LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 06-19-2011, 05:39 PM   #1
jsmith6
Member
 
Registered: Feb 2006
Distribution: Slackware 13.1 / 13.37
Posts: 91

Rep: Reputation: 16
how can I securely start non-root services?


I run Slackware 13.1 on a small Pentium 4 box that runs a torrent client, game server, and a few more Internet-related scripts.

I see no point in running this stuff with root privileges, so I have this line in rc.local:

Code:
su user -c "/home/user/services/start-all.sh"
How secure is that command, su user -c? And what would be the right way to go with it?
 
Old 06-19-2011, 08:20 PM   #2
psionl0
Member
 
Registered: Jan 2011
Distribution: slackware_64 14.1
Posts: 722
Blog Entries: 2

Rep: Reputation: 124
It depends on what "start-all.sh" starts as to whether root privileges are needed. You can "chmod" start-all.sh itself so that you don't need root privileges to use it.

If any programs in start-all.sh need root privileges to run then I would have thought that "sudo" would be the better way to go. You can set up the sudoers file (run "visudo") so that only those commands in start-all.sh can be run by user.
 
Old 06-20-2011, 10:03 AM   #3
jsmith6
Member
 
Registered: Feb 2006
Distribution: Slackware 13.1 / 13.37
Posts: 91

Original Poster
Rep: Reputation: 16
Quote:
It depends on what "start-all.sh" starts as to whether root privileges are needed.
None of the programs inside start-all.sh need root privileges.

Quote:
You can "chmod" start-all.sh itself so that you don't need root privileges to use it.
It's already executable, see how I am starting the script from rc.local. If it wasn't, I would need to sh /path/to/start-all.sh. But even if it wasn't, how would a chmod change the fact that a program needs root privileges to run? You have me confused here.

Perhaps the mention of start-all.sh complicated things. Imagine that I only have one service that I want to run as non-root, so I use this line in rc.local:

Code:
su user -c "transmission-daemon"
Is this the prudent and right way to start a non-root process on boot?
 
Old 06-20-2011, 01:55 PM   #4
qweasd
Member
 
Registered: May 2010
Posts: 621

Rep: Reputation: Disabled

I don't see anything wrong with what you are doing. That's the way I would do it:
Code:
su -l -c "/home/user/services/start-all.sh" user
which is the same, except that -l emulates a direct login. In Slackware 13.37,
I would also check /etc/group to make sure that user doesn't get extra permissions.
As an interactive user, I am in floppy, audio, video, cdrom, plugdev, power, and
netdev. A transmission-daemon would not need any of them, I believe. I am not even sure
I need them.
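
The /etc/group check suggested in the post above, as an added example that is not part of the original thread: a POSIX shell audit that reports whether a service account sits in any of the interactive groups the post lists. The function names, the `torrent` account and the sample group file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Groups the post lists for an interactive Slackware user; a daemon
# account started from rc.local should normally be in none of them.
INTERACTIVE_GROUPS="floppy audio video cdrom plugdev power netdev"

# Print every group in a group(5)-format file that lists account $1 as a
# member. Only the member list (4th field) is read; the primary group
# comes from /etc/passwd and is not covered here.
groups_of() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }' "$2"
}

# Print the interactive groups the account belongs to, one per line.
extra_groups() {
    for g in $(groups_of "$1" "$2"); do
        case " $INTERACTIVE_GROUPS " in
            *" $g "*) echo "$g" ;;
        esac
    done
}

# Return 0 if the account is clean, 1 (with a report on stderr) if not.
check_service_user() {
    extra=$(extra_groups "$1" "$2" | tr '\n' ' ')
    [ -z "$extra" ] && return 0
    echo "$1 is in interactive groups: $extra" >&2
    return 1
}

# Constructed sample in /etc/group format (hypothetical accounts).
SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP"' EXIT
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:root
users:x:100:
audio:x:17:root,alice,user
video:x:18:alice
plugdev:x:83:alice,user
svc:x:1001:torrent
EOF

check_service_user torrent "$SAMPLE_GROUP" && echo "torrent: ok"
check_service_user user "$SAMPLE_GROUP" || echo "user: trim groups first"
```

On a real system, pass /etc/group as the second argument and the account named in the rc.local `su` line as the first.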
 
Old 06-20-2011, 04:58 PM   #5
mRgOBLIN
Slackware Contributor
 
Registered: Jun 2002
Location: New Zealand
Distribution: Slackware
Posts: 999

Rep: Reputation: 231
Quote:
Originally Posted by psionl0
It depends on what "start-all.sh" starts as to whether root privileges are needed. You can "chmod" start-all.sh itself so that you don't need root privileges to use it.
If you're talking about setting it suid then that wouldn't work on a shell script.

Quote:
Originally Posted by psionl0
If any programs in start-all.sh need root privileges to run then I would have thought that "sudo" would be the better way to go. You can set up the sudoers file (run "visudo") so that only those commands in start-all.sh can be run by user.
That's just the point... the OP is wanting to run programs as a non-root user without any root (or any extra) privs.

Quote:
Originally Posted by jsmith6
Is this the prudent and right way to start a non-root process on boot?
Yes, although in addition to what qweasd said...

I'm not sure "-l" will work in all cases, but if you make sure that your user has only the permissions needed, you can use:

Code:
su - user -c "/home/user/services/start-all.sh"
 
Old 06-20-2011, 05:22 PM   #6
piratesmack
Member
 
Registered: Feb 2009
Distribution: Slackware, Arch
Posts: 519

Rep: Reputation: 142
Quote:
Originally Posted by mRgOBLIN
I'm not sure "-l" will work in all cases, but if you make sure that your user has only the permissions needed, you can use:

Code:
su - user -c "/home/user/services/start-all.sh"
I didn't test if that command works or not, but the su man page says that if '-' is used it must be the last option.
Code:
su user -c "/home/user/services/start-all.sh" -
Quote:
$ man su
...
When - is used, it must be specified as the last su option. The other forms (-l and --login) do not have this restriction.
edit:
Hmm... it seems to work even when it's not the last option

Last edited by piratesmack; 06-20-2011 at 05:30 PM.
 
Old 06-22-2011, 06:23 AM   #7
jsmith6
Member
 
Registered: Feb 2006
Distribution: Slackware 13.1 / 13.37
Posts: 91

Original Poster
Rep: Reputation: 16
Is it more secure using the -l option?
 
Old 06-22-2011, 07:02 AM   #8
mRgOBLIN
Slackware Contributor
 
Registered: Jun 2002
Location: New Zealand
Distribution: Slackware
Posts: 999

Rep: Reputation: 231
Quote:
Originally Posted by jsmith6
Is it more secure using the -l option?
It's the same thing.

Just that -l may or may not work on some machines.... depends on su version and compile time options.
 
Old 06-22-2011, 10:11 AM   #9
jsmith6
Member
 
Registered: Feb 2006
Distribution: Slackware 13.1 / 13.37
Posts: 91

Original Poster
Rep: Reputation: 16
Excellent!

Thanks guys!
 
  

