El7 Systemd Service:: Ensure Var/log Owner When User Is Specified
Hi! Does anyone have an idea how can i (in a nice way [1]) to ensure ownership/permissions of log directory in /var/log for a unit that drops privileges to a user (with User=/Group=)
[1] The ugly way being with script in StartPre and sudo in Start so i want to use UserI’m aware of LogsDirectory= but is not available on EL7
Thanks a lot!
Adrian
4 thoughts on - El7 Systemd Service:: Ensure Var/log Owner When User Is Specified
Running sudo in a systemd service seems like a bad idea and should be avoided. It’ll require disabling the RequireTTY feature in the sudo configuration anyway.
Newer versions of systemd support adding a + or ! at the beginning of the ExecStart= command to tell systemd to run with elevated privileges, so you could have:
[Service]
Type=oneshot User=testuser ExecStartPre=!mkdir -p /var/log/test ExecStartPre=!chown testuser /var/log/test ExecStart=/bin/sh -c ‘date > /var/log/test/test.log’
However, those features aren’t introduced into systemd until ~v231 so it isn’t in EL7.
I think you will have to do something like:
ExecStartPre=mkdir -p /var/log/test ExecStartPre=chown testuser /var/log/test ExecStart=su testuser -c ‘date > /var/log/test/test.log’
Just don’t use sudo.
If you know the username/group/directory beforehand, then you could use setfacl on the directory and permissions should trickle down to new directories/files. Not sure though what implications this has for SELinux.
https://www.redhat.com/sysadmin/linux-access-control-lists
Hi Adrian,
I think such a fundamental lack should be addressed by adding it by upstream. Did you try to create a BZ so that this could be fixed? I guess a backport for systemd should help.
Regards, Simon
Is there any reason to use a service file to create the logs ?After all we got systemd-tmpfilesfor that purpose. Best Regards,Strahil Nikolov