Run su -s with arguments












0















I run to run a command using the su -s command to start a process. Since I do not want the root user to own the process.



I try to do this by issuing the command



su -s "$CATALINA_HOME/bin/catalina.sh run" tomcat



which returns su: /opt/apache-tomcat/bin/catalina.sh run: No such file or directory



How can I run the su -s command along with arguments to not generate this error?










share|improve this question























  • I think you are looking for -c switch, not -s. -s switch is for running su with a different shell (if it is allowed in /etc/shells of course)

    – MelBurslan
    Jun 10 '16 at 18:33











  • @MelBurslan I can't use -c as the user has nologin set in the /etc/passwd file.

    – jgr208
    Jun 10 '16 at 18:34











  • then try su -s /bin/bash -c "$CATALINA_HOME/bin/catalina.sh run" tomcat and see if it works for you

    – MelBurslan
    Jun 10 '16 at 18:36






  • 1





    @MelBurslan All these should go as an answer..please..

    – heemayl
    Jun 10 '16 at 18:37











  • @StephenKitt beat me to it.

    – MelBurslan
    Jun 10 '16 at 18:40
















0















I run to run a command using the su -s command to start a process. Since I do not want the root user to own the process.



I try to do this by issuing the command



su -s "$CATALINA_HOME/bin/catalina.sh run" tomcat



which returns su: /opt/apache-tomcat/bin/catalina.sh run: No such file or directory



How can I run the su -s command along with arguments to not generate this error?










share|improve this question























  • I think you are looking for -c switch, not -s. -s switch is for running su with a different shell (if it is allowed in /etc/shells of course)

    – MelBurslan
    Jun 10 '16 at 18:33











  • @MelBurslan I can't use -c as the user has nologin set in the /etc/passwd file.

    – jgr208
    Jun 10 '16 at 18:34











  • then try su -s /bin/bash -c "$CATALINA_HOME/bin/catalina.sh run" tomcat and see if it works for you

    – MelBurslan
    Jun 10 '16 at 18:36






  • 1





    @MelBurslan All these should go as an answer..please..

    – heemayl
    Jun 10 '16 at 18:37











  • @StephenKitt beat me to it.

    – MelBurslan
    Jun 10 '16 at 18:40














0












0








0








I run to run a command using the su -s command to start a process. Since I do not want the root user to own the process.



I try to do this by issuing the command



su -s "$CATALINA_HOME/bin/catalina.sh run" tomcat



which returns su: /opt/apache-tomcat/bin/catalina.sh run: No such file or directory



How can I run the su -s command along with arguments to not generate this error?










share|improve this question














I run to run a command using the su -s command to start a process. Since I do not want the root user to own the process.



I try to do this by issuing the command



su -s "$CATALINA_HOME/bin/catalina.sh run" tomcat



which returns su: /opt/apache-tomcat/bin/catalina.sh run: No such file or directory



How can I run the su -s command along with arguments to not generate this error?







command-line sudo su arguments






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jun 10 '16 at 18:31









jgr208jgr208

473424




473424













  • I think you are looking for -c switch, not -s. -s switch is for running su with a different shell (if it is allowed in /etc/shells of course)

    – MelBurslan
    Jun 10 '16 at 18:33











  • @MelBurslan I can't use -c as the user has nologin set in the /etc/passwd file.

    – jgr208
    Jun 10 '16 at 18:34











  • then try su -s /bin/bash -c "$CATALINA_HOME/bin/catalina.sh run" tomcat and see if it works for you

    – MelBurslan
    Jun 10 '16 at 18:36






  • 1





    @MelBurslan All these should go as an answer..please..

    – heemayl
    Jun 10 '16 at 18:37











  • @StephenKitt beat me to it.

    – MelBurslan
    Jun 10 '16 at 18:40



















  • I think you are looking for -c switch, not -s. -s switch is for running su with a different shell (if it is allowed in /etc/shells of course)

    – MelBurslan
    Jun 10 '16 at 18:33











  • @MelBurslan I can't use -c as the user has nologin set in the /etc/passwd file.

    – jgr208
    Jun 10 '16 at 18:34











  • then try su -s /bin/bash -c "$CATALINA_HOME/bin/catalina.sh run" tomcat and see if it works for you

    – MelBurslan
    Jun 10 '16 at 18:36






  • 1





    @MelBurslan All these should go as an answer..please..

    – heemayl
    Jun 10 '16 at 18:37











  • @StephenKitt beat me to it.

    – MelBurslan
    Jun 10 '16 at 18:40

















I think you are looking for -c switch, not -s. -s switch is for running su with a different shell (if it is allowed in /etc/shells of course)

– MelBurslan
Jun 10 '16 at 18:33





I think you are looking for -c switch, not -s. -s switch is for running su with a different shell (if it is allowed in /etc/shells of course)

– MelBurslan
Jun 10 '16 at 18:33













@MelBurslan I can't use -c as the user has nologin set in the /etc/passwd file.

– jgr208
Jun 10 '16 at 18:34





@MelBurslan I can't use -c as the user has nologin set in the /etc/passwd file.

– jgr208
Jun 10 '16 at 18:34













then try su -s /bin/bash -c "$CATALINA_HOME/bin/catalina.sh run" tomcat and see if it works for you

– MelBurslan
Jun 10 '16 at 18:36





then try su -s /bin/bash -c "$CATALINA_HOME/bin/catalina.sh run" tomcat and see if it works for you

– MelBurslan
Jun 10 '16 at 18:36




1




1





@MelBurslan All these should go as an answer..please..

– heemayl
Jun 10 '16 at 18:37





@MelBurslan All these should go as an answer..please..

– heemayl
Jun 10 '16 at 18:37













@StephenKitt beat me to it.

– MelBurslan
Jun 10 '16 at 18:40





@StephenKitt beat me to it.

– MelBurslan
Jun 10 '16 at 18:40










3 Answers
3






active

oldest

votes


















3














If you're running su as root, you can use -s to specify a different shell (running as root is necessary here since your tomcat user doesn't have a valid shell), and -c to specify the command to run:



su -s /bin/sh -c "$CATALINA_HOME/bin/catalina.sh run" tomcat


You might find start-stop-daemon useful; it has a whole slew of options to specify the user and group to use, how to start the daemon etc. The tomcat8 initscript used in Debian might provide useful inspiration. Or you could look at writing a systemd unit or whatever is appropriate for your system's init.






share|improve this answer

































    3














    The -s switch for su command is to change the shell of the specified user. The command you want to run must be preceded by -c switch.



    So the command you are looking for is something like this:



    su -s /bin/bash -c "$CATALINA_HOME/bin/catalina.sh run" tomcat





    share|improve this answer































      0














      Your other questions at https://stackoverflow.com/questions/37753783/ and Is there any way to tell if a shell script was killed with signal 9 indicate that what's missing from your question is that you are trying to run Tomcat under upstart.



      In such a case:





      • start-stop-daemon is not appropriate.

      • Nor is su.

      • Nor are Poor Man's Daemon Supervisor gyrations to do PID file management in shell script.


      All of those are attempting to duplicate stuff that upstart does directly. The use of su is particularly bad, because it isn't a tool for dropping privileges. It is a tool for adding privileges, in a login session. It nowadays has involvement under the covers with various login session management subsystems that makes it particularly inappropriate for the (much simpler) task of dropping superuser privileges in a dæmon. start-stop-daemon is just supererogatory. And upstart knows the process IDs of its children.



      In the upstart job file, use the setuid and (if appropriate) setgid stanzas to drop privileges to an unprivileged user:


      setuid tomcat


      And if you do invoke catalina.sh via sh -c, which isn't really necessary, don't wander into systemd House of Horror territory. (It's only marginally less horrendous when these sorts of things are done with upstart.) Do things the daemontools way and have the shell chain to the script, invoking it via the shell's exec command so that upstart sees the dæmon as its direct child process. (And make sure that upstart knows this with the correct expect stanza, too.)



      An explicit shell isn't necessary in the first place, though, because upstart can invoke catalina.sh directly itself, just as systemd and other service management tools can. You furthermore thus don't have the worry of ensuring that /bin/bash is actually the right interpreter for that script.


      exec $CATALINA_HOME/bin/catalina.sh run


      Further reading




      • James Hunt and Clint Byrum (2014). "setuid". Upstart Cookbook.

      • James Hunt and Clint Byrum (2014). "setgid". Upstart Cookbook.

      • James Hunt and Clint Byrum (2014). "console log". Upstart Cookbook.

      • Jonathan de Boyne Pollard (2014). Don't abuse su for dropping user privileges. Frequently Given Answers.

      • Jonathan de Boyne Pollard (2015). Wrapping Apache Tomcat in many pointless extra layers The systemd House of Horror.

      • Jonathan de Boyne Pollard (2015). The systemd House of Horror. Frequently Given Answers.

      • https://superuser.com/a/723333/38062

      • https://superuser.com/questions/683855/






      share|improve this answer


























      • I am using RHEL which uses upstart 0.9.4 and does not have the setuid stanza and yes i have already tried.

        – jgr208
        Jun 10 '16 at 19:50











      • Then (a) start providing such information in questions and (b) read the Further Reading section and apply one of the several the tools pointed to there for dropping privileges.

        – JdeBP
        Jun 10 '16 at 19:53











      • "upstart script that is used to start apache tomcat on an RHEL 6.8 system" seems to be provided to me. Also this is a upstart so the systemd tools don't apply, the tools mentioned in others are not installed on my system and can not be, I don't have that version of upstart.

        – jgr208
        Jun 10 '16 at 19:58











      • The tools that I just mentioned are not systemd tools. And the idea that these tools, many of which have been around for years, are not available for RedHat Linux is very wrong indeed.

        – JdeBP
        Jun 10 '16 at 20:12











      • never said they were not around i said they can not be installed on the system not by my choice. also some of the stuff is systemd some upstart i never said all.

        – jgr208
        Jun 10 '16 at 20:15











      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "106"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f289037%2frun-su-s-with-arguments%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      3














      If you're running su as root, you can use -s to specify a different shell (running as root is necessary here since your tomcat user doesn't have a valid shell), and -c to specify the command to run:



      su -s /bin/sh -c "$CATALINA_HOME/bin/catalina.sh run" tomcat


      You might find start-stop-daemon useful; it has a whole slew of options to specify the user and group to use, how to start the daemon etc. The tomcat8 initscript used in Debian might provide useful inspiration. Or you could look at writing a systemd unit or whatever is appropriate for your system's init.






      share|improve this answer






























        3














        If you're running su as root, you can use -s to specify a different shell (running as root is necessary here since your tomcat user doesn't have a valid shell), and -c to specify the command to run:



        su -s /bin/sh -c "$CATALINA_HOME/bin/catalina.sh run" tomcat


        You might find start-stop-daemon useful; it has a whole slew of options to specify the user and group to use, how to start the daemon etc. The tomcat8 initscript used in Debian might provide useful inspiration. Or you could look at writing a systemd unit or whatever is appropriate for your system's init.






        share|improve this answer




























          3












          3








          3







          If you're running su as root, you can use -s to specify a different shell (running as root is necessary here since your tomcat user doesn't have a valid shell), and -c to specify the command to run:



          su -s /bin/sh -c "$CATALINA_HOME/bin/catalina.sh run" tomcat


          You might find start-stop-daemon useful; it has a whole slew of options to specify the user and group to use, how to start the daemon etc. The tomcat8 initscript used in Debian might provide useful inspiration. Or you could look at writing a systemd unit or whatever is appropriate for your system's init.






          share|improve this answer















          If you're running su as root, you can use -s to specify a different shell (running as root is necessary here since your tomcat user doesn't have a valid shell), and -c to specify the command to run:



          su -s /bin/sh -c "$CATALINA_HOME/bin/catalina.sh run" tomcat


          You might find start-stop-daemon useful; it has a whole slew of options to specify the user and group to use, how to start the daemon etc. The tomcat8 initscript used in Debian might provide useful inspiration. Or you could look at writing a systemd unit or whatever is appropriate for your system's init.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Jan 31 at 15:57

























          answered Jun 10 '16 at 18:39









          Stephen KittStephen Kitt

          171k24386462




          171k24386462

























              3














              The -s switch for su command is to change the shell of the specified user. The command you want to run must be preceded by -c switch.



              So the command you are looking for is something like this:



              su -s /bin/bash -c "$CATALINA_HOME/bin/catalina.sh run" tomcat





              share|improve this answer




























                3














                The -s switch for su command is to change the shell of the specified user. The command you want to run must be preceded by -c switch.



                So the command you are looking for is something like this:



                su -s /bin/bash -c "$CATALINA_HOME/bin/catalina.sh run" tomcat





                share|improve this answer


























                  3












                  3








                  3







                  The -s switch for su command is to change the shell of the specified user. The command you want to run must be preceded by -c switch.



                  So the command you are looking for is something like this:



                  su -s /bin/bash -c "$CATALINA_HOME/bin/catalina.sh run" tomcat





                  share|improve this answer













                  The -s switch for su command is to change the shell of the specified user. The command you want to run must be preceded by -c switch.



                  So the command you are looking for is something like this:



                  su -s /bin/bash -c "$CATALINA_HOME/bin/catalina.sh run" tomcat






                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Jun 10 '16 at 18:41









                  MelBurslanMelBurslan

                  5,30011533




                  5,30011533























                      0














                      Your other questions at https://stackoverflow.com/questions/37753783/ and Is there any way to tell if a shell script was killed with signal 9 indicate that what's missing from your question is that you are trying to run Tomcat under upstart.



                      In such a case:





                      • start-stop-daemon is not appropriate.

                      • Nor is su.

                      • Nor are Poor Man's Daemon Supervisor gyrations to do PID file management in shell script.


                      All of those are attempting to duplicate stuff that upstart does directly. The use of su is particularly bad, because it isn't a tool for dropping privileges. It is a tool for adding privileges, in a login session. It nowadays has involvement under the covers with various login session management subsystems that makes it particularly inappropriate for the (much simpler) task of dropping superuser privileges in a dæmon. start-stop-daemon is just supererogatory. And upstart knows the process IDs of its children.



                      In the upstart job file, use the setuid and (if appropriate) setgid stanzas to drop privileges to an unprivileged user:


                      setuid tomcat


                      And if you do invoke catalina.sh via sh -c, which isn't really necessary, don't wander into systemd House of Horror territory. (It's only marginally less horrendous when these sorts of things are done with upstart.) Do things the daemontools way and have the shell chain to the script, invoking it via the shell's exec command so that upstart sees the dæmon as its direct child process. (And make sure that upstart knows this with the correct expect stanza, too.)



                      An explicit shell isn't necessary in the first place, though, because upstart can invoke catalina.sh directly itself, just as systemd and other service management tools can. You furthermore thus don't have the worry of ensuring that /bin/bash is actually the right interpreter for that script.


                      exec $CATALINA_HOME/bin/catalina.sh run


                      Further reading




                      • James Hunt and Clint Byrum (2014). "setuid". Upstart Cookbook.

                      • James Hunt and Clint Byrum (2014). "setgid". Upstart Cookbook.

                      • James Hunt and Clint Byrum (2014). "console log". Upstart Cookbook.

                      • Jonathan de Boyne Pollard (2014). Don't abuse su for dropping user privileges. Frequently Given Answers.

                      • Jonathan de Boyne Pollard (2015). Wrapping Apache Tomcat in many pointless extra layers The systemd House of Horror.

                      • Jonathan de Boyne Pollard (2015). The systemd House of Horror. Frequently Given Answers.

                      • https://superuser.com/a/723333/38062

                      • https://superuser.com/questions/683855/






                      share|improve this answer


























                      • I am using RHEL which uses upstart 0.9.4 and does not have the setuid stanza and yes i have already tried.

                        – jgr208
                        Jun 10 '16 at 19:50











                      • Then (a) start providing such information in questions and (b) read the Further Reading section and apply one of the several the tools pointed to there for dropping privileges.

                        – JdeBP
                        Jun 10 '16 at 19:53











                      • "upstart script that is used to start apache tomcat on an RHEL 6.8 system" seems to be provided to me. Also this is a upstart so the systemd tools don't apply, the tools mentioned in others are not installed on my system and can not be, I don't have that version of upstart.

                        – jgr208
                        Jun 10 '16 at 19:58











                      • The tools that I just mentioned are not systemd tools. And the idea that these tools, many of which have been around for years, are not available for RedHat Linux is very wrong indeed.

                        – JdeBP
                        Jun 10 '16 at 20:12











                      • never said they were not around i said they can not be installed on the system not by my choice. also some of the stuff is systemd some upstart i never said all.

                        – jgr208
                        Jun 10 '16 at 20:15
















                      0














                      Your other questions at https://stackoverflow.com/questions/37753783/ and Is there any way to tell if a shell script was killed with signal 9 indicate that what's missing from your question is that you are trying to run Tomcat under upstart.



                      In such a case:





                      • start-stop-daemon is not appropriate.

                      • Nor is su.

                      • Nor are Poor Man's Daemon Supervisor gyrations to do PID file management in shell script.


                      All of those are attempting to duplicate stuff that upstart does directly. The use of su is particularly bad, because it isn't a tool for dropping privileges. It is a tool for adding privileges, in a login session. It nowadays has involvement under the covers with various login session management subsystems that makes it particularly inappropriate for the (much simpler) task of dropping superuser privileges in a dæmon. start-stop-daemon is just supererogatory. And upstart knows the process IDs of its children.



                      In the upstart job file, use the setuid and (if appropriate) setgid stanzas to drop privileges to an unprivileged user:


                      setuid tomcat


                      And if you do invoke catalina.sh via sh -c, which isn't really necessary, don't wander into systemd House of Horror territory. (It's only marginally less horrendous when these sorts of things are done with upstart.) Do things the daemontools way and have the shell chain to the script, invoking it via the shell's exec command so that upstart sees the dæmon as its direct child process. (And make sure that upstart knows this with the correct expect stanza, too.)



                      An explicit shell isn't necessary in the first place, though, because upstart can invoke catalina.sh directly itself, just as systemd and other service management tools can. You furthermore thus don't have the worry of ensuring that /bin/bash is actually the right interpreter for that script.


                      exec $CATALINA_HOME/bin/catalina.sh run


                      Further reading




                      • James Hunt and Clint Byrum (2014). "setuid". Upstart Cookbook.

                      • James Hunt and Clint Byrum (2014). "setgid". Upstart Cookbook.

                      • James Hunt and Clint Byrum (2014). "console log". Upstart Cookbook.

                      • Jonathan de Boyne Pollard (2014). Don't abuse su for dropping user privileges. Frequently Given Answers.

                      • Jonathan de Boyne Pollard (2015). Wrapping Apache Tomcat in many pointless extra layers The systemd House of Horror.

                      • Jonathan de Boyne Pollard (2015). The systemd House of Horror. Frequently Given Answers.

                      • https://superuser.com/a/723333/38062

                      • https://superuser.com/questions/683855/






                      share|improve this answer


























                      • I am using RHEL which uses upstart 0.9.4 and does not have the setuid stanza and yes i have already tried.

                        – jgr208
                        Jun 10 '16 at 19:50











                      • Then (a) start providing such information in questions and (b) read the Further Reading section and apply one of the several the tools pointed to there for dropping privileges.

                        – JdeBP
                        Jun 10 '16 at 19:53











                      • "upstart script that is used to start apache tomcat on an RHEL 6.8 system" seems to be provided to me. Also this is a upstart so the systemd tools don't apply, the tools mentioned in others are not installed on my system and can not be, I don't have that version of upstart.

                        – jgr208
                        Jun 10 '16 at 19:58











                      • The tools that I just mentioned are not systemd tools. And the idea that these tools, many of which have been around for years, are not available for RedHat Linux is very wrong indeed.

                        – JdeBP
                        Jun 10 '16 at 20:12











                      • never said they were not around i said they can not be installed on the system not by my choice. also some of the stuff is systemd some upstart i never said all.

                        – jgr208
                        Jun 10 '16 at 20:15














                      0












                      0








                      0







                      Your other questions at https://stackoverflow.com/questions/37753783/ and Is there any way to tell if a shell script was killed with signal 9 indicate that what's missing from your question is that you are trying to run Tomcat under upstart.



                      In such a case:





                      • start-stop-daemon is not appropriate.

                      • Nor is su.

                      • Nor are Poor Man's Daemon Supervisor gyrations to do PID file management in shell script.


                      All of those are attempting to duplicate stuff that upstart does directly. The use of su is particularly bad, because it isn't a tool for dropping privileges. It is a tool for adding privileges, in a login session. It nowadays has involvement under the covers with various login session management subsystems that makes it particularly inappropriate for the (much simpler) task of dropping superuser privileges in a dæmon. start-stop-daemon is just supererogatory. And upstart knows the process IDs of its children.



                      In the upstart job file, use the setuid and (if appropriate) setgid stanzas to drop privileges to an unprivileged user:


                      setuid tomcat


                      And if you do invoke catalina.sh via sh -c, which isn't really necessary, don't wander into systemd House of Horror territory. (It's only marginally less horrendous when these sorts of things are done with upstart.) Do things the daemontools way and have the shell chain to the script, invoking it via the shell's exec command so that upstart sees the dæmon as its direct child process. (And make sure that upstart knows this with the correct expect stanza, too.)



                      An explicit shell isn't necessary in the first place, though, because upstart can invoke catalina.sh directly itself, just as systemd and other service management tools can. You furthermore thus don't have the worry of ensuring that /bin/bash is actually the right interpreter for that script.


                      exec $CATALINA_HOME/bin/catalina.sh run


                      Further reading




                      • James Hunt and Clint Byrum (2014). "setuid". Upstart Cookbook.

                      • James Hunt and Clint Byrum (2014). "setgid". Upstart Cookbook.

                      • James Hunt and Clint Byrum (2014). "console log". Upstart Cookbook.

                      • Jonathan de Boyne Pollard (2014). Don't abuse su for dropping user privileges. Frequently Given Answers.

                      • Jonathan de Boyne Pollard (2015). Wrapping Apache Tomcat in many pointless extra layers The systemd House of Horror.

                      • Jonathan de Boyne Pollard (2015). The systemd House of Horror. Frequently Given Answers.

                      • https://superuser.com/a/723333/38062

                      • https://superuser.com/questions/683855/






                      share|improve this answer















                      Your other questions at https://stackoverflow.com/questions/37753783/ and Is there any way to tell if a shell script was killed with signal 9 indicate that what's missing from your question is that you are trying to run Tomcat under upstart.



                      In such a case:





                      • start-stop-daemon is not appropriate.

                      • Nor is su.

                      • Nor are Poor Man's Daemon Supervisor gyrations to do PID file management in shell script.


                      All of those are attempting to duplicate stuff that upstart does directly. The use of su is particularly bad, because it isn't a tool for dropping privileges. It is a tool for adding privileges, in a login session. It nowadays has involvement under the covers with various login session management subsystems that makes it particularly inappropriate for the (much simpler) task of dropping superuser privileges in a dæmon. start-stop-daemon is just supererogatory. And upstart knows the process IDs of its children.



                      In the upstart job file, use the setuid and (if appropriate) setgid stanzas to drop privileges to an unprivileged user:


                      setuid tomcat


                      And if you do invoke catalina.sh via sh -c, which isn't really necessary, don't wander into systemd House of Horror territory. (It's only marginally less horrendous when these sorts of things are done with upstart.) Do things the daemontools way and have the shell chain to the script, invoking it via the shell's exec command so that upstart sees the dæmon as its direct child process. (And make sure that upstart knows this with the correct expect stanza, too.)



                      An explicit shell isn't necessary in the first place, though, because upstart can invoke catalina.sh directly itself, just as systemd and other service management tools can. You furthermore thus don't have the worry of ensuring that /bin/bash is actually the right interpreter for that script.


                      exec $CATALINA_HOME/bin/catalina.sh run


                      Further reading




                      • James Hunt and Clint Byrum (2014). "setuid". Upstart Cookbook.

                      • James Hunt and Clint Byrum (2014). "setgid". Upstart Cookbook.

                      • James Hunt and Clint Byrum (2014). "console log". Upstart Cookbook.

                      • Jonathan de Boyne Pollard (2014). Don't abuse su for dropping user privileges. Frequently Given Answers.

                      • Jonathan de Boyne Pollard (2015). Wrapping Apache Tomcat in many pointless extra layers The systemd House of Horror.

                      • Jonathan de Boyne Pollard (2015). The systemd House of Horror. Frequently Given Answers.

                      • https://superuser.com/a/723333/38062

                      • https://superuser.com/questions/683855/







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited May 23 '17 at 12:39









                      Community

                      1




                      1










                      answered Jun 10 '16 at 19:48









                      JdeBPJdeBP

                      34.8k470163




                      34.8k470163













                      • I am using RHEL which uses upstart 0.9.4 and does not have the setuid stanza and yes i have already tried.

                        – jgr208
                        Jun 10 '16 at 19:50











                      • Then (a) start providing such information in questions and (b) read the Further Reading section and apply one of the several the tools pointed to there for dropping privileges.

                        – JdeBP
                        Jun 10 '16 at 19:53











                      • "upstart script that is used to start apache tomcat on an RHEL 6.8 system" seems to be provided to me. Also this is a upstart so the systemd tools don't apply, the tools mentioned in others are not installed on my system and can not be, I don't have that version of upstart.

                        – jgr208
                        Jun 10 '16 at 19:58











                      • The tools that I just mentioned are not systemd tools. And the idea that these tools, many of which have been around for years, are not available for RedHat Linux is very wrong indeed.

                        – JdeBP
                        Jun 10 '16 at 20:12











                      • never said they were not around i said they can not be installed on the system not by my choice. also some of the stuff is systemd some upstart i never said all.

                        – jgr208
                        Jun 10 '16 at 20:15



















                      • I am using RHEL which uses upstart 0.9.4 and does not have the setuid stanza and yes i have already tried.

                        – jgr208
                        Jun 10 '16 at 19:50











                      • Then (a) start providing such information in questions and (b) read the Further Reading section and apply one of the several the tools pointed to there for dropping privileges.

                        – JdeBP
                        Jun 10 '16 at 19:53











                      • "upstart script that is used to start apache tomcat on an RHEL 6.8 system" seems to be provided to me. Also this is a upstart so the systemd tools don't apply, the tools mentioned in others are not installed on my system and can not be, I don't have that version of upstart.

                        – jgr208
                        Jun 10 '16 at 19:58











                      • The tools that I just mentioned are not systemd tools. And the idea that these tools, many of which have been around for years, are not available for RedHat Linux is very wrong indeed.

                        – JdeBP
                        Jun 10 '16 at 20:12











                      • never said they were not around i said they can not be installed on the system not by my choice. also some of the stuff is systemd some upstart i never said all.

                        – jgr208
                        Jun 10 '16 at 20:15

















                      I am using RHEL which uses upstart 0.9.4 and does not have the setuid stanza and yes i have already tried.

                      – jgr208
                      Jun 10 '16 at 19:50





                      I am using RHEL which uses upstart 0.9.4 and does not have the setuid stanza and yes i have already tried.

                      – jgr208
                      Jun 10 '16 at 19:50













                      Then (a) start providing such information in questions and (b) read the Further Reading section and apply one of the several the tools pointed to there for dropping privileges.

                      – JdeBP
                      Jun 10 '16 at 19:53





                      Then (a) start providing such information in questions and (b) read the Further Reading section and apply one of the several the tools pointed to there for dropping privileges.

                      – JdeBP
                      Jun 10 '16 at 19:53













                      "upstart script that is used to start apache tomcat on an RHEL 6.8 system" seems to be provided to me. Also this is a upstart so the systemd tools don't apply, the tools mentioned in others are not installed on my system and can not be, I don't have that version of upstart.

                      – jgr208
                      Jun 10 '16 at 19:58





                      "upstart script that is used to start apache tomcat on an RHEL 6.8 system" seems to be provided to me. Also this is a upstart so the systemd tools don't apply, the tools mentioned in others are not installed on my system and can not be, I don't have that version of upstart.

                      – jgr208
                      Jun 10 '16 at 19:58













                      The tools that I just mentioned are not systemd tools. And the idea that these tools, many of which have been around for years, are not available for RedHat Linux is very wrong indeed.

                      – JdeBP
                      Jun 10 '16 at 20:12





                      The tools that I just mentioned are not systemd tools. And the idea that these tools, many of which have been around for years, are not available for RedHat Linux is very wrong indeed.

                      – JdeBP
                      Jun 10 '16 at 20:12













                      never said they were not around i said they can not be installed on the system not by my choice. also some of the stuff is systemd some upstart i never said all.

                      – jgr208
                      Jun 10 '16 at 20:15





                      never said they were not around i said they can not be installed on the system not by my choice. also some of the stuff is systemd some upstart i never said all.

                      – jgr208
                      Jun 10 '16 at 20:15


















                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Unix & Linux Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f289037%2frun-su-s-with-arguments%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      How to make a Squid Proxy server?

                      Is this a new Fibonacci Identity?

                      19世紀