StartupItems as a particular user
macvillage.net
Addicted to MacNN
Join Date: Sep 2000
Sep 20, 2003, 03:23 PM
 
I have a few custom scripts in StartupItems.

I want to run them as particular users.

script "abc.pl" as user "daemona" for example.

Can anyone enlighten me on how to get a startupitem running as a particular user?
     
gorickey
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Sep 20, 2003, 04:55 PM
 
I am a little confused as to what you want....any startup item is going to run at startup (before choosing a particular user for example)....so if you want it to run as a particular user ONLY and not affect other users, I am not sure how that's possible....
     
Earth Mk. II
Mac Elite
Join Date: Feb 2001
Location: Washington, DC
Sep 20, 2003, 05:14 PM
 
If it's a shell script you might be able to put sudo -u <username|uid> -c - <command> in there to get the desired results. Another alternative would be to use the su command.

But I've never done this so I don't know if it would actually work, or what implications it would have for your system's security.

consider this a hesitant suggestion.
/Earth\ Mk\.\ I{2}/
     
macvillage.net  (op)
Addicted to MacNN
Join Date: Sep 2000
Sep 20, 2003, 06:51 PM
 
I have a few services (mostly perl scripts, a java app and a few others)... that boot thanks to StartupItems.


I don't want them running as root (for obvious security reasons). I would prefer they run as a user that I specify (with limited permissions).

So my question, is how can I have these items boot under a specific user, rather than as root?
     
gorickey
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Sep 20, 2003, 07:17 PM
 
As far as I know, you cannot....they must be run as root...
     
gorickey
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Sep 20, 2003, 07:21 PM
 
Also, which "StartUpItems" folder are you placing the scripts you want to run?

There are (3) places you could choose from:

1.)

/Library/StartupItems

This directory contains user-installed startup items.


2.)

/Network/Library/StartupItems

This directory contains startup items available over the network.

Since the Network mounts are not yet established at the beginning of system startup, the StartupItems directory in /Network/Library is not searched. (A future version of SystemStarter may search this directory for items once it becomes available.)

3.)

/System/Library/StartupItems

This directory contains system-installed startup items.
     
Arkham_c
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Sep 20, 2003, 08:18 PM
 
Originally posted by macvillage.net:
I have a few services (mostly perl scripts, a java app and a few others)... that boot thanks to StartupItems.


I don't want them running as root (for obvious security reasons). I would prefer they run as a user that I specify (with limited permissions).

So my question, is how can I have these items boot under a specific user, rather than as root?
It's pretty easy actually, and someone touched on it above. The startup script will always run as root, but the script can start the process as another user. Example (tomcat on my machine):

Code:
StartService()
{
    if [ "${TOMCAT:=-NO-}" = "-YES-" ]; then
        ConsoleMessage "Starting Tomcat"
        su tomcat -c "cd /Library/WebServer/tomcat/bin/ && ./startup.sh"
    fi
    return 0
}
This script executes the startup.sh script as the "tomcat" user.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
     
Groovy
Mac Enthusiast
Join Date: Apr 2001
Sep 20, 2003, 09:39 PM
 
Originally posted by macvillage.net:
I have a few custom scripts in StartupItems.

I want to run them as particular users.

script "abc.pl" as user "daemona" for example.

Can anyone enlighten me on how to get a startupitem running as a particular user?
very easy to do. Here is an example of one of my scripts that runs dnetc when my main account logs in.

Code:
#!/bin/tcsh
/Users/groovy/bin/dnetc
exit
I named the script file

dnetc.command

it is the .command that makes it runnable. (tells OS to pass it to terminal as a command to be run)

Now while logged in to that user go to your login items in the system prefs and add the script to your list and there you go.
There are many ways to do it but this one is the fastest and easy way IMHO

NOTE: this sets it up at that user level/space.



-
( Last edited by Groovy; Sep 20, 2003 at 09:59 PM. )
     
Groovy
Mac Enthusiast
Join Date: Apr 2001
Sep 20, 2003, 09:58 PM
 
Originally posted by Arkham_c:
It's pretty easy actually, and someone touched on it above. The startup script will always run as root, but the script can start the process as another user. Example (tomcat on my machine):

Code:
StartService()
{
    if [ "${TOMCAT:=-NO-}" = "-YES-" ]; then
        ConsoleMessage "Starting Tomcat"
        su tomcat -c "cd /Library/WebServer/tomcat/bin/ && ./startup.sh"
    fi
    return 0
}
This script executes the startup.sh script as the "tomcat" user.

nice but wouldn't it be better to keep each user script in that user space? (depending on what the script does and if it is buggy etc...)

Also logout and back in startup items are not run but login items are and why I use login method. I do not want dnetc to keep running
when i go to other accounts so for me i would log out and do some stuff in another account and when i logged back in to main account
I was forced to start dnetc by hand because the -install to startup only runs at startup as it should.


-
     
macvillage.net  (op)
Addicted to MacNN
Join Date: Sep 2000
Sep 20, 2003, 10:05 PM
 
Originally posted by Arkham_c:
It's pretty easy actually, and someone touched on it above. The startup script will always run as root, but the script can start the process as another user. Example (tomcat on my machine):

Code:
StartService()
{
    if [ "${TOMCAT:=-NO-}" = "-YES-" ]; then
        ConsoleMessage "Starting Tomcat"
        su tomcat -c "cd /Library/WebServer/tomcat/bin/ && ./startup.sh"
    fi
    return 0
}
This script executes the startup.sh script as the "tomcat" user.

That was exactly what I was looking for. Thanks!
     
Earth Mk. II
Mac Elite
Join Date: Feb 2001
Location: Washington, DC
Sep 21, 2003, 03:34 AM
 
Originally posted by Groovy:
nice but wouldn't it be better to keep each user script in that user space? (depending on what the script does and if it is buggy etc...)

Also logout and back in startup items are not run but login items are and why I use login method. I do not want dnetc to keep running
when i go to other accounts so for me i would log out and do some stuff in another account and when i logged back in to main account
I was forced to start dnetc by hand because the -install to startup only runs at startup as it should.


-
No, because users that are used for running daemons (eg. user 'tomcat' for the tomcat server) should, under no circumstances, be allowed to login, and under no circumstances should they be given root permissions. And usually, you want a server to persist through system logins and logouts.

This means they have no shells to login to, and a passwd entry that can't be hashed against. So logging in as that user is virtually impossible.

It's a common practice in unix systems - that way if your httpd is cracked, the cracker only has the permissions of the httpd process and your system remains intact, even if your web pages are lost.
/Earth\ Mk\.\ I{2}/
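
Added example, not part of any post in this thread: a pre-flight check a root-run startup script could make before handing a service to its daemon account, testing the three properties described in the last post (not uid 0, no usable password, no login shell). It assumes the account records are available as passwd(5)-format text with the hash in field 2; the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Record format: name:passwd:uid:gid:gecos:home:shell
# Constructed sample data. "tomcat" and "daemona" are names from the thread;
# every field value below is invented.
SAMPLE_PASSWD='root:*:0:0:System Administrator:/var/root:/bin/sh
tomcat:*:104:104:Tomcat Server:/Library/WebServer/tomcat:/usr/bin/false
daemona:$1$constructed$notARealHashValue000000:501:20:Daemon A:/Users/daemona:/bin/tcsh
svcroot:*:0:0:uid 0 alias:/var/empty:/usr/bin/false'

# audit_service_account USER PASSWD_TEXT
# Prints one finding per line; prints nothing when the account passes.
audit_service_account() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u {
            found = 1
            # A second name for uid 0 is root in everything but name.
            if ($3 == 0) print "uid-is-0"
            # "*" or "!" in the password field cannot match any hash.
            if ($2 == "") print "password-empty"
            else if ($2 !~ /^[*!]/) print "password-usable"
            # Only shells that exit immediately count as "no login".
            if ($7 != "/usr/bin/false" && $7 != "/bin/false" &&
                $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin")
                print "login-shell"
        }
        END { if (!found) print "no-such-user" }'
}

# service_account_ok USER PASSWD_TEXT -> exit status 0 only with no findings.
service_account_ok() {
    [ -z "$(audit_service_account "$1" "$2")" ]
}

# Report on the sample accounts when the script is run directly.
for u in tomcat daemona svcroot; do
    if service_account_ok "$u" "$SAMPLE_PASSWD"; then
        echo "$u: ok"
    else
        echo "$u: $(audit_service_account "$u" "$SAMPLE_PASSWD" | tr '\n' ' ')"
    fi
done
```

An account that passes this check has no shell for `su tomcat -c "..."` to run the command in, so a startup script for such an account would launch through `sudo -u tomcat <command>`, which executes the command directly.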
     
   
 
All times are GMT -4.