Running Fossil as a non-root user under systemd

I want to run Fossil as a systemd service under a non-root user.

useradd -r fossil

touch /etc/systemd/system/fossil.service

fossil.service file:

[Unit]
Description=Fossil Service
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
User=fossil
Group=fossil
WorkingDirectory=/opt/fossil/repos
ExecStart=/usr/bin/fossil server --localhost --port 9000 --repolist /opt/fossil/repos
Restart=always
RestartSec=3
[Install]
WantedBy=multi-user.target

The fossil user/group is the owner of the /opt/fossil directory.

sudo systemctl daemon-reload
sudo systemctl stop fossil
sudo systemctl start fossil
sudo systemctl status fossil -l

Output:

fossil.service - Fossil Service
       Loaded: loaded (/etc/systemd/system/fossil.service; enabled; vendor preset: enabled)
       Active: activating (auto-restart) (Result: exit-code) since Mon 2022-09-26 17:59:10 CEST; 1s ago
      Process: 2015 ExecStart=/usr/bin/fossil server --localhost --port 9000 --repolist /opt/fossil/repos (code=exited, status=200/CHDIR)
     Main PID: 2015 (code=exited, status=200/CHDIR)

sudo journalctl -u fossil

prints:

.... systemd[12954]: fossil.service: Changing to the requested working directory failed: Permission denied
Sep 27 systemd[12954]: fossil.service: Failed at step CHDIR spawning /usr/bin/fossil: Permission denied
Sep 27 systemd[1]: fossil.service: Main process exited, code=exited, status=200/CHDIR
Sep 27 systemd[1]: fossil.service: Failed with result 'exit-code'.
Sep 27 systemd[1]: fossil.service: Service RestartSec=3s expired, scheduling restart.
Sep 27 systemd[1]: fossil.service: Scheduled restart job, restart counter is at 1.
Sep 27 systemd[1]: Stopped Fossil Service.
Sep 27 systemd[1]: Started Fossil Service.

ls -all /opt/fossil

drwxr-xr-x 4 fossil fossil 4096 Sep 27 repos

If I remove the line

User=fossil

everything works fine.

How can I run fossil as the fossil user?

Answer 1

I know nothing about fossil, but your problem is clearly permission-related.

If you have ever run sudo fossil ... /opt/fossil/repos, you probably now have a file in that directory that is owned by root and is not world-writable.

A catch-all solution is:

sudo chown -R fossil:fossil /opt/fossil

A more targeted approach is

sudo chown -R fossil:fossil /opt/fossil/repos

This recursively changes the ownership of all the files/directories that fossil needs.

This is usually safe for /opt/<package>/, because /opt normally holds relocatable packages that do not depend on other packages or content and are meant to run in their own little world anyway.

I am more comfortable with this because the binary /usr/bin/fossil is not inside /opt, so fossil cannot overwrite itself.

But it is best to grant the narrowest permissions possible. So look at what is inside /opt/fossil. If it is split into the traditional bin/, etc/, lib/, var/, then do this only for var/. If it has configuration files that it should not touch itself, make sure those are not owned by fossil. If it clearly has a read-write data directory, such as /opt/fossil/repos, chown only that directory.
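As an added example (not part of the answer above, and not a Fossil or systemd tool): the CHDIR step fails as soon as one component of the WorkingDirectory= path is not searchable by the service user, so the check below walks each component and reports the first one that blocks the walk. It assumes GNU stat and a user given by name; the function names user_can_search and check_traversal are this example's own.

```shell
#!/bin/sh
# Diagnose a systemd "status=200/CHDIR" failure: walk every component of the
# WorkingDirectory= path and report the first directory the service user
# cannot search (no "x" bit for that user). Assumes GNU stat and a user name.
# Function names (user_can_search, check_traversal) are this example's own.

# user_can_search USER DIR: succeed if USER has search permission on DIR.
user_can_search() {
    user=$1; dir=$2
    uid=$(id -u "$user") || return 2
    if [ "$uid" -eq 0 ]; then
        return 0                               # root bypasses DAC checks
    fi
    info=$(stat -c '%U %G %A' "$dir") || return 2
    set -- $info                               # e.g. fossil fossil drwxr-xr-x
    owner=$1; group=$2; perms=$3
    if [ "$owner" = "$user" ]; then
        x=$(printf '%s' "$perms" | cut -c4)    # owner triplet
    elif id -Gn "$user" | tr ' ' '\n' | grep -qx "$group"; then
        x=$(printf '%s' "$perms" | cut -c7)    # group triplet
    else
        x=$(printf '%s' "$perms" | cut -c10)   # other triplet
    fi
    # lowercase s/t (setgid/sticky) also mean the x bit is set
    [ "$x" = x ] || [ "$x" = s ] || [ "$x" = t ]
}

# check_traversal USER DIR: succeed if USER could chdir into the absolute
# path DIR; otherwise print the first component that blocks the walk and fail.
check_traversal() {
    user=$1; target=$2; prefix=""
    rest=${target#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        rest=${rest#"$comp"}; rest=${rest#/}
        if [ -n "$comp" ]; then
            prefix="$prefix/$comp"
            if ! user_can_search "$user" "$prefix"; then
                echo "$prefix: $user cannot search it; CHDIR stops here"
                return 1
            fi
        fi
    done
    echo "$target: fully traversable by $user"
    return 0
}

# Usage mirroring the question's unit: check_traversal fossil /opt/fossil/repos
```

Run it as root (so stat can read every component) with the same user and WorkingDirectory= as the unit; the reported component is the one to fix, typically with a chown or chmod on just that directory rather than on the whole tree.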
