Running monit as a restricted user and making it watch a process that needs root privileges

Submitted by 旧街凉风 on 2019-12-06 10:33:08

Question


I have a specific script written in Ruby that needs root privileges. Most of the other processes don't need that and so were easy to set up in Monit. Not this one.

The server needs to listen at 386, and this port is only available for root. I won't get into the details of why, because 1) I'm not a low-level kind of guy, 2) It worked fine so far when using sudo.

The monit configuration file is simple and looks like this:

set logfile syslog facility LOG_daemon # Default facility is LOG_USER
set mailserver smtp.sendgrid.net
        username "blah", password "blah"
        with timeout 20 seconds
set alert blah@bleh.com
set logfile /home/deploy/monit.log


check process ldapserver
     with pidfile /var/pids/ldap_server.pid
     start program = "/usr/local/bin/ruby /var/lib/ldap_server.rb"
     stop program = "/bin/sh"

Note: I've put /bin/sh in the stop program because there's not a stop program for this process.

If I put like this:

start program = "/usr/local/bin/ruby /var/lib/ldap_server.rb"

It fails to start. No hints.

start program = "/usr/bin/sudo -u deploy /usr/local/bin/ruby /var/lib/ldap_server.rb"

Fails as well. No output.

start program = "/bin/su deploy -c '/usr/local/bin/ruby /var/lib/ldap_server.rb'"

Fails to start.

I also tried redirecting the output using > ~/out.log 2 > &1 to capture stderr and stdout but it doesn't seem to work.

Now, I'm starting monit under the deploy user, which is restricted. So, I'd need to somehow run the ldap server as root, but turns out it's quite hard to do.

Could someone enlighten me?

Cheers,

M>


Answer 1:


Using sudo or su to run the script as the 'deploy' user won't help (as monit is already running as that user anyway, and it needs to run as root).

Also, sudo will by default prompt for a password, which monit won't be able to provide.

One way to solve this would be to create a file /usr/bin/startLDAPServer.sh and make it executable (chmod a+x /usr/bin/startLDAPServer.sh) with the following contents:

#!/bin/sh
/usr/local/bin/ruby /var/lib/ldap_server.rb

and then add this line to your /etc/sudoers file:

deploy ALL = NOPASSWD: /usr/bin/startLDAPServer.sh

You can then use:

start program = "/usr/bin/sudo /usr/bin/startLDAPServer.sh"

in monit.



Source: https://stackoverflow.com/questions/6542830/running-monit-as-a-restricted-user-and-making-it-watch-a-process-that-needs-root
