From owner-freebsd-ports@FreeBSD.ORG  Sun Apr 27 08:08:28 2008
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
Delivered-To: freebsd-ports@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6A4D0106566C
	for <freebsd-ports@freebsd.org>; Sun, 27 Apr 2008 08:08:28 +0000 (UTC)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk
	[IPv6:2001:8b0:151:1::1])
	by mx1.freebsd.org (Postfix) with ESMTP id C86A08FC17
	for <freebsd-ports@freebsd.org>; Sun, 27 Apr 2008 08:08:27 +0000 (UTC)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1])
	(authenticated bits=0)
	by smtp.infracaninophile.co.uk (8.14.2/8.14.2) with ESMTP id
	m3R88GRk060031; Sun, 27 Apr 2008 09:08:22 +0100 (BST)
	(envelope-from m.seaman@infracaninophile.co.uk)
X-DKIM: Sendmail DKIM Filter v2.5.3 smtp.infracaninophile.co.uk m3R88GRk060031
Message-ID: <4814346A.5040207@infracaninophile.co.uk>
Date: Sun, 27 Apr 2008 09:08:10 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
User-Agent: Thunderbird 2.0.0.12 (X11/20080310)
MIME-Version: 1.0
To: Walter Venable <weaseal@gmail.com>
References: <48132E31.8080204@gmail.com>
In-Reply-To: <48132E31.8080204@gmail.com>
X-Enigmail-Version: 0.95.6
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature";
	boundary="------------enig871974EB376F27C0614D6A21"
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by
	milter-greylist-3.0 (smtp.infracaninophile.co.uk [IPv6:::1]);
	Sun, 27 Apr 2008 09:08:22 +0100 (BST)
X-Virus-Scanned: ClamAV version 0.93, clamav-milter version 0.93 on
	happy-idiot-talk.infracaninophile.co.uk
X-Virus-Status: Clean
X-Spam-Status: No, score=-3.0 required=5.0 tests=AWL,BAYES_00,NO_RELAYS
	autolearn=ham version=3.2.4
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
	happy-idiot-talk.infracaninophile.co.uk
Cc: freebsd-ports@freebsd.org
Subject: Re: Building new port, don't want to run as root
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
	<mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Apr 2008 08:08:28 -0000

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig871974EB376F27C0614D6A21
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable

Walter Venable wrote:
> Hi all, I'm working on a patch to upgrade a port I maintain, however th=
e=20
> new version (smartly) refuses to be run by root.  I fished through the =

> Porter's Handbook a bit but was unable to find anything in particular o=
n=20
> running the port as another user.  Can anyone point me in the right=20
> direction?  Thanks...

I take it you're talking about a daemon process and you want to have the
rc.subr scripts start it as another user than root?  That's fairly simple=
=2E

To make rc.subr start a process using a different UserID, all you need to=

do is define variables

    name =3D foo				<-- standard rc script thing to
                                            setup the namespace
    foo_user =3D someone
    foo_group =3D somegroup

in the rc script (where 'foo' is typically your program name).

You should use a fixed username and group from /usr/ports/UIDs or
/usr/ports/GIDs -- unless there is already something suitable in that fil=
e,
just grab a UID and GID number no one else is already using and send in
patches to UIDs and GIDs along with the rest of your maintainer update.

For a long running process, you'll also probably need to make arrangement=
s
for the process to write a pid file.  If it is started as non-root then
it won't be able to write a file into /var/run -- one solution is to crea=
te
a sub-dir owned and writable by the user the script runs as.  Similar=20
considerations also apply to wrinting log files into /var/log

Take a look at textproc/sphinxsearch for an example.

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW


--------------enig871974EB376F27C0614D6A21
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.8 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAkgUNHAACgkQ8Mjk52CukIzRHwCfSB1CWdJ+s93CGE9nLNqGFIvh
XF8An15xSTeX/DB4A0o2fOudCb+03Lyu
=UDoM
-----END PGP SIGNATURE-----

--------------enig871974EB376F27C0614D6A21--