以受限用户身份运行 monit 并使其监视需要 root 权限的进程
我有一个用 Ruby 编写的特定脚本,需要 root 权限。大多数其他进程不需要它,因此很容易在 Monit 中设置。不是这个。
服务器需要监听386,这个端口只有root可用。我不会详细说明原因,因为 1)我不是一个低级的人,2)到目前为止,使用 sudo 时效果很好。
monit 配置文件很简单,如下所示:
set logfile syslog facility LOG_daemon # Default facility is LOG_USER
set mailserver smtp.sendgrid.net
username "blah", password "blah"
with timeout 20 seconds
set alert [email protected]
set logfile /home/deploy/monit.log
check process ldapserver
with pidfile /var/pids/ldap_server.pid
start program = "/usr/local/bin/ruby /var/lib/ldap_server.rb"
stop program = "/bin/sh"
注意:我已将 /bin/sh 放入停止程序中,因为此进程没有停止程序。
如果我这样说:
start program = "/usr/local/bin/ruby /var/lib/ldap_server.rb"
它无法启动。没有任何提示。
start program = "/usr/bin/sudo -u deploy /usr/local/bin/ruby /var/lib/ldap_server.rb
也失败了。无输出。
start program = "/bin/su deploy -c '/usr/local/bin/ruby /var/lib/ldap_server.rb'
无法启动。
我还尝试使用 > 重定向输出〜/out.log 2> &1 捕获 stderr 和 stdout 但它似乎不起作用。
现在,我在受限制的部署用户下启动 monit。因此,我需要以某种方式以 root 身份运行 ldap 服务器,但事实证明这很难做到。
有人可以启发我吗?
干杯,
M>
I have a specific script written in Ruby that needs root privileges. Most of the other processes don't need that and so were easy to setup in Monit. Not this one.
The server needs to listen at 386, and this port is only available for root. I won't get into the details of why, because 1) I'm not a low-level kind of guy, 2) It worked fine so far when using sudo.
The monit configuration file is simple and looks like this:
set logfile syslog facility LOG_daemon # Default facility is LOG_USER
set mailserver smtp.sendgrid.net
username "blah", password "blah"
with timeout 20 seconds
set alert [email protected]
set logfile /home/deploy/monit.log
check process ldapserver
with pidfile /var/pids/ldap_server.pid
start program = "/usr/local/bin/ruby /var/lib/ldap_server.rb"
stop program = "/bin/sh"
Note: I've put /bin/sh in the stop program because there's not a stop program for this process.
If I put like this:
start program = "/usr/local/bin/ruby /var/lib/ldap_server.rb"
It fails to start. No hints.
start program = "/usr/bin/sudo -u deploy /usr/local/bin/ruby /var/lib/ldap_server.rb
Fails as well. No output.
start program = "/bin/su deploy -c '/usr/local/bin/ruby /var/lib/ldap_server.rb'
Fails to start.
I also tried redirecting the output using > ~/out.log 2 > &1 to capture stderr and stdout but it doesn't seem to work.
Now, I'm starting monit under the deploy user, which is restricted. So, I'd need to somehow run the ldap server as root, but turns out it's quite hard to do.
Could someone enlighten me ?
Cheers,
M>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
使用 sudo 或 su 作为“部署”用户运行脚本不会有帮助(因为 monit 已经以该用户身份运行,并且需要以 root 身份运行) )。
此外,sudo 默认情况下会提示输入密码,而 monit 无法提供该密码。
解决此问题的一种方法是创建一个文件
/usr/bin/startLDAPServer.sh并使其可执行(chmod a+x /usr/bin/startLDAPServer.sh)包含以下内容:然后将此行添加到您的
/etc/sudoers文件中:然后您可以使用:
in monit.
Using
sudoorsuto run the script as the 'deploy' user won't help (as monit is already running as that user anyway, and it needs to run as root).Also, sudo will by default prompt for a password, which monit won't be able to provide.
One way to solve this would be to create a file
/usr/bin/startLDAPServer.shand make it executable (chmod a+x /usr/bin/startLDAPServer.sh) with the following contents:and then add this line to your
/etc/sudoersfile:You can then use:
in monit.