
Why do I have to sudo a command from a daemon process?

I have a problem with sudo.

I call an Erlang script from a daemon process. (This daemon process is defined by xinetd, and this process will execute a bash script in it. I wrote my Erlang script command into the bash script.) The Erlang script is like:

#! /usr/bin/env escript
main(_) ->
    ok.

The script is quite simple and it is OK when I execute it from the shell command line.

But when I call it from the daemon process, it fails with a non-zero return code. I really have no idea.

When I try sudo /path/to/my/erlang_script, it turns out alright!!

I am root myself. Why do I have to add sudo?

My xinetd conf is like this (as you can see, 'user' is set up to be 'root'):

service gtpgwagent
{
        type            = UNLISTED
        flags           = REUSE
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        instances       = UNLIMITED
        server          = /lab/subsysserv/sbin/in.gtpgwagent
        server_args     = gtpgw
        log_type        = FILE /tmp/ggsnagent_logfile
        log_on_success  += DURATION USERID HOST EXIT
        log_on_failure  += USERID HOST
        env             = /usr/bin:/bin
        port            = 1761
}

The daemon process is neither running as root nor as a user that has permission to run that script (or, the most common case, is not allowed to do something that script does), so things don't work out.

You are running as root, so whatever you try always works (which is sort of scary, so be careful).

Change permissions on the script to accommodate whatever xinetd is setting the daemon process user to be, and make sure whatever you have the script do is something the daemon process user is allowed to do. Whatever you do, though, do not set a daemon to run as root -- that is just an accident (or crack) waiting to happen.

Edit

RHEL 6.x is almost guaranteed to prevent daemons running as root from doing almost anything.
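
The two checks the answer describes (which user xinetd assigns to a service, and whether that user may execute the script by its mode bits) can be sketched as follows. This is an added example, not part of the original post or answer. The sample stanza is a constructed abbreviation of the one in the question, and the function names are hypothetical.

```python
import re
import stat

# Constructed sample: an abbreviated copy of the stanza shown in the question.
SAMPLE = """\
service gtpgwagent
{
        user            = root
        server          = /lab/subsysserv/sbin/in.gtpgwagent
        log_on_success  += DURATION USERID HOST EXIT
}
"""

ATTR = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")

def parse_services(text):
    """Return {service: {attribute: value}} for each xinetd service stanza."""
    services, name, attrs = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("service "):
            name = line.split(None, 1)[1]
        elif line == "{":
            attrs = {}
        elif line == "}":
            if name is not None and attrs is not None:
                services[name] = attrs
            name, attrs = None, None
        elif attrs is not None:
            m = ATTR.match(line)
            if m:
                attrs[m.group(1)] = m.group(3).strip()
    return services

def root_services(text):
    """Names of services whose stanza sets user = root."""
    return [n for n, a in parse_services(text).items() if a.get("user") == "root"]

def may_execute(mode, owner_uid, owner_gid, uid, gids):
    """Unix mode-bit execute check; ignores ACLs, SELinux and capabilities."""
    if uid == 0:  # root still needs at least one execute bit set
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)
```

For a script owned by root:root with mode 0750, `may_execute(0o750, 0, 0, 1001, {1001})` is False for a hypothetical daemon uid 1001; changing the script's group owner to 1001 makes the same check True.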
