
I have a service running on a linux box, started with upstart, that runs as user


Question

I have a service running on a Linux box, started with upstart, that runs as user "the_user"; it has to read a config file. Having the file owned by root would make things more secure, but would prevent the service from reading the file.

I know that nginx can read a private cert file owned by root while running as a non-root user.

I read about the approach of sourcing a script that sets sensitive environment variables read from a root-owned file, and then launching the service process as the service user, which then "inherits" the environment variables.

What is the best approach?

Explanation / Answer

I'm unsure if this is the "correct" approach, but I would change the permissions of the file so that it is owned by root but also owned by another group which only has read access, making sure your upstart user is in this shared group.

# groupadd upstart
# usermod -aG upstart the_user
# chown root:upstart the_file.conf
# chmod 740 the_file.conf

The above adds a new group "upstart" at which point user "the_user" is added. The file ownership is changed to user "root" group "upstart" and permissions set to "root" read, write, execute; and group "upstart" read.
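
An added example, not part of the original answer: a shell check that the layout described above is actually in place (file owned by root with group "upstart", no group write, no access for others, and "the_user" in that group). It assumes GNU stat on Linux; the function names check_conf_perms and user_in_group are hypothetical.

```shell
#!/bin/sh
# Added example: audit the root-owned, group-readable config scheme.
# Assumes GNU stat (Linux). Function names are hypothetical.

# check_conf_perms FILE OWNER GROUP
# Succeeds only if FILE is a regular file owned by OWNER:GROUP, the group
# can read but not write it, and "other" has no access at all.
check_conf_perms() {
    file=$1; want_owner=$2; want_group=$3
    # Reject symlinks so the check applies to the file actually named.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "not a regular file: $file" >&2; return 2
    fi
    owner=$(stat -c %U "$file")
    group=$(stat -c %G "$file")
    mode=$(stat -c %a "$file")      # octal string, e.g. 640 or 740
    perm=$((0$mode))                # leading 0 makes the shell parse it as octal

    [ "$owner" = "$want_owner" ] || {
        echo "owner is $owner, expected $want_owner" >&2; return 1; }
    [ "$group" = "$want_group" ] || {
        echo "group is $group, expected $want_group" >&2; return 1; }
    [ $((perm & 040)) -ne 0 ] || {
        echo "group cannot read (mode $mode)" >&2; return 1; }
    [ $((perm & 020)) -eq 0 ] || {
        echo "group can write (mode $mode)" >&2; return 1; }
    [ $((perm & 007)) -eq 0 ] || {
        echo "others have access (mode $mode)" >&2; return 1; }
    return 0
}

# user_in_group USER GROUP
# Succeeds if USER is a member of GROUP according to the account database.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$2"
}

# Usage with the names from the answer:
#   check_conf_perms the_file.conf root upstart && user_in_group the_user upstart
```

A service that was already running before the group change keeps its old group list until it is restarted.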
