Running upstart jobs as unprivileged users

What's the canonical way to have an upstart job change its userid and run the script as an unprivileged user?

Obviously one can use su or sudo, but this seems hacky (and can generate needless log lines).

Replay

With upstart v1.4, setuid and setgid are supported natively in the config file.

Asking on the #upstart channel on freenode, the official take on the matter is:

A future release of Upstart will have native support for that, but for now, you can use something like:

exec su -s /bin/sh -c 'exec "$0" "$@"' username -- /path/to/command [parameters...]

How about using start-stop-daemon?

exec start-stop-daemon --start --chuid daemonuser --exec /bin/server_cmd

From Upstart cookbook:

The recommended method for Debian and Ubuntu systems is to use the helper utility start-stop-daemon. […] start-stop-daemon does not impose PAM ("Pluggable Authentication Module") limits to the process it starts.

Note: start-stop-daemon is not supported in RHEL.

There are several ways to do it, all with slightly different semantics, particularly relating to group membership:

  • setuidgid will put you in only the group you specify, so you won't be able to access files belonging to other groups you're a member of unless you use newgrp.
    • Using newgrp once you've become the less privileged user will add a single group to your groupset, but also creates a new subshell, making it tricky to use inside scripts.
  • start-stop-daemon preserves your group membership, and does a whole lot more than just setuid/setgid.
  • chpst -u username:group1:group2:group3... commandname will let you specify exactly what group memberships to adopt, but (in Ubuntu) it only comes with the runit package, which is an alternative to upstart.
  • su -c commandname username picks up all of username's group memberships, as does sudo -u username commandname, so they're probably the route to least astonishment.

Use setuidgid from the package daemontools.

Documentation here: http://cr.yp.to/daemontools/setuidgid.html

On an Ubuntu 10.10 instance on Amazon EC2, I had better luck with the start-stop-daemon command.

I also struggled with some of the other upstart stanzas. I am calling a python application with a specific virtualenv and some parameters to my executed program.

The following is what worked for me.

script
  export PYTHONPATH=.:/home/ubuntu/.local/lib/python2.7/site-packages/:/home/ubuntu/python/lib/python2.7/site-packages/
  exec start-stop-daemon --start  --chuid ubuntu --exec /home/ubuntu/python_envs/MyProj/bin/python /home/ubuntu/www/MyProj/MyProj.py -- --config-file-dir=/home/ubuntu/www/MyProj/config/ >> /home/ubuntu/startup.log 2>&1 &
end script

The PYTHONPATH is to get some packages installed from source into the PYTHON module path when this upstart job runs. I had to do everything in absolute paths because the chdir stanza didn't seem to work.

I was using CentOS 6, and I could not get the recommended hack (for Upstart 0.6.5) to work for me, nor the 'su' trick because the number of forks involved (4 I think) was not tracked by 'expect fork' or 'expect daemon'.

I eventually just did

chown user:group executable
chmod +s executable

(i.e., set the setuid bit and change the ownership).

It may not be the safest method, but for an internal R&D project, it didn't matter in our case.
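The answers above differ in which group memberships the job ends up with, and the setuid-bit approach changes only some of the process's IDs. The following is an added example, not code from any of the answers, that reads a job's `/proc/<pid>/status` text and reports what the launcher really left in place. It assumes Linux; the function names, the service account UID/GID 1000, and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: the text of /proc/<pid>/status on stdin (Linux).

# Print one finding per line; exit status 0 = no root IDs left, 1 = findings.
audit_creds() {
    awk '
        # Uid:/Gid: lines hold four IDs: real, effective, saved, filesystem.
        # A real or saved UID of 0 lets the process switch back to root.
        BEGIN { split("real effective saved filesystem", kind, " ") }
        $1 == "Uid:" || $1 == "Gid:" {
            id = tolower(substr($1, 1, 3))
            for (i = 2; i <= NF; i++)
                if ($i == 0) { print kind[i - 1] " " id " is 0"; bad = 1 }
        }
        # Supplementary groups stay inherited unless the launcher resets them.
        $1 == "Groups:" {
            for (i = 2; i <= NF; i++)
                if ($i == 0) { print "supplementary group 0 retained"; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Print the supplementary group IDs, space separated (empty if none).
supp_groups() {
    awk '$1 == "Groups:" { $1 = ""; sub(/^ +/, ""); print }'
}

# Constructed samples, not captured from a real host. 1000 is a hypothetical
# service account; 4 and 27 are other groups that account belongs to.
sample_full_drop() {      # all of the account's groups kept
    printf 'Uid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t4 27 1000 \n'
}
sample_single_group() {   # only the named group, no other memberships
    printf 'Uid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t1000 \n'
}
sample_setuid_bit() {     # root starts a chmod +s binary owned by 1000:1000
    printf 'Uid:\t0\t1000\t1000\t1000\nGid:\t0\t1000\t1000\t1000\nGroups:\t0 \n'
}

for s in sample_full_drop sample_single_group sample_setuid_bit; do
    echo "== $s: groups [$("$s" | supp_groups)]"
    "$s" | audit_creds || true
done
```

Against a running job, feed it the real file, for example `audit_creds < /proc/1234/status`, where 1234 is a placeholder PID.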

There is a third possibility depending on what you are trying to accomplish. You may be able to loosen the access controls on the files/devices in question. This can allow an unprivileged user to mount or access items that they normally wouldn't be allowed to. Just be sure you aren't giving away the keys to the kingdom in the process.

You can also change the timeout of the sudo password cache. But I don't recommend it unless your machine is physically secure (i.e., you believe that it's unlikely that a passer-by would attempt to gain sudo access).

There's a good reason that there are very few ways to perform privileged actions and that they perform needless necessary logging. Loose restrictions would be a security hazard for your system, and a lack of logging would mean there's no way to know what happened when you've been compromised.

If the size of your log files is a concern then something is probably wrong. Sudo generates only one line per use under normal conditions.

Category: ubuntu Time: 2009-03-11 Views: 1

Copyright (C) avrocks.com, All Rights Reserved.
