DaemonForums  
#1 - 9th April 2016
hanzer (Real Name: Adam Jensen) - Join Date: Oct 2013, Location: EST USA, Posts: 267

How to add a user/group for a daemon

This might seem like an absurdly simple question and I'm surprised that I'm fumbling with it (maybe I have a brain tumor or something) but there are some subtleties that I don't know how to resolve.

I want to create a user and group for svnserve (the Subversion daemon). The repository will be located in /var/svn. The daemon should probably own that directory and have read/write access. I would like to maintain a consistent convention with other system daemons. Two examples I can use, for reference, are postgresql and clamav.

Code:
drwxr-xr-x   4 _clamav        _clamav         512 Feb 23 20:52 clamav/

login   _clamav
passwd  *
uid     539
groups  _clamav
change  NEVER
class   daemon
gecos   Clam AntiVirus
dir     /nonexistent
shell   /sbin/nologin
expire  NEVER

Code:
drwxr-xr-x   2 _postgresql    _postgresql     512 Apr  7 18:23 postgresql/

login   _postgresql
passwd  *
uid     503
groups  _postgresql
change  NEVER
class   daemon
gecos   PostgreSQL Manager
dir     /var/postgresql
shell   /bin/sh
expire  NEVER

My questions are:

1. What's the difference between having dir /nonexistent and dir /var/svn?
2. What's the difference between having shell /sbin/nologin and shell /bin/sh?
3. Is passwd left empty for either/both cases?
4. (and this is the really ridiculous question) How do I construct the command to create the _svn user and group?

Last edited by hanzer; 9th April 2016 at 07:57 PM. Reason: added questions 2 & 3

#2 - 9th April 2016
hanzer

This is what I have so far:

# groupadd _svn

# useradd -d /var/svn -m -c "Subversion svnserve" -g _svn -L daemon -s /sbin/nologin _svn

$ userinfo _svn
Code:
login   _svn
passwd  *
uid     1001
groups  _svn
change  NEVER
class   daemon
gecos   Subversion svnserve
dir     /var/svn
shell   /sbin/nologin
expire  NEVER

It seems OK so far except the daemon's directory was populated with the /etc/skel files.

$ ls -la /var/svn
Code:
total 36
drwxr-xr-x   3 _svn  _svn   512 Feb 13 19:43 ./
drwxr-xr-x  28 root  wheel  512 Apr  9 17:09 ../
-rw-r--r--   1 _svn  _svn    87 Aug 16  2015 .Xdefaults
-rw-r--r--   1 _svn  _svn   773 Aug 16  2015 .cshrc
-rw-r--r--   1 _svn  _svn   103 Aug 16  2015 .cvsrc
-rw-r--r--   1 _svn  _svn   398 Aug 16  2015 .login
-rw-r--r--   1 _svn  _svn   175 Aug 16  2015 .mailrc
-rw-r--r--   1 _svn  _svn   218 Aug 16  2015 .profile
drwx------   2 _svn  _svn   512 Feb 13 19:43 .ssh/

I don't see an option in useradd(8) to prevent this so I guess this isn't the conventional/typical way a daemon user/group is created. I'll manually delete those files (# rm -rf /var/svn/.* ) and move forward with the Subversion on OpenBSD: svnserve+sasl exploration and see what happens...

#3 - 10th April 2016
jggimi
Default

There are a number of users who never log on, instead the uids (and gids) run processes. When these processes are used as a component of privilege separation, the unprivileged tasks run as the unprivileged user.

Take dhclient(8), for example, as it is a common program most of us use. Its subtasks are separated into those that require super user privileges, such as attaching low-numbered ports and writing to files as root, and those that do not, such as everything else. The unprivileged process is started by root, and the process runs as the user _dhcp, which is uid 77, gid 77. The user never logs on, and never uses a shell. Its $HOME is set to /var/empty.

When usernames and uid/gid numbers are needed for ports, they will be added by pkg_add(1) based on packing list instructions @newgroup and @newuser. These are documented in pkg_create(1), but I've never run pkg_create directly -- I just use my ports' PLIST files. (None of my ports have daemons, but I have manually edited some of my PLIST files to add custom requirements, or to adjust automatically created packing lists.)

The uid/gid numbers below 1000 for ports are reserved; the list of uids/gids is maintained in /usr/ports/infrastructure/db/user.list.

Last edited by jggimi; 10th April 2016 at 12:35 AM. Reason: typos

#4 - 10th April 2016
TronDD

Quote (Originally Posted by hanzer):
This is what I have so far:

# groupadd _svn

# useradd -d /var/svn -m -c "Subversion svnserve" -g _svn -L daemon -s /sbin/nologin _svn

I don't see an option in useradd(8) to prevent this
Don't specify -m and it won't create and populate a home directory. You'll have to create it yourself and set the permissions, though. Or you could probably use -k and specify some empty directory so there is nothing to populate the home with.

Tim.