Change tomcat catalina logs owner - linux

Is there any way to change the owner of Tomcat catalina logs from root to my current (non-root) user in an Ubuntu server?
Tomcat needs to be started using a cronjob in root. I want to avoid having to type sudo every time I want to check logs.

Sure there is. Do not run tomcat as root to begin with. This way any problem/issue in your web facing application immediately has the highest privileges possible.
If the cron job runs as root: root can drop its privileges and start processes as another user account
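Here is what that looks like in practice, as an added example that is not part of the original answer. Root's cron job starts Tomcat as an unprivileged service account, and a dedicated group gets read access to the Catalina logs so the admin account can read them without sudo. The names CATALINA_HOME=/opt/tomcat, the service account "tomcat" and the log-reader group "tomcat-logs" are assumptions; adjust them to the real installation.

```shell
#!/bin/sh
# Added example, not from the original answer. Root's cron job starts Tomcat as
# the unprivileged service account, and a dedicated group gets read access to
# the Catalina logs so the admin user can read them without sudo.
# Assumed names: CATALINA_HOME=/opt/tomcat, service account "tomcat",
# log-reader group "tomcat-logs"; adjust to the real installation.

CATALINA_HOME="${CATALINA_HOME:-/opt/tomcat}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
LOG_GROUP="${LOG_GROUP:-tomcat-logs}"

# Called from root's crontab, e.g.:  @reboot /usr/local/sbin/tomcat-start.sh start
# runuser(1) switches uid, gid and supplementary groups to the service account
# before exec'ing catalina.sh, so the JVM never runs with root privileges.
# catalina.sh honours a UMASK variable; 027 keeps new log files group-readable only.
start_tomcat() {
    exec runuser -u "$TOMCAT_USER" -- env UMASK=027 "$CATALINA_HOME/bin/catalina.sh" run
}

# Let members of LOG_GROUP read the logs without making them world-readable.
# The setgid bit on the directory (2750) makes new log files inherit the group.
grant_log_access() {
    reader="$1"
    groupadd -f "$LOG_GROUP"
    usermod -aG "$LOG_GROUP" "$reader"          # takes effect at the reader's next login
    chgrp -R "$LOG_GROUP" "$CATALINA_HOME/logs"
    chmod 2750 "$CATALINA_HOME/logs"
    find "$CATALINA_HOME/logs" -type f -exec chmod 640 {} +
}

# Pure check usable on "ls -l" and "id" output: can USER read a file with the
# given mode string, owner and group? GROUPS is the user's comma-separated
# group list (e.g. "alice,adm,tomcat-logs"). Returns 0 (true) or 1 (false).
can_read() {
    mode="$1"; owner="$2"; group="$3"; user="$4"; groups="$5"
    if [ "$owner" = "$user" ]; then
        bit=$(printf '%s' "$mode" | cut -c2)           # owner read bit
    elif printf ',%s,' "$groups" | grep -qF ",$group,"; then
        bit=$(printf '%s' "$mode" | cut -c5)           # group read bit
    else
        bit=$(printf '%s' "$mode" | cut -c8)           # other read bit
    fi
    [ "$bit" = "r" ]
}

case "${1:-}" in
    start) start_tomcat ;;
    grant) grant_log_access "$2" ;;
    check) can_read "$2" "$3" "$4" "$5" "$6" && echo readable || echo "not readable" ;;
    *) : ;;   # no action: only define the functions (the file can be sourced)
esac
```

Run `tomcat-start.sh grant alice` once as root, then put the `@reboot ... start` line in root's crontab; after alice's next login, `can_read "-rw-r-----" tomcat tomcat-logs alice "$(id -Gn alice | tr ' ' ,)"` (or simply `less /opt/tomcat/logs/catalina.out`) confirms the logs are readable without sudo while remaining unreadable to other accounts.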

Related

Running Wildfly 10.1.0 with limited user permissions

I have a wildfly 10 install running on CentOS Linux 7.3.1611 with kernel 3.10.0-514.16.1.el7.x86_64.
Initially when I started running wildfly I was doing so as root in a domain configuration. I have decided to change this practice and configure it as a service. After configuring it as a service, and letting it run for a while I decided to create a user "wildfly", and make the appropriate changes to the systemd service config and directory permissions. Wildfly starts up properly and the application runs fine.
My issue starts when I try and create another server instance from the management console. The console records the server but it's never able to start. After some checking I found wildfly is unable to create server directories. This occurs even when having permissions to do so.
The only error I get is this one from /var/log/audit/audit.log:
type=ANOM_ABEND msg=audit(1507241312.223:19650): auid=4294967295 uid=994 gid=994 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 pid=8570 comm="java" reason="memory violation" sig=6
I have disabled SELinux, and checked the ACLs on all files in the directory structure. Any help would be greatly appreciated. Thanks in advance.

run shiny server as non-root

I installed shiny server in a virtual machine (ubuntu server 14.04.4 in VirtualBox).
shiny-server --version
Shiny Server v1.4.2.786
Node.js v0.10.40
All in all the server runs nicely and starts apps as intended.
The only thing I'm missing and failing to achieve is that shiny server is running as an unprivileged user. I even completely set up a new VM and shiny server to make sure no trial config changes still take effect.
I changed my config to not contain any folders one needs root permissions for:
$ cat /etc/shiny-server/shiny-server.conf
# Instruct Shiny Server to run applications as the user "shiny"
run_as shiny;
# Define a server that listens on port 3838
server {
  listen 3838;
  # Define a location at the base URL
  location / {
    # Host the directory of Shiny Apps stored in this directory
    # site_dir /srv/shiny-server;
    site_dir /home/shiny/shiny_sitedir/apps;
    # Log all Shiny output to files in this directory
    # log_dir /var/log/shiny-server;
    log_dir /home/shiny/shiny_sitedir/logs;
    # When a user visits the base URL rather than a particular application,
    # an index of the applications available in this directory will be shown.
    directory_index on;
  }
}
# privileges of shiny user
uid=1000(shiny) gid=1000(shiny) groups=1000(shiny),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
# owner of /etc/shiny-server
-rw-r--r-- 1 root root shiny-server.conf
# trying to start shiny server as user shiny without sudo
$ start shiny-server
start: Rejected send message, 1 matched rules; type="method_call", sender=":1.6" (uid=1000 pid=1134 comm="start shiny-server ") interface="com.ubuntu.Upstart0_6.Job" member="Start" error name="(unset)" requested_reply="0" destination="com.ubuntu.Upstart" (uid=0 pid=1 comm="/sbin/init ")
The server log tells me the same I see from the htop output that shiny server runs as root. (A side note: shiny server still uses /var/log/shiny-server.log instead of /home/shiny/shiny_sitedir/logs, which annoys me as well)
[...] [INFO] shiny-server - Shiny Server v1.4.2.786 (Node.js v0.10.40)
[...] [INFO] shiny-server - Using pidfile /var/run/shiny-server.pid
[...] [INFO] shiny-server - Using config file "/etc/shiny-server/shiny-server.conf"
[...] [WARN] shiny-server - Running as root unnecessarily is a security risk! You could be running more securely as non-root.
[...] [INFO] shiny-server - Starting listener on 0.0.0.0:3838
The shiny server documentation http://docs.rstudio.com/shiny-server/#running-shiny-server-with-root-privileges ships out a list of requirements to be fulfilled for non-root usage. Actually it defines states in which the shiny server needs to run as root:
If user_apps or user_dirs is enabled for any location. In order to host applications as various users, Shiny Server must have root privileges.
check. My shiny-server.conf neither uses user_apps nor user_dirs
If your configuration uses run_as to spawn applications as multiple different users.
check. run_as defines shiny as the only user
If you're running any server on a privileged port (a port in the range of 1-1024).
check. shiny server listens on port 3838
Although I think the installation fulfils the requirements shiny server still runs as root.
How do I force shiny server to run as the shiny user, or even as a user not part of the sudoers group?
Does the shiny-server.conf need to be located anywhere else?
How would I make shiny-server aware of this new location then?
Do I need to change anything in /opt/shiny-server/config/ or any permissions on /etc/shiny-server/?
Edit after a comment by @warmoverflow: I moved /etc/init/shiny-server.conf to ~/.init. Now, shiny server does not start automatically at boot up. But neither does start shiny-server succeed, because upstart is not aware of the ~/.init folder. From some forum posts it seems that dbus needs to start, which it usually does by starting a graphical environment. As I'm running Ubuntu server this doesn't happen. Creating the two files mentioned in the upstart manual http://upstart.ubuntu.com/cookbook/#session-init doesn't help either, because the jobs fail to start.
Does anybody have a hint how to proceed or where I could find some information?
If your only goal is to ensure that shiny-server is running as non-root, and you are okay with starting shiny-server using sudo (even if it's started with sudo, it can be running as a non-root user):
Edit /etc/init/shiny-server.conf, and
add the following two lines at the beginning:
setuid shiny
setgid shiny
Change the third-to-last line to:
exec shiny-server --pidfile=/home/shiny/shiny-server.pid >> /home/shiny/shiny-server.log 2>&1
Note that Shiny has two default log file locations.
/var/log/shiny-server.log contains the logs for the server itself, and is defined in /etc/init/shiny-server.conf
/var/log/shiny-server/ is the folder that contains log files for your applications, and is defined in /etc/shiny-server/shiny-server.conf.
Once you have made the changes above and also changed the run_as user, start shiny-server again with sudo start shiny-server, and you'll notice that shiny-server is in fact running as the non-root user, and the warning in the log file will be gone too.
I'm running Shiny Server v1.4.4.801 (Node.js v0.10.46). On this version shiny initialization is done via systemd.
To run shiny as a non-root user, one has to edit the /etc/systemd/system/shiny-server.service file.
Add setuid shiny and setgid shiny commands to ExecStart like this:
ExecStart=/bin/bash -c 'setuid shiny; setgid shiny; /opt/shiny-server/bin/shiny-server --pidfile=/var/run/shiny-server.pid >> /var/log/shiny-server.log 2>&1'
Now, one can start shiny server by typing systemctl start shiny-server.service.
Type systemctl enable shiny-server.service to autostart shiny-server on reboot.
Here's another way to do this with systemd, if you're willing to run shiny server on a higher port number (> 5000).
Run systemctl edit shiny-server.service and add:
[Service]
User=shiny
Group=shiny
UMask=027
Then systemctl stop shiny-server.service and edit /etc/shiny-server/shiny-server.conf and change it to listen 8383;.
If you haven't already, do:
chown -R shiny:shiny /var/log/shiny-server* /etc/shiny-server
chmod -R u+rwX,g+rX,o-rwx /var/log/shiny-server* /etc/shiny-server
Start the service and it should be running as the service account user/group.
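The User=/Group= drop-in in the last answer is the systemd-native way to do this, and it is worth noting why the `bash -c 'setuid shiny; setgid shiny; ...'` form in the answer before it does not achieve the same thing: `setuid` and `setgid` are Upstart stanzas, not shell commands, so bash reports "command not found" and the `;` list carries on launching the server as root. The script below is an added example (not from any of the answers or from the Shiny Server project): it writes the drop-in that `systemctl edit` would create, with a few extra hardening directives, and then audits a unit directory for services that would still run as root. The unit name shiny-server.service, the account shiny:shiny and the unit directory /etc/systemd/system are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original answers. Writes a User=/Group= drop-in
# for a systemd service with a few hardening directives, and audits a unit
# directory for services that would still run as root.
# Assumed: unit shiny-server.service, account shiny:shiny, unit dir /etc/systemd/system.

# Write the override that "systemctl edit UNIT" would create under DIR.
write_dropin() {
    dir="$1"; unit="$2"; user="$3"; group="$4"
    mkdir -p "$dir/$unit.d"
    cat > "$dir/$unit.d/override.conf" <<EOF
[Service]
# Unprivileged identity; the listener must then use a port >= 1024.
User=$user
Group=$group
# New files get mode 640: owner rw, group r, others nothing.
UMask=027
# The service and its children cannot gain privileges through setuid binaries.
NoNewPrivileges=yes
# /usr, /boot and /etc become read-only; /var/log and /var/run stay writable.
ProtectSystem=full
PrivateTmp=yes
EOF
}

# Effective value of KEY for UNIT: the unit file plus its drop-ins, last
# assignment wins (systemd semantics). Prints nothing when the key is unset.
service_key() {
    dir="$1"; unit="$2"; key="$3"
    cat "$dir/$unit" "$dir/$unit.d"/*.conf 2>/dev/null | sed -n "s/^$key=//p" | tail -n 1
}

# List the units in DIR that have no User= line or User=root, one per line.
# Returns 0 when at least one such unit exists, 1 otherwise.
units_running_as_root() {
    dir="$1"; found=1
    for f in "$dir"/*.service; do
        [ -f "$f" ] || continue
        unit=${f##*/}
        case "$(service_key "$dir" "$unit" User)" in
            ""|root) printf '%s\n' "$unit"; found=0 ;;
        esac
    done
    return "$found"
}

case "${1:-}" in
    apply) write_dropin /etc/systemd/system shiny-server.service shiny shiny
           systemctl daemon-reload && systemctl restart shiny-server.service ;;
    audit) units_running_as_root /etc/systemd/system ;;
    *) : ;;   # no action: only define the functions (the file can be sourced)
esac
```

`service-user.sh apply` writes the drop-in and restarts the service; `service-user.sh audit` prints every unit in /etc/systemd/system that still runs as root, which is a quick way to confirm the change took and to catch other services in the same state. The directives beyond User, Group and UMask are additional hardening; ProtectSystem=full leaves /etc/shiny-server readable, which is all the server needs, but check the service still starts cleanly after adding them. Units that use DynamicUser= are reported by the audit even though they do not run as root; extend the `case` if that matters on the host.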

How to set ownership for apache under linux (centOS)?

I want to install and use prestashop, but right now it only works correctly when I set permissions to 777 (I can log in to the server via shell with root privileges). While installing I get this error: "recursive write permissions for apache user on..." and it only works for permissions set to 777. I don't like this idea because after installation I can't even change back to 755 or 775. I also get the problem partly solved when I change the user ownership to apache, but then I can't do anything with my ftp client in that folder.
The user owner is ftp and the group owner is psacln. How should I change the membership of the folders so I can work both through ftp and allow apache to do things with presta files (and of course have the permissions set no higher than 775)? BTW, do I have to restart a server when adding or removing a user's membership of the group?
This should fix your problem.
ssh root@ip_address
chown -R www-data:ftp /var/www/prestashop
You don't need to restart the server.
Optional:
service apache2 reload
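As an added example (not part of the answer above), here is a script that gives the FTP account and the httpd worker shared access to the web root through a common group instead of 777, and an audit helper that lists world-writable leftovers. The web root /var/www/prestashop, the FTP account "ftp" and the group "psacln" are taken from the thread; the httpd account "apache" is assumed, since that is the user the CentOS httpd package runs as (the Debian/Ubuntu equivalent is www-data, which the answer uses).

```shell
#!/bin/sh
# Added example, not from the original answer. Gives the FTP account and the
# httpd worker shared access to a web root via a common group instead of 777,
# and audits the tree for world-writable leftovers.
# Assumed: web root /var/www/prestashop, FTP account "ftp", group "psacln"
# (from the question), httpd account "apache" (the CentOS httpd package's user).

WEB_ROOT="${WEB_ROOT:-/var/www/prestashop}"
WEB_USER="${WEB_USER:-apache}"
FTP_USER="${FTP_USER:-ftp}"
WEB_GROUP="${WEB_GROUP:-psacln}"

# Files stay owned by the FTP account; the group is shared with httpd.
# Directories get 2775 (setgid: new files inherit the group) and files 664,
# so nothing exceeds the 775 the asker wants and "others" never get write access.
apply_shared_perms() {
    usermod -aG "$WEB_GROUP" "$WEB_USER"
    chown -R "$FTP_USER:$WEB_GROUP" "$WEB_ROOT"
    find "$WEB_ROOT" -type d -exec chmod 2775 {} +
    find "$WEB_ROOT" -type f -exec chmod 664 {} +
    # A process reads its supplementary groups when it starts, so httpd must be
    # restarted (a reload is not enough) to become a member of the new group.
    service httpd restart
}

# Audit: list entries below DIR that are writable by "others" (what a
# recursive 777 leaves behind). Symlinks are skipped; their mode is meaningless.
world_writable() {
    find "$1" ! -type l -perm -002
}

# Number of world-writable entries below DIR, as a plain number.
world_writable_count() {
    world_writable "$1" | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) apply_shared_perms ;;
    audit) world_writable "${2:-$WEB_ROOT}" ;;
    *) : ;;   # no action: only define the functions (the file can be sourced)
esac
```

Run `webperms.sh apply` as root once, then `webperms.sh audit` should print nothing; any path it does print is still writable by every local account. Files that httpd itself creates (cache, uploads) take httpd's umask, so if the FTP account must also edit those, httpd needs a umask of 002 in its service environment; otherwise they come out 644 and only the apache account can write them.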

Do I need root access for Chef deployment scripts execution

Do I need to have root access for deploying my application on Linux through Chef-solo? Though the Chef solo was installed previously by a user with root privileges.
Chef client is a typical Linux app. If someone installs it for you and adds +x privileges for your user on the chef-client file, and you can read and write to the chef temp folder, you can use it.
If you want to use chef-client with root privileges but don't want to use the root user, you can set the setuid and setgid bits on the chef-client file.

Units from non root user (for commands start/stop/enable/disable)

I want to execute my scripts at boot time through systemd (OS is Fedora Core 16) from some non-root user (e.g. michael).
I don't need root privileges - I only want to run at boot time and at shutdown time some of my units in systemd. And I don't want to turn on a root user for this. I only want to use power of systemd syntax of units for starting and watching for my process (of course without root access). Is it possible?
I didn't find any help in the documentation. I only found in systemd(1) -> DIRECTORIES -> "User unit directories":
$ pkg-config systemd --variable=systemduserunitdir
/usr/lib/systemd/user
But the /usr/lib/systemd/user is:
drwxr-xr-x. 2 root root
I cannot imagine how I can use this directory as a non-root user...
This Arch Linux document may help.
systemd offers users the ability to run an instance of systemd to
manage their session and services. This allows users to start, stop,
enable, and disable units found within certain directories when
systemd is run by the user. This is convenient for daemons and other
services that are commonly run as a user other than root or a special
user, such as mpd.
They suggest starting a systemd --user instance via xinit, but I suppose you want to start the user services regardless of whether the user is logged in.
I would normally do that by adding an @reboot line to my crontab.
From Wikipedia:
@reboot can be useful if there is a need to start up a server or
daemon under a particular user, and the user does not have access to
configure init to start the program.
Maybe you can start systemd --user via @reboot!!!
Create a user systemd unit file for 'michael'.
Here's the magic to ensure the user's systemd process will kick off at boot instead of at login:
loginctl enable-linger michael
Full details
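The two steps of that answer (a unit in the user's own unit directory, then enable-linger) carried through as an added example; this is not code from the answer or from systemd. The user name michael is from the question; the script path /home/michael/bin/myserver.sh and the unit name myserver.service are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Installs a unit in the per-user
# systemd instance for "michael" and makes it start at boot rather than at login.
# Assumed: user michael, script /home/michael/bin/myserver.sh, unit myserver.service.

# Per-user unit directory (XDG spec): ~/.config/systemd/user unless
# XDG_CONFIG_HOME is set. No root privileges are needed to write here.
user_unit_dir() {
    printf '%s/systemd/user\n' "${XDG_CONFIG_HOME:-$HOME/.config}"
}

# Write a user unit. The user instance has no multi-user.target; the target
# that "systemctl --user enable" hooks units into is default.target.
write_user_unit() {
    dir="$1"; name="$2"; exec_path="$3"
    mkdir -p "$dir"
    cat > "$dir/$name" <<EOF
[Unit]
Description=$name (runs in the user instance, no root privileges)

[Service]
ExecStart=$exec_path
Restart=on-failure

[Install]
WantedBy=default.target
EOF
}

# The [Install] target a unit file would be enabled into (empty if none),
# so a unit that "enable" would silently ignore can be spotted.
install_target() {
    sed -n 's/^WantedBy=//p' "$1" | tail -n 1
}

# loginctl records lingering as a file named after the user under
# /var/lib/systemd/linger; DIR overrides that path so the check can be tested.
linger_enabled() {
    [ -f "${2:-/var/lib/systemd/linger}/$1" ]
}

# Done once, as root: start the user's systemd --user instance at boot and keep
# it alive after logout. Without this the unit only runs while michael is logged in.
enable_boot_start() {
    loginctl enable-linger "$1"
}

case "${1:-}" in
    install)  # run as michael
        dir=$(user_unit_dir)
        write_user_unit "$dir" myserver.service "$HOME/bin/myserver.sh"
        systemctl --user daemon-reload
        systemctl --user enable --now myserver.service ;;
    linger)   # run as root
        enable_boot_start michael ;;
    *) : ;;   # no action: only define the functions (the file can be sourced)
esac
```

`user-unit.sh install` as michael, then `user-unit.sh linger` as root, and `linger_enabled michael` (or `loginctl show-user michael`) confirms the instance will come up at boot. The unit runs with michael's privileges only, which is the point of the question: no part of this needs the script itself to be root.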