[systemd-devel] forking PIDFile question

steve at goodey.org steve at goodey.org
Wed Feb 21 15:25:10 UTC 2018


On Wednesday, 21 February 2018 06:31:23 GMT Jonathan de Boyne Pollard wrote:
> steve at goodey.org:
> > [Service]
> > 
> > Type=forking
> 
> Your program has an -f option to stop it from vainly trying to
> re-daemonize itself.  Use it; and do not use Type=forking in the first
> place.
> 
> *
> http://jdebp.eu./FGA/unix-daemon-design-mistakes-to-avoid.html#DoNotBackgroundise
> 
> The supplied systemd service unit that comes packaged by Ubuntu/Debian
> does this.  You can ignore its use of -s 1 , as systemd will log the
> program's standard output and -s 0 will do quite well.
> 
> *
> https://sources.debian.org/src/lcdproc/0.5.9-2/debian/lcdproc.LCDd.service/
> 
> steve at goodey.org:
> > [server]
> > 
> > User=nobody
> 
> Also, do not abuse nobody for dæmons.  Use a dedicated unprivileged user
> account, such as (for example) lcdproc.  Name the unprivileged user
> account in the service unit in a User= setting, and using filesystem
> ACLs or otherwise grant it nothing except the permission to open
> /dev/ttyUSB0 for writing and to open the configuration file for reading.
> 
> * http://jdebp.eu./FGA/dont-abuse-nobody-for-daemons.html
> 
> Currently, you are running your program as the superuser with a
> configuration file owned by an unprivileged user.  This is a backdoor
> into your system, as anyone who compromises that unprivileged user
> account (which is the one that you run your WWW browser as, and that you
> use to run software build systems and other programs downloaded from
> other people that you do not know, ne?) can rewrite the configuration
> file and thereby persuade a superuser-privileged process to open an
> arbitrary file and write stuff (which it does before it attempts to
> detect whether it is running as the superuser).
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel

Thanks very much Jonathan for your help and in looking through the conf files and pointing 
out my mistakes. I have altered them as per your instructions and all is now running fine.

Thanks to all who replied and my apologies if my little problem has cluttered up your list :-)


Regards, Steve Goodey
Colchester, England
mailto://steve@goodey.org
Registered Linux User #372670 http://counter.li.org

Hello to Jason Isaacs
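A unit that applies the advice quoted above, added here as an example; it is not the unit from the thread, nor the one packaged by Debian/Ubuntu or shipped by the lcdproc project. It assumes the daemon binary is /usr/sbin/LCDd, its configuration is /etc/LCDd.conf and the `-c` option selects that file (none of these are stated in the thread), and that a dedicated system account named lcdproc exists. The setup commands that grant that account exactly the two permissions Jonathan lists (write on /dev/ttyUSB0, read on the configuration file) are shown in the comments; the sandboxing directives at the end go beyond the thread and are ordinary systemd settings.

```ini
# /etc/systemd/system/lcdproc.service   (assumed path; example unit, not the packaged one)
#
# The weak configuration discussed in the thread, for contrast:
#   [Service]
#   Type=forking                # LCDd re-daemonizes itself; systemd has to guess the real PID
#   ExecStart=/usr/sbin/LCDd -s 1
#   (no User= in the unit: the process started as root and only LCDd.conf's
#    [server] User=nobody dropped privileges, after the config had already been parsed)
#
# One-time setup, run as root before enabling the unit (paths assumed):
#   useradd --system --no-create-home --shell /usr/sbin/nologin lcdproc
#   chown root:root /etc/LCDd.conf && chmod 0640 /etc/LCDd.conf   # not writable by any unprivileged user
#   setfacl -m u:lcdproc:r /etc/LCDd.conf                         # read the configuration only
#   setfacl -m u:lcdproc:w /dev/ttyUSB0                           # write to the display only

[Unit]
Description=LCDd server daemon
After=local-fs.target

[Service]
# -f keeps LCDd in the foreground, so systemd supervises the real process and
# Type=simple (the default) is correct; Type=forking is no longer needed.
# -s 0 turns off LCDd's own syslog output; systemd captures stdout/stderr into the journal.
Type=simple
ExecStart=/usr/sbin/LCDd -f -s 0 -c /etc/LCDd.conf
# Start directly as the dedicated account. The process is never root, so a rewritten
# configuration file can no longer persuade a privileged process to open arbitrary files.
User=lcdproc
Group=lcdproc

# Additional least-privilege sandboxing (not from the thread; standard systemd directives).
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
DevicePolicy=closed
DeviceAllow=/dev/ttyUSB0 rw

[Install]
WantedBy=multi-user.target
```

After saving the file, `systemctl daemon-reload && systemctl enable --now lcdproc.service`; `systemctl status lcdproc.service` should then show LCDd itself as the main PID rather than a forked child. Two caveats: an ACL set on /dev/ttyUSB0 is lost whenever the device node is recreated (for example when the adapter is unplugged and reconnected), so for a hot-pluggable device a udev rule that re-applies the ACL is the durable form; and with User= in the unit, any `User=` line in the [server] section of LCDd.conf becomes redundant and can be dropped.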

