
#1 2018-03-06 18:12:53

loserMcloser
Member
From: Canada
Registered: 2004-12-15
Posts: 127

[SOLVED] Systemd execute permissions

As a test I have

% cat /etc/systemd/system/nobody-test.service
[Unit]
Description=Testing nobody

[Service]
Type=oneshot
ExecStart=/usr/local/bin/nobody.test
User=nobody
Group=nobody

Executable /usr/local/bin/nobody.test is just a shell script that echoes into a file in /tmp.

With permissions/ownership

% ls -l /usr/local/bin/nobody.test
-rwxr-x--- 1 nobody nobody 42 Mar  2 20:19 /usr/local/bin/nobody.test

I get

% systemctl status nobody-test.service
● nobody-test.service - Testing nobody
...
Mar 06 10:45:24 server systemd[1]: Starting Testing nobody...
Mar 06 10:45:24 server systemd[30245]: nobody-test.service: Failed to execute command: Permission denied
Mar 06 10:45:24 server systemd[30245]: nobody-test.service: Failed at step EXEC spawning /usr/local/bin/nobody.test: Permission denied
...

But if I

% chmod o+rx /usr/local/bin/nobody.test

then it works fine.

Can someone help me understand my error in thinking that if systemd runs a service as a particular user/group, then that service should be able to execute things that are owned by that user/group without having o+rx ?

Last edited by loserMcloser (2018-03-08 05:12:04)

Offline

#2 2018-03-07 10:00:58

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,274

Re: [SOLVED] Systemd execute permissions

systemd[30245]

Is this another user systemd manager?
Because if it is another manager than the init 1 process, the User=, Group= options don't work with the user manager of another user.

Look at the running process list to see which process it is.

Last edited by berbae (2018-03-07 10:40:16)

Offline

#3 2018-03-07 15:48:24

loserMcloser
Member
From: Canada
Registered: 2004-12-15
Posts: 127

Re: [SOLVED] Systemd execute permissions

The service seems to be started by systemd[1]:

Mar 06 10:45:24 server systemd[1]: Starting Testing nobody...

I assume the systemd[30245] is being spawned as User=nobody.

I added a sleep-loop to the nobody.test shell script so that it stays alive long enough for me to monitor it. When I add the world permissions to the executable so that the systemd service is able to start it, systemd does seem to be spawning the process as user nobody:

% ps aux
...
nobody    6450  0.0  0.1  24284  3972 ?        Ss   07:38   0:00 /bin/sh /usr/local/bin/nobody.test
...

Another note: Without world permissions I can do

su -s /bin/sh -c /usr/local/bin/nobody.test nobody

and I don't get permission denied.

Offline

#4 2018-03-07 16:17:07

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,274

Re: [SOLVED] Systemd execute permissions

Can you post the output of all the running processes, preferably using:

ps f -eo pid,user,suser,start,args:120

Because it doesn't help truncating the result to only one line.

Offline

#5 2018-03-07 23:02:45

loserMcloser
Member
From: Canada
Registered: 2004-12-15
Posts: 127

Re: [SOLVED] Systemd execute permissions

@berbae: OK, here is the output of your ps command when I have things in the "working" configuration (i.e. with a+rx on the executable), with some minor edits:
* I have removed some lines associated with processes that are definitely not associated with this problem.
* I have obscured my local username.
Thanks for being willing to help.

  PID USER     SUSER     STARTED COMMAND
    2 root     root       Mar 01 [kthreadd]
    4 root     root       Mar 01  \_ [kworker/0:0H]
    6 root     root       Mar 01  \_ [mm_percpu_wq]
    7 root     root       Mar 01  \_ [ksoftirqd/0]
    8 root     root       Mar 01  \_ [rcu_preempt]
    9 root     root       Mar 01  \_ [rcu_sched]
   10 root     root       Mar 01  \_ [rcu_bh]
   11 root     root       Mar 01  \_ [rcuc/0]
   12 root     root       Mar 01  \_ [rcub/0]
   13 root     root       Mar 01  \_ [migration/0]
   14 root     root       Mar 01  \_ [watchdog/0]
   15 root     root       Mar 01  \_ [cpuhp/0]
   16 root     root       Mar 01  \_ [cpuhp/1]
   17 root     root       Mar 01  \_ [watchdog/1]
   18 root     root       Mar 01  \_ [migration/1]
   19 root     root       Mar 01  \_ [rcuc/1]
   20 root     root       Mar 01  \_ [ksoftirqd/1]
   22 root     root       Mar 01  \_ [kworker/1:0H]
   23 root     root       Mar 01  \_ [kdevtmpfs]
   24 root     root       Mar 01  \_ [netns]
   25 root     root       Mar 01  \_ [rcu_tasks_kthre]
   28 root     root       Mar 01  \_ [khungtaskd]
   29 root     root       Mar 01  \_ [oom_reaper]
   30 root     root       Mar 01  \_ [writeback]
   31 root     root       Mar 01  \_ [kcompactd0]
   32 root     root       Mar 01  \_ [ksmd]
   33 root     root       Mar 01  \_ [khugepaged]
   34 root     root       Mar 01  \_ [crypto]
   35 root     root       Mar 01  \_ [kintegrityd]
   36 root     root       Mar 01  \_ [kblockd]
   37 root     root       Mar 01  \_ [edac-poller]
   38 root     root       Mar 01  \_ [devfreq_wq]
   39 root     root       Mar 01  \_ [watchdogd]
   41 root     root       Mar 01  \_ [kswapd0]
   80 root     root       Mar 01  \_ [kthrotld]
   81 root     root       Mar 01  \_ [acpi_thermal_pm]
   82 root     root       Mar 01  \_ [nvme-wq]
   83 root     root       Mar 01  \_ [ipv6_addrconf]
   92 root     root       Mar 01  \_ [kstrp]
  101 root     root       Mar 01  \_ [charger_manager]
  143 root     root       Mar 01  \_ [ata_sff]
  145 root     root       Mar 01  \_ [scsi_eh_0]
  146 root     root       Mar 01  \_ [scsi_tmf_0]
  147 root     root       Mar 01  \_ [scsi_eh_1]
  148 root     root       Mar 01  \_ [scsi_tmf_1]
  149 root     root       Mar 01  \_ [scsi_eh_2]
  150 root     root       Mar 01  \_ [scsi_tmf_2]
  151 root     root       Mar 01  \_ [scsi_eh_3]
  152 root     root       Mar 01  \_ [scsi_tmf_3]
  153 root     root       Mar 01  \_ [scsi_eh_4]
  154 root     root       Mar 01  \_ [scsi_tmf_4]
  155 root     root       Mar 01  \_ [scsi_eh_5]
  156 root     root       Mar 01  \_ [scsi_tmf_5]
  165 root     root       Mar 01  \_ [kworker/0:1H]
  181 root     root       Mar 01  \_ [jbd2/sdb1-8]
  182 root     root       Mar 01  \_ [ext4-rsv-conver]
  222 root     root       Mar 01  \_ [rpciod]
  223 root     root       Mar 01  \_ [xprtiod]
  257 root     root       Mar 01  \_ [jbd2/sdb2-8]
  259 root     root       Mar 01  \_ [ext4-rsv-conver]
  261 root     root       Mar 01  \_ [jbd2/sda3-8]
  263 root     root       Mar 01  \_ [ext4-rsv-conver]
  264 root     root       Mar 01  \_ [jbd2/sda2-8]
  265 root     root       Mar 01  \_ [ext4-rsv-conver]
  279 root     root       Mar 01  \_ [cfg80211]
  281 root     root       Mar 01  \_ [led_workqueue]
  289 root     root       Mar 01  \_ [kdmflush]
  296 root     root       Mar 01  \_ [bioset]
  297 root     root       Mar 01  \_ [kcryptd_io]
  299 root     root       Mar 01  \_ [kcryptd]
  300 root     root       Mar 01  \_ [dmcrypt_write]
  301 root     root       Mar 01  \_ [bioset]
  303 root     root       Mar 01  \_ [kworker/u5:1]
  304 root     root       Mar 01  \_ [kworker/u5:2]
  308 root     root       Mar 01  \_ [ttm_swap]
  316 root     root       Mar 01  \_ [kworker/1:1H]
  345 root     root       Mar 01  \_ [ath9k-hwrng]
  475 root     root       Mar 01  \_ [lockd]
  479 root     root       Mar 01  \_ [nfsd]
  480 root     root       Mar 01  \_ [nfsd]
  481 root     root       Mar 01  \_ [nfsd]
  482 root     root       Mar 01  \_ [nfsd]
  485 root     root       Mar 01  \_ [nfsd]
  486 root     root       Mar 01  \_ [nfsd]
  488 root     root       Mar 01  \_ [nfsd]
  489 root     root       Mar 01  \_ [nfsd]
21860 root     root       Mar 02  \_ [kworker/0:2]
32717 root     root       Mar 06  \_ [kworker/1:2]
 7165 root     root     08:49:00  \_ [kworker/0:0]
 8773 root     root     11:58:51  \_ [kworker/1:0]
10300 root     root     14:57:46  \_ [kworker/u4:3]
10471 root     root     15:17:11  \_ [kworker/u4:2]
10591 root     root     15:31:07  \_ [kworker/u4:4]
10683 root     root     15:45:07  \_ [kworker/u4:0]
10725 root     root     15:51:48  \_ [kworker/u4:1]
10788 root     root     15:54:13  \_ [kworker/0:1]
    1 root     root       Mar 01 /sbin/init
  211 root     root       Mar 01 /usr/lib/systemd/systemd-journald
  225 root     root       Mar 01 /usr/lib/systemd/systemd-udevd
  332 root     root       Mar 01 /usr/sbin/rpc.idmapd
  336 dbus     dbus       Mar 01 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  339 root     root       Mar 01 /usr/lib/systemd/systemd-logind
  350 root     root       Mar 01 /usr/bin/gssproxy -D
  391 root     root       Mar 01 /usr/bin/dhcpcd -q -w ethF
  393 root     root       Mar 01 /usr/bin/sshd -D
10729 root     root     15:52:02  \_ sshd: MYUSER [priv]
10737 MYUSER   MYUSER   15:52:02      \_ sshd: MYUSER@pts/0,pts/2
10738 MYUSER   MYUSER   15:52:02          \_ -zsh
10743 root     root     15:52:06          |   \_ su
10744 root     root     15:52:07          |       \_ zsh
10791 root     root     15:54:54          |           \_ systemctl start nobody-test.service
10792 root     root     15:54:54          |               \_ /usr/bin/systemd-tty-ask-password-agent --watch
10750 MYUSER   MYUSER   15:52:27          \_ -zsh
10755 root     root     15:52:28              \_ su
10756 root     root     15:52:30                  \_ zsh
10815 root     root     15:55:01                      \_ ps f -eo pid,user,suser,start,args:120
  405 ntp      ntp        Mar 01 /usr/bin/ntpd -g -u ntp:ntp
  410 root     root       Mar 01 /usr/bin/hostapd /etc/hostapd/hostapd.conf
  412 dnsmasq  dnsmasq    Mar 01 /usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file
  420 rpc      rpc        Mar 01 /usr/bin/rpcbind -w -f
  438 root     root       Mar 01 /usr/sbin/rpc.statd
  463 root     root       Mar 01 /usr/sbin/rpc.mountd
26908 polkitd  polkitd    Mar 02 /usr/lib/polkit-1/polkitd --no-debug
10731 MYUSER   MYUSER   15:52:02 /usr/lib/systemd/systemd --user
10732 MYUSER   MYUSER   15:52:02  \_ (sd-pam)
10793 nobody   nobody   15:54:54 /bin/sh /usr/local/bin/nobody.test
10797 nobody   nobody   15:55:00  \_ sleep 4

Last edited by loserMcloser (2018-03-08 05:30:21)

Offline

#6 2018-03-07 23:11:50

loqs
Member
Registered: 2014-03-06
Posts: 4,965

Re: [SOLVED] Systemd execute permissions

What is the output of

id nobody

Online

#7 2018-03-08 05:21:39

loserMcloser
Member
From: Canada
Registered: 2004-12-15
Posts: 127

Re: [SOLVED] Systemd execute permissions

@loqs: thanks for the hint, I figured it out. (Though I'm still stumped on what the heck systemd is doing and why.)

As part of my mucking around with running a service as user nobody, I made the following service file.

[Unit]
Description=Testing nobody

[Service]
Type=oneshot
ExecStart=/usr/local/bin/nobody.test
User=nobody
Group=nobody
RuntimeDirectory=nobody.test
RuntimeDirectoryMode=0700
RuntimeDirectoryPreserve=yes

This created a directory /run/nobody.test. Check this out:

% ls -ld /run/nobody.test
drwx------ 2 nobody nobody 60 Mar  7 08:10 /run/nobody.test/

% ls -nd /run/nobody.test
drwx------ 2 65534 65534 60 Mar  7 08:10 /run/nobody.test/

% id nobody
uid=99(nobody) gid=99(nobody) groups=99(nobody)

WTF? I have no user id 65534 on my system. Why does ls convert this nonexistent UID to nobody in the ls -ld output?

Anyway, I get the behaviour I want with

User=99
Group=99

in the service file. Don't know why systemd takes User=nobody to mean something other than the nobody user in /etc/passwd ....  other than to try to confuse people ....

Offline

#8 2018-03-08 09:43:07

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,274

Re: [SOLVED] Systemd execute permissions

From https://en.wikipedia.org/wiki/Nobody_(username) 'nobody' is a special user name.
So it is not a good idea to create another 'nobody' user in your system. You'd better choose another name.

Offline

#9 2018-03-08 10:03:54

loqs
Member
Registered: 2014-03-06
Posts: 4,965

Re: [SOLVED] Systemd execute permissions

https://bugs.archlinux.org/task/56828
@berbae filesystem used to provide nobody with UID/GID 99 then it was removed and is assigned 65534 by systemd-sysusers by a conf provided by systemd.
That will not change existing systems with the UID/GID 99.  Systemd always resolves nobody to 65534 and root to 0 without performing any lookup.

Online
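An added example (not code from the thread) that replays the reasoning of posts #7 and #9 offline: it assumes a constructed passwd excerpt with nobody as UID/GID 99, systemd's fixed mapping of the name nobody to 65534, and a simplified owner/group/other execute check, and it reports why a -rwxr-x--- binary owned by 99:99 is refused for User=nobody.

```shell
#!/bin/sh
# Added example, not code from the thread: systemd maps the name "nobody" to
# UID/GID 65534 without a passwd lookup, so on a legacy system whose passwd
# file says nobody=99 a unit with User=nobody runs as 65534, and an executable
# owned by 99:99 with mode 0750 is checked against its "other" bits, which is
# the "Permission denied" at step EXEC seen in the first post.

SYSTEMD_NOBODY_ID=65534   # systemd's built-in mapping for the name "nobody"

# Constructed passwd excerpt for such a legacy system (UID/GID 99, as in the thread).
SAMPLE_PASSWD='root:x:0:0::/root:/bin/bash
nobody:x:99:99:nobody:/:/usr/bin/nologin'

# nobody_uid_in <passwd-text>: UID field of the nobody entry (empty if none).
nobody_uid_in() {
    printf '%s\n' "$1" | awk -F: '$1 == "nobody" { print $3; exit }'
}

# can_exec <mode-octal> <file-uid> <file-gid> <run-uid> <run-gid>
# Mirrors the kernel's permission-class selection for a non-root caller:
# owner bits if the UID matches, else group bits if the GID matches, else
# the other bits. Supplementary groups, ACLs and capabilities are ignored.
can_exec() {
    if [ "$4" -eq "$2" ]; then bit=$(( ($1 >> 6) & 1 ))
    elif [ "$5" -eq "$3" ]; then bit=$(( ($1 >> 3) & 1 ))
    else bit=$(( $1 & 1 )); fi
    [ "$bit" -eq 1 ]
}

# check_unit_nobody <passwd-text> <mode-octal>: returns 0 if a binary owned by
# the passwd nobody with that mode is executable by systemd's nobody, 1 if
# not, 2 if the passwd text has no nobody entry at all.
check_unit_nobody() {
    uid=$(nobody_uid_in "$1")
    [ -n "$uid" ] || { echo "no nobody entry in passwd text"; return 2; }
    if can_exec "$2" "$uid" "$uid" "$SYSTEMD_NOBODY_ID" "$SYSTEMD_NOBODY_ID"; then
        echo "ok: User=nobody (uid $SYSTEMD_NOBODY_ID) may exec a mode $2 file owned by $uid"
        return 0
    fi
    echo "mismatch: passwd nobody is $uid, but systemd runs User=nobody as $SYSTEMD_NOBODY_ID;"
    echo "  mode $2 denies exec; use User=$uid/Group=$uid in the unit, or grant o+rx"
    return 1
}

# Reproduces the thread's failing case (0750, nobody=99); exit status 1.
check_unit_nobody "$SAMPLE_PASSWD" 0750 || :
```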

#10 2018-03-08 15:52:55

loserMcloser
Member
From: Canada
Registered: 2004-12-15
Posts: 127

Re: [SOLVED] Systemd execute permissions

@berbae: As loqs points out, I guess this is a "legacy" issue. I did not create user nobody(99), archlinux did. This particular system has been running since 2012. Systemd's penchant for changing things unilaterally can be frustrating.

@loqs: Thanks for the link to that bug report, it was informative.

Offline
