monit-general

Re: [Proposal] switching user and group id


From: Jan-Henrik Haukeland
Subject: Re: [Proposal] switching user and group id
Date: 01 May 2003 01:38:12 +0200
User-agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Civil Service)

Jan-Henrik Haukeland <address@hidden> writes:

> I was starting a program the other day from monit. The program should
> run as a special user but does not switch to a new uid and gid like
> apache does. So if monit is run by root the program also runs as the
> root user. It occurred to me that switching uid (and gid) can be done
> by monit. 
> 
> Before monit starts a program it forks off a new process and in this
> process the uid/gid could be changed before monit starts the program.

I have added this feature to the cvs repository and it works fine. If
anyone wants to check it out before the next release you can check out
the latest monit release from cvs (the latest code also includes
statefulness and soon Martin's promising file/directory/device check). How
to check out the latest monit code from CVS is explained on this page:
             http://savannah.nongnu.org/cvs/?group=monit

Here's an excerpt from the man file:

This example demonstrates how you can run a program as a specified user
(uid) and with a specified group (gid). Many daemon programs will do
the uid and gid switch by themselves, but for those programs that do not
(e.g. java programs), monit's ability to start a program as a certain
user can be very useful.  In this example we start the Tomcat Java
Servlet Engine as the standard nobody user and group. Please note that
monit will only change uid and gid for a program if the super-user is
running monit, otherwise monit will simply ignore the request to
change uid and gid.

 check tomcat with pidfile /var/run/tomcat.pid
   start program = "/etc/init.d/tomcat start" 
      as uid nobody and gid nobody
   stop program  = "/etc/init.d/tomcat stop"
      # You can also use id numbers instead and write: 
      as uid 99 and with gid 99
   port 8080



-- 
Jan-Henrik Haukeland
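
The fork-then-switch sequence described in the message above, as an added C example that is not part of the original post and is not monit's own code. The names `run_as` and `drop_privileges` are hypothetical, and the `setgroups()` call, the post-switch verification and the 126/127 exit codes are assumptions of this example rather than behaviour the post states.

```c
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop to uid/gid permanently. Returns 0 on success, -1 on any failure.
 * As the man page excerpt says, a caller that is not the super-user
 * cannot switch ids, so the request is ignored in that case. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                      /* not super-user: ignore request */
    if (setgroups(1, &gid) != 0)       /* clear root's supplementary groups */
        return -1;
    if (setgid(gid) != 0)              /* group first: needs root to succeed */
        return -1;
    if (setuid(uid) != 0)              /* sets real, effective and saved uid */
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;                     /* verify, do not trust return codes */
    if (uid != 0 && setuid(0) == 0)    /* root must not be recoverable */
        return -1;
    return 0;
}

/* Fork, switch ids in the child only, then exec argv[0].
 * Returns the child's exit status, or -1 on fork/wait failure. */
int run_as(uid_t uid, gid_t gid, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(126);                /* fail closed: never exec as root */
        execv(argv[0], argv);
        _exit(127);                    /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = {"/bin/sh", "-c", "id", NULL};
    /* 99/99 are the numeric ids used in the example configuration above */
    printf("child exit status: %d\n", run_as(99, 99, argv));
    return 0;
}
```

The group switch has to come before `setuid()`, because once the uid is no longer 0 the process lacks the privilege to change its gid or supplementary groups.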



