As a test I have
% cat /etc/systemd/system/nobody-test.service
[Unit]
Description=Testing nobody
[Service]
Type=oneshot
ExecStart=/usr/local/bin/nobody.test
User=nobody
Group=nobody
Executable /usr/local/bin/nobody.test is just a shell script that echoes into a file in /tmp.
With permissions/ownership
% ls -l /usr/local/bin/nobody.test
-rwxr-x--- 1 nobody nobody 42 Mar 2 20:19 /usr/local/bin/nobody.test
I get
% systemctl status nobody-test.service
● nobody-test.service - Testing nobody
...
Mar 06 10:45:24 server systemd[1]: Starting Testing nobody...
Mar 06 10:45:24 server systemd[30245]: nobody-test.service: Failed to execute command: Permission denied
Mar 06 10:45:24 server systemd[30245]: nobody-test.service: Failed at step EXEC spawning /usr/local/bin/nobody.test: Permission denied
...
But if I
% chmod o+rx /usr/local/bin/nobody.test
then it works fine.
Can someone help me understand my error in thinking that if systemd runs a service as a particular user/group, then that service should be able to execute things that are owned by that user/group without having o+rx?
Last edited by loserMcloser (2018-03-08 05:12:04)
Offline
systemd[30245]
Is this another user systemd manager?
Because if it is a manager other than the init (PID 1) process, the User= and Group= options don't work with the user manager of another user.
Look at the running process list to see which process it is.
Last edited by berbae (2018-03-07 10:40:16)
Offline
The service seems to be started by systemd[1]:
Mar 06 10:45:24 server systemd[1]: Starting Testing nobody...
I assume the systemd[30245] is being spawned as User=nobody.
I added a sleep-loop to the nobody.test shell script so that it stays alive long enough for me to monitor it. When I add the world permissions to the executable so that the systemd service is able to start it, systemd does seem to be spawning the process as user nobody:
% ps aux
...
nobody 6450 0.0 0.1 24284 3972 ? Ss 07:38 0:00 /bin/sh /usr/local/bin/nobody.test
...
Another note: Without world permissions I can do
su -s /bin/sh -c /usr/local/bin/nobody.test nobody
and I don't get permission denied.
Offline
Can you post the output of all the running processes, preferably using:
ps f -eo pid,user,suser,start,args:120
Because truncating the result to only one line doesn't help.
Offline
@berbae: OK, here is the output of your ps command when I have things in the "working" configuration (i.e. with a+rx on the executable), with some minor edits:
* I have removed some lines associated with processes that are definitely not associated with this problem.
* I have obscured my local username.
Thanks for being willing to help.
PID USER SUSER STARTED COMMAND
2 root root Mar 01 [kthreadd]
4 root root Mar 01 \_ [kworker/0:0H]
6 root root Mar 01 \_ [mm_percpu_wq]
7 root root Mar 01 \_ [ksoftirqd/0]
8 root root Mar 01 \_ [rcu_preempt]
9 root root Mar 01 \_ [rcu_sched]
10 root root Mar 01 \_ [rcu_bh]
11 root root Mar 01 \_ [rcuc/0]
12 root root Mar 01 \_ [rcub/0]
13 root root Mar 01 \_ [migration/0]
14 root root Mar 01 \_ [watchdog/0]
15 root root Mar 01 \_ [cpuhp/0]
16 root root Mar 01 \_ [cpuhp/1]
17 root root Mar 01 \_ [watchdog/1]
18 root root Mar 01 \_ [migration/1]
19 root root Mar 01 \_ [rcuc/1]
20 root root Mar 01 \_ [ksoftirqd/1]
22 root root Mar 01 \_ [kworker/1:0H]
23 root root Mar 01 \_ [kdevtmpfs]
24 root root Mar 01 \_ [netns]
25 root root Mar 01 \_ [rcu_tasks_kthre]
28 root root Mar 01 \_ [khungtaskd]
29 root root Mar 01 \_ [oom_reaper]
30 root root Mar 01 \_ [writeback]
31 root root Mar 01 \_ [kcompactd0]
32 root root Mar 01 \_ [ksmd]
33 root root Mar 01 \_ [khugepaged]
34 root root Mar 01 \_ [crypto]
35 root root Mar 01 \_ [kintegrityd]
36 root root Mar 01 \_ [kblockd]
37 root root Mar 01 \_ [edac-poller]
38 root root Mar 01 \_ [devfreq_wq]
39 root root Mar 01 \_ [watchdogd]
41 root root Mar 01 \_ [kswapd0]
80 root root Mar 01 \_ [kthrotld]
81 root root Mar 01 \_ [acpi_thermal_pm]
82 root root Mar 01 \_ [nvme-wq]
83 root root Mar 01 \_ [ipv6_addrconf]
92 root root Mar 01 \_ [kstrp]
101 root root Mar 01 \_ [charger_manager]
143 root root Mar 01 \_ [ata_sff]
145 root root Mar 01 \_ [scsi_eh_0]
146 root root Mar 01 \_ [scsi_tmf_0]
147 root root Mar 01 \_ [scsi_eh_1]
148 root root Mar 01 \_ [scsi_tmf_1]
149 root root Mar 01 \_ [scsi_eh_2]
150 root root Mar 01 \_ [scsi_tmf_2]
151 root root Mar 01 \_ [scsi_eh_3]
152 root root Mar 01 \_ [scsi_tmf_3]
153 root root Mar 01 \_ [scsi_eh_4]
154 root root Mar 01 \_ [scsi_tmf_4]
155 root root Mar 01 \_ [scsi_eh_5]
156 root root Mar 01 \_ [scsi_tmf_5]
165 root root Mar 01 \_ [kworker/0:1H]
181 root root Mar 01 \_ [jbd2/sdb1-8]
182 root root Mar 01 \_ [ext4-rsv-conver]
222 root root Mar 01 \_ [rpciod]
223 root root Mar 01 \_ [xprtiod]
257 root root Mar 01 \_ [jbd2/sdb2-8]
259 root root Mar 01 \_ [ext4-rsv-conver]
261 root root Mar 01 \_ [jbd2/sda3-8]
263 root root Mar 01 \_ [ext4-rsv-conver]
264 root root Mar 01 \_ [jbd2/sda2-8]
265 root root Mar 01 \_ [ext4-rsv-conver]
279 root root Mar 01 \_ [cfg80211]
281 root root Mar 01 \_ [led_workqueue]
289 root root Mar 01 \_ [kdmflush]
296 root root Mar 01 \_ [bioset]
297 root root Mar 01 \_ [kcryptd_io]
299 root root Mar 01 \_ [kcryptd]
300 root root Mar 01 \_ [dmcrypt_write]
301 root root Mar 01 \_ [bioset]
303 root root Mar 01 \_ [kworker/u5:1]
304 root root Mar 01 \_ [kworker/u5:2]
308 root root Mar 01 \_ [ttm_swap]
316 root root Mar 01 \_ [kworker/1:1H]
345 root root Mar 01 \_ [ath9k-hwrng]
475 root root Mar 01 \_ [lockd]
479 root root Mar 01 \_ [nfsd]
480 root root Mar 01 \_ [nfsd]
481 root root Mar 01 \_ [nfsd]
482 root root Mar 01 \_ [nfsd]
485 root root Mar 01 \_ [nfsd]
486 root root Mar 01 \_ [nfsd]
488 root root Mar 01 \_ [nfsd]
489 root root Mar 01 \_ [nfsd]
21860 root root Mar 02 \_ [kworker/0:2]
32717 root root Mar 06 \_ [kworker/1:2]
7165 root root 08:49:00 \_ [kworker/0:0]
8773 root root 11:58:51 \_ [kworker/1:0]
10300 root root 14:57:46 \_ [kworker/u4:3]
10471 root root 15:17:11 \_ [kworker/u4:2]
10591 root root 15:31:07 \_ [kworker/u4:4]
10683 root root 15:45:07 \_ [kworker/u4:0]
10725 root root 15:51:48 \_ [kworker/u4:1]
10788 root root 15:54:13 \_ [kworker/0:1]
1 root root Mar 01 /sbin/init
211 root root Mar 01 /usr/lib/systemd/systemd-journald
225 root root Mar 01 /usr/lib/systemd/systemd-udevd
332 root root Mar 01 /usr/sbin/rpc.idmapd
336 dbus dbus Mar 01 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
339 root root Mar 01 /usr/lib/systemd/systemd-logind
350 root root Mar 01 /usr/bin/gssproxy -D
391 root root Mar 01 /usr/bin/dhcpcd -q -w ethF
393 root root Mar 01 /usr/bin/sshd -D
10729 root root 15:52:02 \_ sshd: MYUSER [priv]
10737 MYUSER MYUSER 15:52:02 \_ sshd: MYUSER@pts/0,pts/2
10738 MYUSER MYUSER 15:52:02 \_ -zsh
10743 root root 15:52:06 | \_ su
10744 root root 15:52:07 | \_ zsh
10791 root root 15:54:54 | \_ systemctl start nobody-test.service
10792 root root 15:54:54 | \_ /usr/bin/systemd-tty-ask-password-agent --watch
10750 MYUSER MYUSER 15:52:27 \_ -zsh
10755 root root 15:52:28 \_ su
10756 root root 15:52:30 \_ zsh
10815 root root 15:55:01 \_ ps f -eo pid,user,suser,start,args:120
405 ntp ntp Mar 01 /usr/bin/ntpd -g -u ntp:ntp
410 root root Mar 01 /usr/bin/hostapd /etc/hostapd/hostapd.conf
412 dnsmasq dnsmasq Mar 01 /usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file
420 rpc rpc Mar 01 /usr/bin/rpcbind -w -f
438 root root Mar 01 /usr/sbin/rpc.statd
463 root root Mar 01 /usr/sbin/rpc.mountd
26908 polkitd polkitd Mar 02 /usr/lib/polkit-1/polkitd --no-debug
10731 MYUSER MYUSER 15:52:02 /usr/lib/systemd/systemd --user
10732 MYUSER MYUSER 15:52:02 \_ (sd-pam)
10793 nobody nobody 15:54:54 /bin/sh /usr/local/bin/nobody.test
10797 nobody nobody 15:55:00 \_ sleep 4
Last edited by loserMcloser (2018-03-08 05:30:21)
Offline
What is the output of
id nobody
Offline
@loqs: thanks for the hint, I figured it out. (Though I'm still stumped on what the heck systemd is doing and why.)
As part of my mucking around with running a service as user nobody, I made the following service file.
[Unit]
Description=Testing nobody
[Service]
Type=oneshot
ExecStart=/usr/local/bin/nobody.test
User=nobody
Group=nobody
RuntimeDirectory=nobody.test
RuntimeDirectoryMode=0700
RuntimeDirectoryPreserve=yes
This created a directory /run/nobody.test. Check this out:
% ls -ld /run/nobody.test
drwx------ 2 nobody nobody 60 Mar 7 08:10 /run/nobody.test/
% ls -nd /run/nobody.test
drwx------ 2 65534 65534 60 Mar 7 08:10 /run/nobody.test/
% id nobody
uid=99(nobody) gid=99(nobody) groups=99(nobody)
WTF? I have no user id 65534 on my system. Why does ls convert this nonexistent UID to nobody in the ls -ld output?
Anyway, I get the behaviour I want with
User=99
Group=99
in the service file. Don't know why systemd takes User=nobody to mean something other than the nobody user in /etc/passwd .... other than to try to confuse people ....
Offline
From https://en.wikipedia.org/wiki/Nobody_(username): 'nobody' is a special user name.
So it is not a good idea to create another 'nobody' user in your system. You'd better choose another name.
Offline
https://bugs.archlinux.org/task/56828
@berbae: filesystem used to provide nobody with UID/GID 99; then it was removed, and it is assigned 65534 by systemd-sysusers via a conf provided by systemd.
That will not change existing systems with the UID/GID 99. Systemd always resolves nobody to 65534 and root to 0 without performing any lookup.
Offline
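The following script is an added example, not code posted in this thread. It encodes loqs' explanation (systemd maps User=nobody to 65534 and root to 0 without consulting the passwd database, and takes numeric values verbatim) and then applies the kernel's owner/group/other execute-bit rule to the ExecStart= path, so the mismatch in the original post (file owned by nobody(99), service running as 65534) shows up before the unit fails with "Failed at step EXEC". It assumes GNU or busybox stat(1) and getent(1) are present, that a unit without Group= defaults to a group named like its user (the thread's unit sets both, so this is only a fallback), and it ignores ACLs and LSM policy.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce systemd's User=/Group=
# resolution as described by loqs and check whether that identity may execute
# the ExecStart= program. Assumes stat(1) with -c and getent(1) are available.

# systemd special cases: "root" -> 0 and "nobody" -> 65534 with no NSS lookup,
# a purely numeric value is used as-is, anything else is looked up in passwd.
systemd_resolve_uid() {
    case $1 in
        root)        echo 0 ;;
        nobody)      echo 65534 ;;
        ''|*[!0-9]*) getent passwd "$1" | cut -d: -f3 ;;
        *)           echo "$1" ;;
    esac
}

# Same rules for Group=, looked up in the group database instead.
systemd_resolve_gid() {
    case $1 in
        root)        echo 0 ;;
        nobody)      echo 65534 ;;
        ''|*[!0-9]*) getent group "$1" | cut -d: -f3 ;;
        *)           echo "$1" ;;
    esac
}

# mode_allows_exec MODE OWNER_UID OWNER_GID UID GID
# MODE is the octal string stat prints (e.g. 750 or 0750). Like the kernel,
# only the execute bit of the first matching class (owner, group, other) is
# consulted; uid 0 is allowed if any execute bit is set (CAP_DAC_OVERRIDE).
mode_allows_exec() {
    p=$1; p=${p#"${p%???}"}          # keep the last three digits
    owner=${p%??}; group=${p#?}; group=${group%?}; other=${p#??}
    fuid=$2; fgid=$3; uid=$4; gid=$5
    if [ "$uid" -eq 0 ]; then
        [ $(( owner & 1 )) -ne 0 ] || [ $(( group & 1 )) -ne 0 ] || [ $(( other & 1 )) -ne 0 ]
    elif [ "$uid" -eq "$fuid" ]; then
        [ $(( owner & 1 )) -ne 0 ]
    elif [ "$gid" -eq "$fgid" ]; then
        [ $(( group & 1 )) -ne 0 ]
    else
        [ $(( other & 1 )) -ne 0 ]
    fi
}

# can_exec_as FILE UID GID: run the same check against a file on disk.
can_exec_as() {
    file=$1; uid=$2; gid=$3
    info=$(stat -c '%a %u %g' "$file") || return 2
    set -- $info
    mode_allows_exec "$1" "$2" "$3" "$uid" "$gid"
}

# check_unit UNITFILE: read User=, Group= and ExecStart= from a unit file,
# warn when systemd's idea of the uid differs from passwd, and report whether
# the resolved identity may execute the program.
check_unit() {
    unit=$1
    user=$(sed -n 's/^User=//p' "$unit" | tail -n 1)
    group=$(sed -n 's/^Group=//p' "$unit" | tail -n 1)
    # Strip ExecStart= prefix characters (-, @, +, !, :) and keep the program path only.
    prog=$(sed -n 's/^ExecStart=//p' "$unit" | tail -n 1 | sed 's/^[-@+!:]*//' | cut -d' ' -f1)
    uid=$(systemd_resolve_uid "${user:-root}")
    # Assumption: with no Group=, fall back to a group named like the user.
    gid=$(systemd_resolve_gid "${group:-${user:-root}}")
    nss_uid=$(getent passwd "${user:-root}" | cut -d: -f3)
    [ "$uid" = "$nss_uid" ] || echo "note: systemd uses uid $uid for '$user' but passwd says ${nss_uid:-<none>}"
    if can_exec_as "$prog" "$uid" "$gid"; then
        echo "ok: $prog is executable by uid=$uid gid=$gid"
    else
        echo "FAIL: $prog is not executable by uid=$uid gid=$gid (systemd would fail at step EXEC)"
        return 1
    fi
}

# Usage: sh check-unit.sh /etc/systemd/system/nobody-test.service
if [ "$#" -gt 0 ]; then check_unit "$1"; fi
```

Run against the unit from the first post on a system where getent reports nobody as 99, the script prints the uid mismatch note and the FAIL line while the file is mode 750; after chmod o+rx (or with User=99 / Group=99 as the poster ended up doing) it reports ok.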
@berbae: As loqs points out, I guess this is a "legacy" issue. I did not create user nobody(99), archlinux did. This particular system has been running since 2012. Systemd's penchant for changing things unilaterally can be frustrating.
@loqs: Thanks for the link to that bug report, it was informative.
Offline