About non_root users

Gedeon30

I'm finishing some of my configs in the router and I have successfully installed and configured several entware apps.

Now I'm wondering if it could be a good idea to add users for those apps in order to avoid security issues and, eventually, to allow interactive (ssh) connections to perform non-critical tasks such as stopping/starting those apps and/or copying files... things like that...

Any suggestions?

Thanks!
 
Not a single answer? Maybe I don't need those non_root users.

In fact I'm looking for some kind of "mini httpd" with a simple interface… like AMTM for terminal but web, to start/stop samba, minidlna, transmission, etc... So those could be invoked by non-admin users.
 
> Not a single answer?
You were expecting an answer in less than 5 hours? :rolleyes: Patience is a virtue.

> Maybe I don't need those non_root users.
The router is designed to be a single-user machine. Almost everything runs as the "root" account. That's why there is no useradd, userdel, usermod, groupadd, groupdel, etc. If you want a traditional multi-user server you need to look at another device.
 
Thanks for the answer.

I just took a look and there are other non-interactive users defined, like tor and nobody. That's why I asked.

In any case I'll probably take a look at the light-httpd option, starting by modifying a transmission or amuled skin to add a few options.

EDIT: You are right about patience, another thing I have to work on...:(
 
> The router is designed to be a single-user machine. Almost everything runs as the "root" account. That's why there is no useradd, userdel, usermod, groupadd, groupdel, etc. If you want a traditional multi-user server you need to look at another device.

It's not just AsusWRT - it's pretty much every Linux-based consumer router and device out there. Much of this Linux development is very old, and based on a very small footprint - RAM and Flash...

Not good or bad - just is... starting to be a security issue these days, and adding repos just compounds it.
 
> It's not just AsusWRT - it's pretty much every Linux-based consumer router and device out there. Much of this Linux development is very old, and based on a very small footprint - RAM and Flash...
>
> Not good or bad - just is... starting to be a security issue these days, and adding repos just compounds it.

That's exactly my concern. My configs don't allow any WAN access except for the downloaders (those torrent ports). If only it were easy to have an "entware" user, group or something like that, I'd feel a bit more comfortable. Sure, a few utilities and services could still need to run as root, but certainly not many of them.
 
On my RT-AC86U router, I did everything possible to run these daemons as the "nobody" user: mini_httpd, lighttpd, dhcpd, minidlna, mysqld, slapd (openldap), syslog-ng, transmission.
Unfortunately I have not found any way to run these services as the "nobody" user: nut, xinetd.
 
> On my RT-AC86U router, I did everything possible to run these daemons as the "nobody" user: mini_httpd, lighttpd, dhcpd, minidlna, mysqld, slapd (openldap), syslog-ng, transmission.

Be careful with the "nobody" user, as treatment for this has changed over the years on the mainline distros - in your configuration, since all those daemons are running as the same user "nobody", they can still touch each other.

In mainline distros, and also in more forward-looking embedded/small Linux implementations, it's best to run each daemon as its own user, and do things accordingly.
 
> On my RT-AC86U router, I did everything possible to run these daemons as the "nobody" user: mini_httpd, lighttpd, dhcpd, minidlna, mysqld, slapd (openldap), syslog-ng, transmission.
> Unfortunately I have not found any way to run these services as the "nobody" user: nut, xinetd.

How have you configured the scripts, config files, etc. to make those daemons run as "nobody"?

It would help me a lot in my tests...

Thanks in advance!
 
> How have you configured the scripts, config files, etc. to make those daemons run as "nobody"?
>
> It would help me a lot in my tests...
>
> Thanks in advance!

Generically I suggest the following points:
1) If the daemon startup command has a parameter to run as an unprivileged user (usually "--user" or "-u"), use it.
2) If the daemon startup command does not have a parameter to run as an unprivileged user, you need to install the Entware package "daemonize" and use it to execute the daemon as an unprivileged user (the user name is mandatory for the "daemonize" command).
3) You need to set the proper file owner and access rights with the "chown" and "chmod" commands for all files used by the daemon.
4) Some daemons do not work due to missing access rights on "/dev/null". I simply use a "chown" command to change the owner of "/dev/null" to solve this issue.
The above is only for home use, not for professional/enterprise targets.
If you are a home user and you have specific questions about one daemon, ask me here. Good luck.
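
A way to check the result of the steps above, and the shared-"nobody" caveat raised earlier in the thread, added here as an example that is not part of the original post: it lists watched daemons that still run as root and those that share one account. The function names, the sample process list and its UIDs (65534 for "nobody", 1001 for "tor") are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag watched daemons that run as root
# or share one account. All function names here are hypothetical.

# Constructed sample in "<euid> <name>" form; 65534 stands in for "nobody"
# and 1001 for a dedicated "tor" account (both UIDs are assumptions).
sample_procs() {
    cat <<'EOF'
0 dropbear
65534 minidlna
65534 transmission-da
65534 lighttpd
1001 tor
0 smbd
EOF
}

# Live equivalent on Linux: effective UID and name of every process.
# The kernel truncates Name: to 15 characters ("transmission-da").
proc_users() {
    for s in /proc/[0-9]*/status; do
        awk '/^Name:/ { n = $2 } /^Uid:/ { print $3, n; exit }' "$s" 2>/dev/null
    done
}

# audit_users "name1,name2,..." < "<euid> <name>" lines
#   ROOT <name>               watched daemon still running as UID 0
#   SHARED <euid> <n1,n2,..>  watched daemons that share one account
audit_users() {
    awk -v watch="$1" '
    BEGIN { n = split(watch, w, ","); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    ($2 in want) {
        if ($1 == 0) { print "ROOT " $2; next }
        count[$1]++
        list[$1] = (list[$1] == "" ? $2 : list[$1] "," $2)
    }
    END { for (u in count) if (count[u] > 1) print "SHARED " u " " list[u] }
    '
}

WATCH="minidlna,transmission-da,lighttpd,smbd,tor"
sample_procs | audit_users "$WATCH"   # on the router: proc_users | audit_users "$WATCH"
```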
 
> Generically I suggest the following points:
> 1) If the daemon startup command has a parameter to run as an unprivileged user (usually "--user" or "-u"), use it.
> 2) If the daemon startup command does not have a parameter to run as an unprivileged user, you need to install the Entware package "daemonize" and use it to execute the daemon as an unprivileged user (the user name is mandatory for the "daemonize" command).
> 3) You need to set the proper file owner and access rights with the "chown" and "chmod" commands for all files used by the daemon.
> 4) Some daemons do not work due to missing access rights on "/dev/null". I simply use a "chown" command to change the owner of "/dev/null" to solve this issue.
> The above is only for home use, not for professional/enterprise targets.
> If you are a home user and you have specific questions about one daemon, ask me here. Good luck.

Thanks for the info. I didn't know that utility. Granted I'll take a look at it as soon as I get the time to test it.
 
