Not entirely sure if I understand the question, but you can get a "forest view" to see how processes relate to each other using the ps command with the f option (no tac, just f). For example, ps -a f will give you a forest view of processes other people are running. Depending on the system you may need to leave out the tac on the -a option as well; so it may also be like ps a f or ps aux f (view daemons and how they relate to each other).
Last edited by justmy2cents; 06-14-2017 at 02:16 PM.
Quote:
Originally Posted by t_granat
How do you then map the user name with the program/process? For example how does Apache web server run and authenticate as its user name "www-data"?
Best regards
notes:
Quote:
Using Unix Groups
Most users will want to be able to modify their content without being root.
The easiest way to achieve this is through the use of Unix Groups; you create
a group to which you add your content editing user, then you add the httpd
user to that group.
Note that this doesn't easily extend to more than one user who needs to
edit the files, since at that point you need to set Group write on the files.
One would need to use ACLs to achieve this.
For example, we have a user "alice" who needs to edit our content, stored
in /var/www/html/
First we create the content group, then we add both alice and apache to it.
What we've done here is to set all files to 640, or rw-r----- and directories
to rwxr-x---. Because the group "web-content" is applied to all the files
and directories, httpd can read these files, but cannot write to them.
If you want a program/process in Linux to access files and folders with limited access you create a system user for this program/process to use:
useradd -r USERNAME
How do you then map the user name with the program/process? For example how does Apache web server run and authenticate as its user name "www-data"?
Best regards
This appears to be a similar discussion to this one
The apache web server username is defined in httpd.conf - that user should already exist (it would have been set up by the apache install). You don't need to do anything special for apache to run/authenticate. If I've missed the point of your question, please clarify.
If you want a program/process in Linux to access files and folders with limited access you create a system user for this program/process to use:
useradd -r USERNAME
How do you then map the user name with the program/process? For example how does Apache web server run and authenticate as its user name "www-data"?
Best regards
Sorry I did misunderstand the question. To map the program/process to another user you make it a setuid program in order to change the effective userID (euid) to that of the system account you created. The euid is the UID of an account whose privileges attach to a process. So with the setuid bit set, the euid will be changed to that of the system account so that when you run the program it will run with the permissions of the system account instead of the real userID (ruid). But in order to do that make sure that USERNAME owns the file, because as I said before, the way setuid works is that it changes the euid to that of the file's owner so that when the program runs it runs with the permissions of the file's owner, instead of the ruid (ruid or "real userID" is the user who starts the program, and the euid is usually the same UID as this, UNLESS changed otherwise by setuid). Then to add a layer of security you can make a group and specify that only users within that group may execute the setuid program. This all sounds complicated but if you read up on setuid, euid, and ruid it'll all start to make sense. Setuid is usually used for normal users to escalate to root temporarily, carrying out tasks as root, then dropping back down to its regular privileges once those tasks complete (like sudo, which is a setuid program). But it doesn't have to be done that way, you can use it anywhere the concept applies. Setuid programs running as root can be a vulnerability, but setuid programs running as a system account that doesn't need root shouldn't be an issue.
Last edited by justmy2cents; 06-15-2017 at 03:42 PM.
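An added example (not part of the original post) for checking a setup like the one described above: it lists the setuid files under a directory and reports who may execute each one and whether root owns it. It assumes a stat that supports -c (GNU coreutils or BusyBox); the function name audit_setuid is made up for this example.

```shell
#!/bin/sh
# Added example: audit setuid executables under a directory.
# Prints one line per setuid file:
#   <verdict> <octal mode> <owner>:<group> <path>
# Verdicts:
#   WORLD-EXEC   any local user can run it and get the owner's euid
#   RESTRICTED   only the owner or members of the file's group can run it
#   ,ROOT-OWNED  appended when the file owner (and so the euid) is root

audit_setuid() {
    dir=$1
    # -perm -4000 matches files that have the setuid bit set
    find "$dir" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        # %a = octal mode, %U = owner name, %G = group name
        set -- $(stat -c '%a %U %G' "$f")
        mode=$1 owner=$2 group=$3
        # An odd last octal digit means the "other" execute bit is set
        case $mode in
            *[1357]) verdict=WORLD-EXEC ;;
            *)       verdict=RESTRICTED ;;
        esac
        if [ "$owner" = root ]; then
            verdict="$verdict,ROOT-OWNED"
        fi
        printf '%s %s %s:%s %s\n' "$verdict" "$mode" "$owner" "$group" "$f"
    done
}

# Stand-alone use: sh audit.sh /usr/local/bin
if [ $# -gt 0 ]; then
    audit_setuid "$1"
fi
```

A file set up as the post describes (owned by the system account, executable only by one group, mode 4750) shows up as RESTRICTED; a 4755 file shows up as WORLD-EXEC.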
I will try to explain what I mean with another example.
If I myself, for example, create a program/process named TestDaemon and then create a system user with user name TestDaemonUser, how will the Linux system know that TestDaemon belongs to TestDaemonUser and how will TestDaemon authenticate itself?
In the case of apache, there's a http[d].conf type thing that tells it where it exists. And various other configs for things like minidlna to tell it where its legos are placed. But it entirely depends on the process. Otherwise the user who launches the thing is what the thing runs as, as viewable in the ps output. And whatever that user has access to, it has access to. Barring "extras" which may not be installed or enabled by default.
I will try to explain what I mean with another example.
If I myself, for example, create a program/process named TestDaemon and then create a system user with user name TestDaemonUser, how will the Linux system know that TestDaemon belongs to TestDaemonUser and how will TestDaemon authenticate itself?
When you launch a process, say with "systemd," you can specify the user that it should run as.
A program/process is not specifically associated with any user at all. The file(s) from which it comes have "owners," as do any and all files, but processes do not ... unless the "setuid" feature is used. (This is normally used only so that non-rootly users can run programs which can do rootly things.)
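Launching with systemd and naming the user there, as mentioned above, could look like the following unit file. This is an added example, not something posted in the thread; the unit name, the binary path /usr/local/bin/TestDaemon and the state directory name are assumptions built on the question's hypothetical TestDaemon and TestDaemonUser.

```ini
# /etc/systemd/system/testdaemon.service  (hypothetical unit name)
[Unit]
Description=TestDaemon running as a dedicated system account

[Service]
# Hypothetical binary location; an ordinary root-owned executable,
# no setuid bit involved.
ExecStart=/usr/local/bin/TestDaemon

# systemd itself runs as root and switches the new process to this
# account's UID (and its primary group) before executing ExecStart.
# The account is the one created with: useradd -r TestDaemonUser
User=TestDaemonUser

# The process and its children cannot gain privileges through
# setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes

# Read-only view of the OS, apart from /var/lib/testdaemon, which
# systemd creates and hands over to TestDaemonUser.
ProtectSystem=strict
StateDirectory=testdaemon
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```

Once the service is started, the USER column of `ps aux f` shows TestDaemonUser for the TestDaemon process.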
(creates group "Adminz" and adds User1 to that group, and then modifies permissions of "TestDaemon" so that "TestDaemonUser" owns the file, and so that only users in the "Adminz" group can execute the file; in this case it is set so that only User1 can execute the program, but you can add more users in the Adminz group which would grant them access as well)
3) usermod -L TestDaemonUser (locks the system account "TestDaemonUser" from being able to login, for security purposes)
Last edited by justmy2cents; 06-15-2017 at 02:22 PM.