Upstart: Run service as unprivileged user and pre-start script as root

upstart has no facility equivalent to systemd's PermissionsStartOnly setting. All processes in the job run as the user set via the setuid stanza, as the Cookbook says.

So do things the daemontools way.

Use setuidgid, setuidgid, s6-setuidgid, chpst, runuid, or setuidgid in the exec stanza:

# exec stanza: no setuid stanza is used, so the privilege drop happens
# here, via the chain-loading setuidgid, immediately before unicorn starts
exec \
setuidgid somebody \
unicorn -D -c /opt/posty_api/unicorn.rb --env production >> /var/log/posty/upstart.log 2>&1

That's a terrible logging mechanism, by the way. The daemontools way would have a proper, automatically cycled, rotateable-on-demand, size-capped log using multilog, multilog, s6-log, svlogd, tinylog, or cyclog. upstart is tricky to integrate with those, however, given its expect mechanism.

# unicorn -D daemonizes, so upstart must be told to expect the fork
expect fork
# service side: drop to "somebody", send stdout and stderr down the pipe
exec \
setuidgid somebody \
unicorn -D -c /opt/posty_api/unicorn.rb --env production 2>&1 | \
/usr/local/bin/chdir /var/log/ \
setuidgid log \
cyclog posty/unicorn/
# logger side: change to /var/log/, drop to the separate "log" user,
# then run cyclog on the posty/unicorn/ log directory

(The chdir here is the chain-loading one from the nosh package, and isn't strictly necessary. But it makes things somewhat tidier.)
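To show where the root-only work named in the question title fits, here is a complete job file built around the answer's final exec line. This is an added example, not the answer author's code: the job name, the /run/posty socket directory, the posty/unicorn log directory and the somebody/log accounts are assumptions.

```upstart
# /etc/init/posty-unicorn.conf  (constructed example; paths and users are assumed)
description "unicorn for posty_api, privileges dropped in the exec stanza"

start on runlevel [2345]
stop on runlevel [!2345]
respawn

# Deliberately no setuid/setgid stanza: everything upstart runs for this job,
# pre-start included, runs as root. Only the exec line below drops privileges.

# Root-only setup: create the directories the unprivileged users will write to,
# and hand each one to the account that needs it and nobody else.
pre-start script
    mkdir -p /run/posty
    chown somebody:somebody /run/posty
    chmod 0750 /run/posty
    mkdir -p /var/log/posty/unicorn
    chown log:log /var/log/posty/unicorn
    chmod 0750 /var/log/posty/unicorn
end script

# unicorn -D daemonizes, so upstart must be told to expect the fork
expect fork

# Service side: setuidgid drops to "somebody" before unicorn starts.
# Logger side: a separate "log" user runs cyclog, so the service account
# never owns, and cannot truncate or rewrite, its own log directory.
exec \
setuidgid somebody \
unicorn -D -c /opt/posty_api/unicorn.rb --env production 2>&1 | \
/usr/local/bin/chdir /var/log/ \
setuidgid log \
cyclog posty/unicorn/
```

The split is the one the question asks for: root does only the filesystem preparation in pre-start, the daemon itself never holds root, and the log directory is owned by a third account so a compromise of the service user cannot tamper with the evidence it leaves behind. Check it with `ps -o user,cmd` after `start posty-unicorn`: unicorn should show as somebody and cyclog as log.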
