Bug 1534030
| Summary: | no option to set user/group | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ade Lee <alee> |
| Component: | nuxwdog | Assignee: | Ade Lee <alee> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.5 | CC: | alee, cfu, edewata, ftweedal, jmagne, lmiksik, mharmsen, msauton, nkinder, rpattath |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | nuxwdog-1.0.3-7.el7 | Doc Type: | Enhancement |
| Story Points: | --- | | |
| Clone Of: | | | |
| : | 1540092 | Environment: | |
| Last Closed: | 2018-04-10 18:15:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1523410 | | |
| Bug Blocks: | 1540092 | | |

Doc Text:

Feature:
A new option has been added to allow deployers to specify the user that the process spawned by nuxwdog will run as.

Reason:
When nuxwdog is invoked by systemd, it prompts for passwords using systemd-ask-password, but it needs to run as a privileged user to be able to access the tty-agent used by systemctl. Without this change, nuxwdog would then spawn the real server process as this privileged user, which is a security risk.
With this change, deployers can direct nuxwdog to spawn the real process as a specified user.

Result:
Deployers can add the directive "User foo" to their nuxwdog.conf file (foo is the username). The spawned process should then run as that user.
Description
Ade Lee
2018-01-12 20:51:04 UTC
commit 3d7adfbe0788f33a67c3ed65e12ba9d32074a674 (origin/master, origin/HEAD, gerrit/master, master)
Author: Ade Lee <alee>
Date: Mon Jan 15 15:25:36 2018 -0500
Add parameter to set the uid of the invoked process
QE Verification:

This is most easily - and most usefully - verified as part of the verification for https://bugzilla.redhat.com/show_bug.cgi?id=1523410

You should be able to -

1) Use pkispawn to create an instance (either using a new user or the default pkiuser). For convenience I will use pki-tomcat as my instance name.

3) Shut down the instance

    systemctl stop pki-tomcatd

2) Enable nuxwdog for that instance:

    pki-server instance-nuxwdog-enable pki-tomcat

3) Confirm that the instance's nuxwdog.conf file contains

    User foo

where foo is pkiuser or whatever your user was

    cat /etc/pki/pki-tomcat/nuxwdog.conf

4) Start the instance and enter passwords. Confirm that the instance is running as the foo user.

    systemctl restart pki-tomcatd-nuxwdog
    ps -ef |grep nuxwdog

Note: the nuxwdog process will run as root, but tomcat will run as nuxwdog.

    [root@nocp1 ~]# rpm -qi nuxwdog
    Name        : nuxwdog
    Version     : 1.0.3
    Release     : 7.el7
    Architecture: x86_64
    Install Date: Fri 26 Jan 2018 02:34:55 PM EST
    Group       : System Environment/Libraries
    Size        : 103675
    License     : LGPLv2 and (GPL+ or Artistic)
    Signature   : RSA/SHA256, Mon 22 Jan 2018 09:33:10 PM EST, Key ID 199e2f91fd431d51
    Source RPM  : nuxwdog-1.0.3-7.el7.src.rpm
    Build Date  : Mon 22 Jan 2018 09:12:21 PM EST
    Build Host  : x86-041.build.eng.bos.redhat.com
    Relocations : (not relocatable)
    Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
    Vendor      : Red Hat, Inc.
    URL         : http://www.redhat.com/certificate_system
    Summary     : Watchdog server to start and stop processes, and prompt for passwords

Verification steps in comment 4

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0971
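
A scripted form of the manual check in the verification steps above, added here as an example; it is not part of the bug report or of nuxwdog. It assumes the watchdog appears in `ps` with the command name `nuxwdog`; the function names and both sample inputs are constructed for illustration.

```bash
#!/bin/bash
# Added example: constructed inputs, not captured from a real system.
# Only the "User" directive comes from the bug report; the other line is a placeholder.
SAMPLE_CONF='# constructed nuxwdog.conf fragment
PlaceholderDirective placeholder-value
User pkiuser'

# Same column layout as `ps -eo user,pid,ppid,comm`.
SAMPLE_PS='USER PID PPID COMMAND
root 1 0 systemd
root 4101 1 nuxwdog
pkiuser 4102 4101 java'

# Print the name from the last "User <name>" directive in the given conf text.
conf_user() {
    printf '%s\n' "$1" | awk '$1 == "User" && NF >= 2 { u = $2 } END { if (u != "") print u }'
}

# Compare every child of a nuxwdog process against the expected user.
# Returns 0 if all match, 1 on a mismatch, 2 if nuxwdog has no child.
check_children() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NR == 1 { next }                       # skip the ps header
        { user[$2] = $1; ppid[$2] = $3; comm[$2] = $4 }
        END {
            for (p in ppid) if (comm[ppid[p]] == "nuxwdog") {
                seen = 1
                if (user[p] != want) {
                    bad = 1
                    printf "pid %s (%s) runs as %s, expected %s\n", p, comm[p], user[p], want
                }
            }
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }'
}

# Returns 3 when the conf has no usable User directive (missing, or root itself).
verify() {
    u=$(conf_user "$1")
    if [ -z "$u" ] || [ "$u" = root ]; then
        echo "nuxwdog.conf does not name an unprivileged User"
        return 3
    fi
    check_children "$u" "$2"
}

verify "$SAMPLE_CONF" "$SAMPLE_PS" && echo "OK: child runs as configured user"
```

On a live host the same check would be `verify "$(cat /etc/pki/pki-tomcat/nuxwdog.conf)" "$(ps -eo user,pid,ppid,comm)"`, where exit status 1 means the spawned server is not running as the configured user.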