0.6.3 tricks to run task as specific user?
Scott James Remnant
scott at netsplit.com
Mon Jan 10 13:03:06 UTC 2011
Upstart's own exec stanza spawns a shell, and interprets the given
command string in the shell as well.
The nominal difference between 'su' and a simple 'setuidgid' is that
'su' invokes a full PAM session, which I think is preferable as this
is necessary to correctly set up environment, limits and soforth.
Scott
On Mon, Jan 10, 2011 at 12:08 PM, Enrico Scholz
<enrico.scholz at sigma-chemnitz.de> wrote:
> Scott James Remnant <scott-Umf49k1wg4FWk0Htik3J/w at public.gmane.org>
> writes:
>
>> While there is direct support for this coming in Upstart, it pretty
>> much amounts to exec'ing "su" for you...
>
> Are you really executing 'su' or something like setuidgid[1]? 'su'
> would be bad because it spawns a shell (which is usually /sbin/nologin
> or so for system accounts) and interpretes the given command string in
> the shell. 'setuidgid' would be much better because it simply execv's
> its arguments after changing the id.
>
>
> Enrico
>
> Footnotes:
> [1] http://cr.yp.to/daemontools/setuidgid.html
>
> --
> upstart-devel mailing list
> upstart-devel at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/upstart-devel
>
More information about the upstart-devel
mailing list