Linux - Newbie
06-14-2017, 10:04 AM #1
LQ Newbie, Registered: Oct 2013, Posts: 3
how to map system user with process/program
If you want a program/process in Linux to access files and folders with limited access you create a system user for this program/process to use:
useradd -r USERNAME
How do you then map the user name with the program/process? For example, how does the Apache web server run and authenticate as its user name "www-data"?
Best regards
06-14-2017, 10:42 AM #2
Member, Registered: May 2017, Location: U.S., Distribution: Un*x, Posts: 237
Not entirely sure if I understand the question, but you can get a "forest view" to see how processes relate to each other using the ps command with the f option (no dash, just f). For example, ps -a f will give you a forest view of processes other people are running... Depending on the system you may need to leave out the dash on the -a option as well; so it may also be like ps a f or ps aux f (view daemons and how they relate to each other).
Last edited by justmy2cents; 06-14-2017 at 02:16 PM.
06-14-2017, 11:54 AM #3
LQ Guru, Registered: Sep 2013, Location: Somewhere in my head., Distribution: Slackware (15 current), Slack15, Ubuntu studio, MX Linux, FreeBSD 13.1, Win10, Posts: 10,342
Quote (Originally Posted by t_granat):
How do you then map the user name with the program/process? For example, how does the Apache web server run and authenticate as its user name "www-data"?
Best regards
notes:
Quote:
Using Unix Groups
Most users will want to be able to modify their content without being root. The easiest way to achieve this is through the use of Unix Groups; you create a group to which you add your content editing user, then you add the httpd user to that group.
Note that this doesn't easily extend to more than one user who needs to edit the files, since at that point you need to set Group write on the files. One would need to use ACLs to achieve this.
For example, we have a user "alice" who needs to edit our content, stored in /var/www/html/
First we create the content group, then we add both alice and apache to it.
# groupadd www-content
# usermod -aG www-content <user-name>
# usermod -aG www-content _apache
Now we need to set the right permissions on our files.
# chown -R alice:web-content /var/www/html
# find /var/www/html -type f -exec chmod 640 {} \;
# find /var/www/html -type d -exec chmod 750 {} \;
What we've done here is to set all files to 640, or rw-r-----, and directories to rwxr-x---. Because the group "web-content" is applied to all the files and directories, httpd can read these files, but cannot write to them.
www-content could be substituted for www-data
Last edited by BW-userx; 06-14-2017 at 11:55 AM.
06-14-2017, 12:22 PM #4
LQ Veteran, Registered: Feb 2013, Location: Tucson, AZ, USA, Distribution: Rocky 9.5, Posts: 5,844
Quote (Originally Posted by t_granat):
If you want a program/process in Linux to access files and folders with limited access you create a system user for this program/process to use:
useradd -r USERNAME
How do you then map the user name with the program/process? For example, how does the Apache web server run and authenticate as its user name "www-data"?
Best regards
This appears to be a similar discussion to this one
The apache web server username is defined in httpd.conf - that user should already exist (it would have been set up by the apache install). You don't need to do anything special for apache to run/authenticate. If I've missed the point of your question, please clarify.
06-14-2017, 12:51 PM #5
Member, Registered: May 2017, Location: U.S., Distribution: Un*x, Posts: 237
Quote (Originally Posted by t_granat):
If you want a program/process in Linux to access files and folders with limited access you create a system user for this program/process to use:
useradd -r USERNAME
How do you then map the user name with the program/process? For example, how does the Apache web server run and authenticate as its user name "www-data"?
Best regards
Sorry, I did misunderstand the question. To map the program/process to another user you make it a setuid program in order to change the effective user ID (euid) to that of the system account you created. The euid is the UID of an account whose privileges attach to a process. So with the setuid bit set, the euid will be changed to that of the system account so that when you run the program it will run with the permissions of the system account instead of the real user ID (ruid). But in order to do that make sure that USERNAME owns the file, because as I said before, the way setuid works is that it changes the euid to that of the file's owner so that when the program runs it runs with the permissions of the file's owner, instead of the ruid (ruid or "real user ID" is the user who starts the program, and the euid is usually the same UID as this, UNLESS changed otherwise by setuid). Then to add a layer of security you can make a group and specify that only users within that group may execute the setuid program. This all sounds complicated but if you read up on setuid, euid, and ruid it'll all start to make sense... Setuid is usually used for normal users to escalate to root temporarily, carrying out tasks as root, then dropping back down to their regular privileges once those tasks complete (like sudo, which is a setuid program). But it doesn't have to be done that way; you can use it anywhere the concept applies. Setuid programs running as root can be a vulnerability, but setuid programs running as a system account that doesn't need root shouldn't be an issue.
Last edited by justmy2cents; 06-15-2017 at 03:42 PM.
06-15-2017, 02:21 AM #6
LQ Newbie (Original Poster), Registered: Oct 2013, Posts: 3
I will try to explain what I mean with another example.
If I myself, for example, create a program/process named TestDeamon and then create a system user with user name TestDeamonUser, how will the Linux system know that TestDeamon belongs to TestDeamonUser, and how will TestDeamon authenticate itself?
06-15-2017, 07:23 AM #7
Senior Member, Registered: Feb 2003, Distribution: debian, Posts: 4,137
In the case of apache, there's a http[d].conf type thing that tells it where it exists. And various other configs for things like minidlna to tell it where its legos are placed. But it entirely depends on the process. Otherwise the user who launches the thing is what the thing runs as, as viewable in the ps output. And whatever that user has access to, it has access to. Barring "extras" which may not be installed or enabled by default.
$ ps -Al
$ ps -aux
1 members found this post helpful.
06-15-2017, 11:01 AM #8
LQ Guru, Registered: Feb 2004, Location: SE Tennessee, USA, Distribution: Gentoo, LFS, Posts: 11,063
Quote (Originally Posted by t_granat):
I will try to explain what I mean with another example.
If I myself, for example, create a program/process named TestDeamon and then create a system user with user name TestDeamonUser, how will the Linux system know that TestDeamon belongs to TestDeamonUser, and how will TestDeamon authenticate itself?
When you launch a process, say with "systemd," you can specify the user that it should run as.
A program/process is not specifically associated with any user at all. The file(s) from which it comes have "owners," as do any and all files, but processes do not ... unless the "setuid" feature is used. (This is normally used only so that non-rootly users can run programs which can do rootly things.)
1 members found this post helpful.
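An added example, not code from any poster in this thread: the mechanism behind the "run as www-data" behaviour asked about above is that a daemon started by root (it needs root to bind port 80) switches itself to the service account with setgid()/setuid() before handling any request, which is what httpd does with the User named in httpd.conf. The program name dropdemo is an assumption; the account passed on the command line must already exist (for example one created with useradd -r as in the first post).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* declares setgroups() in <grp.h> */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Look up a service account by name (e.g. "www-data") in the passwd database.
 * Returns 0 and fills in uid/gid, or -1 if no such account exists. */
int resolve_user(const char *name, uid_t *uid, gid_t *gid) {
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Permanently switch the calling process to uid/gid. Order matters: the
 * supplementary and primary groups must be changed while the process is still
 * root, because after setuid() it may no longer do so. Returns 0 or -1. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* shed root's extra groups */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)  /* as root, this sets real, effective and saved uid */
        return -1;
    /* Verify: every id is now the target and, having left root, we cannot return. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Started by root as e.g. ./dropdemo www-data: the account name is an argument,
 * much as httpd reads it from the User directive in httpd.conf. */
int main(int argc, char **argv) {
    uid_t uid; gid_t gid;
    if (argc != 2 || resolve_user(argv[1], &uid, &gid) != 0) {
        fprintf(stderr, "usage: %s <existing-user-name>\n", argv[0]);
        return 1;
    }
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }
    printf("now running as uid=%u euid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)getgid());
    return 0;
}
```

On a systemd system the same switch can be made without the program doing anything itself, through User= and Group= in the unit's [Service] section; either way, ps -o user,pid,cmd shows the account the process ended up with.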
06-15-2017, 11:26 AM #9
Member, Registered: May 2017, Location: U.S., Distribution: Un*x, Posts: 237
1) chmod u+s TestDaemon (makes it a setuid executable)
2) groupadd Adminz ; usermod -aG Adminz User1 ; dpkg-statoverride --update --add TestDaemonUser Adminz 4750 /path/to/TestDaemon
(creates group "Adminz" and adds User1 to that group, and then modifies permissions of "TestDaemon" so that "TestDaemonUser" owns the file, and so that only users in the "Adminz" group can execute the file; in this case it is set so that only User1 can execute the program, but you can add more users to the Adminz group, which would grant them access as well)
3) usermod -L TestDaemonUser (locks the system account "TestDaemonUser" from being able to log in, for security purposes)
Last edited by justmy2cents; 06-15-2017 at 02:22 PM.
1 members found this post helpful.