Using s6 and s6-rc tools with an unprivileged user

From: Guillermo <gdiazhartusch_at_gmail.com>
Date: Sun, 2 Feb 2020 15:42:30 -0300

Hello,

Because of the way s6, s6-rc and s6-linux-init tools set up
permissions, pretty much every operation that involves the init
system, even those that do not change the machine state, must be done
with root privileges. Other init systems allow some operations to be
done without those privileges. For example, with sysvinit + OpenRC,
runlevel, rc-status and 'rc-service describe' can be used by
unprivileged users, but shutdown, rc-update and 'rc-service start'
cannot. I know that changing group and permissions of specific files
and directories allows doing the same with s6 + s6-rc + s6-linux-init.
However, the fact that one can do it doesn't necessarily mean that one
should. So here are my questions, which are pretty much the same in
all cases:

* s6-rc-db: Changing the group of the 'lock' file in a compiled
database and making it group writable allows the group's members to
use the command. s6-rc-db cannot change the database or the service
states, so are there any drawbacks to doing this? Is there a better
way to use the command without being root?

* s6-rc: Changing the group of the 'lock' file in the live state
directory, the group of the 'lock' file in the compiled database that
is currently live, and making both group writable, allows the group's
members to use, for example, the 's6-rc -a list' and 's6-rc -a
listall' commands, but not the 's6-rc change' command, because
permissions in other files and directories still prevent it. So are
there any drawbacks to doing this? Is there a better way to use the
command in forms that do not change service states without being root?

* s6-svdt: Changing the group of the 'supervise' subdirectory of a
service directory, and making it group readable, allows the group's
members to use the command for the corresponding service.
s6-svdt-clear still needs root privileges. So are there any drawbacks
to doing this? Is there a better way to use the command without being
root?

* s6-svstat: This is a tough one. Because the 'control' FIFO in the
'supervise' subdirectory is only user-writable, this command can only
be run as root. As far as I can tell, opening the FIFO is needed to
check if the supervisor is running, and other daemontools-style
supervision suites use a separate FIFO for this purpose, customarily
named 'ok'. But changing the file's group and making it group writable
also allows using s6-svc without being root. So is there a way to
allow using s6-svstat, but not s6-svc, without being root?

* Logging directories and kernel environment store: if they don't
exist, s6-log creates logging directories with permissions 2700.
s6-linux-init with the -s option creates the environment store with
permissions 0700. Are there any drawbacks to changing their group to
allow more users to read and search those directories?

Thanks,
G.
Received on Sun Feb 02 2020 - 18:42:30 UTC
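As an added example, not part of the original post or of the s6 project's code, the permission changes listed in the post can be modelled with a POSIX-style access check before they are applied to a real system, so the effect on each tool is visible up front. The paths, uid 1000, the 's6-ro' group (gid 1001) and the owner-only starting modes are constructed assumptions.

```python
import os
from dataclasses import dataclass

@dataclass
class Entry:
    mode: int  # permission bits only, no file-type bits
    uid: int
    gid: int

def posix_allows(e, uid, gids, want):
    """Discretionary access check as the kernel does it: `want` is a
    combination of os.R_OK (4), os.W_OK (2), os.X_OK (1)."""
    if uid == 0:
        return True  # root bypasses the mode bits on these files
    shift = 6 if e.uid == uid else 3 if e.gid in gids else 0
    return ((e.mode >> shift) & want) == want

# What each tool must open, following the post: the compiled database
# 'lock' for s6-rc-db, both 'lock' files for read-only s6-rc, the
# 'supervise' directory for s6-svdt (modelled as r+x so the files inside
# are reachable), and the 'control' FIFO for s6-svstat and s6-svc alike.
NEEDS = {
    "s6-rc-db": [("compiled/lock", os.W_OK)],
    "s6-rc -a list": [("compiled/lock", os.W_OK), ("live/lock", os.W_OK)],
    "s6-svdt": [("sv/supervise", os.R_OK | os.X_OK)],
    "s6-svstat/s6-svc": [("sv/supervise/control", os.W_OK)],
}

ROOT, S6_RO = 0, 1001  # constructed: a read-only admin group, gid 1001

def default_layout():
    """Constructed starting point: everything owner-only and root-owned."""
    return {
        "compiled/lock": Entry(0o600, ROOT, ROOT),
        "live/lock": Entry(0o600, ROOT, ROOT),
        "sv/supervise": Entry(0o700, ROOT, ROOT),
        "sv/supervise/control": Entry(0o600, ROOT, ROOT),
    }

def apply_post_changes(layout):
    """The chgrp + chmod steps from the post, applied to the model only."""
    for p in ("compiled/lock", "live/lock"):
        layout[p] = Entry(layout[p].mode | 0o020, ROOT, S6_RO)  # chgrp, g+w
    d = layout["sv/supervise"]
    layout["sv/supervise"] = Entry(d.mode | 0o050, ROOT, S6_RO)  # chgrp, g+rx
    return layout  # 'control' is deliberately left at 0600

def audit(layout, uid, gids):
    """Map tool -> True if `uid` can open everything that tool needs."""
    return {tool: all(posix_allows(layout[p], uid, gids, w) for p, w in needs)
            for tool, needs in NEEDS.items()}
```

Running `audit(apply_post_changes(default_layout()), 1000, {1000, S6_RO})` shows s6-rc-db, read-only s6-rc and s6-svdt becoming usable while the s6-svstat/s6-svc entry stays False, which is the asymmetry the post asks about.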
