[prev in list] [next in list] [prev in thread] [next in thread]
List: log
Subject: Re: non-root doing "svc -o /service/root-owned-service"
From: "Andy Bradford" <amb-sendok-1556553840.gjkeloedkafdkieclika () bradfords ! org>
Date: 2019-03-30 16:03:59
Message-ID: 20190330100359.5374.qmail () angmar ! bradfordfamily ! org
[Download RAW message or body]
Thus said Otavio Exel on Sat, 30 Mar 2019 12:16:34 -0300:
> now in order to allow www-data to control the service I did
> (what seemed to me) the bare minimum to give it write access to
> supervise/control like that:
That was my first thought while reading the description of the problem.
This is probably the simplest approach, however, it does mean that if
you ever reinstall that service you'll have to remember to repeat those
steps as part of the configuration for that service.
As for whether or not there's a better way---each method has a
trade-off. The permissions based approah implies that not only can the
www-data group manage the service, but that it can also potentially
break the service if it tampers with the files rather than just calling
svc. sudo would prevent tampering but then might expose the system to
greater risk if the sudo entry is too broad or accidentally becomes to
broad.
Andy
--
TAI64 timestamp: 400000005c9f9394
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic