Menu
▾
▴
Re: [Moosefs-users] Caveats to running MFS under root
|
From: Michał B. <mic...@ge...> - 2010-07-07 10:50:12
|
Hi! Generally speaking, MooseFS should not be run as a user nobody. If user nobody has some other services running and if somebody gets control over one service, it can interfere other services run on the same user. We recommend just creating a user mfs and a group mfs. Regards Michał > -----Original Message----- > From: Laurent Wandrebeck [mailto:lw...@hy...] > Sent: Tuesday, July 06, 2010 3:23 PM > To: Stas Oskin; moo...@li... > Subject: Re: [Moosefs-users] Caveats to running MFS under root > > On Tue, 6 Jul 2010 15:30:06 +0300 > Stas Oskin <sta...@gm...> wrote: > > Don't forget the list™, grmbl :) > > > From a security point of view, do not ever do that if you can avoid > > > it, which is the case for every moosefs server. > > > > > > > It's clear, I'm just using in testing environment I wanted just to run > > it quickly. > you just need to put a value in line WORKING_USER = of the config file. > Difficult to make it quicker, isn't it ? :) > > > > By the way, can the MFS really run well under the nobody account? > Don't know, I only tested under a regular user. Try and tell us ? :) > > Just an advice, it worth adding the rights setting for metadata > > folders in the RPM you made. > It seems difficult to me, as user it runs with is configurable. Or did I > misunderstood your point ? > > The storage folders on chunkservers could be set manually later. > > > > > > > The cgi server does not have (yet ?) a config file to allow you to > > > specify which user you want to run the server with, but it runs fine > > > being launched by any regular user, as the port by default it uses > > > (9425) is unprivileged. > > > > > > > Speaking of, how you running the CGI? > > I've routed it through Lighttpd CGI interface, perhaps there is another way? > you can just run /usr/sbin/mfscgiserv > Regards, > -- > Laurent Wandrebeck > HYGEOS, Earth Observation Department / Observation de la Terre > Euratechnologies > 165 Avenue de Bretagne > 59000 Lille, France > tel: +33 3 20 08 24 98 > http://www.hygeos.com > GPG fingerprint/Empreinte GPG: F5CA 37A4 6D03 A90C 7A1D 2A62 54E6 EF2C D17C > F64C |
