From: Wayne Marshall
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: Getting a process to run as root
Date: Wed, 25 Apr 2012 15:07:46 +0200
Organization: b0llix.net: un!x for the deranged
Message-ID: <20120425150746.414ef293@b0llix.net>
To: Peter Hickman
Cc: supervision@list.skarnet.org
Mailing-List: contact supervision-help@list.skarnet.org; run by ezmlm
X-Mailer: Claws Mail 3.7.7 (GTK+ 2.22.1; x86_64--netbsd)

On Wed, 25 Apr 2012 11:20:41 +0100
Peter Hickman wrote:

> I have an application that scans log files that is written in
> Ruby. It is installed as the user log_watcher but needs to be
> run as root so that it can have the rights to read the various
> log files that it needs. Essentially the
> service/log_watcher/run file comes down to "sudo ruby
> log_watcher.rb"; the log_watcher user has passwordless sudo
> rights.
>
> We have runit / supervise installed but when we try and start
> the application it complains about supervise/ok or
> supervise/lock being unavailable, which means that the process
> is not being restarted after a reboot.
>
> How do I get to run the process as root from the log_watcher
> user? I've tried various things I've seen in the wiki and got
> back from googling but nothing seems to work. Or perhaps there
> is another way around this?
>

Normally a supervision environment runs with root permission by
default. This means that all your supervised services will *start
out* with root privilege.

Many supervision packages include utilities that may be used to
shape the permissions of service processes. In practice, these
utilities are used as a means to *drop* privilege, so that your
service will then run without root permission.

The point here is that your scenario is rather uncommon, because
evidently you are using sudo in a runscript to *escalate*
privilege. That is usually not done.

My suggestion is that you try to think through your service again,
to clarify what you are trying to accomplish. Based on the
information you have provided, it would seem feasible to run the
"log_watcher" service without root privilege, as long as you can
assign it all the group read permissions it needs in order to
access the various log files it is scanning.

See for example the runuid(8) utility in the latest perp
distribution:

http://b0llix.net/perp/site.cgi?page=runuid.8

The -S option for this utility allows you to run a process as an
unprivileged user, and with any number of supplementary group
permissions.

Best regards,

Wayne
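A worked example of the drop-privilege approach Wayne describes, added here and not part of the thread or of the perp or runit projects. Peter runs runit, whose chpst(8) utility with `-u user:group:group...` plays the same role as perp's `runuid -S`: the supervisor starts `./run` as root, and the run script drops to the service account with the supplementary groups it needs before exec'ing the service. The helper first derives the set of group owners of the log files, then checks that each log is actually group-readable (membership in a group is worthless against a 0600 log), and finally emits the run script. The account name `log_watcher`, the paths, and the directory layout are assumptions.

```sh
#!/bin/sh
# Added example (not from the original thread): derive the supplementary
# groups an unprivileged service account needs to read a set of log files,
# verify the files are group-readable, and emit a runit-style ./run script
# that drops root via chpst -u (runit's counterpart to perp's runuid -S).
# Account name, paths and layout below are assumptions for illustration.

# Print the distinct group owners of the given files as one colon-separated
# list (the form chpst -u and runuid expect).  `ls -ld` is parsed instead of
# stat(1) because its field layout is the same on GNU and BSD userlands.
groups_for_logs() {
    for f in "$@"; do
        ls -ld "$f" | awk '{ print $4 }'
    done | sort -u | awk '{ out = (NR == 1) ? $0 : out ":" $0 } END { print out }'
}

# Return 0 if every file has the group-read bit set.  Otherwise print each
# offending path and return 1: adding the service account to the log's group
# does nothing if the daemon created the log with mode 0600, and in that case
# the fix belongs in the daemon's log settings or in a logrotate create mode.
check_group_readable() {
    rc=0
    for f in "$@"; do
        # column 5 of the mode string ("-rw-r-----") is the group-read bit
        case $(ls -ld "$f" | cut -c5) in
            r) ;;
            *) echo "$f"; rc=1 ;;
        esac
    done
    return $rc
}

# Emit a runit ./run script that starts CMD as ACCOUNT with GROUPS.
# runit executes ./run as root; chpst -u switches uid/gid before exec.
# The first group after the colon becomes the primary gid and the rest are
# supplementary, so list the account's own primary group first.
emit_run_script() {
    account=$1; groups=$2; shift 2
    printf '#!/bin/sh\nexec 2>&1\nexec chpst -u %s:%s %s\n' \
        "$account" "$groups" "$*"
}

# Typical use (assumed paths): no sudo anywhere, and the service never
# holds root once ./run has exec'd chpst.
#   logs="/var/log/auth.log /var/log/nginx/access.log"
#   check_group_readable $logs || exit 1
#   emit_run_script log_watcher "log_watcher:$(groups_for_logs $logs)" \
#       ruby /srv/log_watcher/log_watcher.rb > /etc/sv/log_watcher/run
#   chmod 755 /etc/sv/log_watcher/run
```

The generated script replaces the `sudo ruby log_watcher.rb` run file from the question: the privilege transition now goes downward, and the groups list is derived from the logs themselves rather than guessed. If `check_group_readable` reports a file, that log's mode (not the service's privileges) is what needs fixing.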