Hi Michael,

On 05.09.2025 at 22:01, Michael Osipov wrote:
> Instruct the RC system to do a "su - ...", and then daemon(8) tries to drop privs. It cannot work. I had the same issue with a custom Go service here at work. Remove "-u ..." from ${command} and it will work.
>
> I haven't investigated yet how to have only daemon(8) drop privs. See "man 8 rc.subr" as well. It is documented.

Thanks for that tip.
What I do now is drop privs (using su) before starting daemon, and make sure daemon can write the pid file and the logs.

I have a final problem: gitlab has problems executing the restart command. It seems to hang, but the restart happens, so I will look into that later. If I execute service monitorsolar restart as root, or as the user gitlab uses for that step, it works.

Here is the script, maybe it also helps someone else:
#!/bin/sh
# PROVIDE: monitorsolar
# REQUIRE: DAEMON NETWORKING
# KEYWORD: shutdown

#
# Add these lines to /etc/rc.conf.local or /etc/rc.conf
# to enable this service
#
# monitorsolar_enable (bool):      Set to NO by default
#                                  Set it to YES to enable monitorSolar.
# monitorsolar_args (string):      Custom extra arguments for monitorSolar
# monitorsolar_user (string):      Set to gitlab_deploy_solar by default
#                                  The user to run the server (make sure user exists)
# monitorsolar_group (string):     Set to gitlab_deploy_solar by default
#                                  The group to run the server (make sure group exists)

. /etc/rc.subr

name="monitorsolar"
desc="Run Monitor Solar server"
rcvar="${name}_enable"

load_rc_config "${name}"

: ${monitorsolar_enable:="NO"}
: ${monitorsolar_user:="gitlab_deploy_solar"}
: ${monitorsolar_group:="gitlab_deploy_solar"}
: ${monitorsolar_args:=""}

logfile="/var/log/${name}/${name}.log"
pidfile="/var/run/${name}/${name}.pid"
configfile="/usr/local/etc/monitorsolar"
workingdir="/usr/home/http/solar.fechner.net/app"

command="/usr/sbin/daemon"
command_args="-H -o ${logfile} -t ${name} -P ${pidfile} \
  sh -c 'cd ${workingdir} && ./monitorSolarApi -config ${configfile} ${monitorsolar_args}'"

start_precmd="${name}_precmd"
start_cmd="${name}_start"

monitorsolar_precmd()
{
  # Ensure pid directory exists
  install -d -g "${monitorsolar_group}" -o "${monitorsolar_user}" "$(dirname "${pidfile}")"

  # Ensure log directory exists
  install -d -g "${monitorsolar_group}" -o "${monitorsolar_user}" "$(dirname "${logfile}")"
}

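monitorsolar_start()
{
  # Drop privileges with su(1) before daemon(8) starts, so daemon itself
  # runs as ${monitorsolar_user} (no -u is passed to daemon)
  su -m "${monitorsolar_user}" -c "${command} ${command_args}"
}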

run_rc_command "$1"
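
The failure Michael describes can be checked for statically. The following is an added example, not part of the original mail and not code from rc.subr: the function name `lint_rc_script`, the two sample scripts and their paths are constructed for illustration. It is a heuristic that flags an rc.d script when `${name}_user` is set, `-u` is passed to daemon(8), and the default start method (which rc.subr runs through su) is left in place.

```sh
#!/bin/sh
# Added example: heuristic lint for the double privilege drop from this thread.
# Prints "double-drop" when rc.subr would su to ${name}_user (default start
# method) and daemon(8) is also told to switch users with -u; otherwise "ok".
lint_rc_script() {
  # Join backslash-continued lines, then drop comment lines.
  body=$(sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" | grep -v '^[[:space:]]*#' || true)
  name=$(printf '%s\n' "$body" |
    sed -n 's/^name="\{0,1\}\([A-Za-z0-9_]*\).*/\1/p' | head -n 1)
  [ -n "$name" ] || { echo "no-name"; return 0; }

  user_set=no; daemon_u=no; custom_start=no
  # ${name}_user assigned directly or via the ": ${var:=default}" idiom
  printf '%s\n' "$body" | grep -Eq "${name}_user:?=" && user_set=yes
  # -u anywhere in command_args (limitation: a -u meant for the wrapped
  # program itself would also match)
  printf '%s\n' "$body" | grep -E '^command_args=' |
    grep -Eq '["[:space:]]-u[[:space:]]' && daemon_u=yes
  # A custom start_cmd replaces the default start method that applies su
  printf '%s\n' "$body" | grep -Eq '^start_cmd=' && custom_start=yes

  if [ "$user_set$daemon_u$custom_start" = "yesyesno" ]; then
    echo "double-drop"
  else
    echo "ok"
  fi
}

# Constructed samples: "broken" mirrors the failing setup described in the
# thread, "fixed" has the -u option removed from the daemon(8) arguments.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/broken" <<'EOF'
name="monitorsolar"
: ${monitorsolar_user:="gitlab_deploy_solar"}
command="/usr/sbin/daemon"
command_args="-u ${monitorsolar_user} -o /var/log/monitorsolar.log \
  -P /var/run/monitorsolar.pid /usr/local/bin/monitorSolarApi"
EOF
sed 's/-u [^ ]* //' "$tmp/broken" > "$tmp/fixed"

for f in broken fixed; do
  printf '%s: %s\n' "$f" "$(lint_rc_script "$tmp/$f")"
done
```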


