12

I'm running svnserve on a Fedora 17 machine with the following systemd service file:

```
[Unit]
Description=Subversion Server
After=syslog.target network.target

[Service]
User=svn
Type=forking
Environment=HOME=/repos/svn
ExecStart=/usr/bin/svnserve --daemon --pid-file=/run/svnserve/svnserve.pid -r /repos/svn
PIDFile=/run/svnserve/svnserve.pid

[Install]
WantedBy=multi-user.target
```

This works fine as long as /var/run/svnserve is owned by svn:svn, but breaks on reboot when that ownership is reset to root:root. What I want is to add a pre-launch step that chowns the directory.

Unfortunately I can't find any real documentation on systemd unit files, but I saw that some were using 'ExecStartPre', so I tried this:

```
ExecStartPre=/bin/chown svn:svn /run/svnserve
```

Sadly this fails with an 'operation not permitted' error, so it looks like ExecStartPre also runs as the user specified in the unit file.

I also tried having the unit file run as root, then starting svnserve as the svn user via su, but that produced a vague error about the command-line being invalid.

How can systemd units perform actions as root prior to executing as a specific user?

DNS
  • You report this as a bug. The permissions should already be correct on the `/run` directory and the pid file, but lots of these broke with the switch to systemd and the `/usr` move. – Michael Hampton Feb 25 '13 at 21:14
  • @MichaelHampton I don't believe this is how it came out of the box. IIRC (this was set up a while back) svnserve doesn't come with a service wrapper, so this was something that we wrote ourselves. – DNS Feb 25 '13 at 21:24
  • 1
    Subversion on Fedora certainly _does_ come with this. It looks fairly similar to yours, though I would recommend you use the original. `yum reinstall subversion` – Michael Hampton Feb 25 '13 at 21:28
  • If you gave your su command line we may be able to solve that problem. – Hauke Laging Feb 26 '13 at 03:48
  • 1
    `PermissionsStartOnly=false` will cause all `ExecStartPre` and `ExecStartPost` commands to ignore `User` and run as root. – Charles Duffy Apr 04 '17 at 15:04
  • @CharlesDuffy I suppose you mean `PermissionsStartOnly=true`? – neverhoodboy Jun 10 '18 at 15:26
  • Err, right. Oops. – Charles Duffy Jun 10 '18 at 19:11
  • 1
    I would disagree with the reason this question was closed. Although it's about a specific systemd service, running a command as root before starting a systemd service is a common task (and I've found myself doing this more than once), @MichaelHampton. – starbeamrainbowlabs Aug 03 '19 at 13:05
  • @starbeamrainbowlabs Hi, comments are not a good place for discussing these issues. You can visit [meta] and make a complete post for the community to see and discuss. – Michael Hampton Aug 03 '19 at 17:34
  • @MichaelHampton Ah, I see. Not sure I'm confident about posting on a meta site though - I'm scared of doing it wrong :-/ – starbeamrainbowlabs Aug 04 '19 at 12:30
  • @starbeamrainbowlabs But you've already done it "wrong"! Posting on meta is the way to do it right. – Michael Hampton Aug 04 '19 at 16:32
  • @MichaelHampton I've heard and seen many posts being flamed and downvoted on meta stack exchanges - even when the user clearly has good intentions. – starbeamrainbowlabs Jan 11 '20 at 16:02
  • "This question is unlikely to help any future visitors", except this is my exact question. Shouldn't obscure questions get answers too? – jbo5112 Nov 09 '20 at 17:46
  • The reason for closure is plain wrong. Wanting to run an extra command as root is not an "extraordinarily narrow situation." I got here because this question was the top Google result for "execstop run as root." There is a simple answer in @CharlesDuffy's comment to @HaukeLaging's answer (add a `+`), but it can't be added as an answer in its own right, because the question is closed. – sjy Sep 17 '22 at 04:11

2 Answers

9

The subversion package in Fedora is using systemd's tmpfiles mechanism to create /run/svnserve at boot with root ownership (since the packaged .service file apparently runs the daemon as root). You could copy /usr/lib/tmpfiles.d/svnserve.conf to /etc/tmpfiles.d/svnserve.conf and change the owner. See man tmpfiles.d for details.

Chris Williams
0

You could make ExecStartPre a sudo call to a script and configure the user svn for this script.

Hauke Laging
  • Can't use sudo; there is no TTY when running systemd units. – DNS Feb 26 '13 at 12:32
  • Why should sudo need a tty if no password is needed? – Hauke Laging Feb 26 '13 at 15:26
  • I don't know exactly, but I had tried that idea, and the system logged an error stating that sudo requires a TTY. – DNS Feb 26 '13 at 17:12
  • @DNS screen may be a solution in such cases. – Hauke Laging Feb 26 '13 at 20:23
  • Whether sudo enforces a TTY is configurable in `/etc/sudoers`. Hackery such as `screen` is utterly inappropriate. – Charles Duffy Apr 04 '17 at 15:00
  • 5
    Moreover, setting `PermissionsStartOnly=false` will in and of itself tell systemd to run `ExecStartPre` and `ExecStartPost` processes as root. – Charles Duffy Apr 04 '17 at 15:03
  • @CharlesDuffy Thanks for pointing out that setting! But I read it the other way around, I run ExecStart as a specified User in the service file but want to run ExecStartPre as root so I should set this to true. "If true ... only applied to the process started with ExecStart=, and not to the various other ExecStartPre=, ExecStartPost=, ExecReload=, ExecStop=, and ExecStopPost= commands. If false, the setting is applied to all configured commands the same way. Defaults to false." https://www.freedesktop.org/software/systemd/man/systemd.service.html#PermissionsStartOnly= – Davos Dec 18 '17 at 00:50
  • 9
    @Davos, in that case, just use a preceding `+` for the `ExecStartPre`; `ExecStartPre=+/path/to/thing-to-run-as-root`; that way you're applying a change only to that one specific command, not making global modifications at all. – Charles Duffy Dec 18 '17 at 16:08
  • @CharlesDuffy It's working without needing to do that. In the service file I have daemonuser as the user, which runs the ExecStart, and PermissionsStartOnly=true means that the ExecStartPre which creates a dir and chmods it runs successfully. I know it's working because daemonuser has no permissions on the mnt where the dir is created so it must be running as root, or have I missed something? – Davos Dec 19 '17 at 00:11
  • 2
    *nod* -- the disadvantage of doing it that way is that any other Pre/Post commands added by dropins, generators, etc. are also impacted by the PermissionsStartOnly; whereas a `+`-prefix is guaranteed localized. – Charles Duffy Dec 19 '17 at 00:12
  • 2
    @CharlesDuffy your comment is really an answer. Thanks for sharing! – Greg0ry Apr 18 '20 at 19:01
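
The difference raised in the comments above, between `PermissionsStartOnly=true` and a `+` prefix on one command, can be checked mechanically against a unit file. The following is an added example, not code from any of the posts: it models only `User=`, `PermissionsStartOnly=` and the `+` prefix as described on this page, and the `notify-started` path is a hypothetical stand-in for a command contributed by a drop-in.

```python
# Added example: models only User=, PermissionsStartOnly= and the "+" prefix.
EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost",
             "ExecReload", "ExecStop", "ExecStopPost")

def effective_users(unit_text):
    """Return [(key, command, user)] for each Exec* line in [Service]."""
    section, user, start_only, commands = None, "root", False, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "User":
            user = value or "root"
        elif key == "PermissionsStartOnly":
            start_only = value.lower() in ("1", "yes", "true", "on")
        elif key in EXEC_KEYS and value:
            commands.append((key, value))
        elif key in EXEC_KEYS:  # empty assignment resets that list
            commands = [c for c in commands if c[0] != key]
    result = []
    for key, value in commands:
        # "-", "@" and ":" alter other behaviour; "+" means full privileges.
        command = value.lstrip("-@:+")
        prefix = value[:len(value) - len(command)]
        as_root = "+" in prefix or (start_only and key != "ExecStart")
        result.append((key, command, "root" if as_root else user))
    return result

def root_commands(unit_text):
    return [key for key, _, who in effective_users(unit_text) if who == "root"]

# Constructed inputs based on the question's unit (DROPIN path is hypothetical).
BASE = """[Service]
User=svn
ExecStart=/usr/bin/svnserve --daemon --pid-file=/run/svnserve/svnserve.pid -r /repos/svn
"""
CHOWN = "/bin/chown svn:svn /run/svnserve\n"
DROPIN = "ExecStartPost=/usr/local/bin/notify-started\n"
WITH_PLUS = BASE + "ExecStartPre=+" + CHOWN + DROPIN
WITH_START_ONLY = BASE + "PermissionsStartOnly=true\nExecStartPre=" + CHOWN + DROPIN

if __name__ == "__main__":
    print(root_commands(WITH_PLUS), root_commands(WITH_START_ONLY))
```

With the `+` prefix only the `chown` step is reported as root; with `PermissionsStartOnly=true` the drop-in's `ExecStartPost` is reported as root too.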