Upstart: Run service as unprivileged user and pre-start script as root

Question

I have following upstart job:

description "posty api"


start on mysql
stop on shutdown

env RACK_ENV=production

setuid vmail
setgid vmail

chdir /opt/posty_api

pre-start script
    mkdir -p /var/run/posty
    chown -R vmail:root /var/run/posty
end script

exec /usr/local/bin/unicorn -D -c /opt/posty_api/unicorn.rb --env production >> /var/log/posty/upstart.log 2>&1

post-stop exec kill `cat /var/run/posty/unicorn.pid`

respawn
respawn limit 1 10

To create the folder in /var/run I need root privileges. How can I run some parts of the upstart job as root, and the service itself as unprivileged user?

score 9 · Accepted Answer · edited Apr 13 '17 at 12:14

upstart has no facility equivalent to systemd's PermissionsStartOnly setting. All processes in the job run as the user set via the setuid stanza, as the Cookbook says.

So do things the daemontools way.

Use setuidgid, setuidgid, s6-setuidgid, chpst, runuid, or setuidgid in the exec stanza:

exec \
setuidgid somebody \
unicorn -D -c /opt/posty_api/unicorn.rb --env production >> /var/log/posty/upstart.log 2>&1

That's a terrible logging mechanism, by the way. The daemontools way would have a proper, automatically cycled, rotateable-on-demand, size-capped, log using multilog, multilog, s6-log, svlogd, tinylog, or cyclog. upstart is tricky to integrate with those, however, given its expect mechanism.

expect fork
exec \
setuidgid somebody \
unicorn -D -c /opt/posty_api/unicorn.rb --env production 2>&1 | \
/usr/local/bin/chdir /var/log/ \
setuidgid log \
cyclog posty/unicorn/

(The chdir here is the chain-loading one from the nosh package, and isn't strictly necessary. But it makes things somewhat tidier.)

score 0 · Answer 2 · answered Jun 23 '16 at 08:20

you can use setguid in script block and it will affect only given block. Something like this:

# Ubuntu upstart file at /etc/init/kafka.conf
description "kafka broker"

limit nofile 32768 32768

start on runlevel [2345]
stop on [!2345]

respawn
respawn limit 2 5

umask 007

kill timeout 300

pre-start script
    # here you are root
    ls -alh /root/
end script

chdir /usr/local/lib/kafka

script
    setuid kafka
    setgid kafka
    # here you are user/group kafka
    /usr/local/lib/kafka/bin/kafka-server-start.sh /usr/local/lib/kafka/config/server.properties
end script

Upstart: Run service as unprivileged user and pre-start script as root

2 Answers2