See my comments below, marked AndersW>
regards,
Anders Widell
On 07/25/2017 02:08 PM, William R Elliott wrote:
Hi Anders,
Thanks for the response. So I just want to make sure that I completely
understand what you are saying here: there's no way to make opensaf start an
application as a different user? I.e., opensaf will always start an application
as root, and the developer must change the application code to start as another
user?
AndersW> As far as I know, there is currently no support in OpenSAF for
specifying what user ID and/or group ID a component shall be started with.
The reason I'm asking is that we have an instantiation script that actually starts our
applications and I was hoping that by using the "su" command to change to the
correct user and group in that script, this would solve my problem.
AndersW> Yes, you should be able to use something like "su -c
your_application user_id" to launch your application from the CLC
script. Be aware that the su command probably does a lot more than just
setting the group ID and user ID, though.
thanks
-----Original Message-----
From: Anders Widell [mailto:[email protected]]
Sent: Monday, July 24, 2017 8:56 AM
To: William R Elliott; [email protected]
Subject: Re: [users] Issue with applications started as root user
I think I recall that this behaviour was changed so that applications can
choose themselves what user-id and group-id to run with.
OPENSAF_USER and OPENSAF_GROUP specify what user-id the OpenSAF processes
themselves shall run with, which may be different from the user-id the
applications shall run with.
So the application will be started as root:root and must call setgid() and
setuid() to change its user-id and group-id.
regards,
Anders Widell
On 07/20/2017 11:50 PM, William R Elliott wrote:
Hi All,
I have recently upgraded from opensaf version 4.4.0 to 5.1.0. In 4.4.0, when I
set the OPENSAF_GROUP and OPENSAF_USER variables in the nid.conf file and
unlocked a service unit, the applications in each component were started as the
OPENSAF_USER, which is what I needed. However, in 5.1.0 the applications are now
being started as the root user instead of the OPENSAF_USER in nid.conf.
I’ve read the config README file, as well as other README files, but I don’t
see any references concerning this problem, or what has changed in 5.1.0 that
would exhibit this kind of behavior. I’ve read through the opensaf documents
and I still have not found anything concerning this scenario.
I have verified the following:
1) OPENSAF_USER and OPENSAF_GROUP variables are set correctly in nid.conf
file
2) The user and group are set correctly on the instantiation scripts
3) opensaf was not built with: CPPFLAGS=-DRUNASROOT
I’ve even tried changing the amfnd main.cc file main function to directly call
daemonize instead of daemonize_as_user to ensure osafamfnd started as the
OPENSAF_USER, but for some reason osafamfnd hung and the opensaf services did
not come up.
I could be missing something simple here, but I can’t think what else to try.
I would appreciate any help with this problem.
Thanks
________________________________
The information transmitted herein is intended only for the person or entity to
which it is addressed and may contain confidential, proprietary and/or
privileged material. Any review, retransmission, dissemination or other use of,
or taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received this
in error, please contact the sender and delete the material from any computer.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Opensaf-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/opensaf-users
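
The setgid()/setuid() sequence mentioned in the thread, for a component that is started as root:root, written out as an added example (not part of the original messages and not OpenSAF code). The user and group names are supplied by the caller and are assumptions; the function names are hypothetical.

```c
/* Added example: drop from root to an unprivileged account before the
 * component does any real work. Not OpenSAF code. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE              /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve names to numeric ids; 0 on success, -1 if either name is unknown. */
int lookup_ids(const char *user, const char *group, uid_t *uid, gid_t *gid)
{
    if (user == NULL || group == NULL) return -1;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    *uid = pw->pw_uid;               /* copy out before the next lookup */
    struct group *gr = getgrnam(group);
    if (gr == NULL) return -1;
    *gid = gr->gr_gid;
    return 0;
}

/* Permanently switch to user:group. Order matters: groups first, uid last,
 * because after setuid() the process may no longer change its groups. */
int drop_privileges(const char *user, const char *group)
{
    uid_t uid; gid_t gid;
    if (lookup_ids(user, group, &uid, &gid) != 0) return -1;
    if (setgroups(1, &gid) != 0) return -1;  /* discard root's supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s USER GROUP\n", argv[0]); return 2; }
    if (drop_privileges(argv[1], argv[2]) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;                    /* never fall through and keep running as root */
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Every return value is checked because a failed setuid() that goes unnoticed leaves the component running as root.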