majoron Apprentice
Joined: 12 Oct 2005 Posts: 243 Location: Frankfurt
Posted: Wed Mar 16, 2016 11:51 am Post subject: Starting OpenRC based init script as unprivileged user
Dear all,
I'm having trouble finding a way to start an OpenRC service as a normal user.
I have written a simple init script to run a service that does not require root privileges. However when I try to start the service as non-root, I get:
Code: | $ ./bin/myservice.openrc start
* myservice.openrc: superuser access required |
Of course running it as root works. Other commands ("status") are not affected; they go through.
I have also checked that the check for permissions does not happen at the script level. The init script does not even get read. It is "openrc" that stops the execution when it gets the "start" command, before playing with the script, AFAICT.
Does anyone know how to disable this "root privilege" enforcement? I would say there must be an easy way to do that...
Thanks in advance.
PS BTW, sorry if this is not the correct place to post this question. Let me know in case I should post in a different forum...
PS: Edit: typo
_________________
Computers are like air conditioners, they stop working properly if you open Windows

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 10012 Location: almost Mile High in the USA
Posted: Wed Mar 16, 2016 12:55 pm Post subject:
I would assume the logging and tracking of this service is why openrc wants root. Do you need the logging/tracking or can you live without it and simply not use openrc?
Otherwise you should simply just use "sudo" or something to run these scripts...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

lexflex Guru
Joined: 05 Mar 2006 Posts: 363 Location: the Netherlands
Posted: Wed Mar 16, 2016 12:55 pm Post subject: Re: Starting OpenRC based init script as unprivileged user
Hi,
It depends on what you are trying to achieve:
The usual way (as far as I know) is that the service is started by root.
You can still run the services as another user. You can indicate this in the init file using the -u option:
Code: | start-stop-daemon --start --quiet --exec /usr/bin/<FILE TO EXECUTE> -u USER |
(However, this will still require root access to start the service using openrc, but it will run as USER.)
Alex.

schorsch_76 Guru
Joined: 19 Jun 2012 Posts: 452
Posted: Wed Mar 16, 2016 1:49 pm Post subject:
I have managed such an issue with sudo:
in /etc/sudoers I added my script "/etc/init.d/something" and allowed it especially for one user. The "problem" is that openrc keeps track of the running services. This update in its tree needs root privileges. It is a separate issue from the rights that your service process needs.
_________________
// valid again: I forgot about the git access. Now 1.2GB big. Start: 2015-06-25
git daily portage tree
Web: https://github.com/schorsch1976/portage
git clone https://github.com/schorsch1976/portage

majoron Apprentice
Joined: 12 Oct 2005 Posts: 243 Location: Frankfurt
Posted: Thu Mar 17, 2016 2:33 pm Post subject:
Thank you for the answers. I think some more info is needed...
I'm developing a service in a TDD fashion. There is a daemon doing its job, and at the end of the day the daemon should run as root in production. But I wanted to write some functional tests to check things from the user perspective, including the control of the daemon process through an OpenRC script. For the tests I would like to run as non-root.
So, I guess I need to play sudo to do the tests. Right?
Any other suggestions or comments would be welcome.
_________________
Computers are like air conditioners, they stop working properly if you open Windows

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Mar 18, 2016 2:57 am Post subject:
sudo would be easiest - if you really have to run it under OpenRC. You could also run a process supervision tool as a regular user which might be easier (not to mention more portable).

majoron Apprentice
Joined: 12 Oct 2005 Posts: 243 Location: Frankfurt
Posted: Fri Mar 18, 2016 2:21 pm Post subject:
Ant P. wrote: | You could also run a process supervision tool as a regular user which might be easier (not to mention more portable). |
Can you elaborate on this, please?
TIA
_________________
Computers are like air conditioners, they stop working properly if you open Windows

steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Fri Mar 18, 2016 3:39 pm Post subject:
majoron wrote: | I'm developing a service in a TDD fashion. There is a daemon doing its job, and at the end of the day the daemon should run as root in production. But I wanted to write some functional tests to check things from the user perspective, including the control of the daemon process through an OpenRC script. For the tests I would like to run as non-root. |
Hmm I was about to say: there is no such thing as "control of the daemon process through an OpenRC script", "from the user [non-root] perspective", but I have a vague memory that's incorrect. (ISTR some discussion in the commit history.)
UberLord would be able to provide some perspective.
Quote: | So, I guess I need to play sudo to do the tests. Right? |
To start up, for now, yes; but use the -u option to ssd, mentioned above by lexflex, to ensure your service at least does not run as root, and thus cannot mess up too much, during testing.

Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Mar 18, 2016 6:32 pm Post subject:
majoron wrote: | Ant P. wrote: | You could also run a process supervision tool as a regular user which might be easier (not to mention more portable). |
Can you elaborate on this, please?
TIA |
Look at sys-process/daemontools{,-encore}, sys-process/runit, sys-apps/s6 or busybox - they all work more or less the same (and systemd/upstart happen to be clones of these).

cord Guru
Joined: 28 Apr 2007 Posts: 346
Posted: Thu Jul 14, 2016 4:19 pm Post subject:
Hi everyone, I don't want to start a new topic because this one matches my issue.
I need to restart my net.eth0 often enough (networking lags). I want to make an applet on the desktop panel for that (so I would restart eth0 with one mouse click).
I added to /etc/sudoers this line (using visudo; user = john):
Code: | john localhost = NOPASSWD: /etc/init.d/net.eth0 restart |
but
Code: | john@localhost ~ $ sudo -l
User john may run the following commands on localhost:
(root) NOPASSWD: /etc/init.d/net.eth0 restart
john@localhost ~ $ /etc/init.d/net.eth0 restart
* net.eth0: superuser access required
john@localhost ~ $ |

depontius Advocate
Joined: 05 May 2004 Posts: 3530
Posted: Thu Jul 14, 2016 4:33 pm Post subject:
john@localhost ~ $ sudo /etc/init.d/net.eth0 restart
_________________
.sigs waste space and bandwidth

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 10012 Location: almost Mile High in the USA
Posted: Thu Jul 14, 2016 4:34 pm Post subject:
Probably should have started a new thread, it's different enough... But anyway, don't forget to add "sudo" before the init script...
$ sudo /etc/init.d/net.eth0 restart
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

cord Guru
Joined: 28 Apr 2007 Posts: 346
Posted: Thu Jul 14, 2016 4:43 pm Post subject:
Ooops! I hadn't noticed the Elephant.
Thanks. And sorry for the different issue.
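
The sudoers rule posted in this thread names the init script together with one argument (`restart`), which is what keeps the grant narrow. The following is an added example, not part of the original thread: a simplified checker (single-line rules only, no aliases or includes) that classifies NOPASSWD rules for `/etc/init.d/` scripts; the function name and the second and third sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified audit of NOPASSWD sudoers rules for init scripts.
# Assumption: single-line user specs only (no aliases, continuations, includes).

# Reads sudoers text on stdin and prints "<line> <verdict> <command>" for each
# NOPASSWD command under /etc/init.d/:
#   PINNED   - arguments are listed, so sudo requires exactly those arguments
#   ANYARGS  - no arguments listed, so sudo accepts any (start, stop, ...)
#   WILDCARD - a glob in the path or arguments widens what the rule matches
audit_initd_rules() {
    awk '
    /^[ \t]*#/ { next }                          # skip comment lines
    /NOPASSWD:/ {
        spec = $0
        sub(/^.*NOPASSWD:[ \t]*/, "", spec)      # keep only the command list
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            cmd = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", cmd)     # trim surrounding blanks
            if (cmd !~ /^\/etc\/init\.d\//) continue
            if (cmd ~ /[*?]/)          verdict = "WILDCARD"
            else if (cmd !~ /[ \t]/)   verdict = "ANYARGS"
            else                       verdict = "PINNED"
            print NR, verdict, cmd
        }
    }'
}

# Constructed sample: the first rule is the one posted in the thread, the other
# two are hypothetical variants added for comparison.
SAMPLE_SUDOERS='# constructed sample input
john localhost = NOPASSWD: /etc/init.d/net.eth0 restart
john localhost = NOPASSWD: /etc/init.d/myservice
john localhost = NOPASSWD: /etc/init.d/* restart'

printf '%s\n' "$SAMPLE_SUDOERS" | audit_initd_rules
```

Whatever path such a rule names is executed as root, so the script and its parent directories should be root-owned and not writable by the user who is granted the rule.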