systemd：mkdir 和 ExecStartPre 的权限问题

Question 1

你需要添加

PermissionsStartOnly=true

到[Service]。您的用户FOOd当然无权在/var/run.引用手册页：

采用布尔参数。如果为 true，则使用 User= 和类似选项配置的与权限相关的执行选项（有关详细信息，请参阅 systemd.exec(5)）仅应用于使用 ExecStart= 启动的进程，而不应用于其他各种 ExecStartPre= 、ExecStartPost=、ExecReload=、ExecStop= 和 ExecStopPost= 命令。如果为 false，则该设置将以相同的方式应用于所有配置的命令。默认为 false。

Answer

你需要添加

PermissionsStartOnly=true

到[Service]。您的用户FOOd当然无权在/var/run.引用手册页：

采用布尔参数。如果为 true，则使用 User= 和类似选项配置的与权限相关的执行选项（有关详细信息，请参阅 systemd.exec(5)）仅应用于使用 ExecStart= 启动的进程，而不应用于其他各种 ExecStartPre= 、ExecStartPost=、ExecReload=、ExecStop= 和 ExecStopPost= 命令。如果为 false，则该设置将以相同的方式应用于所有配置的命令。默认为 false。

Question 2

这不是解释或修复权限问题的答案，但我认为您应该只使用 systemds RuntimeDirectory 选项。引用手册页:

RuntimeDirectory=, RuntimeDirectoryMode=
       Takes a list of directory names. If set, one or more directories by
       the specified names will be created below /run (for system
       services) or below $XDG_RUNTIME_DIR (for user services) when the
       unit is started, and removed when the unit is stopped. The
       directories will have the access mode specified in
       RuntimeDirectoryMode=, and will be owned by the user and group
       specified in User= and Group=. Use this to manage one or more
       runtime directories of the unit and bind their lifetime to the
       daemon runtime. The specified directory names must be relative, and
       may not include a "/", i.e. must refer to simple directories to
       create or remove. This is particularly useful for unprivileged
       daemons that cannot create runtime directories in /run due to lack
       of privileges, and to make sure the runtime directory is cleaned up
       automatically after use. For runtime directories that require more
       complex or different configuration or lifetime guarantees, please
       consider using tmpfiles.d(5).

因此，您所要做的就是将服务文件更改为：

[Unit]
Description=control FOO daemon
After=syslog.target network.target

[Service]
Type=forking
User=FOOd
Group=FOO
RuntimeDirectory=FOOd
RuntimeDirectoryMode=$some-mode
ExecStart=/usr/local/bin/FOOd -P /run/FOOd/FOOd.pid
PIDFile=/run/FOOd/FOOd.pid

[Install]
WantedBy=multi-user.target

Answer

这不是解释或修复权限问题的答案，但我认为您应该只使用 systemds RuntimeDirectory 选项。引用手册页:

RuntimeDirectory=, RuntimeDirectoryMode=
       Takes a list of directory names. If set, one or more directories by
       the specified names will be created below /run (for system
       services) or below $XDG_RUNTIME_DIR (for user services) when the
       unit is started, and removed when the unit is stopped. The
       directories will have the access mode specified in
       RuntimeDirectoryMode=, and will be owned by the user and group
       specified in User= and Group=. Use this to manage one or more
       runtime directories of the unit and bind their lifetime to the
       daemon runtime. The specified directory names must be relative, and
       may not include a "/", i.e. must refer to simple directories to
       create or remove. This is particularly useful for unprivileged
       daemons that cannot create runtime directories in /run due to lack
       of privileges, and to make sure the runtime directory is cleaned up
       automatically after use. For runtime directories that require more
       complex or different configuration or lifetime guarantees, please
       consider using tmpfiles.d(5).

因此，您所要做的就是将服务文件更改为：

[Unit]
Description=control FOO daemon
After=syslog.target network.target

[Service]
Type=forking
User=FOOd
Group=FOO
RuntimeDirectory=FOOd
RuntimeDirectoryMode=$some-mode
ExecStart=/usr/local/bin/FOOd -P /run/FOOd/FOOd.pid
PIDFile=/run/FOOd/FOOd.pid

[Install]
WantedBy=multi-user.target

Question 3

+在要以完全权限运行的命令之前添加。

例如：

ExecStartPre=+/bin/mkdir test

请参阅“特殊可执行前缀”部分：https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=

Answer

+在要以完全权限运行的命令之前添加。

例如：

ExecStartPre=+/bin/mkdir test

请参阅“特殊可执行前缀”部分：https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=

systemd：mkdir 和 ExecStartPre 的权限问题

答案1

答案2

答案3

相关内容