From: <o....@we...> - 2014-10-10 22:27:12
Hello list,

I noticed that the checkUser function uses "su - $RUN_AS_USER -c ..." to switch to the target user. This fails if that user does not have a valid login shell, e.g. /bin/false or /usr/sbin/nologin. On the other hand, such "shells" are usually the default for daemon accounts in many UNIX systems.

For GNU/Linux, this is easily fixed by using "su -s /bin/sh", overriding the user's default shell. Unfortunately, OS X's su does not have this option, so this is not a portable solution. The only portable way I found to circumvent the problem is to use "sudo -u $RUN_AS_USER ...", but I do not know whether this may cause problems on some systems/configurations.

I think it would be nice to be able to use such restricted system accounts for Java services, so what do you think would be the best solution? Using the "-s" switch on systems that support it and ignoring the problem on others? Or falling back to sudo on systems where the switch is missing?

Thanks for your great work,
opax
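The two options raised in the post (use "su -s" where it exists, fall back to sudo elsewhere) can be combined in one selection step. The following is an added example, not part of the original post and not code from the script it discusses. The function names is_nologin_shell, login_shell_of, pick_switch_method and run_as are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not code from the script discussed above.

# True if the login shell is a "no login" placeholder that makes "su -c" fail.
is_nologin_shell() {
    case "$1" in
        */false|*/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the login shell of user $1.
login_shell_of() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" | cut -d: -f7
    else
        # OS X has no getent; dscl prints "UserShell: /path".
        dscl . -read "/Users/$1" UserShell | awk '{print $2}'
    fi
}

# Print the method to use: su, su-s, sudo or none.
# $1 = login shell, $2 = output of "uname -s", $3 = path to sudo (optional).
pick_switch_method() {
    shell=$1
    os=$2
    sudo_path=${3-$(command -v sudo || true)}
    if ! is_nologin_shell "$shell"; then
        echo su
    elif [ "$os" = Linux ]; then
        echo su-s
    elif [ -n "$sudo_path" ]; then
        echo sudo
    else
        echo none
        return 1
    fi
}

# Run command string $2 as user $1 (caller is expected to be root).
run_as() {
    method=$(pick_switch_method "$(login_shell_of "$1")" "$(uname -s)") || method=none
    case "$method" in
        su)   su - "$1" -c "$2" ;;
        su-s) su -l -s /bin/sh -c "$2" "$1" ;;
        sudo) sudo -u "$1" /bin/sh -c "$2" ;;
        *)    echo "cannot switch to $1: no login shell and no sudo" >&2; return 1 ;;
    esac
}
```

On Linux, su honours -s for an account whose shell is not listed in /etc/shells only when the caller is root, so run_as fits the case where the service script itself is started as root.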