Running upstart jobs as unprivileged users

Question

What's the canonical way to have an upstart job change its userid and run the script as an unprivileged user?

Obviously one can use su or sudo, but this seems hacky (and can generate needless log lines).

score 110 · Answer 1 · answered Sep 09 '12 at 11:26

110

With upstart v1.4, setuid and setgid are supported natively in config file.

answered Sep 09 '12 at 11:26

qsun

1,201

score 88 · Answer 2 · edited Jul 02 '11 at 05:21

88

Asking on the #upstart channel on freenode, the official take on the matter is:

A future release of Upstart will have native support for that, but for now, you can use something like:
exec su -s /bin/sh -c 'exec "$0" "$@"' username -- /path/to/command [parameters...]

edited Jul 02 '11 at 05:21

Gareth

19,080

answered Jan 18 '11 at 01:41

Roman Gaufman

981
6
3

score 17 · Answer 3 · edited Nov 03 '12 at 15:58

How about using start-stop-daemon?

exec start-stop-daemon --start --chuid daemonuser --exec /bin/server_cmd

From Upstart cookbook:

The recommended method for Debian and Ubuntu systems is to use the helper utility start-stop-daemon. […] start-stop-daemon does not impose PAM ("Pluggable Authentication Module") limits to the process it starts.

Note: start-stop-daemon not supported in RHEL.

score 13 · Answer 4 · edited Oct 23 '17 at 15:53

There are several ways to do it, all with slightly different semantics, particularly relating to group membership:

setuidgid will put you in the group you specify.
- The original daemontools' setuidgid will put you only in that group, so you won't be able to access files belonging to other groups you're a member of.
- The setuidgid from daemontools-encore and the setuidgid from the nosh toolset both have an -s (a.k.a. --supplementary) option which will put you in that group, and also put you in all of the supplementary groups for the user that you specify.
Using newgrp once you've become the less privileged user will add a single group to your groupset, but also creates a new subshell, making it tricky to use inside scripts.
start-stop-daemon preserves your group membership, and does a whole lot more than just setuid/setgid.
chpst -u username:group1:group2:group3... commandname will let you specify exactly what group memberships to adopt, but (in Ubuntu) it only comes with the runit package, which is an alternative to upstart.
su -c commandname username picks up all of username's group memberships, as does sudo -u username commandname, so they're probably the route to least astonishment.

score 8 · Answer 5 · answered Mar 11 '09 at 15:50

8

Use setuidgid from the package daemontools.

Documentation here: http://cr.yp.to/daemontools/setuidgid.html

answered Mar 11 '09 at 15:50

aaronsw

1,647

score 4 · Answer 6 · edited Jan 10 '12 at 05:30

On an Ubuntu 10.10 instance on Amazon EC2, I had better luck with the start-stop-daemon command.

I also struggled with some of the other upstart stanzas. I am calling a python application with a specific virtualenv and some parameters to my executed program.

The following is what worked for me.

script
  export PYTHONPATH=.:/home/ubuntu/.local/lib/python2.7/site-packages/:/home/ubuntu/python/lib/python2.7/site-packages/
  exec start-stop-daemon --start  --chuid ubuntu --exec /home/ubuntu/python_envs/MyProj/bin/python /home/ubuntu/www/MyProj/MyProj.py -- --config-file-dir=/home/ubuntu/www/MyProj/config/ >> /home/ubuntu/startup.log 2>&1 &
end script

The PYTHONPATH is to get some packages installed from source into the PYTHON module path when this upstart job runs. I had to do everything in absolute paths because the chdir stanza didn't seem to do work.

score 3 · Answer 7 · answered Aug 27 '14 at 21:56

I was using CentOS 6, and I could not get the recommended hack (for Upstart 0.6.5) to work for me, nor the 'su' trick because the number of forks involved (4 I think) was not tracked by 'expect fork' or 'expect daemon'.

I eventually just did

chown user:group executable
chmod +s executable

(ie set the setuid bit and change the ownership).

It may not be the safest method, but for an internal R&D project, it didn't matter in our case.

score 2 · Answer 8 · answered Sep 30 '19 at 02:31

In CentOS 6, upstart 0.6.5, the following is what worked for me.

script

    exec su user_name << EOF
        exec /path/to/command [parameters...]
EOF

end script

or :

script

    exec su user_name << EOF
       ..... what you want to do ....
EOF

end script

When use

exec su -s /bin/sh -c 'exec "$0" "$@"' username -- /path/to/command [parameters...]

the job process can't be stopped by initclt stop . I think the reason is:

1. the job forked and the main process is not tracked.
2. the main process changed its process group,because of `su -c`

score 0 · Answer 9 · edited Jun 10 '15 at 21:58

There is a third possibility depending on what you are trying to accomplish. You may be able to loosen the access controls on the files/devices in question. This can allow an unprivileged user to mount or access items that they normally wouldn't be allowed to. Just be sure you aren't giving away the keys to the kingdom in the process.

You can also change the timeout of the sudo password cache. But I don't recommend it unless your machine is physically secure (i.e., you believe that it's unlikely that a passer-by would attempt to gain sudo access).

There's a good reason that there are very few ways to perform privileged actions and that they perform ~~needless~~ necessary logging. Loose restrictions would be a security hazard for your system, and a lack of logging would mean there's no way to know what happened when you've been compromised.

If the size of your log files is a concern then something is probably wrong. Sudo generates only one line per use under normal conditions.

Running upstart jobs as unprivileged users

9 Answers9

Linked