Services default to starting as root at boot time on my RHEL box. If I recall correctly, the same is true for other Linux distros which use the init scripts in
On a CentOS (Red Hat) virtual machine for svn server:
edited /etc/init.d/svnserver to change the pid to something that svn can write:
pidfile=${PIDFILE-/home/svn/run/svnserve.pid}
and added option --user=svn:
daemon --pidfile=${pidfile} --user=svn $exec $args
The original pidfile was /var/run/svnserve.pid. The daemon did not start because only root could write there.
These all work:
/etc/init.d/svnserve start
/etc/init.d/svnserve stop
/etc/init.d/svnserve restart
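A check to run after starting the service, given here as an added example that is not part of the answers on this page: it reads the pidfile and confirms that the recorded process runs under the intended account rather than root. The function names are hypothetical; the pidfile path and user in the usage comment are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the original init script): verify that the process
# named in a service pidfile runs as the intended unprivileged account.

# Print the effective UID of a PID; print nothing if the process is gone.
proc_uid() {
    if [ -d "/proc/$1" ]; then
        # Linux: the /proc/PID directory is owned by the process's effective UID
        stat -c %u "/proc/$1" 2>/dev/null
    else
        ps -o uid= -p "$1" 2>/dev/null | tr -d ' '
    fi
}

# check_service_user PIDFILE USER_OR_UID
# Returns: 0 ok, 1 bad pidfile or unknown user, 2 not running,
#          3 running under a different UID, 4 running as root.
check_service_user() {
    pidfile=$1 expected=$2
    [ -r "$pidfile" ] || { echo "cannot read $pidfile" >&2; return 1; }
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) echo "$pidfile does not hold a PID" >&2; return 1 ;;
    esac
    # Accept either an account name or a numeric UID
    case $expected in
        ''|*[!0-9]*) want=$(id -u "$expected" 2>/dev/null) ||
                     { echo "unknown user: $expected" >&2; return 1; } ;;
        *)           want=$expected ;;
    esac
    uid=$(proc_uid "$pid") || uid=""
    [ -n "$uid" ] || { echo "PID $pid is not running" >&2; return 2; }
    if [ "$uid" -eq 0 ]; then
        echo "PID $pid runs as root" >&2; return 4
    fi
    [ "$uid" -eq "$want" ] ||
        { echo "PID $pid runs as UID $uid, expected $want" >&2; return 3; }
    echo "PID $pid runs as UID $uid"
}

# Usage with the values from the answer above:
#   check_service_user /home/svn/run/svnserve.pid svn
```

A return code of 2 right after a start usually means the daemon could not write its pidfile or exited early, which is the failure described above for /var/run/svnserve.pid.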
Why not try the following in the init script:
setuid $USER application_name
It worked for me.
Just to add some other things to watch out for:
I needed to run a Spring .jar application as a service, and found a simple way to run this as a specific user:
I changed the owner and group of my jar file to the user I wanted to run as. Then symlinked this jar in init.d and started the service.
So:
#chown myuser:myuser /var/lib/jenkins/workspace/springApp/target/springApp-1.0.jar
#ln -s /var/lib/jenkins/workspace/springApp/target/springApp-1.0.jar /etc/init.d/springApp
#service springApp start
#ps aux | grep java
myuser 9970 5.0 9.9 4071348 386132 ? Sl 09:38 0:21 /bin/java -Dsun.misc.URLClassPath.disableJarChecking=true -jar /var/lib/jenkins/workspace/springApp/target/springApp-1.0.jar
On Debian we use the start-stop-daemon utility, which handles pid-files, changing the user, putting the daemon into background and much more.
I'm not familiar with RedHat, but the daemon utility that you are already using (which is defined in /etc/init.d/functions, btw.) is mentioned everywhere as the equivalent to start-stop-daemon, so either it can also change the uid of your program, or the way you do it is already the correct one.
If you look around the net, there are several ready-made wrappers that you can use. Some may even be already packaged in RedHat. Have a look at daemonize, for example.
If you intend to write your own daemon, then I recommend calling setuid(). This way, your process can