StartupItems as a particular user
Addicted to MacNN
Join Date: Sep 2000
I have a few custom scripts in StartupItems.
I want to run them as particular users.
script "abc.pl" as user "daemona" for example.
Can anyone enlighten me on how to get a startupitem running as a particular user?
Posting Junkie
Join Date: Nov 2001
Location: Retired.
I am a little confused as to what you want....any startup item is going to run at startup (before choosing a particular user for example)....so if you want it to run as a particular user ONLY and not affect other users, I am not sure how that's possible....
Mac Elite
Join Date: Feb 2001
Location: Washington, DC
If it's a shell script you might be able to put sudo -u <username|uid> -c - <command> in there to get the desired results. Another alternative would be to use the su command.
But I've never done this so I don't know if it would actually work, or what implications it would have for your system's security.
Consider this a hesitant suggestion.
/Earth\ Mk\.\ I{2}/
Addicted to MacNN
Join Date: Sep 2000
I have a few services (mostly perl scripts, a java app and a few others)... that boot thanks to StartupItems.
I don't want them running as root (for obvious security reasons). I would prefer they run as a user that I specify (with limited permissions).
So my question, is how can I have these items boot under a specific user, rather than as root?
Posting Junkie
Join Date: Nov 2001
Location: Retired.
As far as I know, you cannot....they must be run as root...
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Also, which "StartUpItems" folder are you placing the scripts you want to run in?
There are (3) places you could choose from:
1.) /Library/StartupItems
This directory contains user-installed startup items.
2.) /Network/Library/StartupItems
This directory contains startup items available over the network.
Since the Network mounts are not yet established at the beginning of system startup, the StartupItems directory in /Network/Library is not searched. (A future version of SystemStarter may search this directory for items once it becomes available.)
3.) /System/Library/StartupItems
This directory contains system-installed startup items.
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Originally posted by macvillage.net:
I have a few services (mostly perl scripts, a java app and a few others)... that boot thanks to StartupItems.
I don't want them running as root (for obvious security reasons). I would prefer they run as a user that I specify (with limited permissions).
So my question, is how can I have these items boot under a specific user, rather than as root?
It's pretty easy actually, and someone touched on it above. The startup script will always run as root, but the script can start the process as another user. Example (tomcat on my machine):
Code:
    StartService() {
        if [ "${TOMCAT:=-NO-}" = "-YES-" ]; then
            ConsoleMessage "Starting Tomcat"
            su tomcat -c "cd /Library/WebServer/tomcat/bin/ && ./startup.sh"
        fi
        return 0
    }
This script executes the startup.sh script as the "tomcat" user.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
Mac Enthusiast
Join Date: Apr 2001
Originally posted by macvillage.net:
I have a few custom scripts in StartupItems.
I want to run them as particular users.
script "abc.pl" as user "daemona" for example.
Can anyone enlighten me on how to get a startupitem running as a particular user?
Very easy to do. Here is an example of one of my scripts that runs dnetc when my main account logs in.
Code:
    #!/bin/tcsh
    /Users/groovy/bin/dnetc
    exit
I named the script file dnetc.command
It is the .command that makes it runnable. (tells OS to pass it to terminal as a command to be run)
Now while logged in to that user go to your login items in the system prefs and add the script to your list and there you go.
There are many ways to do it but this one is the fastest and easy way IMHO
NOTE: this sets it up at that user level/space.
(Last edited by Groovy; Sep 20, 2003 at 09:59 PM.)
Mac Enthusiast
Join Date: Apr 2001
Originally posted by Arkham_c:
It's pretty easy actually, and someone touched on it above. The startup script will always run as root, but the script can start the process as another user. Example (tomcat on my machine):
Code:
    StartService() {
        if [ "${TOMCAT:=-NO-}" = "-YES-" ]; then
            ConsoleMessage "Starting Tomcat"
            su tomcat -c "cd /Library/WebServer/tomcat/bin/ && ./startup.sh"
        fi
        return 0
    }
This script executes the startup.sh script as the "tomcat" user.
Nice, but wouldn't it be better to keep each user script in that user space? (depending on what the script does and if it is buggy etc...)
Also, on logout and back in, startup items are not run but login items are, which is why I use the login method. I do not want dnetc to keep running when I go to other accounts, so for me I would log out and do some stuff in another account, and when I logged back in to the main account I was forced to start dnetc by hand because the -install to startup only runs at startup as it should.
Addicted to MacNN
Join Date: Sep 2000
Originally posted by Arkham_c:
It's pretty easy actually, and someone touched on it above. The startup script will always run as root, but the script can start the process as another user. Example (tomcat on my machine):
Code:
    StartService() {
        if [ "${TOMCAT:=-NO-}" = "-YES-" ]; then
            ConsoleMessage "Starting Tomcat"
            su tomcat -c "cd /Library/WebServer/tomcat/bin/ && ./startup.sh"
        fi
        return 0
    }
This script executes the startup.sh script as the "tomcat" user.
That was exactly what I was looking for. Thanks!
Mac Elite
Join Date: Feb 2001
Location: Washington, DC
Originally posted by Groovy:
Nice, but wouldn't it be better to keep each user script in that user space? (depending on what the script does and if it is buggy etc...)
Also, on logout and back in, startup items are not run but login items are, which is why I use the login method. I do not want dnetc to keep running when I go to other accounts, so for me I would log out and do some stuff in another account, and when I logged back in to the main account I was forced to start dnetc by hand because the -install to startup only runs at startup as it should.
No, because users that are used for running daemons (e.g. user 'tomcat' for the tomcat server) should, under no circumstances, be allowed to log in, and under no circumstances should they be given root permissions. And usually, you want a server to persist through system logins and logouts.
This means they have no shells to log in to, and a passwd entry that can't be hashed against. So logging in as that user is virtually impossible.
It's a common practice in unix systems - that way if your httpd is cracked, the cracker only has the permissions of the httpd process and your system remains intact, even if your web pages are lost.
/Earth\ Mk\.\ I{2}/
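Added example, not part of any post in this thread: a helper that a root-run StartService() could call to start a service under a dedicated account, as in the tomcat post, while also covering the no-login-shell accounts described in the last post. It uses sudo -u, which executes the command directly instead of going through the account's login shell; the function names and the SUDO override variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the SUDO variable
# are hypothetical; the user, directory and script come from the caller.

# owner_and_mode_ok PATH UID...: PATH must be a regular file (not a symlink),
# owned by one of the listed numeric uids, with no group/other write bit.
owner_and_mode_ok() {
    path=$1; shift
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    listing=$(ls -ln -- "$path") || return 1
    mode=${listing%% *}                          # first field, e.g. -rwxr-xr-x
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    case $mode in
        ?????w*|????????w*) return 1 ;;          # group- or other-writable
    esac
    for uid in "$@"; do
        [ "$owner" = "$uid" ] && return 0
    done
    return 1
}

# service_user_ok USER: the account must exist and must not be uid 0.
service_user_ok() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ]
}

# start_unprivileged USER DIR SCRIPT: drop from root to USER and run SCRIPT.
# DIR and SCRIPT are passed to sh as arguments, never pasted into the -c
# string, so unusual characters in a path cannot change the command.
start_unprivileged() {
    user=$1; dir=$2; script=$3
    service_user_ok "$user" ||
        { echo "bad service user: $user" >&2; return 1; }
    owner_and_mode_ok "$dir/$script" 0 "$(id -u "$user")" ||
        { echo "unsafe owner/mode: $dir/$script" >&2; return 1; }
    ${SUDO:-sudo} -u "$user" -- /bin/sh -c 'cd "$1" && exec "./$2"' \
        sh "$dir" "$script"
}
```

Inside a StartupItem the call would replace the su line, for example `start_unprivileged tomcat /Library/WebServer/tomcat/bin startup.sh`.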