
In our product, we created services using daemontools. One of my services looks like this:

/service/test/run
/service/test/log/run (has multilog command to log into ./main dir)
/service/test/log/main/..

All the processes and their directories are owned by the root user. Now there is a security requirement to change this as follows:

1. The service should run as a non-root user.
2. The log main directory should be readable only by the user and group.

For this, I have to change the 'run' file under the 'log' directory. I also need to change the permissions of the 'main' directory under it.

Note that all these files under '/service' are owned by test-1.0-0.rpm. When I update my rpm, it overwrites the existing run file and I get an error like this:

multilog: fatal: unable to lock directory ./main: access denied

I know we shouldn't overwrite the 'run' file at run time. I have planned to follow these steps in my rpm script's %post section:

# Stop the logger
svc -d /service/test/log

# Move the main directory aside
mv /service/test/log/main /service/test/log/main_old

# The updated run file has code to create main with limited permissions.

# Start the logger
svc -u /service/test/log

In some articles, they suggested recreating the 'lock' file under 'log/main'. Is there any other, cleaner way of doing this without moving the 'main' directory? If not, is it safe to go with the above steps?

Prabu

1 Answer

1. The service should run as a non-root user.

Easy enough. You would copy your service definition to a service directory in the home of the "user". For example, let's say you create a user; we'll call it niftyuser. Let's also say your service is called niftyservice. So, you would copy your service definition to a directory controlled by that user; for the sake of discussion (and not necessarily because you want to do this) let's say you'll use niftyuser's home directory. So,

cp -Rav /etc/service/niftyservice /home/niftyuser/service/niftyservice

will create the service definition. Then you would have to start a service scan on that user's directory, but launched with the user's credentials. If you wrote it as a script, it would look something like:

#!/bin/sh
exec setuidgid niftyuser svscan /home/niftyuser/service

The result will be a service tree that is controlled by that user. Note that by making this a script, you can then wedge the sub-tree of your user-controlled process into the main process tree; you can see the runit example for what this looks like, as runit was inspired by daemontools.

2. The log main directory should be readable only by the user and group.

Frankly, I simply make /service/(service-name)/log/main a symlink to an actual directory, i.e. /service/niftyservice/log/main points to /var/log/niftyservice. In the run script for the log directory, have it point to ./main as the target; this means you can set up the definition once and move the logging around as needed by simply changing the symlink. And finally, to address question (2), you would set the user and group permissions for /var/log/niftyservice as needed, and set the mode to 775. This would allow anyone to read the files, but only the user or group to write to them.

Avery Payne