- chmod -R g+wr /usr/local/etc/unifi-poller
+ # Allow admins to change the configuration and delete the docs.
+ chgrp -R admin /usr/local/etc/unifi-poller /usr/local/share/doc/unifi-poller
+ chmod -R g+wr /usr/local/etc/unifi-poller /usr/local/share/doc/unifi-poller
 
- # Make sure admins can write logs.
- chgrp admin /usr/local/var/log
- chmod g=rwx /usr/local/var/log
+ # Make sure admins can delete logs.
+ chown -R nobody:admin /usr/local/var/log/unifi-poller
+ chmod 0775 /usr/local/var/log/unifi-poller
+ chmod -R g+rw /usr/local/var/log/unifi-poller
 
- # This starts it as root. no no no .... not sure how to fix that.
- # launchctl load /Library/LaunchAgents/com.github.davidnewhall.unifi-poller.plist
+ # Restart the service - this starts the application as user nobody.
+ launchctl unload /Library/LaunchAgents/com.github.davidnewhall.unifi-poller.plist
+ launchctl load /Library/LaunchAgents/com.github.davidnewhall.unifi-poller.plist
 
 elif [ -x "/bin/systemctl" ]; then
+ # Reload and restart - this starts the application as user nobody.
 /bin/systemctl daemon-reload
 /bin/systemctl enable unifi-poller
 /bin/systemctl restart unifi-poller
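Review bot: The service now runs as nobody, but the config directory is only regrouped to admin with `g+wr`, so nobody presumably reads `up.conf` through the world-readable bits alone; if that file holds controller credentials (its contents are not visible here), every local account can read them as well. Consider `chown nobody /usr/local/etc/unifi-poller/up.conf` followed by `chmod 0660` on it, accepting that the service can then rewrite its own config, or use a dedicated service account, and state in the comment which accounts are meant to read the file. Separately, `launchctl unload` runs unconditionally and will report an error on a first install where nothing is loaded; `launchctl unload <plist> 2>/dev/null || true` keeps that from aborting the script if it runs under `set -e` (the script header is outside the hunk). The recursive `chown -R` and `chmod -R` also run as root on every upgrade over a directory the unprivileged service can write to, so limiting them to the directory itself is the safer default.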