What's the canonical way to have an upstart job change its userid and run the script as an unprivileged user?

Obviously one can use su or sudo, but this seems hacky (and can generate needless log lines).

+1  A: 

Use setuidgid from the package daemontools.

Documentation here: http://cr.yp.to/daemontools/setuidgid.html

aaronsw
daemontools isn't a prerequisite of upstart, so this doesn't seem like the 'canonical' answer
Adam Nelson
Further, daemontools is in universe (Ubuntu 10.04), and upstart is in main.
jtimberman
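For readers who want to see what a setuidgid-style wrapper has to do before it execs the job, here is an added example (not part of the answer above and not daemontools' own source). The function name `drop_to_user` and the exit codes are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE                 /* exposes setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently switch the process to `user`.
 * Returns 0 on success, -1 on any failure (caller must not continue). */
int drop_to_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;                      /* unknown account: refuse to run */

    /* Order matters: change groups while we still have root to do it. */
    if (setgroups(1, &pw->pw_gid) != 0) /* discard root's supplementary groups */
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)        /* as root: sets real, effective, saved uid */
        return -1;

    /* Verify the drop cannot be undone: regaining uid 0 must now fail. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s user program [args...]\n", argv[0]);
        return 100;
    }
    if (drop_to_user(argv[1]) != 0) {
        fprintf(stderr, "cannot drop privileges to %s\n", argv[1]);
        return 111;
    }
    execvp(argv[2], &argv[2]);          /* only returns on error */
    perror("execvp");
    return 111;
}
```

Built as a hypothetical `dropexec` binary, an upstart job would invoke it as `exec dropexec someuser /path/to/script`, and a failed drop stops the job instead of running the script as root.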
A: 

There is a third possibility depending on what you are trying to accomplish. You may be able to loosen the access controls on the files/devices in question. This can allow an unprivileged user to mount or access items that they normally wouldn't. Just be sure you aren't giving away the keys to the kingdom in the process.

You can also change the timeout of the sudo password cache. But I don't recommend it unless your machine is physically secure. (i.e. You believe that it's unlikely that a passer-by would attempt to gain sudo access.)

There's a good reason that there are very few ways to perform privileged actions and that they perform -n-e-e-d-l-e-s-s- necessary logging. Loose restrictions would be a security hazard for your system and a lack of logging would mean there's no way to know what happened when you've been compromised.

If the size of your log files is a concern then something is probably wrong. Sudo only generates one line per use under normal conditions.

Chris Nava