3

I'm looking for a framework/library/environment so an ordinary user can set up it's own server processes. These processes should run under his uid as any other user process.

However the definition of which processes should be started, with arguments they get etc should be specified by an ordinary user without extra privileges. It's important to me that this happens without the necessity for the user to actually log in. Ideally it should work with SYSV init but a systemd-based thing is ok as well.

Examples/use cases:

  • nginx uwsgi/fast cgi processes
  • mongodb instances
  • different builders for continuous integration server

All of these have in common, that I might want to start multiple instances of the same binary (with different parameters) and that these parameters might need regular changes. However users should be able to tweak all of that without requiring root privileges.

Any suggestions/pointers how this can be implemented in Linux?

EDIT: The minimal requirement is just to start the user processes but obviously there will be the need for more advanced control mechanisms. For example there should be an easy way to query if the service is running, stopping the instance, restarting it, reloading it, ...

Felix Schwarz
  • 212

3 Answers3

4

cron provides for this with the @reboot prefix (Vixie, and perhaps other flavors, check man 5 crontab). The user would use crontab to create/edit their own crontab file, and specify

@reboot /some/path/command -flags --moreflags

Which will run that command on startup, as that user.

DerfK
  • 19,826
3

This would be about 10 lines of shell script, why do you need a framework/library/environment?

As a quick example, using sysV init....

#!/bin/bash

. /etc/rc.d/init.d/functions

. /etc/sysconfig/network

DAEMON_USERS=`cat /etc/daemon_users`

CMD="$1"

for DUSER in $DAEMON_USERS ; do
   DSCRIPTS=`ls /home/${DUSER}/init/`
   for DFILE in DSCRIPTS ; do
      if [ -x "/home/${DUSER}/init/${DFILE}" -a ! -d "/home/${DUSER}/init/${DFILE}" ]
      then
         su -c $DUSER /home/${DUSER}/init/${DFILE} $CMD
      fi
   done
done

If you really want to allow them to run stuff as root, then remove the 'su -c $DUSER' and add them to the sudoers so they can restart / add stuff without a reboot.

symcbean
  • 23,767
  • 2
  • 38
  • 58
2

So... just start the application as the user you want to run it as and don't try to access anything that would require root (like privileged ports, files that can only be read by root, etc.)?

If you want to automatically start these daemons and control them via the SysV init process you're going to need to create an init script for each one that specifies the parameters (or reads them from a file that the unprivileged user has write access to) and launches the daemon using su -c or similar, but BEWARE: Doing this has SERIOUS security implications (a carefully-crafted "parameters" file can let the user execute arbitrary code as the user running your init sequence, which is usually root).
DerfK mentioned the cron @reboot option, which may be a better choice (less of a security risk), but your admins need to be aware that these programs are going to be started by cron...

voretaq7
  • 80,749