14

I want a user to run a specific process on the system with a negative nice value. I can't simply fork the process to background as this specific program is a minecraft server and I rely on the command line to control the server.

My current bash script looks like this (the important part):

sleep 10 && \
sudo renice -n $NICENESS $(ps -u $(id -u) -o "%p:%c" | sed -n "s/:java$//p") & \
java -Xmx8G -Xms2G -jar minecraft_server.jar nogui    

sleep simply delays execution of renice. renice itself uses ps to check for a java process using the user's own ID. There might be other instances of java spawning under different users, but the minecraft server runs under its own user, minecraft.

I obviously don't want to enter a password every time I start the server.
From /etc/sudoers:

minecraft ALL = NOPASSWD: /etc/renice

Is there a more elegant way to do this? Simply using nice is not an option, sudo nice bash in combination with the NOPASSWD: option would be a great security issue.

Gilles 'SO- stop being evil'
Baarn

2 Answers

12

The pam_limits.so module can help you there.

It allows you to set certain limits on specific individual users and groups or wildcards or ranges of users and groups.

The limits you can set are typically ulimit settings but also on the number of concurrent login sessions, processes, CPU time, default priority and maximum priority (renice). Check the limits.conf man page for more.

For example, you can configure your mindcraft group to have all their processes started with an increased default priority, and you can allow them to use the nice and renice commands to increase the priority of their important jobs manually as well, instead of only reducing priority.

# /etc/security/limits.conf
# increase default and max prio for members of the mindcraft group
@mindcraft   hard priority -10
@mindcraft   hard nice     -18   
HBruijn
  • 4
    Setting only the hard limit for `nice` doesn't seem to do it, I had to set both, using `-`. – Baarn Nov 28 '13 at 14:38
  • 1
    Doesn't seem to work for me at all on Ubuntu 16.04. I've set `priority` to -10 and `nice` to -15 and I always get "permission denied" even when I try to use "nice -n -2" on something. Do I have to reboot? I just logged out and in again as per [this advice](https://unix.stackexchange.com/a/108605/83666). – IpsRich Jul 05 '19 at 12:25
  • 1
    Update on my previous post... Since rebooting I've discovered that the `priority` setting does have effect, but the `nice` setting only allows me to reduce the priority. When I start something with the default priority, it's now -10. I can `renice` the process to -9 but then can't `renice` it back to -10. – IpsRich Jul 08 '19 at 11:12
  • Update 2: I've worked it out! It was using `hard` that caused the problems. I changed it to `-` instead and all works fine now. [This answer](https://unix.stackexchange.com/a/300066/83666) helped me get to the bottom of it. I think the problem was that I had a soft limit that was getting in the way, perhaps overriding the hard limit somehow. Anyway, `-` instead of `hard` fixed it for me. – IpsRich Jul 08 '19 at 12:48
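
Added example, not part of the answer or its comments: a small shell check of which nice floor a limits.conf text actually grants, comparing the `hard`-only entries from the answer with the `-` form the comments settled on. The function names and the two sample texts are constructed for illustration, and it assumes an unset soft limit stays at the usual inherited RLIMIT_NICE default of 0.

```bash
#!/usr/bin/env bash
# Added example (not from the original posts): which nice floor does a
# limits.conf text give a domain? Sample entries below are constructed.
HARD_ONLY='# form used in the answer
@mindcraft   hard priority -10
@mindcraft   hard nice     -18'
DASH_BOTH='# form the comments settled on
@mindcraft   -    priority -10
@mindcraft   -    nice     -18'

# nice_limit CONF DOMAIN soft|hard -> configured nice value, or "unset"
nice_limit() {
  printf '%s\n' "$1" | awk -v dom="$2" -v want="$3" '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    $1 == dom && $3 == "nice" && ($2 == want || $2 == "-") { v = $4 }
    END { print (v == "" ? "unset" : v) }'
}

# to_rlimit NICE -> RLIMIT_NICE value (20 - nice), the number `ulimit -e` shows
to_rlimit() { echo $((20 - $1)); }

# can_lower_to CONF DOMAIN NICE -> exit 0 if a process may lower itself to NICE.
# The kernel compares against the soft limit; an unset soft limit is assumed
# to stay at the usual inherited default of 0, which permits no lowering.
can_lower_to() {
  local soft cur=0
  soft=$(nice_limit "$1" "$2" soft)
  [ "$soft" = unset ] || cur=$(to_rlimit "$soft")
  [ "$(to_rlimit "$3")" -le "$cur" ]
}

for conf in "$HARD_ONLY" "$DASH_BOTH"; do
  if can_lower_to "$conf" @mindcraft -15; then verdict=allowed; else verdict=denied; fi
  echo "soft=$(nice_limit "$conf" @mindcraft soft) hard=$(nice_limit "$conf" @mindcraft hard) nice -n -15: $verdict"
done
```

With the `-` entries applied at login, `ulimit -e` in the user's shell reports 38, the RLIMIT_NICE equivalent of nice -18.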
3

Using renice without sudo would be impossible. I quote from the renice(1) man page:

Users other than the super-user may only alter the priority of processes they own, and can only monotonically increase their ``nice value'' (for security reasons) within the range 0 to PRIO_MAX (20), unless a nice resource limit is set (Linux 2.6.12 and higher).

Joseph R.