I have installed ircd-hybrid on my new CentOS 7 box, and I can run it fine via my normal user, but I want to run it as its own user with reduced permissions (i.e., no write access outside /etc/ircd). After hours of trial and error and Google, I've found these methods:
su - <user> -c <command>
This fails because I want to run as a user that doesn't have a shell or password, such as "nobody", and this asks for a password (thus always failing).
daemon --user=<user> <command>
This fails because "daemon" is a function in /etc/init.d/functions, not a command, so it's not found when running via sudo (which is required to run the script at all) or a boot script.
runuser -u <user> <command>
sudo -u <user> <command>
These are close, and so far as I can tell work the same way. If I run with no options, it works:
sudo -u nobody '/etc/ircd/ircd'
But because it has no config file, ircd just exits immediately, or at least I assume that's what happens. ps -aux | grep irc returns only the grep process, even when run as my normal user.
sudo -u nobody '/etc/ircd/ircd -configfile /etc/ircd/ircd.conf -logfile /var/log/ircd/ircd.log'
This, however, with either 1 or both arguments, returns:
sudo: /etc/ircd/ircd -configfile /etc/ircd/ircd.conf -logfile /var/log/ircd/ircd.log: command not found
If I run the same command, minus sudo -u nobody, it works exactly as expected.
What did I miss? Why in the bloody hells is it so hard to start a daemon as another user?
Update: Thanks to Arthur2e5's comment, this works as a direct command to start the daemon as "nobody" (omit quotes):
sudo -u nobody /etc/ircd/bin/ircd -configfile /etc/ircd/ircd.conf -logfile /var/log/ircd/ircd.log
However, my original goal was to run this as a startup script, and sudo is not an option there (Jun 13 07:03:00 coldcandor.com sudo[5335]: sudo: sorry, you must have a tty to run sudo). runuser seems to be the only way to go in that case, but if I try that the same way, I get:
$ runuser -u nobody /etc/ircd/bin/ircd -configfile /etc/ircd/ircd.conf -logfile /var/log/ircd/ircd.log
runuser: invalid option -- 'o'
Usage:
runuser [options] -u <USER> COMMAND
runuser [options] [-] [USER [arg]...]
Trying the alternate syntax isn't helping (when run from the root account, since runuser requires root to run):
$ runuser - nobody /etc/ircd/bin/ircd -configfile /etc/ircd/ircd.conf -logfile /var/log/ircd/ircd.log
runuser: invalid option -- 'o'
$ runuser - nobody '/etc/ircd/bin/ircd -configfile /etc/ircd/ircd.conf -logfile /var/log/ircd/ircd.log'
This account is currently not available.
What's the last bit of magic?
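
Added example, not part of the original post: the "invalid option -- 'o'" error above is what a getopt-style parser produces when single-dash long arguments such as -logfile are read as bundled short options, and a "--" separator stops that. The sketch reproduces the parse with the getopt(1) utility; the option string OPTS is an assumed subset of runuser's short options, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo: reproduce, with the getopt(1) utility, how a getopt-style
# parser treats the ircd arguments from the post. OPTS is an assumed subset of
# runuser's short options (-c CMD, -l, -u USER), not its full option string.
OPTS='c:lu:'

# parse_like_runuser ARGS...: print the normalized argument list on stdout,
# parser errors on stderr, and return getopt's exit status.
parse_like_runuser() {
    getopt -n runuser -o "$OPTS" -- "$@"
}

# Form from the post: no "--", so -configfile is read as "-c onfigfile" and
# -logfile as "-l" followed by the unknown option "-o".
broken() {
    parse_like_runuser -u nobody /etc/ircd/bin/ircd \
        -configfile /etc/ircd/ircd.conf -logfile /var/log/ircd/ircd.log
}

# Same arguments with "--" after the user name: option parsing stops there
# and everything that follows is passed through untouched.
fixed() {
    parse_like_runuser -u nobody -- /etc/ircd/bin/ircd \
        -configfile /etc/ircd/ircd.conf -logfile /var/log/ircd/ircd.log
}

echo "without --:"; broken || echo "  -> parser rejected the command line"
echo "with --:";    fixed  && echo "  -> arguments reach the daemon intact"

# Corresponding invocations, run as root (not executed by this demo):
#   runuser -u nobody -- /etc/ircd/bin/ircd -configfile /etc/ircd/ircd.conf \
#       -logfile /var/log/ircd/ircd.log
#   runuser -s /bin/sh nobody -c '/etc/ircd/bin/ircd -configfile \
#       /etc/ircd/ircd.conf -logfile /var/log/ircd/ircd.log'
```

The second commented form covers the "This account is currently not available" case: that message is printed by the nologin shell assigned to the account, and -s substitutes a real shell for that one invocation.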