I have a daemon sitting in my root directory that is currently being run as root. However, since this program can read the file system, this is clearly a security problem. How can I run it as nobody so that I can resolve this problem?
Doing "su - nobody -c /root/myscript" doesn't work, returning a permission denied error. The only ways I can seem to get around this are:
1. chmod -R 777 /root, which I don't want to do on my root dir and which also messes up ssh.
2. Move the script to /opt or /var and then do (1).
Of course, there may be an easy solution that I'm missing. I can chown it to nobody but that doesn't fix the problem either. Any ideas?
You don't want to do (1); leave root's home directory alone. (2) is your best option: create a new directory owned by the user the daemon will run as and have it do any disk I/O it needs to do in that directory.
Semi-related: please don't run things as "nobody"; there's an old joke that nobody is usually the most privileged user on a *NIX system because all the daemons run as "nobody".
If you're really concerned about security you don't want to fall into that trap. It's worth taking the extra minute to create a dedicated user for your daemons with appropriate restrictions :-)
Well, the script currently resides in /root. Assuming that your target user is not root, then of course you'll get a permissions error when that user tries to read/execute the script.
What is your opposition to moving the script to a different directory? If you do that and then set the file ownership/mode correctly, you should have no issues.
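The setup both answers describe (a dedicated service user instead of nobody, a directory that user owns, correct ownership/mode instead of chmod 777), as an added shell example that is not code from the thread; the user name mydaemon, the paths /var/lib/mydaemon and /usr/local/sbin/myscript, and GNU/Linux tooling (useradd, install, GNU stat, su -s) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholder names assumed here:
# service user "mydaemon", state dir /var/lib/mydaemon, script /root/myscript.
# Assumes GNU/Linux tools: useradd, install, GNU stat, id, su with -s.

# Create a dedicated non-login system user for the daemon instead of "nobody".
create_daemon_user() {
    user="$1"
    id "$user" >/dev/null 2>&1 && return 0
    useradd --system --shell /usr/sbin/nologin --no-create-home "$user"
}

# Create the daemon's own directory: owned by the service user, no world access.
create_daemon_dir() {
    user="$1"; dir="$2"
    install -d -o "$user" -g "$user" -m 0750 "$dir"
}

# Copy the script out of /root: root-owned, readable and executable by the
# service user's group, writable only by root.
install_daemon_script() {
    user="$1"; src="$2"; dst="$3"
    install -o root -g "$user" -m 0750 "$src" "$dst"
}

# Check that a directory is owned by the given user and is neither group- nor
# world-writable (i.e. not the chmod -R 777 approach). Runs unprivileged.
check_daemon_dir() {
    user="$1"; dir="$2"
    [ -d "$dir" ] || return 1
    uid=$(id -u "$user" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$uid" ] || return 1
    other=$(( mode % 10 )); group=$(( (mode / 10) % 10 ))
    if [ $(( other & 2 )) -eq 0 ] && [ $(( group & 2 )) -eq 0 ]; then
        return 0
    fi
    return 1
}

# Run the script as the service user from inside its directory. The -s /bin/sh
# is needed when the account's login shell is nologin.
run_as_daemon_user() {
    user="$1"; dir="$2"; script="$3"
    cd "$dir" && su -s /bin/sh -c "$script" "$user"
}

# As root: create_daemon_user mydaemon; create_daemon_dir mydaemon /var/lib/mydaemon;
# install_daemon_script mydaemon /root/myscript /usr/local/sbin/myscript; then run_as_daemon_user.
```

check_daemon_dir is the only function that needs no privileges, so it can be run from a cron job or monitoring script to catch a service directory that was later loosened to 777.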