Adrian Sevcenco
2021-Feb-09 17:21 UTC
[CentOS] el7 systemd service:: ensure var/log owner when User is specified
Hi! Does anyone have an idea how I can (in a nice way [1]) ensure ownership/permissions of a log directory in /var/log for a unit that drops privileges to a user (with User=/Group=)?

[1] The ugly way being a script in StartPre and sudo in Start, so I want to use User=.
I'm aware of LogsDirectory= but it is not available on EL7.

Thanks a lot!
Adrian
Jonathan Billings
2021-Feb-09 18:05 UTC
[CentOS] el7 systemd service:: ensure var/log owner when User is specified
On Tue, Feb 09, 2021 at 07:21:40PM +0200, Adrian Sevcenco wrote:
> Hi! Does anyone have an idea how I can (in a nice way [1]) ensure
> ownership/permissions of a log directory in /var/log for a unit
> that drops privileges to a user (with User=/Group=)?
>
> [1] The ugly way being a script in StartPre and sudo in Start,
> so I want to use User=.
> I'm aware of LogsDirectory= but it is not available on EL7.

Running sudo in a systemd service seems like a bad idea and should be avoided. It'll require disabling the requiretty feature in the sudo configuration anyway.

Newer versions of systemd support adding a + or ! at the beginning of the ExecStart= command to tell systemd to run with elevated privileges, so you could have:

    [Service]
    Type=oneshot
    User=testuser
    ExecStartPre=!/usr/bin/mkdir -p /var/log/test
    ExecStartPre=!/usr/bin/chown testuser /var/log/test
    ExecStart=/bin/sh -c 'date > /var/log/test/test.log'

However, those features aren't introduced into systemd until ~v231 so it isn't in EL7. I think you will have to do something like (EL7's systemd also requires absolute executable paths in Exec*= lines):

    ExecStartPre=/usr/bin/mkdir -p /var/log/test
    ExecStartPre=/usr/bin/chown testuser /var/log/test
    ExecStart=/usr/bin/su testuser -c 'date > /var/log/test/test.log'

Just don't use sudo.

--
Jonathan Billings <billings at negate.org>
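The mkdir-then-chown pair above works but leaves a window where the directory is root-owned, silently follows a symlink planted in place of the directory, and never checks that the result is what the service needs. The following helper is an added example, not code from the thread or from systemd: a single pre-start script that an EL7 unit can call as ExecStartPre= (with an absolute path, as that systemd requires), which creates the directory with owner, group and mode in one step, refuses symlinks, and verifies the outcome so a mistake fails the unit instead of producing a service that cannot log. The script path /usr/local/sbin/ensure-logdir, the user testuser and the directory /var/log/test are illustrative names taken from or assumed alongside the thread; it relies on GNU coreutils (install, stat, chown, chmod).

```shell
#!/bin/sh
# Added example (not from the thread). Pre-start helper for a unit whose
# systemd lacks LogsDirectory=. Intended unit lines (illustrative names):
#   ExecStartPre=/usr/local/sbin/ensure-logdir /var/log/test testuser testuser 0750
#   User=testuser
# Assumes GNU coreutils: install -d, stat -c, chown, chmod.

ensure_log_dir() {
    dir=$1
    owner=$2
    group=$3
    mode=${4:-0750}

    # A symlink sitting where the directory should be would redirect the
    # chown/chmod to whatever it points at, so refuse it outright.
    if [ -L "$dir" ]; then
        printf 'ensure_log_dir: refusing symlink %s\n' "$dir" >&2
        return 1
    fi

    if [ ! -d "$dir" ]; then
        # install -d creates missing parents and applies owner, group and
        # mode to the leaf in one step, so there is no root-owned window.
        install -d -o "$owner" -g "$group" -m "$mode" "$dir" || return 1
    else
        # Directory already exists (e.g. created root-owned by a package):
        # re-apply ownership and mode explicitly.
        chown "$owner:$group" "$dir" && chmod "$mode" "$dir" || return 1
    fi

    # Verify rather than trust. stat %a prints the octal mode without a
    # leading zero, so strip one from the requested mode before comparing.
    actual=$(stat -c '%U:%G:%a' "$dir") || return 1
    expected="$owner:$group:${mode#0}"
    if [ "$actual" != "$expected" ]; then
        printf 'ensure_log_dir: %s is %s, expected %s\n' \
            "$dir" "$actual" "$expected" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: same arguments the ExecStartPre= line would pass.
if [ $# -ge 3 ]; then
    ensure_log_dir "$@"
fi
```

Because the verification step is part of the pre-start command, a wrong owner or an unexpectedly tightened mode shows up as a failed unit start in journalctl rather than as a service that silently writes nothing to /var/log.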
Anthony K
2021-Feb-10 11:34 UTC
[CentOS] el7 systemd service:: ensure var/log owner when User is specified
On 10/2/21 4:21 am, Adrian Sevcenco wrote:
> Hi! Does anyone have an idea how I can (in a nice way [1]) ensure
> ownership/permissions of a log directory in /var/log for a unit
> that drops privileges to a user (with User=/Group=)?
>
> [1] The ugly way being a script in StartPre and sudo in Start,
> so I want to use User=.
> I'm aware of LogsDirectory= but it is not available on EL7.
>
> Thanks a lot!
> Adrian
>

If you know the username/group/directory beforehand, then you could use setfacl on the directory and permissions should trickle down to new directories/files. Not sure though what implications this has for SELinux.

https://www.redhat.com/sysadmin/linux-access-control-lists
Simon Matter
2021-Feb-10 15:35 UTC
[CentOS] el7 systemd service:: ensure var/log owner when User is specified
> Hi! Does anyone have an idea how I can (in a nice way [1]) ensure
> ownership/permissions of a log directory in /var/log for a unit
> that drops privileges to a user (with User=/Group=)?
>
> [1] The ugly way being a script in StartPre and sudo in Start,
> so I want to use User=.
> I'm aware of LogsDirectory= but it is not available on EL7.

Hi Adrian,

I think such a fundamental lack should be addressed upstream by adding it. Did you try to create a BZ so that this could be fixed? I guess a backport for systemd should help.

Regards,
Simon