how to start services as another user

Scott James Remnant scott at netsplit.com
Mon Mar 26 23:29:32 BST 2007


On Mon, 2007-03-26 at 16:28 -0400, Brian J. Murrell wrote:

> I was attempting to write an upstart script for mythtv-frontend and came
> to the point where it wants to run as a different user.  Is there any
> way to do this with an upstart directive and then "exec" rather than
> writing a "script" that uses su - mythtv -c "mythfrontend ..."?
> 
exec su mythtv -c "exec mythfrontend ..."

That does exactly what you appear to want.

> Given the ability to set rlimits, do chroot and chdir, etc, a "uid"
> command seems suspiciously absent.
> 
User jobs are a planned feature, however there are a number of security
and usability implications about them, which is why they're on the TODO
list rather than the done list.

The plan is that a service should be registered as belonging to a
particular user; a large part of this will happen automatically when
upstart is started as it scans for jobs defined in user home directories
(actually probably in /var/spool to avoid NFS issues).

There will likely be a "user" stanza to allow global jobs to be
configured this way as well.

The following will apply:

 - the job will be run as that user,

 - and a PAM session will be set up; so all configured limits, etc.
   apply

 - users can use the "start", "stop", "status" etc. tools to start and
   stop their own jobs!

 - only root can change any job on the system

 - users can also use initctl to emit events, which will only affect
   their own jobs.


We think this is the best approach to this, rather than just sticking
setuid() and initgroups() in.

Scott
-- 
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?
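
For reference, the bare setuid()/initgroups() route that the message above sets aside looks roughly like this. It is an added example, not part of the original message or of upstart's code; drop_to_user and creds_are_exactly are hypothetical names. It only changes IDs: no PAM session is opened, so PAM-configured limits do not apply.

```c
#define _DEFAULT_SOURCE          /* for initgroups() when built stand-alone */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only if real and effective IDs both equal uid/gid. */
int creds_are_exactly(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Hypothetical helper: permanently become `user`. Returns 0 or -1.
 * Order matters: groups and gid change while still root, setuid() last. */
int drop_to_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;                               /* unknown account */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;                               /* supplementary groups */
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)                 /* as root: real, effective, saved */
        return -1;
    if (!creds_are_exactly(pw->pw_uid, pw->pw_gid))
        return -1;                               /* verify, don't trust return codes alone */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;                               /* regaining root must fail */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s USER PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    if (drop_to_user(argv[1]) != 0) {
        fprintf(stderr, "could not drop privileges to %s\n", argv[1]);
        return 1;                                /* never exec with the wrong identity */
    }
    execvp(argv[2], &argv[2]);
    perror("execvp");
    return 127;
}
```

The helper must be started as root; every failure path exits before exec so the program never runs with a partially changed identity.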