0.6.3 tricks to run task as specific user?

Scott James Remnant scott at netsplit.com
Mon Jan 10 13:03:06 UTC 2011

Upstart's own exec stanza spawns a shell, and interprets the given
command string in the shell as well.

The nominal difference between 'su' and a simple 'setuidgid' is that
'su' invokes a full PAM session, which I think is preferable as this
is necessary to correctly set up environment, limits and soforth.


On Mon, Jan 10, 2011 at 12:08 PM, Enrico Scholz
<enrico.scholz at sigma-chemnitz.de> wrote:
> Scott James Remnant <scott-Umf49k1wg4FWk0Htik3J/w at public.gmane.org>
> writes:
>> While there is direct support for this coming in Upstart, it pretty
>> much amounts to exec'ing "su" for you...
> Are you really executing 'su' or something like setuidgid[1]?  'su'
> would be bad because it spawns a shell (which is usually /sbin/nologin
> or so for system accounts) and interpretes the given command string in
> the shell.  'setuidgid' would be much better because it simply execv's
> its arguments after changing the id.
> Enrico
> Footnotes:
> [1]  http://cr.yp.to/daemontools/setuidgid.html
> --
> upstart-devel mailing list
> upstart-devel at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/upstart-devel

More information about the upstart-devel mailing list