Re: Getting a daemon off uid root
On Fri, 21 Feb 2003 19:21, Thomas Viehmann wrote:
> I'd like to get some advice as to what the best solution for running a
> daemon as not as root might be.
> I need the following three on startup which seem to keep me from not
> starting out as root:
> - open devices (in my case tty?, ttyUSB?)
> - open syslog (and/or logfile)
/dev/log doesn't need any particular privs unless running SE Linux (and SE
policy for the daemon that allows /dev/log access is trivial to write).
For log files you can have the system create a directory for the application's
logs that is owned by the application UID.
> - write pidfile
> In particular, I don't know how to write my pidfile under /var/run without
> being root.
Have a directory /var/run/chipcard which is owned by the chipcard UID.
> If there isn't any way, is there documentation/good example on how to shed
> the root privilege after starting? Is a simple setresuid/gid to
> nobody/nogroup enough?
No! You have to get your own UID. Having all daemons running as "nobody"
would be almost as bad as having them all running as root.
If you need to bind to a low port then the options are:
1) Bind as root then setuid() to another UID.
3) Run as root.
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page