|
|
How to create directories in /var/run?
I'm writing an SMF manifest and method script for a simple service
that has no need to run as root. I can use `method_credential' in
the manifest to specify the user and group to use when executing
the method. However, this service needs to create a unix-domain
socket and write a PID file someplace. I'd like to put them into
a subdirectory of /var/run. This would have to be owned by the same
user and group. /var/run itself is owned by root.
How can I accomplish this when the service starts? Creating and
changing ownership has to be done by root. It can't be done in
the method script because it's run as an ordinary user. Can the
start method execute two scripts, the first one as root? Should I
set up another SMF service just to set up the directories correctly?
--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
|
|
0
|
|
|
|
Reply
|
 Gary
|
8/12/2008 1:20:41 PM |
|
could you have one script with setuid set which does the job of named pipe
creation in some central location, and the method script could call this
other script to do this stuff?
"Gary Mills" <mills@cc.umanitoba.ca> wrote in message
news:g7s2n9$2dv$1@canopus.cc.umanitoba.ca...
> I'm writing an SMF manifest and method script for a simple service
> that has no need to run as root. I can use `method_credential' in
> the manifest to specify the user and group to use when executing
> the method. However, this service needs to create a unix-domain
> socket and write a PID file someplace. I'd like to put them into
> a subdirectory of /var/run. This would have to be owned by the same
> user and group. /var/run itself is owned by root.
>
> How can I accomplish this when the service starts? Creating and
> changing ownership has to be done by root. It can't be done in
> the method script because it's run as an ordinary user. Can the
> start method execute two scripts, the first one as root? Should I
> set up another SMF service just to set up the directories correctly?
>
> --
> -Gary Mills- -Unix Support- -U of M Academic Computing and
> Networking-
|
|
|
0
|
|
|
|
Reply
|
Madhu
|
8/12/2008 9:58:50 PM
|
|
In <g7t12v$1mi$1@zcars129.ca.nortel.com> "Madhu Ramachandran" <madhuram@nortel.com> writes:
>could you have one script with setuid set which does the job of named pipe
>creation in some central location, and the method script could call this
>other script to do this stuff?
That's an option, although it has some security implications. I'm
leaning towards another service that runs as root to create and change
ownership of directories in /var/run.
--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
|
|
|
0
|
|
|
|
Reply
|
Gary
|
8/12/2008 10:31:12 PM
|
|
"Gary Mills" <mills@cc.umanitoba.ca> wrote in message
news:g7t2vg$lbh$1@canopus.cc.umanitoba.ca...
> In <g7t12v$1mi$1@zcars129.ca.nortel.com> "Madhu Ramachandran"
> <madhuram@nortel.com> writes:
>
>>could you have one script with setuid set which does the job of named pipe
>>creation in some central location, and the method script could call this
>>other script to do this stuff?
>
> That's an option, although it has some security implications. I'm
> leaning towards another service that runs as root to create and change
> ownership of directories in /var/run.
Gary,
Ugly workaround. Race conditions possible?
What about pre-creation of a subdir in /var/run with the mode and ownership
set correctly -- Possibly name the directory with the name of the
unpriviledged user, ie. /var/run/nonrootuser/. Create the pid, etc files in
that directory. I notice on Sol 10/x86, that there is a /var/run/daemon
directory owned by daemon:daemon -- I suspect for the exact purpose as I
have described.
--
Darren Besler
|
|
|
0
|
|
|
|
Reply
|
forsale606
|
8/12/2008 10:41:02 PM
|
|
In <Mlook.20495$QX3.984@newsfe02.iad> <forsale606@mts.net> writes:
>"Gary Mills" <mills@cc.umanitoba.ca> wrote in message
>news:g7t2vg$lbh$1@canopus.cc.umanitoba.ca...
>> In <g7t12v$1mi$1@zcars129.ca.nortel.com> "Madhu Ramachandran"
>> <madhuram@nortel.com> writes:
>>
>>>could you have one script with setuid set which does the job of named pipe
>>>creation in some central location, and the method script could call this
>>>other script to do this stuff?
>>
>> That's an option, although it has some security implications. I'm
>> leaning towards another service that runs as root to create and change
>> ownership of directories in /var/run.
>Ugly workaround. Race conditions possible?
>What about pre-creation of a subdir in /var/run with the mode and ownership
>set correctly -- Possibly name the directory with the name of the
>unpriviledged user, ie. /var/run/nonrootuser/. Create the pid, etc files in
>that directory.
Yes, that's what I'm considering doing. Once the directory is created
with the right ownership, the next service will be able to write to it
as an ordinary user. The directory would have to be recreated at each
system boot, of course.
--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
|
|
|
0
|
|
|
|
Reply
|
Gary
|
8/13/2008 2:26:20 AM
|
|
|
4 Replies
361 Views
(page loaded in 0.081 seconds)
|
|
|
|
|
|
|
|
|
Search |
Post Question |
Groups |
Stream |
About |
Register
25712 articles. 
78 followers. 