How to start a process as another user in Tomato?

Discussion in 'Tomato Firmware' started by menses, Apr 21, 2013.

  menses

    menses LI Guru Member

    I would like to start a process automatically (i.e. through a script) as the user nobody.
    How to accomplish this in Tomato?
  darkknight93

    darkknight93 Networkin' Nut Member

  menses

    menses LI Guru Member

    Thanks, sudo does the job alright.

    But how to do this without sudo? I can see that in TomatoUSB dnsmasq is started as nobody so it is possible, but how?
  koitsu

    koitsu Network Guru Member

    Plain and simple: you can't. The only way to do this is through the setuid(), seteuid(), setgid(), and setegid() syscalls, which are historically only available via C (some other languages like PHP (with POSIX extension), etc. may offer equivalents).

    Programs like dnsmasq and other daemons use those functions/syscalls natively and "switch UIDs" themselves.

    Newer Busybox comes with a utility that can do this called chpst (stands for "change program state", which is a bizarre/misleading name). However, it is not available in our version of Busybox. I have not looked at the Busybox source code repo to see when it was introduced.

    So your choice at this time is to write a C program that does this for you, or use one that does it for you -- the latter is one of the many purposes of sudo or su.

    Short reminder: the firmwares and routers are not intended to be "multi-user" environments, so make sure what you're doing is truly justified. Do not treat them like a standard desktop or server Linux box. I've warned darkknight93 about this as well.
  menses

    menses LI Guru Member

    Thank you koitsu! Great answer, learned a lot.

    The reason I asked my original question was because I do not like to run transmission-daemon as root. Now it's running as nobody. Just needed some additional file permission tweaks and everything seems to work fine. Are there some cases where transmission-daemon would fail because Tomato isn't a full multi-user environment?
  koitsu

    koitsu Network Guru Member

    You'd have to ask the transmission folks that question. I'd also ask them why their daemon doesn't support switching UIDs/GIDs natively (it's amazingly easy to do -- no joke, it's a few lines of C code, and since transmission already has a getopt() parser, I would say the total amount of code they'd need to write would be under 30 lines, including basic error checking).
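    As an added example (not code from the thread or from the transmission project) of what koitsu describes in both of his replies, here is a small C wrapper that drops root to a named account and then exec's a command, the same pattern dnsmasq uses internally. It assumes a glibc- or musl-style libc with getpwnam(), setgroups(), setgid() and setuid() available, and an /etc/passwd entry for the target user (e.g. nobody). The function names, the drop_result codes and the usage line are this example's own choices. Beyond the bare setuid()/setgid() calls the thread mentions, it also clears supplementary groups first and verifies afterwards that root cannot be regained, which is where hand-rolled versions most often go wrong.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Result codes for drop_privileges() (names chosen for this example). */
enum drop_result {
    DROP_OK = 0,
    DROP_NO_SUCH_USER = 1,
    DROP_SETGROUPS_FAILED = 2,
    DROP_SETGID_FAILED = 3,
    DROP_SETUID_FAILED = 4,
    DROP_STILL_PRIVILEGED = 5
};

/* Resolve an account name to its uid/gid via /etc/passwd.
 * Returns 0 on success, -1 if the account does not exist. */
int lookup_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Permanently switch the calling process to the given account.
 * Order matters: supplementary groups and the primary gid must be changed
 * while we are still root, and the uid is changed last. The final check
 * confirms the switch cannot be undone (a half-done drop is worse than none). */
int drop_privileges(const char *name)
{
    uid_t uid;
    gid_t gid;

    if (lookup_user(name, &uid, &gid) != 0)
        return DROP_NO_SUCH_USER;
    if (setgroups(0, NULL) != 0)        /* drop root's supplementary groups */
        return DROP_SETGROUPS_FAILED;
    if (setgid(gid) != 0)               /* primary group of the target user */
        return DROP_SETGID_FAILED;
    if (setuid(uid) != 0)               /* real, effective and saved uid */
        return DROP_SETUID_FAILED;
    /* If we can still become root, the drop was not complete. */
    if (uid != 0 && setuid(0) == 0)
        return DROP_STILL_PRIVILEGED;
    return DROP_OK;
}

/* Usage (must itself run as root): ./dropexec nobody transmission-daemon -f */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s user command [args...]\n", argv[0]);
        return 2;
    }
    int rc = drop_privileges(argv[1]);
    if (rc != DROP_OK) {
        fprintf(stderr, "drop_privileges(%s) failed: code %d (%s)\n",
                argv[1], rc, strerror(errno));
        return 1;
    }
    execvp(argv[2], &argv[2]);          /* only reached on exec failure */
    perror("execvp");
    return 1;
}
```

The wrapper refuses to continue if any step fails, so a typo in the account name or a missing passwd entry results in no process being started rather than one silently left running as root. Any files the daemon needs (config, download directories, its pid file) must be readable or writable by the target account, which is the "file permission tweaks" menses mentions.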
