[ale] make some apps/scripts run as root

Michael B. Trausch mike at trausch.us
Wed Feb 23 13:55:10 EST 2011


On Wed, 2011-02-23 at 13:05 -0500, Narahari 'n' Savitha wrote:
> See we don't want the Websphere to be running as a service.  This
> Websphere is for development and for developers.

To clear things up a little bit, what is called a "service" on Windows
is more appropriately called a dæmon (or a "server process") on
UNIX-like systems including Linux.

Any software that is written to run as a dæmon, will run as a dæmon, no
matter what.  There are some exceptions, such as Samba which allows you
to start it as a normal foreground process, and the only difference is
that it won't do the double-fork and tty-detach song and dance that
dæmon processes do.

> We don't want to be run as a service.  In fact we are going out of the
> way to make it NOT run as a service.
> 
> The IDE controls the start and stop of the server based on our
> development needs.
> 
> Is that possible to run it in a non-service mode and also can I just
> do chmod 777 on the entire folder I should be set.

Giving anything global rwx is bad.  You almost certainly do not want to
do that.

Binaries need to be owned by a system user (root:bin works), and should
have 755 (e.g., rwxr-xr-x) permissions.  If you are having problems
keeping the dæmon alive when it is run as a normal (unprivileged) user,
then what you need to do is either give it the capability to open a
privileged port, or you need to tell it to use an unprivileged port
(that is, a port number that is higher than 1023).  Ports that are lower
than 1024 require the CAP_NET_BIND_SERVICE capability (see the man page,
capabilities(7)). CAP_NET_BIND_SERVICE is, of course, automatically
granted to processes that run as root.

But do not give the setuid permission to the binary; that is even worse
than giving it 777 permissions.

	--- Mike
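
An audit for the permission problems this message warns about, added here as an example and not part of the original post: it walks an install tree and reports world-writable entries (what `chmod 777` produces), setuid/setgid files, and executables not owned by the expected system user. The function name `audit_tree`, its output labels, and the optional owner argument (default `root`) are assumptions made for this example.

```shell
#!/bin/sh
# audit_tree DIR [OWNER]
# Prints one finding per line as "<LABEL> <path>" for entries under DIR.
# OWNER (hypothetical parameter, default "root") is the user expected to
# own executables; a numeric uid is accepted as well.
# Returns 0 if the tree is clean, 1 if there are findings, 2 on bad input.
audit_tree() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "audit_tree: not a directory: $dir" >&2
        return 2
    fi
    findings=$(
        # Anything writable by "other". Symlinks are skipped because
        # their own mode bits carry no meaning.
        find "$dir" ! -type l -perm -0002 -print |
            sed 's/^/WORLD_WRITABLE /'
        # Regular files that run with the owner's or group's identity.
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print |
            sed 's/^/SETID /'
        # Executables that the expected system user does not own.
        find "$dir" -type f -perm -0100 ! -user "$owner" -print |
            sed 's/^/WRONG_OWNER /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Source the file and run `audit_tree /path/to/install` (placeholder path) before and after changing permissions; a tree that follows the 755 advice above produces no output.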