
Re: implicit linkage (was: Re: Effectively criticizing decisions you disagree with in Debian)



On Sun, 12 Oct 2014 19:06:11 +0900
Joel Rees <joel.rees@gmail.com> wrote:

> Hmm. Let's comment that for people newer to scripting than I am.
> 
> On Sun, Oct 12, 2014 at 6:28 AM, Steve Litt
> <slitt@troubleshooters.com> wrote:

> > ####### RUN THE DAEMON #######
> > exec envuidgid slitt envdir ./env setuidgid slitt \
> > /d/at/python/littcron/littcron.py \
> > /d/at/python/littcron/crontab
> 
> man exec for clues to that, understand that littcron.py is Steve's
> special cron (right, Steve?), and that he is setting up a special
> environment for things and there's other stuff there that I can only
> guess at, not having the code to littcron, I think. So I'll punt here.

Exec takes the current process, which in this case is the daemontools
run script, and swaps exec's argument for the current process. So, if
the current process is a shellscript PID 4321, after "exec gnumeric",
PID 4321 is now Gnumeric, not a shellscript.

envdir, envuidgid and setuidgid are executables provided by daemontools.

Let's talk about envdir. Although in daemontools you can export
environment variables to sub programs, just like in any other
shellscript, idiomatic daemontools usage specifies that instead of
exporting within a shellscript, you have an "environment directory" in
which each desired environment variable is associated with a file of
the same name as the environment variable name, and the contents of the
file is the value of the environment variable. So:

envdir ./env

The preceding means look in ./env, and all filenames are environment
variable names, and the contents of each is the value of the respective
filename.

setuidgid and envuidgid are daemontools-provided executables to
accommodate running as an arbitrary user instead of root. Consider the
command:

setuidgid slitt

The preceding runs the entire command defined by its arguments as user
slitt instead of user root. In other words:

setuidgid gnumuser gnumeric test.gnumeric

The preceding runs gnumeric as user gnumuser. One gotcha: It runs it as
user slitt with user slitt's major group, but it doesn't run it with
auxiliary groups, for slitt, defined in /etc/group. So if the command
depends on membership in those auxiliary groups, you have to do some
fancy footwork.

Here's another challenge: Now that you're running as a non-privileged
user, you can't read the ./env directory. This is where envuidgid comes
in:

envuidgid slitt

The preceding tells daemontools that user slitt can read the
environment directory. And the way the envuidgid command works, after
making this notation it simply passes control to the command defined in
its arguments, which include envdir (which finally defines the
environment directory) and setuidgid, and last but not least, the
actual program you're daemonizing.

And speaking of the devil, 

/d/at/python/littcron/littcron.py /d/at/python/littcron/crontab

The preceding is the cron substitute I wrote, whose one argument is the
crontab file you're using. If I wanted, I could manually run it in
the foreground and it would function just fine. But I wanted it
automatic, and managed as a daemon.

So daemontools runs it as user slitt, and puts its environment
variables in the /service/littcrond/env directory. Environment vars
are important here, because my cron program is called upon by its
constituents to run GUI programs, so its $DISPLAY and $XAUTHORITY vars
must be set right.

SteveT

Steve Litt                *  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance
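
The environment-directory and exec behaviour described in the message above, as an added example that is not part of the original post and is not daemontools code. The function names load_envdir, run_with_envdir and exec_keeps_pid, the variable STALE_SETTING and all sample values are hypothetical; skipping file names that are not valid identifiers is a simplification of this sketch.

```sh
#!/bin/sh
# Added illustration (not daemontools code): the envdir and exec behaviour
# described above, emulated in POSIX sh so it runs without daemontools.

# load_envdir DIR: export one variable per regular file in DIR.
# Name = file name; value = first line with trailing spaces/tabs removed.
# A zero-length file unsets the variable, as the real envdir does.
load_envdir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in       # skip names that are not valid identifiers
            [0-9]*|*[!A-Za-z0-9_]*) continue ;;
        esac
        if [ -s "$f" ]; then
            IFS= read -r value < "$f" || :   # tolerate a missing final newline
            value=$(printf '%s' "$value" | sed 's/[[:blank:]]*$//')
            export "$name=$value"
        else
            unset "$name"
        fi
    done
}

# run_with_envdir DIR CMD...: hypothetical stand-in for "envdir DIR CMD...".
# The subshell keeps the caller's environment untouched; exec then replaces
# that subshell with CMD, so no extra shell process lingers.
run_with_envdir() (
    dir=$1; shift
    load_envdir "$dir"
    exec "$@"
)

# exec_keeps_pid: succeeds if a shell's PID is unchanged across exec.
exec_keeps_pid() {
    out=$(sh -c 'echo "$$"; exec sh -c "echo \$\$"')
    before=$(printf '%s\n' "$out" | sed -n 1p)
    after=$(printf '%s\n' "$out" | sed -n 2p)
    [ -n "$before" ] && [ "$before" = "$after" ]
}

# Constructed sample environment directory (values are made up).
demo_dir=$(mktemp -d)
printf ':0  \n' > "$demo_dir/DISPLAY"
printf '/home/example/.Xauthority\nignored second line\n' > "$demo_dir/XAUTHORITY"
: > "$demo_dir/STALE_SETTING"  # empty file: variable is removed for the child
run_with_envdir "$demo_dir" sh -c 'echo "DISPLAY=[$DISPLAY] XAUTHORITY=[$XAUTHORITY]"'
exec_keeps_pid && echo "PID unchanged across exec"
rm -rf "$demo_dir"
```

Because each value lives in its own file, the directory's ownership and mode decide who can read or change what the daemon starts with, so they are worth checking along with the run script itself.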

