Frequently we want a service to execute as a non-root user, this is pretty trivial in the context of the Service Management Facility in Solaris. This article will go over exactly what goes into that. The one complexity around that is the environment, if you have environment variables that the user will depend on those, they will need to be setup inside of the SMF. I will not be going into that in this article.
I am making the following assumptions as part of writing this article.
- Your user is ebsdev (feel free to substitute your own)
- Your group is ebsdev (feel free to substitute your own)
- Both the user and group have been created and have permissions to execute the application binaries
- Your service is application/xvfb
- Your service is single_instance, and the instance name is default
We will be using svccfg to navigate the SMF tree to find our service.
# svccfg svc:> select application/xvfb svc:/application/xvfb>
Now that we have found our service, we can look at all of our available instances, in this case we are using the default instance as it is a single instance service.
svc:/application/xvfb> list :properties default svc:/application/xvfb> select default svc:/application/xvfb:default>
Now lets set our user.
svc:/application/xvfb:default> setprop method_context/user = astring: ebsdev svc:/application/xvfb:default>
Lets also set the group for our user.
svc:/application/xvfb:default> setprop method_context/group = astring: ebsdev svc:/application/xvfb:default>
If you have additional groups that need to be setup you can use the method_context/supp_groups property to do so. I am not covering that in this article.
svc:/application/xvfb:default> end #
Here we can add our user using a single command
# svccfg -s application/xvfb:default setprop method_context/user = astring: ebsdev
Here we can add our group using a single command.
# svccfg -s application/xvfb:default setprop method_context/group = astring: ebsdev
INCLUDE IN A SERVICE DEFINITION
Assuming that you have not yet defined your service, then you can simply include the following in the service definition. I insert it after the property_group section or if you don’t use it then after the start/stop/refresh methods.
<instance enabled="true" name="default"> <method_context> <method_credential user='ebsdev' group='ebsdev'/> </method_context> </instance>
Now the user/group will be defined when you import the service.