0

My goal is to manage the startup of a number of applications with an application executed by a user with elevated permissions.

The plan is to have the startup manager (a node.js script using require('child_process').exec) cd to the home dir of the app user & su <app user> and then execute the startup as <app user>.

My foremost concern is security. For instance, could the <app user> exit back to startup manager user?

Are there any other concerns worth considering or caution to take with this approach?

JBG
  • 3
  • 1

1 Answers1

0

Once started as <app user>, your running application will only have the permissions that user has.

As for being able to exit, once your application has terminated, there isn't going to be anything to issue the exit.

I don't know what your script does, but generally speaking, the startup of applications is better managed by something like systemd. You can create a service file which does all the stuff you explained your script would do.

You can specify the user the service runs as, the application to start, the directory to start it in, etc.

Here's some good examples to get started with systemd service files: https://www.shellhacks.com/systemd-service-file-example/

Jamie Scott
  • 133
  • 4
  • Thanks for the thoughtful answer! The mgmt script moves some credentials into the app dir, starts the app, but before the app server starts listening for requests, the mgmt script moves the credentials out of the directory. I couldn't figure out how to do something like that with systemd, pm2, forever. – JBG Oct 26 '19 at 19:51
  • I see, so to do that I suggest a different approach which a lot of applications do (I've written some myself which do this). Store the credentials as environment variables for the user you will run the service as, you can then access these in your app. – Jamie Scott Oct 28 '19 at 16:30
  • You might like to give this a read: https://unix.stackexchange.com/questions/455261/how-to-set-environmental-variable-in-systemd-service – Jamie Scott Oct 28 '19 at 16:31