[launchd-dev] Launchd and logging and users and groups

Damien Sorresso dsorresso at apple.com
Wed Jul 15 14:09:55 PDT 2009


On Jul 15, 2009, at 1:44 PM, Scott Haneda wrote:
> On Jul 15, 2009, at 1:34 PM, Damien Sorresso wrote:
>
>> On Jul 15, 2009, at 1:06 PM, Scott Haneda wrote:
>>> Please be gentle, this is outside my comfort level in launchd.
>>>
>>> I have a spam proxy written in perl that needs to be started by  
>>> launchd.
>>>
>>> When it starts, a few 100 lines of startup data is sent to  
>>> whatever started it.  If I start it with launchd, all that data  
>>> will end up in /var/log/system.log
>>>
>>> I set the 'StandardOutPath'
>>> 	<key>StandardOutPath</key>
>>> 	<string>/dev/null</string>
>>> but I am not sure that is the correct way to deal with this.  All  
>>> the startup data is also sent to the proxy's log file, so to me,  
>>> it seems redundant.  However, I think the above StandardOutPath  
>>> change may also mask away some important bits of launchd that may  
>>> be desirable to be seen.
>>
>> launchd doesn't do anything to change the log data it redirects. It  
>> just blurts it out to syslog. You should set your StandardOutPath  
>> to your log file path.
>
> The proxy logs to /opt/local/var/ASSP/logs/maillog.txt
> I have not tested, and I will shortly, but I believe, I would then  
> get the log data from launchd being sent there, as well as the log  
> data from the proxy.  I did not want to double up the log data.

By default, launchd redirects the job's stdout to syslog. If the job  
has a StandardOutPath specified, this behavior does not apply.

>>> All the files the proxy uses are owned by _assp:_assp, so I set:
>>> 	<key>UserName</key>
>>> 	<string>_assp</string>
>>> according to the docs, I need not set the group, it will auto set  
>>> to the user.  When I do that, launchd restarts repeatedly,
>>
>> Do you mean that the job restarts repeatedly?
>
> Exactly.
>
>>> and the logs that the perl file logs to aka: the proxy logs, will  
>>> get this line repeated:
>>>
>>> Jul-14-09 23:58:03 Requested to switch to user/group '_assp/_assp'  
>>> but cannot set effective uid to 0 -- quitting; uid is 504
>>>
>>> If the proxy is automatically dropping into the correct user and  
>>> group, then does that mean there is no need to run with the  
>>> launchd settings for UserName?
>>>
>>> Can I get some guidance on the best way to deal with this?  Any  
>>> suggestions on how this should be set up to be most ideal, is most  
>>> appreciated.
>>
>> Your daemon is calling setuid(2), but you've requested that you be  
>> run as the _assp user, which will cause setuid(2) to fail. launchd  
>> does not save your EUID when applying the UserName key. See the  
>> setuid(2) man page.
>>
>> Also please see launchd.plist(5). Daemons should not call  
>> setuid(2). Your daemon should decide what set of credentials (root  
>> or non-root) it wants and stick with that decision.
>
> If I interpret that correctly, and of course, I will read the man  
> pages shortly, but you are stating to simply let the daemon decide?

Decide which set of credentials it wants to run with? Yes. But it  
sounds like the developer has made that decision for you by including  
a call to setuid(2) that aborts the program if it fails.

> I will have a follow up question about daemons, and if this proxy is  
> even a daemon, but will need clarification from the proxy developer  
> first.


Only daemons can set the UserName key.
-- 
Damien Sorresso
BSD Engineering
Apple Inc.
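
The failure quoted above comes from a start-up check that insists on switching users even though launchd has already started the job as _assp. The following is an added example, not code from this thread or from the proxy, of a check that accepts the credentials it already has and drops privileges only when started as root; the function names are hypothetical and uid 504 is taken from the quoted log line.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups(); ignored on macOS */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* What a start-up check can conclude from the current effective uid. */
enum cred_plan { CRED_ALREADY_TARGET, CRED_MUST_DROP, CRED_CANNOT_SWITCH };

/* Pure decision, no system calls (hypothetical helper name). */
enum cred_plan plan_credentials(uid_t euid, uid_t target_uid)
{
    if (euid == target_uid)
        return CRED_ALREADY_TARGET;   /* e.g. launchd applied UserName */
    if (euid == 0)
        return CRED_MUST_DROP;        /* started as root: drop once */
    return CRED_CANNOT_SWITCH;        /* some other unprivileged user */
}

/* Returns 0 when the process ends up running as the target, -1 otherwise. */
int settle_credentials(uid_t target_uid, gid_t target_gid)
{
    switch (plan_credentials(geteuid(), target_uid)) {
    case CRED_ALREADY_TARGET:
        return 0;                     /* nothing to switch, so do not abort */
    case CRED_MUST_DROP:
        /* Order matters: groups and gid first, while still root. */
        if (setgroups(1, &target_gid) != 0) return -1;
        if (setgid(target_gid) != 0) return -1;
        if (setuid(target_uid) != 0) return -1;
        /* The drop must be permanent: regaining root has to fail. */
        return setuid(0) == 0 ? -1 : 0;
    default:
        return -1;
    }
}

int main(void)
{
    /* Constructed input: uid 504 is taken from the quoted log line. */
    static const char *names[] = { "already target", "must drop", "cannot switch" };
    printf("euid 504, target 504: %s\n", names[plan_credentials(504, 504)]);
    printf("euid 0,   target 504: %s\n", names[plan_credentials(0, 504)]);
    printf("this process: %s\n",
           settle_credentials(geteuid(), getegid()) == 0 ? "ok" : "failed");
    return 0;
}
```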
