How can I drop privileges and still clean up my pid file in /var/run?

linux daemon

Solution 1:

Don't put the PID file in /var/run/foo.pid, put it in /var/run/foo/foo.pid and have /var/run/foo owned by user foo and group foo. That way you can delete the pid file before exiting and you don't have to raise your privilege level.

Note, however, that this is a bad security practice since allowing your unprivileged application mangle with its file will open a security hole: imagine that your application is hijacked (after all what was the point of dropping privileges if not to anticipate that the application can be attacked?) -- now, the attacker updates the pid file and puts, say, sshd's pid number there. Now, when system-wide scripts (running as root) will try to stop your application using that pid file, they will shutdown sshd instead. This is just an example, there are more ways to abuse your system. All in all, the pid file should be created before dropping privileges and cleanup of the pid files should be performed by the system-wide scripts. -- Dmitry D. Khlebnikov

An even better idea would be to switch to an init system like systemd or Upstart that doesn't require PID files to manage services.

Solution 2:

You can fork a new process before running your daemon. The parent process remains with privileged user root. The child process drops its privileges to foo user. This process does the real daemon work.

The parent process will create the PID file after forking its child and will remove it when its child terminates.

Solution 3:

Taking a peek at my Ubuntu system, I see that some installed software has created directories under /var/run owned by a non-root user like jcollie suggests.

Another option is to have the pidfile owned by the non-root user and zero the file instead of deleting it.

Related

How does a client find the DHCP server on network if DHCP is disabled on the router? [closed]
How can I make my libvirt/KVM guest see all IPv4/UDP multicast traffic?
Is it possible to access Kibana (Elasticsearch) via ssh tunnel?
Prevent varnish from caching cookie response
Different DNS answer from 2 local servers configured the same way
Is there a limit on the length of URLs when using Amazon ELBs? If so, is there a way to increase it?
Logic for decomposing a permutation into different products composed of transpositions
Differential Forms and Vector Fields correspondence
Largest determinant of a real $3\times 3$-matrix
Elegant proof of $\int_{-\infty}^{\infty} \frac{dx}{x^4 + a x^2 + b ^2} =\frac {\pi} {b \sqrt{2b+a}}$?
Standard notation for sum of vector elements?
What does the Tate module of an elliptic curve tell us?