2

I have a daemon sitting in my root directory that currently is being run as root. However, since this program can read the file system, this is clearly a security problem. How can I run it as nobody so that I can resolve this problem?

Doing "su - nobody -c /root/myscript" doesn't work, returning a permission denied error. The only ways I can seem to get around this are:

  1. Chmod -R 777 /root, which I don't want to do on my root dir and also messes up ssh.
  2. Move the script to /opt or /var and then do (1)

Of course, there may be an easy solution that I'm missing. I can chown it to nobody but that doesn't fix the problem either. Any ideas?

Chris Bunch
  • 979
  • 3
  • 14
  • 17

2 Answers2

5

You don't want to do (1) -- Leave root's home directory alone. (2) is your best option - Create a new directory owned by the user the daemon will run as & have it do any disk I/O it needs to do in that directory.

Semi-related, please don't run things as "nobody" -- there's an old joke that nobody is usually the most privileged user on a *NIX system because all the daemons run as "nobody".

If you're really concerned about security you don't want to fall into that trap. It's worth taking the extra minute to create a dedicated user for your daemons with appropriate restrictions :-)

voretaq7
  • 79,345
  • 17
  • 128
  • 213
  • +1 creating for creating a task-specific service account. – Zoredache Feb 07 '10 at 03:24
  • Hi voretaq7 and @Zoredache, can you provide a link or explain on the proper way of create a dedicated user for the daemon with appropriate restrictions? Thank you. – Haozhun Mar 09 '12 at 16:28
  • @Gene "The same way you would create any user account on your system" is the best answer I can give you - Refer to the documentation for your system (or ask a question on [unix.stackexchange.com](http://unix.stackexchange.com), remembering to specify your OS) – voretaq7 Mar 09 '12 at 16:48
1

Well - the script currently resides in /root. Assuming that your target user is not root, then of course you'll get a permissions error when that user tries to read/execute the script.

What is your opposition to moving the script to a different directory? If you do that, then set the file ownership/mode correctly, you should have no issues.

EEAA
  • 108,414
  • 18
  • 172
  • 242
  • I don't have any serious opposition to it, but I just was wondering if there was an easy way to leave it in /root (that is, I originally thought I could just give the file to 'nobody' and call it a day). – Chris Bunch Feb 07 '10 at 02:54