Invoking runsvctrl as non-root

Invoking runsvctrl as non-root

[Anthony Baker]

I'm running into a permissions issue trying to invoke runsvctrl as a
non-root user:

$ runsvctrl d .
runsvctrl: warning: .: unable to open supervise/control: access denied

I'm using runit-1.0.5 on a solaris8 system to supervise a java server
process.  runsv is being spawned automatically by the runsvdir-start
script.  The run script switches to a non-root user (via chpst).  I need
this user to be able to bring the server process up and down.

Invoking runsvctrl/runsvstat as root works beautifully, of course.

Any ideas?

TIA,
Anthony

Re: Invoking runsvctrl as non-root

[Charles Duffy]

On Tue, 30 Nov 2004 17:06:46 -0800, Anthony Baker wrote:

> I'm running into a permissions issue trying to invoke runsvctrl as a
> non-root user

As the message implies, you need to give some permissions to the
user you want to allow runsvctrl and runsvstat -- most particularly, write
access to the socket ./supervise/control and read access to ./supervise/ok
and ./supervise/status.

As an aside, I find that this sort of thing is easier if you
have POSIX ACLs available.

Re: Invoking runsvctrl as non-root

[Ian Stokes-Rees]

Hi,

Charles Duffy wrote:
>>I'm running into a permissions issue trying to invoke runsvctrl as a
>>non-root user
> 
> As the message implies, you need to give some permissions to the
> user you want to allow runsvctrl and runsvstat -- most particularly, write
> access to the socket ./supervise/control and read access to ./supervise/ok
> and ./supervise/status.

Put another way, I have seen this happen when I start a service as root, 
which then creates directories, files and sockets which *only* root can 
read and write, and then I want to control that same service with a 
non-root user.  I think this actually goes for *any* change between the 
first user to invoke runit commands on a service and subsequent users.

The trick is to manually change the access permissions, so other users 
can access the service.  Make sure they are the users you want to be 
able to access the service!  I am pretty sure those permissions will 
stick and runit won't overwrite them, unless the 
directories/files/sockets are deleted and re-created.  UMASK might come 
into play here, but I'm not sure.

HTH,

Ian.
-- 
Ian Stokes-Rees              i.stokes-rees@physics.ox.ac.uk
Particle Physics, Oxford     http://grid.physics.ox.ac.uk/~stokes

Re: Invoking runsvctrl as non-root

[Anthony Baker]

On Wed, 2004-12-01 at 01:03, Ian Stokes-Rees wrote:
> >>I'm running into a permissions issue trying to invoke runsvctrl as a
> >>non-root user
> > 
> > As the message implies, you need to give some permissions to the
> > user you want to allow runsvctrl and runsvstat -- most particularly, write
> > access to the socket ./supervise/control and read access to ./supervise/ok
> > and ./supervise/status.
> 
> The trick is to manually change the access permissions, so other users 
> can access the service.  Make sure they are the users you want to be 
> able to access the service!  I am pretty sure those permissions will 
> stick and runit won't overwrite them, unless the 
> directories/files/sockets are deleted and re-created.  UMASK might come 
> into play here, but I'm not sure.
> 
Thanks for the suggestions, a "chown" in the run script prior to exec
did the trick.

Anthony