On Tue, Feb 09, 2021 at 07:21:40PM +0200, Adrian Sevcenco wrote:
> Hi! Does anyone have an idea how can i (in a nice way [1]) to ensure
> ownership/permissions of log directory in /var/log for a unit
> that drops privileges to a user (with User=/Group=)
>
> [1] The ugly way being with script in StartPre and sudo in Start
> so i want to use User=
> I'm aware of LogsDirectory= but is not available on EL7
Running sudo in a systemd service seems like a bad idea and should be
avoided. It'll require disabling the RequireTTY feature in the sudo
configuration anyway.
Newer versions of systemd support adding a + or ! at the beginning of
the ExecStart= command to tell systemd to run with elevated
privileges, so you could have:
[Service]
Type=oneshot
User=testuser
ExecStartPre=!mkdir -p /var/log/test
ExecStartPre=!chown testuser /var/log/test
ExecStart=/bin/sh -c 'date > /var/log/test/test.log'
However, those features aren't introduced into systemd until ~v231 so
it isn't in EL7.
I think you will have to do something like:
ExecStartPre=mkdir -p /var/log/test
ExecStartPre=chown testuser /var/log/test
ExecStart=su testuser -c 'date > /var/log/test/test.log'
Just don't use sudo.
--
Jonathan Billings <billings@xxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
