is it a bug in systemd? - linux

I'm trying to run my utility using systemd. The settings have the following values:
[Unit]
Description="My Service"
[Service]
WorkingDirectory=/etc/myutil
Group=user1
User=user1
ExecStart=/bin/myutil
TimeoutSec=120 Restart=always
[Install]
WantedBy=multi-user.target
So the service starts, but I need the StandardInput=tty parameter to be specified. If you can specify this parameter, the service will start by the root user, not by the specified user. I am using Ubuntu 18.04 LTS.

Check permission for /dev/tty, and user1 groups
$ ls -l /dev/tty
$ id user1
I expect something like:
$ ls -l /dev/tty
crw-rw-rw- 1 root tty 5, 0 Jul 9 13:48 /dev/tty
$ id user1
uid=1234(user1) gid=10001(user1) groups=10001(user1),some_group(10002)
If I'm right You need add user1 to tty group
$ sudo usermod -a -G tty user1
Now You should can use tty as user1.

Related

How to set specific user can run certain root command in redhat

i want to ask for a specific user to use certain root commands in redhat?
my server run redhat OS 7.6. i dont have any idea how to set a user that can run certain commands from root.
let say i have one user id name MY_CIT, so MY_CIT can run certain commands for example to create print queue #lpadmin -p printer -v socket://printer:9100 -E
so MY_CIT no need root access to trigger the command.
Anyone experience on this? kindly help. thanks
You'll be able to use file ACLs. As a test I removed execute permissions from the nano command, just to show how this will work.
You won't need to do this, however, you will need root permissions to the machine. Instead of nano, use 'lpadmin' as per your requirements
[root#server bin]# chmod o-x /bin/nano
[root#server bin]# ls -lah /bin/nano
-rwxr-xr-- 1 root root 202K Jun 10 2014 nano
To test, we change to user1 and try use nano to edit a file:
[user1#server ~]$ nano file1
-bash: /bin/nano: Permission denied
Now, as root again, we add an ACL to the nano program. This allows only user1 to execute the program.
[root#server bin]# setfacl -m u:user1:x /bin/nano
Display ACL with getfacl:
[root#server bin]# getfacl /bin/nano
getfacl: Removing leading '/' from absolute path names
# file: bin/nano
# owner: root
# group: root
user::rwx
user:user1:--x <<-- Note this
group::r-x
mask::r-x
other::r--
As user1, we are able to use the nano program, but not as user2:
[user1#server ~]$ nano file1
[user1#server ~]$ ls
file1
[user1#server ~]$ exit
logout
[root#server bin]# su - user2
[user2#server ~]$ nano file1
-bash: /bin/nano: Permission denied
ACLs allow admins to extend permissions past just user/group/other. You're able to set permissions for specific users on the system.
Run command with a root privilege:
sudo visudo
It opens file /etc/sudoers for edit.
Add this line at the end of the file (and after keep one blank line):
MY_CIT ALL = NOPASSWD: /usr/sbin/lpadmin
where:
MY_CIT - name of your user
/usr/sbin/lpadmin - path to executible file. Note please that in your distro path can be different. You can check this with command whereis lpadmin.
After user can run command lpadmin with arguments with sudo without password:
sudo lpadmin ...

-su: /dev/tty: No such device or address

could please someone explain to me why this happens?
# su - someone -s /bin/bash -c "ls -la /dev/tty"
crw-rw-rw- 1 nobody nogroup 5, 0 Dec 7 20:53 /dev/tty
# BUT:
# su - someone -s /bin/bash -c "echo hello > /dev/tty"
-su: /dev/tty: No such device or address
I'm trieng to build a docker Container which has two services inside. Those services a startet by a Shell-Script:
CMD ["./starter.sh"]
Withing the Dockerfile I have redirected the Logs to /dev/stderr or /dev/tty
# None of the following works:
RUN ln -sf /dev/tty /var/log/thelog.log
RUN ln -sf /dev/stdout /var/log/thelog.log
RUN ln -sf /dev/stderr /var/log/thelog.log
The problem is that I'm trying to run one of the services as not root (su -
someone -c "service"), which give's the following error:
unable to open log file [/var/log/thelog.log]: [6] No such device or address
How could I solve this problem? I want the logs to be linked to /dev/* AND want to run the User as non-root. Also I tried to add the User to the group tty, which did not work out.
Thanks.
The manpage for su states that the executed command will have no controlling terminal. Any writes to /dev/tty will return the ENXIO error:
$ errno ENXIO
ENXIO 6 No such device or address
sudo does allocate a controlling terminal:
sudo -u someone /bin/bash -c "echo hello > /dev/tty"
There's no need for you to make a symbolic link to /dev/tty (/dev/stdout and /dev/stderr is enough) or use sudo if you use the USER directive in the Dockerfile or supervisor.

Handle permissions with groups in linux

I can't understand how exactly this works in Linux.
For example, I want only users in some group have access to execute some file (I hope this is possible without visudo).
I create a system user and system group like:
useradd -K UID_MIN=100 -K UID_MAX=499 -K GID_MIN=100 -K GID_MAX=499 -p \* -s /sbin/nologin -c "testusr daemon,,," -d "/var/testusr" testusr
I add my current user user to the group testusr (may be not cross platform):
adduser user testusr
I create some test shell file and set permissions:
touch test.sh
chmod ug+x test.sh
sudo chown testusr:testusr test.sh
But I still can't start test.sh as user:
./test.sh
-> Error
Now I look for some system groups like cdrom to check how they work. My user is in cdrom group and can use the cd rom on my computer:
$ ls -al /dev/cdrom
lrwxrwxrwx 1 root root 3 апр. 17 12:55 /dev/cdrom -> sr0
$ ls -al /dev/sr0
brw-rw----+ 1 root cdrom 11, 0 апр. 17 12:55 /dev/sr0
Addition:
./test.sh command starts to work as I want after system reboot. Strange...
I'm on Ubuntu Studio 15.10
The group changes are reflected only upon re-login.

Execute under different user on FreeBSD

I am logged in as root in a freebsd (10) box and I am trying to execute a script (or any command) as another user, but I get: "su: Sorry"
root#vm ~ # whoami
root
root#vm ~ # cat /etc/passwd
#...
myuser:*:1001:1001:my name:/home/myuser:/usr/local/bin/bash
#...
root#vm ~ # su -m myuser -c '/bin/ls /tmp'
su: Sorry
root#vm ~ # su -m myuser
su: Sorry
su - is used to elevate access level. for example myuser executes as root.
You are trying it reverse way. myuser is not member of "wheel" group.
Also it looks like root is not am member of "wheel" too.
post what do you have in passwd for root?
Run as different user under FreeBSD
I figured out how to do it: I installed the port security/sudo, and then I used sudo -u myuser.

Permission denied writing in directories with g+w mode on ubuntu

On ubuntu 10.04.4 server, I did this:
sudo mkdir -p /data/somedir
sudo chown -R www-data.www-data /data/somedir
sudo chmod -R g+w /data/somedir
sudo usermod -a -G www-data john ##john is current login user.
. With these operations done, I suppose to have write permission in /data/somedir. But when I did this:
echo "123" > /data/somedir/123
, I got:
-bash: /data/somedir/123: Permission denied
The ls -l output:
$ ls -l /data/
total 4
drwxrwxr-x 2 www-data www-data 4096 2012-04-24 22:30 somedir
Question is: why? Is there something I still need to do after that?
Changes made with usermod only take effect on following logins; your existing login session does not yet have the www-data group, as you can verify with id. It is not easy to alter the identity of running processes (newgrp might work); the easiest way to deal is to log out and back in.

Resources