supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
From: Wayne Marshall <wcm@b0llix.net>
To: Peter Hickman <peterhickman386@googlemail.com>
Cc: supervision@list.skarnet.org
Subject: Re: Getting a process to run as root
Date: Wed, 25 Apr 2012 15:07:46 +0200
Message-ID: <20120425150746.414ef293@b0llix.net>
In-Reply-To: <CALxYQy6eEzvtu-okAKYnk43AODV3AHv6i7iAwq7N8JAGhaQo3A@mail.gmail.com>

On Wed, 25 Apr 2012 11:20:41 +0100
Peter Hickman <peterhickman386@googlemail.com> wrote:

> I have an application that scans log files that is written in
> Ruby. It is installed as the user log_watcher but needs to be
> run as root so that it can have the rights to read the various
> log files that it needs. Essentially the
> service/log_watcher/run file comes down to "sudo ruby
> log_watcher.rb", the log_watcher user has passwordless sudo
> rights.
> 
> We have runit / supervise installed but when we try and start
> the application it complains about supervise/ok or
> supervise/lock being unavailable which means that the process
> is not being restarted after a reboot.
> 
> How do I get to run the process as root from the log_watcher
> user? I've tried various things I've seen in the wiki and got
> back from googling but nothing seems to work. Or perhaps there
> is another way around this?
> 

Normally a supervision environment runs with root permission by
default.  This means that all your supervised services will
*start out* with root privilege.

Many supervision packages include utilities that may be used to
shape the permissions of service processes.  In practice, these
utilities are used as a means to *drop* privilege, so that
your service will then run without root permission.

The point here is that your scenario is rather uncommon, because
evidently you are using sudo in a runscript to *escalate*
privilege.  That is usually not done.

My suggestion is that you try to think through your service
again, to clarify what you are trying to accomplish.

Based on the information you have provided, it would seem
feasible to run the "log_watcher" service without root
privilege, as long as you can assign it all the group read
permissions it needs in order to access the various log files it
is scanning.

See for example the runuid(8) utility in the latest perp
distribution:

http://b0llix.net/perp/site.cgi?page=runuid.8

The -S option for this utility allows you to run a process as an
unprivileged user, and with any number of supplementary group
permissions.

Best regards,

Wayne

