supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
* Getting a process to run as root
From: Peter Hickman @ 2012-04-25 10:20 UTC
  To: supervision

I have an application that scans log files that is written in Ruby. It
is installed as the user log_watcher but needs to be run as root so
that it can have the rights to read the various log files that it
needs. Essentially the service/log_watcher/run file comes down to
"sudo ruby log_watcher.rb", the log_watcher user has passwordless sudo
rights.

We have runit / supervise installed but when we try and start the
application it complains about supervise/ok or supervise/lock being
unavailable which means that the process is not being restarted after
a reboot.

How do I get to run the process as root from the log_watcher user.
I've tried various things I've seen in the wiki and got back from
googling but nothing seems to work. Or perhaps there is another way
around this?



* Re: Getting a process to run as root
From: Wayne Marshall @ 2012-04-25 13:07 UTC
  To: Peter Hickman; +Cc: supervision

On Wed, 25 Apr 2012 11:20:41 +0100
Peter Hickman <peterhickman386@googlemail.com> wrote:

> I have an application that scans log files that is written in
> Ruby. It is installed as the user log_watcher but needs to be
> run as root so that it can have the rights to read the various
> log files that it needs. Essentially the
> service/log_watcher/run file comes down to "sudo ruby
> log_watcher.rb", the log_watcher user has passwordless sudo
> rights.
> 
> We have runit / supervise installed but when we try and start
> the application it complains about supervise/ok or
> supervise/lock being unavailable which means that the process
> is not being restarted after a reboot.
> 
> How do I get to run the process as root from the log_watcher
> user. I've tried various things I've seen in the wiki and got
> back from googling but nothing seems to work. Or perhaps there
> is another way around this?
> 

Normally a supervision environment runs with root permission by
default.  This means that all your supervised services will
*start out* with root privilege.

Many supervision packages include utilities that may be used to
shape the permissions of service processes.  In practice, these
utilities are used as a means to *drop* privilege, so that
your service will then run without root permission.

The point here is that your scenario is rather uncommon, because
evidently you are using sudo in a runscript to *escalate*
privilege.  That is usually not done.

My suggestion is that you try to think through your service
again, to clarify what you are trying to accomplish.

Based on the information you have provided, it would seem
feasible to run the "log_watcher" service without root
privilege, as long as you can assign it all the group read
permissions it needs in order to access the various log files it
is scanning.

See for example the runuid(8) utility in the latest perp
distribution:

http://b0llix.net/perp/site.cgi?page=runuid.8

The -S option for this utility allows you to run a process as an
unprivileged user, and with any number of supplementary group
permissions.

Best regards,

Wayne



* Re: Getting a process to run as root
From: Peter Hickman @ 2012-04-26 15:11 UTC
  To: Wayne Marshall; +Cc: supervision

Thanks for your help. I've added the missing groups to the user and
when I run the script from the command line it works fine (sh
./service/log_watcher/run).

However when I use sv start ./service/log_watcher/ the permissions
have disappeared and the files can no longer be read.

I have updated the /etc/sv/runsvdir-log_watcher/run to include the
necessary groups to the chpst -u option but it does not seem to help
(I have also tried the -U option to no avail)

Any idea where I should be looking?



* Re: Getting a process to run as root
From: Wayne Marshall @ 2012-04-26 18:49 UTC
  To: Peter Hickman; +Cc: supervision

On Thu, 26 Apr 2012 16:11:55 +0100
Peter Hickman <peterhickman386@googlemail.com> wrote:

> Thanks for your help. I've added the missing groups to the
> user and when I run the script from the command line it works
> fine (sh ./service/log_watcher/run).
>

When you run the script from the command line, you should be
able to invoke it directly, and not as an argument to the sh
command interpreter.  That is, this should work:

./service/log_watcher/run

If not, then you have a problem:

* Does your run script begin with "#!/bin/sh" ?

* Is your run script set executable with chmod +x ?

> However when I use sv start ./service/log_watcher/ the
> permissions have disappeared and the files can no longer be
> read.
> 
> I have updated the /etc/sv/runsvdir-log_watcher/run to include
> the necessary groups to the chpst -u option but it does not
> seem to help (I have also tried the -U option to no avail)
> 
> Any idea where I should be looking?
> 

To say anything more about this, we would really need to see the
complete source of your run script.

Wayne




* Re: Getting a process to run as root
From: Peter Hickman @ 2012-04-27  9:18 UTC
  To: Wayne Marshall; +Cc: supervision

When I run it just as ./service/log_watcher/run it runs fine

Here is the /etc/sv/runsvdir-log_watcher/run file

#!/bin/sh

RUNIT_USER=log_watcher:root:adm

exec 2>&1
exec chpst -u$RUNIT_USER runsvdir /home/log_watcher/service

I've tried a variety of combinations and values for the -u and -U
settings to no avail

The program runs but when it attempts to access the log files it no
longer has permission to do so (just like it was before I added the
missing groups to the log_watcher user).



* Re: Getting a process to run as root
From: Wayne Marshall @ 2012-04-27 11:13 UTC
  To: Peter Hickman; +Cc: supervision

On Fri, 27 Apr 2012 10:18:52 +0100
Peter Hickman <peterhickman386@googlemail.com> wrote:
 
> Here is the /etc/sv/runsvdir-log_watcher/run file
> 
> #!/bin/sh
> 
> RUNIT_USER=log_watcher:root:adm
> 
> exec 2>&1
> exec chpst -u$RUNIT_USER runsvdir /home/log_watcher/service
> 
> I've tried a variety of combinations and values for the -u and
> -U settings to no avail
> 
> The program runs but when it attempts to access the log files
> it no longer has permission to do so (just like it was before
> I added the missing groups to the log_watcher user).
> 

I see evidence of more than a few problems here.  For example,
why would you be using runsvdir in a service definition?

Anyway, it would appear that your basic runit installation and
setup may be a little confused.  Hopefully some runit users here
will be able to give you some good suggestions.

BTW, if you should ever decide to give perp a try, you may be
pleased to find you don't have to mess around with any symlink
indirection to install your service.  Then I could suggest an
rc.main runscript for your "log_watcher" service that looks
something like this:

#!/bin/sh
# /etc/perp/log_watcher/rc.main

exec 2>&1

TARGET=${1}
SVNAME=${2}

RUNUID="log_watcher"
# (not GROUPS: bash reserves that name and ignores assignments to it)
SUPGROUPS="log_watcher:adm"

start() {
  echo "starting ${SVNAME}..."
  exec runuid -S ${SUPGROUPS} ${RUNUID} /path/to/log_watcher
}

reset() {
  echo "resetting ${SVNAME}..."
  exit 0
}

eval ${TARGET} "$@"

### EOF

Wayne
http://b0llix.net/perp/




* Re: Getting a process to run as root
From: Peter Hickman @ 2012-04-27 13:44 UTC
  To: Wayne Marshall; +Cc: supervision

To be honest this is just the way someone else set it up for our other
projects (we install all this via chef) and it is working fine for
everything else we run. It's just that this is the first time we have
needed to elevate privilege.

Ah well just have to keep on hacking at it.

Thanks for all your help it has definitely got things moving.



* Re: Getting a process to run as root
From: Peter Hickman @ 2012-04-27 14:42 UTC
  To: Wayne Marshall; +Cc: supervision

There we go solved, in my case at least. I kept the
/etc/sv/runsvdir-log_watcher/run file as it was but changed the
/home/log_watcher/service/log_watcher/run file to this:

#!/bin/bash

set -e

EXEC="sudo -u log_watcher ruby log_watcher.rb known_logs.yml"

# Run the script.
cd /home/log_watcher/log_watcher/current
export RAILS_ENV=production
exec $EXEC

The significant change was adding the "sudo -u log_watcher" to the
EXEC string. To be honest it seems horribly convoluted but it seems to
work just fine.

Again thanks for the help.



* Re: Getting a process to run as root
From: Charlie Brady @ 2012-04-27 14:56 UTC
  To: Peter Hickman; +Cc: Wayne Marshall, supervision


On Fri, 27 Apr 2012, Peter Hickman wrote:

> The significant change was adding the "sudo -u log_watcher" to the
> EXEC string. To be honest it seems horribly convoluted but it seems to
> work just fine.

And indeed it is. You are dropping privileges from runsvdir, and then need 
to add them later via sudo. If you leave runsvdir running as root, and 
drop privileges in each service run script, then you will have a simpler 
setup. You will also be avoiding sudo, which is a large complex program 
which does not have a perfect security record.
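
Added example, not part of the thread and not code from runit or perp: a small sh helper that confirms which uid and groups a supervised process actually ended up with, which is what went missing in the messages above once the credentials were set from the run script. The numeric ids (1001 for log_watcher, 4 for adm) and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Audit a supervised process's credentials from /proc/<pid>/status.
# Assumed ids for illustration: log_watcher = uid/gid 1001, adm = gid 4.

# Constructed sample of the relevant status lines: sample_status UID "GROUP LIST"
sample_status() {
  printf 'Name:\truby\nUid:\t%s\t%s\t%s\t%s\n' "$1" "$1" "$1" "$1"
  printf 'Gid:\t1001\t1001\t1001\t1001\nGroups:\t%s\n' "$2"
}

# effective_uid FILE: Uid: lists real, effective, saved, fs; print the effective one
effective_uid() {
  awk '$1 == "Uid:" { print $3 }' "$1"
}

# has_group FILE GID: succeed if GID is the effective gid or a supplementary group
has_group() {
  awk -v want="$2" '
    $1 == "Gid:"    { if ($3 == want) found = 1 }
    $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
    END             { exit !found }
  ' "$1"
}

# audit_service FILE WANT_UID NEED_GID: one-line verdict, non-zero status on failure
audit_service() {
  uid=$(effective_uid "$1")
  if [ "$uid" = 0 ]; then echo "FAIL: running as root"; return 1; fi
  if [ "$uid" != "$2" ]; then echo "FAIL: uid $uid, expected $2"; return 1; fi
  if ! has_group "$1" "$3"; then echo "FAIL: gid $3 not held"; return 1; fi
  echo "OK: uid $uid holds gid $3"
}

# Usage against a live service: audit.sh PID WANT_UID NEED_GID
if [ $# -eq 3 ]; then
  audit_service "/proc/$1/status" "$2" "$3"
fi
```

Under runit the pid to check can be read from the service's supervise/pid file.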



* Re: Getting a process to run as root
From: Laurent Bercot @ 2012-04-28  1:17 UTC
  To: supervision

>> To be honest it seems horribly convoluted but it seems to work just fine.
> And indeed it is.

 http://xkcd.com/763/

 I absolutely *do not want to know* how "chef", whatever that is, installs
and administers its computers.

-- 
 Laurent

