Why does my Upstart job work with sudo but not with setuid?

Question

I have an Upstart job for a Node.js application, and I want to make it run Node as the node user rather than root. When I use setuid in the job config, whenever I try to start the job, it says my-app stop/waiting. However, if I omit setuid but use exec with sudo, it works as I expect.

I have created node as a system user. As far as I know, all of the relevant files and directories are accessible by that user. The version of Upstart I am using is 1.12.1.

Config with setuid:

script
  setuid node
  chdir /var/app/my-app
  exec nodejs server.js
end script

versus the config with sudo:

script
  chdir /var/app/my-app
  exec sudo -u node nodejs server.js
end script

What differences are there between Upstart's setuid behavior and sudo behavior that would make one fail and the other succeed?

score 3 · Accepted Answer · answered Oct 06 '15 at 21:05

3

The setuid stanza should not be in script block, it's global. This is probably the reason your job fails for.

Note that using setuid will make all job phases run as the user specified and there's no way to change it. If you want to run only a daemon as a different user, avoid sudo and go with start-stop-daemon instead. This is especially important with forking daemons. Check Ubuntu's Upstart Cookbook, chapter 11.43.2 for details.

answered Oct 06 '15 at 21:05

sam_pan_mariusz

2,133
1
14
15

Reading now, thanks. For convenience, deep link to the section you mentioned: http://upstart.ubuntu.com/cookbook/#run-a-job-as-a-different-user – amacleod Oct 07 '15 at 14:40
Moving `setuid` outside the `script` block fixed it! – amacleod Oct 07 '15 at 14:48

Why does my Upstart job work with sudo but not with setuid?

1 Answers1