Super User Asked by Ali Tou on February 10, 2021
I want to be able to send a SIGHUP signal to a Prometheus process from a CI tool that runs with a different user than Prometheus. Let’s say CI uses gitlab-runner user and Prometheus uses prometheus user. I thought that I can achieve sending a SIGHUP signal to the Prometheus process by following steps:
kill command:
$ cat `which promhup`
kill -HUP $(pgrep prometheus)
setuid bit for this file:
chown prometheus promhup
chmod +x promhup
chmod u+s promhup
Then, I expected that if I simply run promhup, it can send the desired signal to the Prometheus process. However, I get the following error:
/usr/bin/promhup: line 1: kill: (602) - Operation not permitted
The permissions now look like this:
$ ls -l `which promhup`
-rwsr-xr-x 1 prometheus root 51 Jan 27 19:36 /usr/bin/promhup
What have I done wrong? How can I accomplish this without giving sudo access to my CI user?
Linux ignores the setuid bit on scripts/interpreted executables (the ones that start with #!) for security reasons.
As a kind of hacky solution you can try to compile a simple binary out of your script using https://github.com/neurobin/shc and setuid it:
sudo add-apt-repository ppa:neurobin/ppa
sudo apt-get install shc
shc -f my_promhup_script -o promhup
sudo mv promhup /usr/bin/
Although I'd rather go for the sudo option - that's what it was designed for.
Update:
For the sudo option, you can add something like this to your sudoers:
gitlab-runner ALL = (ALL) ALL
gitlab-runner ALL = (root) NOPASSWD: /usr/bin/promhup
This will make sudo not ask for a password only for your script, while asking for it for the others.
Answered by O.W.Grant on February 10, 2021
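Added example, not part of the original answer or of shc: a small C helper that can carry the setuid bit in place of the shell script, since the kernel honours setuid on compiled binaries. The function names `pid_matches` and `signal_by_name` are hypothetical, and the code assumes Linux `/proc` and a process name of exactly `prometheus` (unlike `pgrep`, it does not do pattern matching).

```c
/* promhup.c (added example): SIGHUP every process named "prometheus" owned by
   this program's effective user. Takes no arguments and reads no environment. */
#include <ctype.h>
#include <dirent.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if /proc/<pid> is owned by uid and /proc/<pid>/comm equals name. */
static int pid_matches(const char *pid, const char *name, uid_t uid) {
    char path[300], comm[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%s", pid);
    if (stat(path, &st) != 0 || st.st_uid != uid) return 0;
    snprintf(path, sizeof path, "/proc/%s/comm", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    if (!fgets(comm, sizeof comm, f)) comm[0] = '\0';
    fclose(f);
    comm[strcspn(comm, "\n")] = '\0';   /* strip the trailing newline */
    return strcmp(comm, name) == 0;
}

/* Signal every matching process; returns the number signalled, -1 on error. */
int signal_by_name(const char *name, uid_t uid, int sig) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;  /* PIDs only */
        if (!pid_matches(e->d_name, name, uid)) continue;
        if (kill((pid_t)atol(e->d_name), sig) == 0) n++;
    }
    closedir(d);
    return n;
}

int main(void) {
    /* Under setuid, geteuid() is the file owner (prometheus in the question). */
    if (signal_by_name("prometheus", geteuid(), SIGHUP) > 0) return 0;
    fprintf(stderr, "promhup: no prometheus process signalled\n");
    return 1;
}
```

Build it with `cc -O2 -o promhup promhup.c`, then apply the same `chown` and `chmod u+s` steps from the question to the resulting binary.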