Linux – Run a daemon as ‘nobody’

Tags: daemon, linux, nobody, permissions

I have a daemon sitting in my root directory that currently is being run as root. However, since this program can read the file system, this is clearly a security problem. How can I run it as nobody so that I can resolve this problem?

Doing "su - nobody -c /root/myscript" doesn't work, returning a permission denied error. The only ways I can seem to get around this are:

  1. chmod -R 777 /root, which I don't want to do on my root dir and also messes up ssh.
  2. Move the script to /opt or /var and then do (1)

Of course, there may be an easy solution that I'm missing. I can chown it to nobody but that doesn't fix the problem either. Any ideas?

Best Answer

You don't want to do (1) -- Leave root's home directory alone. (2) is your best option - Create a new directory owned by the user the daemon will run as & have it do any disk I/O it needs to do in that directory.

Semi-related, please don't run things as "nobody" -- there's an old joke that nobody is usually the most privileged user on a *NIX system because all the daemons run as "nobody".

If you're really concerned about security you don't want to fall into that trap. It's worth taking the extra minute to create a dedicated user for your daemons with appropriate restrictions :-)
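
The setup this answer recommends, as an added example that is not from the original question or answer. `blocked_dirs` shows why the `su` attempt fails (a directory on the path, here /root, gives "other" users no search permission), and `setup_daemon_user` moves the script out and runs it under a dedicated account. The account name `mydaemon`, the paths /opt/mydaemon and /var/lib/mydaemon, and the nologin path are assumptions.

```shell
#!/bin/sh
# Added example. "mydaemon", /opt/mydaemon and /var/lib/mydaemon are assumed names.

# Print every directory between the given absolute path and / that lacks the
# "other" execute (search) bit, starting nearest the file. Any line printed
# means an unrelated user such as nobody gets "permission denied" on the path.
# Mode bits only: ACLs and group membership are not considered.
blocked_dirs() {
    dir=$(dirname -- "$1")
    while :; do
        # Character 10 of the ls mode string is the "other" execute bit.
        bit=$(ls -ld -- "$dir" | cut -c10)
        case $bit in
            x|t) ;;                      # traversable by "other"
            *) printf '%s\n' "$dir" ;;   # search permission missing
        esac
        case $dir in /|.) break ;; esac
        dir=$(dirname -- "$dir")
    done
}

# One-time setup, to be run as root. Defined here but not invoked.
setup_daemon_user() {
    user=mydaemon    # assumed account name
    # Dedicated system account: own group, no home directory, no login shell.
    # The nologin path varies by distribution (/sbin/nologin on some).
    useradd --system --user-group --no-create-home \
        --shell /usr/sbin/nologin "$user"
    # Code lives outside /root and stays root-owned, so the daemon can
    # execute it but cannot rewrite it.
    install -d -o root -g root -m 755 /opt/mydaemon
    install -o root -g root -m 755 /root/myscript /opt/mydaemon/myscript
    # The one directory the daemon owns and does its disk I/O in.
    install -d -o "$user" -g "$user" -m 750 /var/lib/mydaemon
    # runuser starts the command directly, so the nologin shell is no obstacle.
    cd /var/lib/mydaemon && runuser -u "$user" -- /opt/mydaemon/myscript
}
```

After sourcing the file, `blocked_dirs /root/myscript` lists `/root` wherever that directory grants nothing to "other", and `blocked_dirs /opt/mydaemon/myscript` should print nothing once the setup has run.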