Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow ttrssd to run as a specified user (take two) #306

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

allow ttrssd to run as a specified user (take two) #306

wants to merge 3 commits into from

Conversation

rwv37
Copy link

@rwv37 rwv37 commented Oct 3, 2024

The Tiny Tiny RSS update daemon, ttrssd, from package www/tt-rss, currently runs as user www. This change is meant to enable (optionally) running as a different user, by setting a new flag ttrssd_run_as_user in /etc/rc.conf. For example, to run as the user mmm, add the following line to /etc/rc.conf:

ttrssd_run_as_user="mmm"

If this new flag is not specified, it defaults to running as www (reproducing the behavior from before this change).

I've modified my previous PR for this as suggested by @derekschrock:

@rwv37
Update ttrssd.in - allow ttrssd to run as a specified user
c16c693 
ttrssd (from www/tt-rss) currently runs as the user "www", and there doesn't seem to be a way to override that. This change adds an optional flag that can be specified in /etc/rc.conf to do so.

The flag is "ttrssd_run_as_user"; for example to run as the user "mmm", add the following line to /etc/rc.conf:

ttrssd_run_as_user="mmm"

If it is not specified, it defaults to "www" (reproducing the behavior from before this change).
@rwv37
Merge pull request #1 from rwv37/2024-10-01-www_tt-rss-RunAsUser
4c60d53 
Update ttrssd.in - allow ttrssd to run as a specified user
@rwv37
Allow any user to read/execute ttrssd update scripts
5322865 
Part of a change to allow ttrssd to run as a specified user rather than always as ``www`` - ``chmod`` the ``update*.php`` files at install time rather than relying on the user to do it manually (in which case it would be overwritten upon reinstall or update).

This part of the change was suggested by @derekschrock in response to [my earlier PR](freebsd#304).
@0mp
Copy link
Member

0mp commented Oct 7, 2024

Hey! Thanks for the patch!

Have you tried setting ttrssd_user=mmm in rc.conf? This is the canonical way of running a daemon as a specific user.

@derekschrock
Copy link
Contributor

I think I looked at that a while ago but thought it wouldn't work (or work as well) since daemon would be running as non-root and it was easier to to have root own all the logs, pids, etc...

Looking at other things in www that run a service (don't know how I missed them before) but they pre command install /dev/null with permissions/ownership for things like pids. However, that would leave logs to either /var/log to it own dir /var/log/tt-rss/... If so we would need add something to UIDs and/or GIDs? Otherwise continue with the default %%WWWOWN%% (www)?

@rwv37
Copy link
Author

rwv37 commented Oct 7, 2024

@0mp, I believe I did try that -- I think it was the first thing I tried -- but I can't say for sure at the moment, and unfortunately I don't have time to fall back from what I've got working and give it a try. I will try when I get a chance. But in the meantime, I can more confidently say a few things that may be related:

I took a look at my existing /etc/rc.conf/ and saw that I had previously explicitly set up caddy to run as a certain user, via caddy_user. I then looked at /usr/local/etc/rc.d/caddy to check out how it is set and used there, and tried to set up /usr/local/etc/rc.d/ttrssd in a similar way, adding ttrssd_user to it and using that to replace its hardcoded www.

That resulted in some sort of error that, to me, seemed very wacky. Unfortunately, I forget what it was, but in trying to figure it out, I was led to the function rc_run_command (in /etc/rc.subr). In there, I noticed something that seemed to indicate that variables of the form (pkg)_user are somehow treated specially. So, I tried just changing my ttrssd_user to ttrssd_run_as_user, and everything started working just fine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rwv37 @0mp @derekschrock