rbeckman-nextgen / test-mc4


mcservice requires root user or modification #1940

Open rbeckman-nextgen opened 4 years ago

rbeckman-nextgen commented 4 years ago

The mcservice script now shipping with Mirth Connect theoretically makes it very easy for a system administrator to add the service to the unix standard startup mechanisms, by simply creating a symbolic link from /etc/init.d and then using the OS calls to make it happen by default.

However, there's no way to configure for executing Mirth with a less privileged account. Running as 'root' is obviously not ideal from a security standpoint.

As an example of the changes necessary (if the system account 'mirthuser' is available), note the differences below. Essentially adding sudo -H -u mirthuser to the respective invocations:

diff mcservice mcservice-sudo 369c369 < $INSTALL4J_JAVA_PREFIX nohup "$app_java_home/bin/java" -Dinstall4j.jvmDir="$app_java_home" -Dexe4j.moduleName="$prg_dir/$progname" "-Dinstall4j.launcherId=144" "-Dinstall4j.swt=false" "$vmov_1" "$vmov_2" "$vmov_3" "$vmov_4" "$vmov_5" $INSTALL4J_ADD_VM_PARAMS -classpath "$local_classpath" com.install4j.runtime.launcher.Launcher start com.mirth.connect.server.launcher.MirthLauncher false false "" "" true true false "" true true 0 0 "" 20 20 "Arial" "0,0,0" 8 500 "version 2.1.1.5490.b781" 20 40 "Arial" "0,0,0" 8 500 -1 > /dev/null 2>&1 &

$INSTALL4J_JAVA_PREFIX sudo -H -u mirthuser nohup "$app_java_home/bin/java" -Dinstall4j.jvmDir="$app_java_home" -Dexe4j.moduleName="$prg_dir/$progname" "-Dinstall4j.launcherId=144" "-Dinstall4j.swt=false" "$vmov_1" "$vmov_2" "$vmov_3" "$vmov_4" "$vmov_5" $INSTALL4J_ADD_VM_PARAMS -classpath "$local_classpath" com.install4j.runtime.launcher.Launcher start com.mirth.connect.server.launcher.MirthLauncher false false "" "" true true false "" true true 0 0 "" 20 20 "Arial" "0,0,0" 8 500 "version 2.1.1.5490.b781" 20 40 "Arial" "0,0,0" 8 500 -1 > /dev/null 2>&1 & 376c376 < $INSTALL4J_JAVA_PREFIX "$app_java_home/bin/java" -Dinstall4j.jvmDir="$app_java_home" -Dexe4j.moduleName="$prg_dir/$progname" "-Dinstall4j.launcherId=144" "-Dinstall4j.swt=false" "$vmov_1" "$vmov_2" "$vmov_3" "$vmov_4" "$vmov_5" $INSTALL4J_ADD_VM_PARAMS -classpath "$local_classpath" com.install4j.runtime.launcher.Launcher start com.mirth.connect.server.launcher.MirthLauncher false false "" "" true true false "" true true 0 0 "" 20 20 "Arial" "0,0,0" 8 500 "version 2.1.1.5490.b781" 20 40 "Arial" "0,0,0" 8 500 -1

$INSTALL4J_JAVA_PREFIX sudo -H -u mirthuser "$app_java_home/bin/java" -Dinstall4j.jvmDir="$app_java_home" -Dexe4j.moduleName="$prg_dir/$progname" "-Dinstall4j.launcherId=144" "-Dinstall4j.swt=false" "$vmov_1" "$vmov_2" "$vmov_3" "$vmov_4" "$vmov_5" $INSTALL4J_ADD_VM_PARAMS -classpath "$local_classpath" com.install4j.runtime.launcher.Launcher start com.mirth.connect.server.launcher.MirthLauncher false false "" "" true true false "" true true 0 0 "" 20 20 "Arial" "0,0,0" 8 500 "version 2.1.1.5490.b781" 20 40 "Arial" "0,0,0" 8 500 -1 383c383 < $INSTALL4J_JAVA_PREFIX "$app_java_home/bin/java" -Dinstall4j.jvmDir="$app_java_home" -Dexe4j.moduleName="$prg_dir/$progname" -classpath "$local_classpath" com.install4j.runtime.launcher.Launcher stop

$INSTALL4J_JAVA_PREFIX sudo -H -u mirthuser "$app_java_home/bin/java" -Dinstall4j.jvmDir="$app_java_home" -Dexe4j.moduleName="$prg_dir/$progname" -classpath "$local_classpath" com.install4j.runtime.launcher.Launcher stop 390c390 < $INSTALL4J_JAVA_PREFIX "$app_java_home/bin/java" -Dinstall4j.jvmDir="$app_java_home" -Dexe4j.moduleName="$prg_dir/$progname" -classpath "$local_classpath" com.install4j.runtime.launcher.Launcher stop

$INSTALL4J_JAVA_PREFIX sudo -H -u mirthuser "$app_java_home/bin/java" -Dinstall4j.jvmDir="$app_java_home" -Dexe4j.moduleName="$prg_dir/$progname" -classpath "$local_classpath" com.install4j.runtime.launcher.Launcher stop 395c395 < $INSTALL4J_JAVA_PREFIX nohup "$app_java_home/bin/java" -Dinstall4j.jvmDir="$app_java_home" -Dexe4j.moduleName="$prg_dir/$progname" "-Dinstall4j.launcherId=144" "-Dinstall4j.swt=false" "$vmov_1" "$vmov_2" "$vmov_3" "$vmov_4" "$vmov_5" $INSTALL4J_ADD_VM_PARAMS -classpath "$local_classpath" com.install4j.runtime.launcher.Launcher start com.mirth.connect.server.launcher.MirthLauncher false false "" "" true true false "" true true 0 0 "" 20 20 "Arial" "0,0,0" 8 500 "version 2.1.1.5490.b781" 20 40 "Arial" "0,0,0" 8 500 -1 > /dev/null 2>&1 &

$INSTALL4J_JAVA_PREFIX sudo -H -u mirthuser nohup "$app_java_home/bin/java" -Dinstall4j.jvmDir="$app_java_home" -Dexe4j.moduleName="$prg_dir/$progname" "-Dinstall4j.launcherId=144" "-Dinstall4j.swt=false" "$vmov_1" "$vmov_2" "$vmov_3" "$vmov_4" "$vmov_5" $INSTALL4J_ADD_VM_PARAMS -classpath "$local_classpath" com.install4j.runtime.launcher.Launcher start com.mirth.connect.server.launcher.MirthLauncher false false "" "" true true false "" true true 0 0 "" 20 20 "Arial" "0,0,0" 8 500 "version 2.1.1.5490.b781" 20 40 "Arial" "0,0,0" 8 500 -1 > /dev/null 2>&1 & 401c401 < $INSTALL4J_JAVA_PREFIX "$app_java_home/bin/java" -Dinstall4j.jvmDir="$app_java_home" -Dexe4j.moduleName="$prg_dir/$progname" -classpath "$local_classpath" com.install4j.runtime.launcher.Launcher status

$INSTALL4J_JAVA_PREFIX sudo -H -u mirthuser "$app_java_home/bin/java" -Dinstall4j.jvmDir="$app_java_home" -Dexe4j.moduleName="$prg_dir/$progname" -classpath "$local_classpath" com.install4j.runtime.launcher.Launcher status
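Review bot: The account name mirthuser is hard-coded in six separate invocations (lines 369, 376, 383, 390, 395 and 401), each time directly after $INSTALL4J_JAVA_PREFIX, which is already expanded at the front of every one of these commands. Carrying the run-as command in that one variable, or in a single new variable for the account, would keep start, stop and status in sync and remove the risk that one path is missed and still launches java as root.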

Imported Issue. Original Details: Jira Issue Key: MIRTH-1993 Reporter: pbugni Created: 2011-10-19T12:06:15.000-0700

rbeckman-nextgen commented 4 years ago

While applying this same patch to a new system, I realized that's exactly the point of the INSTALL4J_JAVA_PREFIX. This one line edit achieved my goal:

19c19 < INSTALL4J_JAVA_PREFIX=""

INSTALL4J_JAVA_PREFIX="sudo -H -u mirthuser"
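Review bot: The new value on line 19 has no comment saying that it is what moves every java invocation from root to mirthuser, so a later edit that resets it to the empty string silently returns the service to root. Add a comment beside the assignment stating the intent and the account the service expects to exist.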

In other words, there's no bug here other than user confusion.

Imported Comment. Original Details: Author: pbugni Created: 2012-04-03T20:13:08.000-0700
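The one-line edit in the comment above hard-codes the account into the prefix. As an added example (not part of mcservice or of the original comments), the helper below computes the prefix instead and refuses an account that is missing, malformed or mapped to uid 0; `MIRTH_RUN_AS`, `lookup_uid` and `run_as_prefix` are hypothetical names.

```shell
#!/bin/sh
# Added example; MIRTH_RUN_AS, lookup_uid and run_as_prefix are hypothetical
# names and are not part of the shipped mcservice script.

# Resolve an account name to its numeric uid; non-zero exit if it is missing.
lookup_uid() {
    id -u "$1" 2>/dev/null
}

# Print the value to assign to INSTALL4J_JAVA_PREFIX.
#   $1 = account the JVM should run as
#   $2 = uid of the caller (defaults to the uid running this script)
# Exit status: 1 bad or missing account, 2 account is uid 0,
#              3 caller is neither root nor the account (policy of this example).
run_as_prefix() {
    account=$1
    caller_uid=${2:-$(id -u)}
    # The prefix is expanded unquoted in front of java, so reject anything
    # that could split into extra words or be read as a sudo option.
    case $account in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    target_uid=$(lookup_uid "$account") || return 1
    [ "$target_uid" -ne 0 ] || return 2
    # Already running as the service account: no sudo needed.
    [ "$caller_uid" -ne "$target_uid" ] || return 0
    [ "$caller_uid" -eq 0 ] || return 3
    printf 'sudo -H -u %s' "$account"
}

# Intended use in place of the hard-coded line 19 (shown as a comment so the
# block has no side effects when sourced):
#   INSTALL4J_JAVA_PREFIX=$(run_as_prefix "${MIRTH_RUN_AS:-mirthuser}") || {
#       echo "mcservice: refusing to start, bad run-as account" >&2; exit 1; }
```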

rbeckman-nextgen commented 4 years ago

Paul, did you make that change in the unix.sh file? Thanks.

Imported Comment. Original Details: Author: rajesh Created: 2012-08-27T08:57:20.000-0700

rbeckman-nextgen commented 4 years ago

I made the one line change in /mcservice

Imported Comment. Original Details: Author: pbugni Created: 2012-08-27T10:34:40.000-0700

rbeckman-nextgen commented 4 years ago

Paul, I have a file writer that reads a file from one location and moves it to another folder. The ownership of the file is user:user since I run mcservice as user. How can I achieve ownership as user:group?

Thanks

Imported Comment. Original Details: Author: rajesh Created: 2013-01-22T11:33:41.000-0800