[prev in list] [next in list] [prev in thread] [next in thread] 

List:       log
Subject:    Re: non-root doing "svc -o /service/root-owned-service"
From:       "Andy Bradford" <amb-sendok-1556553840.gjkeloedkafdkieclika () bradfords ! org>
Date:       2019-03-30 16:03:59
Message-ID: 20190330100359.5374.qmail () angmar ! bradfordfamily ! org
[Download RAW message or body]

Thus said Otavio Exel on Sat, 30 Mar 2019 12:16:34 -0300:

> now  in  order  to  allow  www-data  to  control  the  service  I  did
> (what  seemed to  me) the  bare  minimum to  give it  write access  to
> supervise/control like that:

That was my first thought while reading the description of the problem.

This is  probably the simplest approach,  however, it does mean  that if
you ever reinstall that service you'll  have to remember to repeat those
steps as part of the configuration for that service.

As  for  whether  or  not  there's a  better  way---each  method  has  a
trade-off. The permissions  based approah implies that not  only can the
www-data  group manage  the service,  but that  it can  also potentially
break the service if it tampers  with the files rather than just calling
svc. sudo  would prevent tampering but  then might expose the  system to
greater risk if  the sudo entry is too broad  or accidentally becomes to
broad.

Andy
-- 
TAI64 timestamp: 400000005c9f9394


[prev in list] [next in list] [prev in thread] [next in thread]