Skip to content

SimpleDaemon - daemon_user option #27

Closed
berekuk opened this Issue Apr 12, 2012 · 3 comments

2 participants

@berekuk
Owner
berekuk commented Apr 12, 2012

User semantics in ubic isn't always what our users want.
Ubic drops privileges before doing anything with service — $service->start() gets called with non-root user, for example.
This feature allows non-root users operate services themselves — if service's user is www-data, then www-data user can start and stop this service.

But some people want the user to remain root and do some stuff using root before starting a daemon in their start method.
And they want to inherit from Ubic::Service::SimpleDaemon at the same time!
So, we need to implement daemon_user option in Ubic::Service::SimpleDaemon for them.

@berekuk
Owner
berekuk commented May 4, 2012

Things to think about:

  • who should be the owner of stdout, stderr and ubic_log logs?
  • who is the owner of pidfile?

If pidfile's owner is daemon_user, then we'll have to pass credentials to stop_daemon and check_daemon functions. Or be really careful in their code and never create/reinitialize pidfile.

On the other hand, if logs owner is root, then it's a potential security breach (imagine user with limited disk quota, for example).
It'll also make further features impossible, such as reopening ubic_log for rotating from guardian (or should we run guardian from root and only an actual daemon from daemon_user?)

@oktocat
oktocat commented May 19, 2012

or should we run guardian from root and only an actual daemon from daemon_user?

This is the right thing to do. All cool guys do it that way, i.e. nginx:
:~# ps fauxw| fgrep ngi
root 22688 0.0 0.0 7620 572 pts/0 S+ 22:01 0:00 \_ fgrep ngi
root 24166 0.0 0.0 59532 2176 ? Ss May18 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
www-data 24167 0.0 0.0 97420 10508 ? S May18 0:17 \_ nginx: worker process
www-data 24168 0.0 0.0 97420 10508 ? S May18 0:27 \_ nginx: worker process
www-data 24169 0.0 0.0 97420 10512 ? S May18 0:26 \_ nginx: worker process
www-data 24170 0.0 0.0 97420 10512 ? S May18 0:21 \_ nginx: worker process
www-data 24171 0.0 0.0 97420 10508 ? S May18 0:24 \_ nginx: worker process
www-data 24172 0.0 0.0 97420 10512 ? S May18 0:23 \_ nginx: worker process
www-data 24173 0.0 0.0 97420 10516 ? S May18 0:23 \_ nginx: worker process
www-data 24174 0.0 0.0 97420 10512 ? S May18 0:26 \_ nginx: worker process
www-data 24175 0.0 0.0 97420 10508 ? S May18 0:23 \_ nginx: worker process
www-data 24176 0.0 0.0 97420 10512 ? S May18 0:25 \_ nginx: worker process
www-data 24177 0.0 0.0 97420 10512 ? S May18 0:20 \_ nginx: worker process
www-data 24178 0.0 0.0 97420 10512 ? S May18 0:25 \_ nginx: worker process
:~# ls -l /var/run/nginx.pid
-rw-r--r-- 1 root root 6 2012-05-18 22:15 /var/run/nginx.pid

Logs must be owned by daemon_user

@berekuk
Owner
berekuk commented May 23, 2012

Thanks for the suggestions.

Implemented in 1.39.
Service user owns pidfile and ubic_log, daemon user owns daemon process, stdout and stderr. Hope this won't confuse anyone.

@berekuk berekuk closed this May 23, 2012
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.