systemd 以非 root 用户身份运行化石

tag-icon tag-icon systemd non-root-user
systemd 以非 root 用户身份运行化石

我想在非 root 用户下将化石作为 systemd 服务运行。

useradd  -r fossil

touch /etc/systemd/system/fossil.service

化石.服务文件:

[Unit]
User=fossil
Group=fossil
Description=Fossil Service
After=network.target
StartLimitIntervalSec=0
 
[Service]
Type=simple
User=fossil
Group=fossil
WorkingDirectory=/opt/fossil/repos
ExecStart=/usr/bin/fossil server --localhost  --port 9000 --repolist  /opt/fossil/repos
Restart=always
RestartSec=3
 
[Install]
WantedBy=multi-user.target

Fossil user/group is an owner of /opt/fossil directory.

sudo systemctl daemon-reload
sudo systemctl stop fossil
sudo systemctl start fossil
sudo systemctl status fossil -l

输出:

fossil.service - Fossil Service
       Loaded: loaded (/etc/systemd/system/fossil.service; enabled; vendor preset: enabled)
       Active: activating (auto-restart) (Result: exit-code) since Mon 2022-09-26 17:59:10 CEST; 1s ago
      Process: 2015 ExecStart=/usr/bin/fossil server --localhost --port 9000 --repolist /opt/fossil/repos (code=exited, status=200/CHDIR)
     Main PID: 2015 (code=exited, status=200/CHDIR)

sudo journalctl -u fossil

打印输出:

.... systemd[12954]: fossil.service: Changing to the requested working directory failed: Permission denied
Sep 27 systemd[12954]: fossil.service: Failed at step CHDIR spawning /usr/bin/fossil: Permission denied
Sep 27 systemd[1]: fossil.service: Main process exited, code=exited, status=200/CHDIR
Sep 27 systemd[1]: fossil.service: Failed with result 'exit-code'.
Sep 27 systemd[1]: fossil.service: Service RestartSec=3s expired, scheduling restart.
Sep 27 systemd[1]: fossil.service: Scheduled restart job, restart counter is at 1.
Sep 27 systemd[1]: Stopped Fossil Service.
Sep 27 systemd[1]: Started Fossil Service.

ls -all /opt/fossil
drwxr-xr-x 4 fossil fossil 4096 Sep 27 repos

如果我删除线

User=fossil

一切工作正常。

作为化石用户我如何才能化石

答案1

我对此一无所知fossil,但你的问题显然与权限有关。

如果您曾经运行过sudo fossil ... /opt/fossil/repos,那么您现在可能在该目录中有一个文件,该文件由 拥有root且不可全局写入。

一个包罗万象的解决方案是:

sudo chown -R fossil:fossil /opt/fossil

一个更有针对性的方法是

sudo chown -R fossil:fossil /opt/fossil/repos

这将递归地更改它需要的所有文件/目录的所有权fossil

这通常是安全的,/opt/<package>/因为/opt通常包含可重定位的包,这些包不依赖于其他包和内容,无论如何,这些包和内容都打算在自己的小世界中运行。

我对此更加满意,因为二进制文件/usr/bin/fossil不在其中/opt,因此fossil无法覆盖自身。

但最好提供尽可能窄的权限。那么看看里面有什么/opt/fossil。如果它被分成传统的bin/, etc/, lib/, var/, 则仅执行此操作var/。如果它具有不应触及自身的配置文件,请确保这些文件不属于fossil.如果它显然有一个读写数据目录,例如/opt/fossil/repos,则chown仅该目录。

相关内容