How to run daemons with reduced permissions

I want to run several services/daemons on my router. By default, some of them run as root. I am not OK with this.

  1. Some services have the option to change their user when they start. Mosquitto for example. This is easy. No help needed here.

  2. But some services don't have the option to drop privileges when they start. They must be started directly as a normal user. How do I change the startup scripts to run them as normal users? Is there a universal method that can be used for any startup script?

  3. How do I allow services started as normal users to create logs in /var/log/ directory? This directory is not persistent. Changing the owner of an existing log file won't survive after reboot. Is it possible to touch and chown a file before services are started?

  4. How do I allow services to create pid files in /var/run?

  5. How do I change permissions to /dev devices to allow access from non-root services?

Thank you!

1 Like

procd_set_param user

mkdir + chown

chgrp

1 Like

Take dnsmasq (in current master or 21.02) as an example.

1 Like
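
The three hints from the reply above (`procd_set_param user`, `mkdir + chown`, `chgrp`) combined into one procd init script. This is an added example, not part of the thread or of any OpenWrt package; the daemon `mydaemon`, its `-f`/`-l` options, its user and group, and the device path are hypothetical placeholders.

```shell
# /etc/init.d/mydaemon -- on the router the first line must be: #!/bin/sh /etc/rc.common
# Added example. "mydaemon", its -f/-l options, its user/group and the device
# path are hypothetical placeholders.

START=95
USE_PROCD=1

PROG=/usr/bin/mydaemon
RUN_USER=mydaemon            # must already exist in /etc/passwd
RUN_GROUP=mydaemon           # must already exist in /etc/group
LOG_DIR=/var/log/mydaemon    # /var is not persistent: recreated on every start
PID_DIR=/var/run/mydaemon
DEVICE=/dev/ttyUSB0

# start_service runs as root, so it can prepare everything the unprivileged
# daemon needs before procd starts it under the reduced account.
prepare_runtime() {
	# "mkdir + chown": private directories instead of chowning files in /var/log
	mkdir -p "$LOG_DIR" "$PID_DIR" || return 1
	chown "$RUN_USER:$RUN_GROUP" "$LOG_DIR" "$PID_DIR" || return 1
	chmod 0750 "$LOG_DIR" "$PID_DIR" || return 1

	# "chgrp": group access to the device rather than world read/write
	if [ -e "$DEVICE" ]; then
		chgrp "$RUN_GROUP" "$DEVICE" || return 1
		chmod 0660 "$DEVICE" || return 1
	fi
}

start_service() {
	prepare_runtime || return 1

	procd_open_instance
	procd_set_param command "$PROG" -f -l "$LOG_DIR/mydaemon.log"
	procd_set_param user "$RUN_USER"   # procd starts the process as this user
	procd_set_param respawn
	procd_set_param stderr 1           # forward stderr to the system log
	procd_close_instance
}
```

Because the directories and device permissions are set inside `start_service`, they are reapplied on every boot and every service restart, which covers the non-persistent `/var` raised in the question.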