On Fri, 21 Feb 2003 19:21, Thomas Viehmann wrote:
> I'd like to get some advice as to what the best solution for running a
> daemon not as root might be.
> I need the following three on startup which seem to keep me from not
> starting out as root:
> - open devices (in my case tty?, ttyUSB?)

chmod

> - open syslog (and/or logfile)

/dev/log doesn't need any particular privs unless running SE Linux (and SE
policy for the daemon that allows /dev/log access is trivial to write).

For log files you can have the system create a directory for the
application's logs that is owned by the application UID.

> - write pidfile
> In particular, I don't know how to write my pidfile under /var/run without
> being root.

Have a directory /var/run/chipcard which is owned by the chipcard UID.

> If there isn't any way, is there documentation/good example on how to shed
> the root privilege after starting? Is a simple setresuid/gid to
> nobody/nogroup enough?

No! You have to get your own UID. Having all daemons running as "nobody"
would be almost as bad as having them all running as root.

If you need to bind to a low port then the options are:
1) Bind as root then setuid() to another UID.
2) Authbind.
3) Run as root.
4) Inetd.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
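
Option 1 from the reply above (do the root-only startup work, then switch to the daemon's own UID), as an added example that is not part of the original message. The account name "chipcard" is an assumption taken from the /var/run/chipcard directory mentioned above, and drop_privs() is a hypothetical helper name.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups, then GID, then UID, because
 * once the UID is gone the process can no longer change its groups. */
int drop_privs(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;

    if (uid == 0) {                 /* switching to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    /* Only root can (and needs to) clear inherited supplementary groups. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Set real, effective and saved IDs so nothing can be switched back. */
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify the result instead of trusting return codes alone. */
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)  /* regaining root must fail */
        return -1;
    return 0;
}

int main(void)
{
    /* "chipcard" is an assumed account name for the daemon's own UID. */
    struct passwd *pw = getpwnam("chipcard");
    if (pw == NULL) {
        fprintf(stderr, "no chipcard account\n");
        return 1;
    }
    /* Root-only startup work (bind a low port, open devices) goes here. */
    if (drop_privs(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privs");
        return 1;                   /* never continue running as root */
    }
    /* Now unprivileged: write the pidfile under /var/run/chipcard. */
    return 0;
}
```

File descriptors opened before the call (the bound socket, the tty devices) stay usable afterwards, which is why the switch can happen before the daemon starts serving.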

