I am attempting to create two /usr/local/etc/rc.d services, using rc.subr(8)() after reviewing https://docs.freebsd.org/en/articles/rc-scripting/. Service B's process must always run as
Problem 1:
After reboot,
What am I doing wrong? The following has been minimally modified from the actual code:
Problem 2:
(I think this is related, but can create a separate thread if needed.) When I start the service manually using
root
, while service A's process must always run as another less privileged user ( some_user
). The other user must be allowed to start and stop both services. The other user has been created and added to the wheel
group.Problem 1:
After reboot,
ps -A -j
shows actual_process_a
running as root
isntead of some_user
. If I change my service to use su some_user -c "actual_process_a start"
, then it shows running as some_user
, but according to rc.subr(8)(), setting the ${name}_user
should do that automatically. What am I doing wrong? The following has been minimally modified from the actual code:
Code:
#!/bin/sh
# PROVIDE: hello_world
# REQUIRE: LOGIN
. /etc/rc.subr
name="hello_world"
procname="hello_world"
desc="Hello World"
rcvar="hello_world_enable"
start_cmd="startit"
stop_cmd="stopit"
load_rc_config "${name}"
: ${hello_world_enable:="YES"}
: ${hello_world_user="some_user"}
# (Sourcing environment variables here...)
startit()
{
# (Extra preparation here)
# The following would work, but should not be necessary according to the man page:
# su some_user -c "actual_process_a start"
actual_process_a start
}
stopit()
{
actual_process_a stop
# (Cleanup here)
}
run_rc_command "$1"
Problem 2:
(I think this is related, but can create a separate thread if needed.) When I start the service manually using
service hello_world_a start
, the process always runs as the user I ran that command as. I'm hoping that will be solved with ${name}_user
(similar to how a Windows service has Log On configuration), but if not, is there a recommended way to handle this?- Using chmod() to set the
setuid
bit did not seem to work. I'm guessing that FreeBSD does not allow this for interpreted scripts. - Using
su
within the service directly works to always run the service assome_user
, but won't work forroot
- As a last resort, I could use sudo() and add
some_user
to sudoers (), but I think this is giving too many privileges to the restricted user.