
I have a few upstart scripts which are run as a non-privileged user using setuid. Pid files should be created in /var/run/my-service: /var/run/my-service/v1.pid, /var/run/my-service/v2.pid and so on.

The upstart scripts are created by a script, which also creates /var/run/my-service and sets the permissions, so everything works initially. But this folder will be gone after a reboot, and services will fail.

I tried this:

pre-start script
    # PID_DIR is quoted so that an empty value fails the -n test instead of
    # passing a bare "-n" to [ and then calling mkdir with no argument
    [ -n "$PID_DIR" ] && [ ! -d "$PID_DIR" ] && mkdir "$PID_DIR"
    sudo chown my-user:my-group "$PID_DIR"
end script

setuid my-user

But it doesn't work:

sudo: no tty present and no askpass program specified
my-user is not in the sudoers file.  This incident will be reported.

I guess it's because setuid affects all processes, even though it's after the pre-start and sudo start my-service was used.

How can I create the folder and set permissions before the service is started?

MadHatter
Mihai Rotaru
  • Disabling the `requiretty` flag in your `sudoers` file and/or adding the `NOPASSWD:` option should make that work... but I'm not saying that this is the right way to do it. – Flup Jul 24 '14 at 09:11

1 Answer

  1. sudo is not the right tool for anything regarding init systems. Please avoid using it if possible.

  2. setuid and setgid affect all stanzas of the upstart job, including the pre-start.

  3. This can easily be worked around with the following job, my-service-prep.conf:

    start on starting my-service
    
    task
    
    PIDDIR=/var/run/my-service
    
    exec install -o my-user -g my-group -d $PIDDIR
    

With this, you can use setuid and setgid within the main upstart job and not face any permissions errors.

CameronNemo
  • Ended up storing the pid in the app folder; generally not a good idea but it works in my case. – Mihai Rotaru Aug 01 '14 at 20:11
  • The problem here (thanks to upstart's great design) is that if I need to have more than one process requiring the "/var/run/my-service" directory, then I need to add every job to the my-service-prep.conf file. I tried adding 'start on started my-service-prep' to the actual daemons I needed to spawn, but it did not work probably because my-service-prep is a task. – Asfand Qazi Jun 15 '15 at 12:53
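The following is an added example and is not code from the question or from CameronNemo's answer. It puts the `install -o my-user -g my-group -d $PIDDIR` line of my-service-prep.conf into a shell function that a pre-start stanza (or a helper job) can call on every boot, and pairs it with an ownership check the main job can run before handing control to the setuid'd daemon. The function names `ensure_runtime_dir` and `check_runtime_dir`, and the default mode 0750, are assumptions made for this example; the directory and user in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# The function names and the default mode 0750 are assumptions.

# Create DIR owned by OWNER:GROUP with permission MODE (default 0750).
# `install -d` creates missing path components and re-applies owner, group
# and mode on every run, so it is safe to repeat across reboots, whereas
# `mkdir` fails once the path exists and leaves the mode at the umask default.
# 0750 keeps the pid directory writable only by the service account, so no
# other local user can drop or replace a pid file the init system trusts.
ensure_runtime_dir() {
    dir=$1 owner=$2 group=$3 mode=${4:-0750}
    if [ -z "$dir" ] || [ -z "$owner" ] || [ -z "$group" ]; then
        echo "ensure_runtime_dir: usage: DIR OWNER GROUP [MODE]" >&2
        return 2
    fi
    install -d -o "$owner" -g "$group" -m "$mode" "$dir"
}

# Succeed only if DIR is a directory owned by OWNER:GROUP, given either as
# names or as numeric ids. A pre-start stanza can call this to refuse to
# start the daemon when the directory was never prepared or was altered.
check_runtime_dir() {
    dir=$1 owner=$2 group=$3
    [ -d "$dir" ] || return 1
    by_name=$(stat -c '%U:%G' "$dir") || return 1
    by_id=$(stat -c '%u:%g' "$dir") || return 1
    [ "$by_name" = "$owner:$group" ] || [ "$by_id" = "$owner:$group" ]
}

# Stand-alone demo (run with `--demo`): prepare a constructed directory
# under a temporary root using the current user's ids, so it works without
# root; in a real pre-start stanza the owner would be my-user:my-group.
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    ensure_runtime_dir "$root/my-service" "$(id -u)" "$(id -g)" 0750
    check_runtime_dir "$root/my-service" "$(id -u)" "$(id -g)" && echo "ok: $root/my-service"
    rm -rf "$root"
fi
```

In an Upstart job this would be called from `pre-start script` of a separate prep job that is not subject to the `setuid` stanza (as in the answer), since, as point 2 of the answer notes, `setuid` applies to every stanza of the job it appears in. The demo uses the caller's own uid and gid purely so it can run unprivileged; on a real system the prep job runs as root and passes the service account.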