debian: avoid running service as root/nobody

Create a new _statsd system user on package installation (and remove him
when package is purged), and modify upstrart and init-script to have
this user run the daemon.

debian/dirs

@@ -1 +1,2 @@
-var/log/statsd
+var/log/statsd
+var/run/statsd

debian/postinst

@@ -1,6 +1,19 @@
 #!/bin/sh
 
-if [ "`stat -c %G /var/log/statsd`" != 'nogroup' ]; then
-    chown root.nogroup /var/log/statsd
-    chmod 770 /var/log/statsd
-fi
+set -e
+
+if [ "$1" = configure ]; then
+
+  if ! getent passwd _statsd > /dev/null; then
+    adduser --system --quiet --home /nonexistent --no-create-home \
+      --shell /bin/false --force-badname --group --gecos "StatsD User" _statsd
+  fi
+
+  if ! dpkg-statoverride --list /var/run/statsd >/dev/null 2>&1; then
+    dpkg-statoverride --update --add _statsd _statsd 0755 /var/run/statsd
+  fi
+
+  if ! dpkg-statoverride --list /var/log/statsd >/dev/null 2>&1; then
+    dpkg-statoverride --update --add _statsd _statsd 0755 /var/log/statsd
+  fi
+fi

debian/postrm

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = purge ]; then
+
+  update-rc.d statsd remove >/dev/null || true
+
+  rm -rf /var/log/statsd /var/run/statsd
+
+  if dpkg-statoverride --list /var/log/statsd >/dev/null 2>&1; then
+    dpkg-statoverride --remove /var/log/statsd
+  fi
+
+  if dpkg-statoverride --list /var/run/statsd >/dev/null 2>&1; then
+    dpkg-statoverride --remove /var/run/statsd
+  fi
+
+  deluser --system --quiet _statsd || true
+  delgroup --system --quiet _statsd || true
+fi

debian/statsd.init

@@ -21,9 +21,10 @@ fi
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
 DESC="StatsD"
 NAME=statsd
+USER=_statsd
 DAEMON=$NODE_BIN
 DAEMON_ARGS="/usr/share/statsd/stats.js /etc/statsd/localConfig.js 2>&1 >> /var/log/statsd/statsd.log "
-PIDFILE=/var/run/$NAME.pid
+PIDFILE=/var/run/$NAME/$NAME.pid
 SCRIPTNAME=/etc/init.d/$NAME
 CHDIR="/usr/share/statsd"
 
@@ -49,9 +50,9 @@ do_start()
 	#   0 if daemon has been started
 	#   1 if daemon was already running
 	#   2 if daemon could not be started
-	start-stop-daemon --start --quiet -m --pidfile $PIDFILE --startas $DAEMON --background --test > /dev/null \
+	start-stop-daemon --start --quiet -m --pidfile $PIDFILE --startas $DAEMON --chuid $USER:$USER --background --test > /dev/null \
 		|| return 1
-	start-stop-daemon --start --quiet -m --pidfile $PIDFILE --startas $DAEMON --background --chdir $CHDIR -- \
+	start-stop-daemon --start --quiet -m --pidfile $PIDFILE --startas $DAEMON --chuid $USER:$USER --background --chdir $CHDIR -- \
 		$DAEMON_ARGS > /dev/null 2> /var/log/$NAME-stderr.log \
 		|| return 2
 	# Add code here, if necessary, that waits for the process to be ready

debian/statsd.upstart

@@ -7,5 +7,5 @@ stop on shutdown
 script
     chdir /usr/share/statsd
 
-    exec sudo -u nobody /usr/share/statsd/scripts/start
+    exec sudo -u _statsd /usr/share/statsd/scripts/start
 end script