Running OpenDeploy as Non-Root

It's been a while since I've had to do this - and I may find the answer to this empirically myself, but just in case ...

Environment: TS / LS / OD 7.4.1.0 (potentially going to 7.4.1.2) on RHEL 6

Task: The customer does not want OpenDeploy running as root

Generally speaking, I know about the iwodnonroot CLT and have read the OD Admin Guide - but am a bit confused about two parts of the instructions:

1) After you run the iwodnonroot command, the documentation says:

"Start the OpenDeploy service as the non-root user ..." followed closely by: "NOTE: if you start the OpenDeploy service as root from the command line after configuring it to be run as non-root user, you must re-run the iwodnonroot command ...."

2) Following that is the section on configuring OpenDeploy to automatically start up as non-root after reboot. After you go through the whole process of creating the iwodserver_boot and iwodserver_boot_wrap and making all the symlinks and such, it says:

"To start and stop OpenDeploy after booting, use the following script:

/etc/init.d/iwodserver

rather than the script:

/etc/init.d/iwodserver_boot_wrap

..."

It doesn't state it clearly (to me) but since we would be using a sevice-account, where we don't have the password, and thus cannot login as them - we'd probably be using sudo, and if we run /etc/init.d/iwodserver via sudo (as root) - doesn't that defy the earlier "Note" and mean that we'd have to re-run the whole iwodnonroot process over again?

Or does it somehow magically set things up so after reboot, running /etc/init.d/iwodserver will actually perform the "su <non-root-user> -c ...." command??

I'm concerned because it's very easy to forget you have something set up as non-root and to run the commands you are used to running via sudo (as root) and not realize that you just broke something that was previously configured to run as non-root.

Find more posts tagged with

Comments

Adam Stoller

Follow on query:

It says to make sure that /var/lock/subsys (a directory) is world-executble (775) - however, right now I'm looking at a directory that is 755 (so not group-writable) and is owned by root:root.

Is it sufficient that everyone can read / execute within that directory, or will the non-root user that is being used to run OpenDeploy need to have write permissions within that directory too?

I.e.: should we make sure that the mode bits are 775 instead of 755 and also make sure to chgrp the directory to be owned by the same group as the service account's primary group?

David Smith

I realize this is a month old, but I rarely venture outside the TS forum. For what it's worth, we have only ever used iwodserver_boot_wrap to run OD as a non-root user and it just works. The mode on the /var/lock/subsys directory is, and always has been, 755 and I see this message everytime we start OD: touch: cannot touch `/var/lock/subsys/iwod': Permission denied

Bottom line, OD runs as our non-root user and I've noticed no issues regarding the lock file. I've never used any other script than iwodserver_boot_wrap to start or stop OD. It just works.

Adam Stoller

I forgot I had posted this :-)

We ended up doing a chmod 775 and chgrp <non-root-group> on the /var/lock/subsys directory - seems to work just fine with no errors in the od.log file.

Also, with regard to the dire warning about having to do things over again if you started the process as root: as near as I can tell, if you [accidently] run /etc/init.d/iwodserver start (as root), you can can stop it and then run /etc/init.d/iwodserver_boot_wrap start without any problems, though it is possible that some log files might have their ownership changed as part of the root-startup - and that's probably the only thing you'd need to fix (a simple chown of the log files should be sufficient).

Although not really definitive, I guess I'll mark this post as the "solution"