init.d for Non-root Processes

Third-party applications often default to running as root when installed. The server applications for TeamSite/LiveSite are among those. I have applied a simple modification to the init.d scripts that starts them as a non-root user. It also allows the scripts to be run by members of an administration group via sudo. This approach applies to other applications.

This script does not assume that root is allowed to run commands through sudo, so it uses su when invoked by root. (Some system administrators do not implement the rule root ALL=(ALL:ALL) ALL.) Replace the placeholders <application_user> and <application_admin_group> with the appropriate values. The application admin group will need an appropriate rule in /etc/sudoers or in a file in /etc/sudoers.d. I recommend using a file in /etc/sudoers.d such as the sample below.

Add this snippet near the top of the init.d file. If the init.d script supports a file in /etc/default, you may want to place the three variable definitions before the /etc/default file is read, and the if block just after.

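# Run the script using appropriate user
# Replaces separate boot_wrap script
WRAPPED_USER=<application_user>
RUNFROM_GROUP=<application_admin_group>
LOCKDIR=/var/lock/subsys
if [ "$(id -un)" != "${WRAPPED_USER}" ]; then
    if [ "$(id -u)" = 0 ]; then
        # Root: maintain the subsys lock file, then drop to the application user.
        # SCRIPTNAME is normally set by the init.d script; fall back to this script's name.
        LOCKFILE="${LOCKDIR}/${SCRIPTNAME:-$(basename "${0}")}"
        if [ "${1}" = start ]; then
            [ -w "${LOCKDIR}" ] && touch "${LOCKFILE}"
        elif [ "${1}" = stop ]; then
            [ -w "${LOCKDIR}" ] && rm -f "${LOCKFILE}"
        fi
        su "${WRAPPED_USER}" -c "${0} ${1}"
    elif id -Gn | tr ' ' '\n' | grep -qxF "${RUNFROM_GROUP}"; then
        # Caller is in the admin group (exact name match, not a substring): re-run via sudo
        sudo -u "${WRAPPED_USER}" "${0}" "${1}"
    else
        echo "${LOGNAME} is not permitted to run this script" >&2
        exit 1
    fi
    # Pass on the exit status of su or sudo
    exit $?
fi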

The corresponding sudoers definition will allow users of the application admin group to run any command as the application user. You may want to restrict the commands they can run. Replace the placeholders as described above. As noted in the definition comments, replace APP with an appropriate value throughout the file.

As written, this specification allows application administrators to run all commands on all hosts as the application user. Modify the aliases as required for your application or admin group. See man sudoers for details on the values that can be used in the file.

# Generic sudoers specification to allow application administrators 
#    to run commands as the application user. 
# Replace APP with an application specific value throughout this file.

# Modify these aliases as appropriate
User_Alias APP_ADMINS = %<application_admin_group>
Runas_Alias APP_USER = <application_user>
Host_Alias APP_SERVER = ALL
Cmnd_Alias APP_COMMANDS = ALL

# Allow access
APP_ADMINS APP_SERVER = (APP_USER) APP_COMMANDS

# EOF
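
To restrict the commands as suggested above, the Cmnd_Alias can list only the init script's own actions instead of ALL. The following is an added example, not part of the original post: it renders such a drop-in and rejects input that could inject sudoers syntax. The function names, the account appsvc, the group appadmins, the file name appserver_admins and the path /etc/init.d/appserver are constructed for illustration.

```shell
#!/bin/sh
# Added example: render a sudoers drop-in that limits APP_COMMANDS to the
# init script's own actions instead of ALL. All names below are hypothetical.

# sudo skips files in /etc/sudoers.d whose names contain '.' or end in '~'.
valid_dropin_name() {
    case "$1" in
        ''|*.*|*"~"|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept only plain account/group/action names so input cannot add sudoers syntax.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# render_sudoers <app_user> <admin_group> <init_script> [action...]
render_sudoers() {
    user=$1 group=$2 script=$3
    shift 3
    [ $# -gt 0 ] || set -- start stop   # the actions the wrapper snippet handles
    valid_name "$user" && valid_name "$group" || return 1
    case "$script" in
        *[!A-Za-z0-9_./-]*) return 1 ;;  # no spaces, commas or wildcards
        /*) ;;                           # sudoers commands need absolute paths
        *) return 1 ;;
    esac
    cmds=
    for action in "$@"; do
        valid_name "$action" || return 1
        cmds="${cmds:+$cmds, }$script $action"
    done
    printf 'User_Alias APP_ADMINS = %%%s\n' "$group"
    printf 'Runas_Alias APP_USER = %s\n' "$user"
    printf 'Host_Alias APP_SERVER = ALL\n'
    printf 'Cmnd_Alias APP_COMMANDS = %s\n' "$cmds"
    printf 'APP_ADMINS APP_SERVER = (APP_USER) APP_COMMANDS\n'
}

# Constructed sample values; check the result with `visudo -cf <file>` before
# installing it (mode 0440, owned by root) under /etc/sudoers.d.
if valid_dropin_name appserver_admins; then
    render_sudoers appsvc appadmins /etc/init.d/appserver
fi
```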
