Start systemd service as a user, but run ExecStartPost as root
Hi,
I'm using systemd on a CentOS 7 system to run a user-based process. This is working perfectly.
However, I now need to add an additional step that runs after the main process start, but this has to run as root. Just adding the ExecStartPost entry fails with Permission Denied as this step is currently run as the same user as the main process.
Quote:
Originally Posted by MQMan
Permission Denied as this step is currently run as the same user as the main process.
I am very interested in this. I spent half my morning today trying to figure out the exact same thing. I finally figured out the best way to do what I was trying to do was use crontab. In other words, I gave up and went a different way. I'm still interested in the outcome, however.
Obviously, in the general sense, what you would be asking for here is privilege escalation. A non-root process wants to "run something as root." ("Well, don't they all ..." )
One possibility is to create an entirely root-level sequence that, say, uses some kind of sudo -u userid trick to invoke a particular process under the auspices of a particular user. The owning sequence, however, is still understood to be "rootly," and it therefore could initiate the other processing.
I haven't thought this hare-brained idea completely through, o'course ...
A non-root process wants to "run something as root."
Not quite. systemd *is* (or should be) running as root to fire off the user process. It's just that the ExecStartPost inherits the user attribute.
Another possibility would be if there's a way to "chain" another service off the user one, as a dependency, then that would work also.
Quote:
Originally Posted by sundialsvcs
One possibility is to create an entirely root-level sequence that, say, uses some kind of sudo -u userid trick to invoke a particular process under the auspices of a particular user.
I thought that's what's happening now. The systemd process runs as root and starts a process as a particular user. Plus, I also thought that it wasn't possible to use sudo under systemd. But I'm happy to be corrected.
Create another service file and have it run after the user service?
Code:
After = your-user.service
Been playing with this all morning, together with lots of Google-fu, and just the After= on the 2nd service didn't do the trick, sorry.
But, the following does appear to do what I want:
On the original service, I added the following:
Code:
Before=2nd.service
Wants=2nd.service
And created that 2nd service with:
Code:
[Unit]
Description=Follow up script that needs to be root
PartOf=original.service
[Service]
Type=oneshot
ExecStart=/usr/local/bin/some.sh
RemainAfterExit=yes
Since this is the top result for my DuckDuckGo search for starting a process as a user but ExecStart[Pre|Post] as root, I wanted to add this answer.
From man 5 systemd.service:
Code:
Table 1. Special executable prefixes
...
If the executable path is prefixed with "+" then the process is executed with full privileges.
In this mode privilege restrictions configured with User=, Group=, CapabilityBoundingSet= or the
various file system namespacing options (such as PrivateDevices=, PrivateTmp=) are not applied to the
invoked command line (but still affect any other ExecStart=, ExecStop=, ... lines).
This will start /home/user/userprocess as user jamal, but the ExecStartPre and ExecStartPost will run as root. This should be much simpler and cleaner than creating a subservice that is PartOf the main service.
Last edited by mobusdorphin; 05-06-2019 at 12:42 PM.
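The two solutions in this thread (the Before=/Wants=/PartOf= pair of units, and the "+" executable prefix) both rely on getting the privilege of each Exec line right, so it is worth being able to check a unit file and see which commands will run as root and which as the configured User=. The script below is an added example, not code from the thread or from systemd: it reconstructs the kind of unit the last post describes (constructed sample, user and script paths are placeholders) and audits it. It treats a "+" prefix as full privileges, as the quoted man page says, and strips the "-", "@" and ":" prefixes from the same table, which do not change privileges. The same function can be pointed at the original.service and 2nd.service from the earlier post to confirm that 2nd.service's ExecStart runs as root because it has no User= line. One check a practitioner should make alongside it: any script run via "+" must be owned by root and not writable by the service user, otherwise that user controls what runs as root; and the "+" prefix only exists in newer systemd releases (it is documented from v231 onward), so confirm with systemctl --version before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread): report which Exec*= lines of a unit
# run with root privileges and which run as the unit's User=.
# Assumption: "+" means full privileges (man 5 systemd.service, Table 1);
# "-", "@" and ":" are other prefixes from that table that do not affect privilege.

# Print "<key> <root|user> <command>" for every Exec*= line in unit file $1.
audit_unit_privs() {
    unit=$1
    user=$(sed -n 's/^User=//p' "$unit" | tail -n 1)
    [ -n "$user" ] || user=root      # no User= means the whole unit runs as root
    grep -E '^Exec(Start|StartPre|StartPost|Reload|Stop|StopPost)=' "$unit" |
    while IFS= read -r line; do
        key=${line%%=*}
        cmd=${line#*=}
        # leading prefix characters, if any, before the executable path
        prefix=$(printf '%s\n' "$cmd" | sed 's/^\([-@:+]*\).*/\1/')
        body=${cmd#"$prefix"}
        case $prefix in
            *+*) printf '%s root %s\n' "$key" "$body" ;;
            *)   printf '%s %s %s\n' "$key" "$user" "$body" ;;
        esac
    done
}

# Number of Exec*= lines in unit $1 that will run as root.
count_root_execs() {
    audit_unit_privs "$1" | awk '$2 == "root"' | wc -l | tr -d ' '
}

# Constructed sample unit (placeholder user and paths): main process as an
# unprivileged user, pre/post steps as root via the "+" prefix.
# The root-run scripts must be root-owned and not writable by svcuser.
write_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=User process with root-only pre/post steps (constructed example)

[Service]
Type=simple
User=svcuser
ExecStartPre=+/usr/local/sbin/prepare-as-root.sh
ExecStart=/home/svcuser/userprocess
ExecStartPost=+/usr/local/sbin/finish-as-root.sh
EOF
}

# Write the sample unit to a temp file, audit it, clean up.
demo() {
    tmp=$(mktemp)
    write_sample_unit "$tmp"
    audit_unit_privs "$tmp"
    rm -f "$tmp"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh audit.sh demo` to see the three lines, or call `audit_unit_privs /etc/systemd/system/original.service` against a real unit; ExecStartPre and ExecStartPost are reported as root, ExecStart as svcuser.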