in reply to Re: How to run a perl script under "nobody" user?
in thread How to run a perl script under "nobody" user?

I tried to do this, but it failed:
[root@localhost]# su - nobody -c "./foo.pl"
This account is currently not available.

Re^3: How to run a perl script under "nobody" user?
by moritz (Cardinal) on Nov 19, 2008 at 10:30 UTC
    That's not a perl problem anymore, I'll try anyway...

    Probably the user nobody has the program /usr/sbin/nologin as its login shell, which prints the message you have quoted and then exits.

    Possible solutions are (1) use sudo as I suggested, not su (2) convince su not to spawn a login shell (no - in the command line) or (3) give the user nobody a different login shell.

      What I really want is for the script to run under the "nobody" user like the Apache way.

      We usually start apache like this:

      sudo /usr/local/apache2/bin/apachectl start
      then, when we `ps aux | grep apache`, we can find that apache's user id is "nobody":
      root    1102  0.3  0.2  5972  2368 ?  Ss  18:35  0:00 /usr/local/apache2/bin/httpd -k start
      root    1103  0.0  0.0  1620   300 ?  S   18:35  0:00 /usr/bin/cronolog /usr/local/apache2/logs/access_%Y-%m-%d-%H-%M.log
      nobody  1109  0.0  0.1  5972  1496 ?  S   18:35  0:00 /usr/local/apache2/bin/httpd -k start
      nobody  1110  0.0  0.1  5972  1496 ?  S   18:35  0:00 /usr/local/apache2/bin/httpd -k start
      nobody  1111  0.0  0.1  5972  1496 ?  S   18:35  0:00 /usr/local/apache2/bin/httpd -k start
      nobody  1112  0.0  0.1  5972  1496 ?  S   18:35  0:00 /usr/local/apache2/bin/httpd -k start
      nobody  1113  0.0  0.1  5972  1496 ?  S   18:35  0:00 /usr/local/apache2/bin/httpd -k start

      How can I make my perl script like this?
        What I really want is for the script to run under the "nobody" user like the Apache way
        That requires root access. Apache starts as root, and then forks (repeatedly). The children then drop their privileges. For Perl processes to drop their privileges, assign to $<, $>, $( and $). Or use POSIX::setuid/POSIX::setgid.

        But from your OP, I don't see why you want to do it the "Apache way" and why su(do) won't do. Note that you'll need root access at some stage to set up permissions that allow you to run processes as a different user.

        Another option is to install the program owned by nobody, and use file (or acl) permissions to run it setuid.

        With sudo.

        Afaict Apache does it differently, it starts as root and then drops privileges. That's better in Apache's case (because it has to set up log files in the parent process, for example, and it can't do that as user nobody), but for a simple perl script it's much easier to use an external program, be it sudo or su.

        One other thing that root is needed for is binding to port 80 (<1024). But, as was said above, this is no longer a Perl issue.

        --MidLifeXis
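
The "start as root, then drop privileges" approach described in the replies above, as an added example that is not code from any poster in this thread. It assumes the script is started as root and that an account named "nobody" exists; drop_privileges is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Permanently switch the running process from root to an unprivileged account.
sub drop_privileges {
    my ($user) = @_;
    my (undef, undef, $uid, $gid) = getpwnam($user)
        or die "unknown user '$user'\n";
    die "refusing to 'drop' to uid 0\n" if $uid == 0;
    die "must be started as root (euid is $>)\n" if $> != 0;

    # Groups first, while still root: "GID GID" sets the effective gid and
    # replaces the supplementary group list (setgroups) with that one group.
    $! = 0;
    $) = "$gid $gid";
    die "cannot set groups: $!\n" if $!;
    POSIX::setgid($gid) or die "setgid($gid): $!\n";

    # Called as root, setuid() changes real, effective and saved uid together.
    POSIX::setuid($uid) or die "setuid($uid): $!\n";

    # Verify the result instead of trusting the return values alone.
    my @rgid = split ' ', $(;
    my @egid = split ' ', $);
    die "uid not dropped\n" unless $< == $uid && $> == $uid;
    die "gid not dropped\n" if grep { $_ != $gid } @rgid, @egid;
    # If root can be regained, the drop was not permanent.
    die "root can be regained\n" if POSIX::setuid(0);
    return ($uid, $gid);
}

my $user = 'nobody';    # assumption: the account named in the thread
my ($uid, $gid) = drop_privileges($user);
print "running as uid=$uid gid=$gid\n";
# ... the script's real work goes here, now without root privileges ...
```

Anything that needs root, such as opening log files or binding a port below 1024, has to happen before the call to drop_privileges.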