LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-14-2017, 09:04 AM   #1
t_granat
LQ Newbie
 
Registered: Oct 2013
Posts: 3

Rep: Reputation: Disabled
how to map system user with process/program


If you want a program/process in Linux to access files and folders with limited access you create a system user for this program/process to use:

useradd -r USERNAME

How do you then map the user name with the program/process? For example how does Apache web server run and authenticate as it's user name "www-data"?

Best regards
 
Old 06-14-2017, 09:42 AM   #2
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237
Blog Entries: 2

Rep: Reputation: Disabled
Not entirely sure if I understand the question, but you can get a "forest view" to see how process relate to eachother using the ps command with the f option (no tac, just f).. For example, ps -a f will give you a forest view of processes other people are running... Depending on the system you may need to leave out the tac on the -a option aswell; so it may also be like ps a f or ps aux f (view daemons and how they relate to eachother)..

Last edited by justmy2cents; 06-14-2017 at 01:16 PM.
 
Old 06-14-2017, 10:54 AM   #3
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: FreeBSD/Slackware-14.2+/ArcoLinux
Posts: 9,172

Rep: Reputation: 1951Reputation: 1951Reputation: 1951Reputation: 1951Reputation: 1951Reputation: 1951Reputation: 1951Reputation: 1951Reputation: 1951Reputation: 1951Reputation: 1951
Quote:
Originally Posted by t_granat View Post
How do you then map the user name with the program/process? For example how does Apache web server run and authenticate as it's user name "www-data"?

Best regards
notes:
Quote:
Using Unix Groups

Most users will want to be able to modify their content without being root.
The easiest way to achieve this is through the use of Unix Groups; you create
a group to which you add your content editing user, then you add the httpd
user to that group.

Note that this doesn't easilly extend to more than one user who needs to
edit the files, since at that point you need to set Group write on the files.
One would need to use ACL's to achive this.

For example, we have a user "alice" who needs to edit our content, stored
in /var/www/html/

First we create the content group, then we add both alice and apache to it.

# groupadd www-content
# usermod -aG www-content <user-name>
# usermod -aG www-content _apache

Now we need to set the right permissions on our files.

# chown -R alice:web-content /var/www/html
# find /var/www/html -type f -exec chmod 640 {} \;
# find /var/www/html -type d -exec chmod 750 {} \;

What we've done here is to set all files to 640, or rw-r----- and directories
to rwxr-x---. Because the group "web-content" is applied to all the files
and directories, httpd can read these files, but cannot write to them.
www-content could be substituted for www-data

Last edited by BW-userx; 06-14-2017 at 10:55 AM.
 
Old 06-14-2017, 11:22 AM   #4
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,830

Rep: Reputation: 1294Reputation: 1294Reputation: 1294Reputation: 1294Reputation: 1294Reputation: 1294Reputation: 1294Reputation: 1294Reputation: 1294
Quote:
Originally Posted by t_granat View Post
If you want a program/process in Linux to access files and folders with limited access you create a system user for this program/process to use:

useradd -r USERNAME

How do you then map the user name with the program/process? For example how does Apache web server run and authenticate as it's user name "www-data"?

Best regards
This appears to be a similar discussion to this one
The apache web server username is defined in httpd.conf - that user should already exist (it would have been set up by the apache install). You don't need to do anything special for apache to run/authenticate. If I've missed the point of your question, please clarify.
 
Old 06-14-2017, 11:51 AM   #5
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
Originally Posted by t_granat View Post
If you want a program/process in Linux to access files and folders with limited access you create a system user for this program/process to use:

useradd -r USERNAME

How do you then map the user name with the program/process? For example how does Apache web server run and authenticate as it's user name "www-data"?

Best regards
Sorry I did misunderstand the question, to map the program/process to another user you make it a setuid program in order to change the effective userID (euid) to that of the system account you created.. The euid is the UID of an account whose privileges attach to a process.. So with the setuid bit set, the euid will be changed to that of the system account so that when you run the program it will run with the permissions of the system account instead of the real userID (ruid).. But in order to do that make sure that USERNAME owns the file, because as I said before, the way setuid works is that it changes the euid to that of the file's owner so that when the program runs it runs with the permissions of the file's owner, instead of the ruid (ruid or "real userID" is the user who starts the program, and the euid is usually the same UID as this, UNLESS changed otherwise by setuid).. Then to add a layer of security you can make a group and specify that only users within that group may execute the setuid program.. This all sounds complicated but if you read up on setuid, euid, and ruid it'll all start to make sense... Setuid is usually used for normal users to escalate to root temporally carrying out tasks as root, then dropping back down to it's regular privileges once those tasks complete (like sudo, which is a setuid program).. But it doesn't have to be done that way, you can use it anywhere the concept applies.. Setuid programs running as root can be a vulnerability, but setuid programs running as a system account that doesn't need root, shouldn't be an issue..

Last edited by justmy2cents; 06-15-2017 at 02:42 PM.
 
Old 06-15-2017, 01:21 AM   #6
t_granat
LQ Newbie
 
Registered: Oct 2013
Posts: 3

Original Poster
Rep: Reputation: Disabled
I will try to explain what I mean with another example.

If I my self for example creates a program/process named TestDeameon and then create a system user with user name TestDeamonUser, how will the Linux system now that TestDeamon belongs to TestDeamonUser and how will TestDeamon authenticate itself?
 
Old 06-15-2017, 06:23 AM   #7
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 3,941
Blog Entries: 1

Rep: Reputation: 833Reputation: 833Reputation: 833Reputation: 833Reputation: 833Reputation: 833Reputation: 833
In the case of apache, theres a http[d].conf type thing that tells it where it exists. And various other configs for things like minidlna to tell it where it's legos are placed. But it entirely depends on the process. Otherwise the user who launches the thing is what the thing runs as, as viewable in the ps output. And whatever that user has access to, it has access to. Baring "extras" which may not be installed or enabled by default.

$ ps -Al

$ ps -aux
 
1 members found this post helpful.
Old 06-15-2017, 10:01 AM   #8
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177
Quote:
Originally Posted by t_granat View Post
I will try to explain what I mean with another example.

If I my self for example creates a program/process named TestDeameon and then create a system user with user name TestDeamonUser, how will the Linux system now that TestDeamon belongs to TestDeamonUser and how will TestDeamon authenticate itself?
When you launch a process, say with "systemd," you can specify the user that it should run as.

A program/process is not specifically associated with any user at all. The file(s) from which it comes have "owners," as do any and all files, but processes do not ... unless the "setuid" feature is used. (This is normally used only so that non-rootly users can run programs which can do rootly things.)
 
1 members found this post helpful.
Old 06-15-2017, 10:26 AM   #9
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237
Blog Entries: 2

Rep: Reputation: Disabled
1) chmod u+s TestDaemon (makes it setuid executable)

2) groupadd Adminz ; usermod -aG Adminz User1 ; dpkg-statoverride --update --add TestDaemonUser Adminz 4750 /path/to/TestDaemon

(creates group "Adminz" and adds User1 to that group, and then modifies permissions of "TestDaemon" so that "TestDaemonUser" owns the file, and so that only users in the "Adminz" group can execute the file; in this case it set so that only User1 can execute the program, but you can add more users in the Adminz group which would grant them access aswell)

3) usermod -L TestDaemonUser (locks the system account "TestDeamonUser" from being able to login, for security purposes)

Last edited by justmy2cents; 06-15-2017 at 01:22 PM.
 
1 members found this post helpful.
  


Reply

Tags
process, system, user account


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Alternative to kill system call using c program to test only process. deymrinmoy Linux - Kernel 3 01-16-2013 10:47 PM
user and system time per process eidbadrlt Linux - Newbie 2 11-21-2011 12:20 PM
Intel64 RHEL system max 32 bit process user memory haimy Red Hat 2 06-03-2007 01:26 AM
Start a program for a user as root, with process belonging to user gnashley Programming 4 03-19-2007 01:58 PM
C program to see user log on in system and print user with real user name also naveen245 Programming 2 12-21-2005 12:53 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 04:12 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration