Re: a questions about putting a process under it's own group and user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Jul 14, 2007 at 04:11:28PM -0500, Scott Berry wrote:
> Hello guys and gals,
> 
> I just downloaded the teamspeak server and it recommends that it not
> be ran under root.  So I chowned and chgrped all the files and put
> it under my group and user's home directory called teamspeak.  Is
> this enough to ensure it runs under the right user and group or is
> ther more involved if so can some one help to ensure it runs under
> the teamspeak user please?

That's marginally better, but you can do much, much better. You have
conflated two concepts, file ownership and the user under which a
process executes. I suspect your teamspeak process is still running as
root. If so, your precaution is likely useless.

Instead create a new user, say "teamspeak:teamspeak" (System->
Administration-> Users and Groups). Don't give it a password or a home
directory, and change its shell to /sbin/nologin. Do give it its own
private group.

Having done that, change the ownership of the files for it back to
root:root, and make the files the teamspeak process has to read
readable but not writable by others. Any files it has to write (log
files, e.g.) should be owned and writable by teamspeak:teamspeak. The
idea is to minimize the damage a malicious attacker can do by denying
the process every possible privilege.

"man chown" and "man chmod" are your friends.

If teamspeak is designed to be run as a daemon, there should be a
script to place into /etc/rc.d/init.d. do so, then run:

chkconfig --add teamspeak

then:

service teamspeak start

Of course, this discussion ignores selinux issues entirely.

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB

Attachment: pgpI5Fq5vn6vR.pgp
Description: PGP signature


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux