LSB start_daemon question

mntbighker · 09-24-2012, 07:02 PM

I am setting up a license server running CentOS 5.8. One of the factory init scripts calls lsb start_daemon, but they had no idea that start_daemon includes a -u switch to run as non-root. This works, but I find I now have two processes running non-root and two as root. I am trying to determine if I have actually achieved better security here or not. Without the switch I would see 3 processes instead of 4. Obviously the runuser would not be there.

Code:

[root@xxx init.d]# ps auxww | grep rlm
root     10090  0.0  0.0  64016  1368 pts/2    S    15:18   0:00 /bin/bash /etc/redhat-lsb/lsb_start_daemon -u license ./rlm -c tecplotlm.lic -dlog debug.log
root     10096  0.0  0.0  91016  1220 pts/2    S    15:18   0:00 runuser -s /bin/bash license -c ulimit -S -c 0 >/dev/null 2>&1 ; ./rlm -c tecplotlm.lic -dlog debug.log
license  10097  0.0  0.0  63884  1084 ?        Ss   15:18   0:00 bash -c ulimit -S -c 0 >/dev/null 2>&1 ; ./rlm -c tecplotlm.lic -dlog debug.log
license  10098  0.0  0.0  23424  1384 ?        Sl   15:18   0:00 ./rlm -c tecplotlm.lic -dlog debug.log
root     10218  0.0  0.0  61220   740 pts/2    S+   15:28   0:00 grep rlm

trey85stang · 09-25-2012, 01:05 PM

those are all child processes of the first entry in your ps grep command.

you can see that with ps -ef | grep rlm

the service rlm you can see is actually launched as the user you specified. so security wise if that service is not running as root. Which is what you want.

mntbighker · 09-25-2012, 01:49 PM

Code:

[tsadmin@xxx ~]$ ps -ef | grep rlm
root     10090 10088  0 Sep24 ?        00:00:00 /bin/bash /etc/redhat-lsb/lsb_start_daemon -u license ./rlm -c tecplotlm.lic -dlog debug.log
root     10096 10090  0 Sep24 ?        00:00:00 runuser -s /bin/bash license -c ulimit -S -c 0 >/dev/null 2>&1 ; ./rlm -c tecplotlm.lic -dlog debug.log
license  10097 10096  0 Sep24 ?        00:00:00 bash -c ulimit -S -c 0 >/dev/null 2>&1 ; ./rlm -c tecplotlm.lic -dlog debug.log
license  10098 10097  0 Sep24 ?        00:00:00 ./rlm -c tecplotlm.lic -dlog debug.log

So 88 begat 90 (root), and 90 begat 96 (root), and 96 begat 97 (license), and 97 begat 98 (license). 98 is the actual daemon running as the license user. I just wanted some reassurance that we achieved the security we were working for. I was hesitant to believe that many processes are required for init to run one daemon as non-root. I am running 6+ different license daemons.

Thanks

trey85stang · 09-27-2012, 05:08 PM

you got it you're good to go. No need to worry about the long line of pre processes commands it took to get there thats all part of the start_daemon script which is a wrapper... that may wrap itself multiple times depending on how you tell it to call a daemon.