Bug 431196 - qpidd should not run as root by default.
Summary: qpidd should not run as root by default.
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: beta
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nuno Santos
QA Contact: Kim van der Riet
URL:
Whiteboard:
Keywords:
Depends On: 431135
Blocks:
Reported: 2008-02-01 14:28 UTC by Alan Conway
Modified: 2013-09-12 22:09 UTC

Description Alan Conway 2008-02-01 14:28:09 UTC
Description of problem:

For security reasons qpidd should not run as root by default.

Solution:

The RPM installer for qpidd should 
 - create user qpidd
 - create default data dir /var/lib/qpidd owned by qpidd, writable by owner only
(readable also?)

The qpidd init script should run qpidd as the qpidd user.

Depends on https://bugzilla.redhat.com/show_bug.cgi?id=431135 (defines data dir
location)

Comment 1 Lana Brindley 2008-02-04 04:57:48 UTC
Documents currently instruct users to run rhmd (qpidd) as root. When this
problem is resolved, the docs will need to be updated accordingly. Adding myself
to the CC list. LKB

Comment 2 Nuno Santos 2008-04-01 15:45:32 UTC
Fixed at svn revision 643442: added user "qpidd" and modified init script to
start the qpidd daemon under that user.

Comment 3 Mike Bonnet 2008-05-16 15:08:16 UTC
qpidc-0.2.656926-1.el5, qpidd-0.2.656926-1.el5, and rhm-0.2.2058-1.el5 have been pushed to the staging repo for testing

Comment 4 Lana Brindley 2008-07-17 05:04:58 UTC
Nuno,

Can I please have updated instructions for documentation?

Cheers,
LKB

Comment 5 Nuno Santos 2008-07-17 17:15:20 UTC
Lana:

When using the init script (via "service qpidd start"), the daemon will be
started under the qpidd user, so there should be no changes there.

When starting on the command line (e.g., when logged in as root), there are two
options: 
- use sudo, like:
  sudo -u qpidd <qpidd + args>

- use runuser, like:
  runuser -s /bin/sh qpidd -c "<qpidd + args>"

where <qpidd + args> would be the command line you'd use before.

Nuno
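
A post-install check for the fix discussed in this bug, as an added example that is not part of the original report or of the qpid packaging. The user name qpidd and the directory /var/lib/qpidd come from the bug text; the function names are hypothetical, and the `--audit` switch is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: audit that qpidd no longer runs as root and that its
# data directory is owned by the service user and writable by owner only.

# datadir_ok DIR UID: succeeds only if DIR is a directory owned by the
# numeric UID and neither group nor others have write permission on it.
datadir_ok() {
    [ -d "$1" ] || return 1
    # ls -ldn prints "mode links uid gid ..." with numeric ids.
    # In the mode string, char 6 is group write and char 9 is other write.
    ls -ldn "$1" | awk -v want="$2" '
        NR == 1 { ok = ($3 == want) && substr($1, 6, 1) != "w" && substr($1, 9, 1) != "w" }
        END { exit !ok }'
}

# root_instances NAME: reads "uid comm" lines (as printed by
# `ps -eo uid=,comm=`) on stdin and prints how many processes
# named NAME run with uid 0.
root_instances() {
    awk -v name="$1" '$1 == 0 && $2 == name { n++ } END { print n + 0 }'
}

# audit_qpidd: run both checks against the live system.
audit_qpidd() {
    user=qpidd dir=/var/lib/qpidd rc=0
    uid=$(id -u "$user" 2>/dev/null) || { echo "FAIL: user $user does not exist"; return 1; }
    datadir_ok "$dir" "$uid" || {
        echo "FAIL: $dir is not owned by $user or is writable by group/others"
        rc=1
    }
    n=$(ps -eo uid=,comm= | root_instances qpidd)
    [ "$n" -eq 0 ] || { echo "FAIL: $n qpidd process(es) running as root"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: qpidd is unprivileged and $dir is locked down"; fi
    return "$rc"
}

# Only touch the live system when asked to.
if [ "${1:-}" = "--audit" ]; then
    audit_qpidd
fi
```

Run it with `--audit` after installing the package and starting the service; a daemon started by hand from a root shell without sudo -u or runuser shows up in the root process count.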


