#84 Running certmonger as non-root user
Closed: worksforme 4 years ago by rcritten. Opened 6 years ago by jremitz.

I'm trying to override the default nature of certmonger by running it as a non-root user. I have not seen an easy way to do this, but I've been able to successfully get it up and running. I'm having issues, though, running post-save commands, which won't execute unless I leave this as root user. The errors I'm seeing in journalctl are:
Oct 27 08:19:14 certmonger[12719]: 2017-10-27 08:19:14 [19676] Error on initgroups(root,0): Operation not permitted, continuing and running "update_jks.sh " anyway.
Oct 27 08:19:14 certmonger[12719]: 2017-10-27 08:19:14 [19676] Error on setregid(0,0,0): Operation not permitted, not running "update_jks.sh".
Oct 27 08:19:14 certmonger[12719]: Null message body; hope that's ok
I've set the group as root and got a different second attempt:
Error on setreuid(0,0,0): ...
Am I overthinking this? Is there an easier way to do it?

OS is RHEL 7.

Thanks!


Sorry for such a late response. You can try setting pre_certsave_uid and/or post_certsave_uid in your request.

I don't see a way to set this on the cli but if you stop certmonger you can manually update the request file to try this out.

@rcritten It would sure be nice to run pre/post save commands by default with the user that certmonger is running with. On the other hand, I don't find where to set these (pre|post)_certsave_uid options. It seems to me like it would be useful to expose them as command line options for the request command.

They are set in the request itself, in /var/lib/certmonger/requests/<id>

e.g.

/var/lib/certmonger/requests/20170706143313:pre_certsave_uid=0
/var/lib/certmonger/requests/20170706143313:post_certsave_uid=0

Metadata Update from @rcritten:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

4 years ago
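
The manual edit described in the comments above, as an added example (not code from the thread or from the certmonger project). It assumes the request file is plain key=value lines, as the grep-style output above suggests, and that the uid is numeric like the values shown; the function names and the uid 1001 are hypothetical.

```shell
#!/bin/bash
# Added example: set pre_certsave_uid / post_certsave_uid in a request file.
# Stop certmonger first, as advised in the thread, and start it again afterwards.
# Usage (1001 is a placeholder uid):
#   set_certsave_uid /var/lib/certmonger/requests/<id> post 1001

# Print the uid currently stored for the given phase ("pre" or "post"), if any.
get_certsave_uid() {
    local file="$1" key="${2}_certsave_uid"
    awk -v k="$key" 'index($0, k "=") == 1 { print substr($0, length(k) + 2) }' "$file"
}

# Replace (or add) the <phase>_certsave_uid line, leaving all other lines as they are.
set_certsave_uid() {
    local file="$1" phase="$2" uid="$3" key tmp
    case "$phase" in
        pre|post) key="${phase}_certsave_uid" ;;
        *) echo "phase must be 'pre' or 'post'" >&2; return 2 ;;
    esac
    # Numeric uids only, matching the values shown in the thread.
    case "$uid" in
        ''|*[!0-9]*) echo "uid must be numeric" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such request file: $file" >&2; return 1; }

    tmp=$(mktemp) || return 1
    # Drop any existing line for this key, keep the rest, then append the new value.
    awk -v k="$key" 'index($0, k "=") != 1' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s=%s\n' "$key" "$uid" >> "$tmp"
    # Write back in place so the file keeps its owner, mode and SELinux label.
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}
```

Writing back through the existing file rather than renaming a new one over it matters on RHEL, where a replaced file can end up with a different owner or SELinux context than the daemon expects.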
