Linux - Run a daemon as 'nobody'


Solution 1

You don't want to do (1) -- Leave root's home directory alone. (2) is your best option - Create a new directory owned by the user the daemon will run as & have it do any disk I/O it needs to do in that directory.

Semi-related, please don't run things as "nobody" -- there's an old joke that nobody is usually the most privileged user on a *NIX system because all the daemons run as "nobody".

If you're really concerned about security you don't want to fall into that trap. It's worth taking the extra minute to create a dedicated user for your daemons with appropriate restrictions :-)

Solution 2

Well - the script currently resides in /root. Assuming that your target user is not root, then of course you'll get a permissions error when that user tries to read/execute the script.

What is your opposition to moving the script to a different directory? If you do that and set the file ownership/mode correctly, you should have no issues.


Author: Chris Bunch

Updated on September 17, 2022

Comments

  • Chris Bunch, almost 2 years

    I have a daemon sitting in my root directory that currently is being run as root. However, since this program can read the file system, this is clearly a security problem. How can I run it as nobody so that I can resolve this problem?

    Doing "su - nobody -c /root/myscript" doesn't work, returning a permission denied error. The only ways I can seem to get around this are:

    1. Chmod -R 777 /root, which I don't want to do on my root dir and also messes up ssh.
    2. Move the script to /opt or /var and then do (1)

    Of course, there may be an easy solution that I'm missing. I can chown it to nobody but that doesn't fix the problem either. Any ideas?

  • Chris Bunch, over 14 years
    I don't have any serious opposition to it, but I just was wondering if there was an easy way to leave it in /root (that is, I originally thought I could just give the file to 'nobody' and call it a day).
  • Zoredache, over 14 years
    +1 for creating a task-specific service account.
  • Haozhun, over 12 years
    Hi voretaq7 and @Zoredache, can you provide a link or explain the proper way to create a dedicated user for the daemon with appropriate restrictions? Thank you.
  • voretaq7, over 12 years
    @Gene "The same way you would create any user account on your system" is the best answer I can give you - Refer to the documentation for your system (or ask a question on unix.stackexchange.com, remembering to specify your OS)
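The approach from Solution 1 and the "how do I actually create a restricted daemon user" question from the comments, as an added example that is not from anyone in this thread. It assumes GNU useradd/stat on Linux, a nologin shell at /usr/sbin/nologin, and the hypothetical names "mydaemon", /opt/mydaemon and "myscript".

```shell
#!/bin/sh
# Added example (not from the thread): a dedicated service account plus a
# directory it owns, instead of running from /root or as "nobody".
# Assumed names: user "mydaemon", directory /opt/mydaemon, script "myscript".
# Assumes GNU useradd/stat (Linux) and /usr/sbin/nologin.
SVC_USER="${SVC_USER:-mydaemon}"
SVC_HOME="${SVC_HOME:-/opt/mydaemon}"

# create_service_account USER DIR: system user with no login shell and no
# password; DIR is its working directory and the only place it may write.
create_service_account() {
    user="$1"; dir="$2"
    case "$user" in
        root|nobody) echo "refusing shared account '$user'" >&2; return 1 ;;
    esac
    id "$user" >/dev/null 2>&1 || \
        useradd --system --home-dir "$dir" --no-create-home \
                --shell /usr/sbin/nologin "$user"
    mkdir -p "$dir"
    chown "$user:$user" "$dir"
    chmod 750 "$dir"                      # owner rwx, group rx, world nothing
    if [ -f "$dir/myscript" ]; then       # daemon may run, but not rewrite, its code
        chown "root:$user" "$dir/myscript"
        chmod 750 "$dir/myscript"
    fi
}

# layout_ok DIR USER: returns 0 when DIR exists, is owned by USER and is not
# world-writable; the check to run before starting the daemon.
layout_ok() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || return 1
    [ "$(stat -c %U "$dir")" = "$user" ] || return 1
    [ -z "$(find "$dir" -maxdepth 0 -perm -002)" ] || return 1
    return 0
}

# run_daemon: the account's shell is nologin, so 'su - USER' would fail;
# supply a shell with -s for the one command.
run_daemon() {
    su -s /bin/sh "$SVC_USER" -c "$SVC_HOME/myscript"
}

# Usage: sudo sh setup-daemon-user.sh setup   (later: sudo sh ... run)
case "${1:-}" in
    setup) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
           create_service_account "$SVC_USER" "$SVC_HOME"
           layout_ok "$SVC_HOME" "$SVC_USER" && echo "layout ok" ;;
    run)   layout_ok "$SVC_HOME" "$SVC_USER" && run_daemon ;;
esac
```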