From owner-freebsd-questions@FreeBSD.ORG Wed Feb 6 16:50:55 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DB7F616A417 for ; Wed, 6 Feb 2008 16:50:55 +0000 (UTC) (envelope-from xfb52@dial.pipex.com) Received: from mk-outboundfilter-1.mail.uk.tiscali.com (mk-outboundfilter-1.mail.uk.tiscali.com [212.74.114.37]) by mx1.freebsd.org (Postfix) with ESMTP id 5DDAC13C45D for ; Wed, 6 Feb 2008 16:50:55 +0000 (UTC) (envelope-from xfb52@dial.pipex.com) X-Trace: 35199875/mk-outboundfilter-1.mail.uk.tiscali.com/PIPEX/$MX-ACCEPTED/pipex-infrastructure/62.241.163.7 X-SBRS: None X-RemoteIP: 62.241.163.7 X-IP-MAIL-FROM: xfb52@dial.pipex.com X-IP-BHB: Once X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Ao8CAI9zqUc+8aMH/2dsb2JhbACtVw X-IP-Direction: IN Received: from blaster.systems.pipex.net ([62.241.163.7]) by smtp.pipex.tiscali.co.uk with ESMTP; 06 Feb 2008 16:50:54 +0000 Received: from [192.168.23.2] (62-31-10-181.cable.ubr05.edin.blueyonder.co.uk [62.31.10.181]) by blaster.systems.pipex.net (Postfix) with ESMTP id 57698E0000A6; Wed, 6 Feb 2008 16:50:53 +0000 (GMT) Message-ID: <47A9E568.9040406@dial.pipex.com> Date: Wed, 06 Feb 2008 16:50:48 +0000 From: Alex Zbyslaw User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-GB; rv:1.7.13) Gecko/20061205 X-Accept-Language: en MIME-Version: 1.0 To: Zbigniew Szalbot References: <94136a2c0802060751o7952c2f8w639139271c946e98@mail.gmail.com> In-Reply-To: <94136a2c0802060751o7952c2f8w639139271c946e98@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-questions Subject: Re: /usr/local/etc/rc.d/ scripts and non-root user X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Feb 2008 16:50:55 -0000 Zbigniew Szalbot wrote: >I have looked at my /usr/local/etc/rc.d/ and realized that the symlink >I put there has the root as owner. It all works but I would rather use >a non-root user for to run that script. > >$ ls -l /usr/local/etc/rc.d/ >lrwxr-xr-x 1 root wheel 40 May 9 2007 sender.sh -> >/usr/home/api/sender/start.sh > There's one more potential mistake you are making here. Who the script runs as has nothing at all to do with who owns the script unless setuid or setgid bits are set. They would be set on the script itself and not the symlink, so we'd need to see ls -lL /usr/local/etc/rc.d/sender.sh to know what was set or not. Specifically, startup scripts will always run as root and it will be up to the script to do things as another user if appropriate. E.g. by using su, or sudo, or by running a program which was setuid some-other-user, or because it runs as root, simply changing to another user when appropriate (see man 2 setuid). Setuid/gid bits on shell scripts aren't considered safe, however and may even be disabled. --Alex