Menu
▾
▴
Re: [Wrapper-user] Problem with RUN_AS_USER and nologin-shell
|
From: Dannes W. <da...@ex...> - 2014-10-19 20:38:17
|
Hi, > On 11 Oct 2014, at 0:27 , o....@we... wrote: > > I noticed that the checkUser function uses "su - $RUN_AS_USER -c ..." to switch to the target user. This fails if that user does not have a valid login shell, e.g. /bin/false or /usr/sbin/nologin. On the other hand, such "shells" are usually the default for daemon accounts in many UNIX systems. For GNU/Linux, this is easily fixed by using "su -s /bin/sh", overriding the user's default shell. Unfortunately, OS X's su does not have this option, so this is not a portable solution. > > The only portable way I found to circumvent the problem is to use "sudo -u $RUN_AS_USER ...", but I do not know whether this may cause problems on some systems/configurations. > > I think it would be nice to be able to use such restricted system accounts for Java services, so what do you think would be the best solution? Using the "-s" switch on systems that support it and ignore the problem on others? Or fall back to sudo on systems where the switch is missing? I can not think of a good work around either, I hope some one can……. regards Dannes |
