How to Run FileCatalyst Server as a Non-Root Service
Posted by Jeyram Sachchithananthan, Last modified by Aly Essa on 19 June 2019 02:15 PM

Overview


The FileCatalyst Server can run as a service on Linux installations. By default, the service runs as the root user, which simplifies installing and configuring the service and gives it read/write access to all mount points used.

The FileCatalyst Server can also run as a non-root user, and this article provides the steps to achieve this.

Note:

  • Ports used by the FileCatalyst Server must be in a range above 1024. The port range of 1-1024 is restricted to root users.
  • Some features (such as chown on uploads) will not work, as the user running the application will no longer have the file system access needed to perform those operations.
  • Please ensure that the user running the application also has full access (read, read-write) to the user's home directories and any mount points used.
  • The instructions below are intended for a fresh install. If you are converting an existing installation, make sure all mount and storage paths are owned by the user running the FileCatalyst Server service.


Environment


FileCatalyst Server v3.4 and later.
Linux OS.

Resolution

Preliminary steps, which must be performed as the root user:

  1. Install the FileCatalyst Server in the default recommended path which is /opt/utechsoft/server.

  2. Complete the rest of the installation such as licensing the FileCatalyst Server, enabling the Remote Admin and setting up a Remote Administration password as per standard instructions. For further information please refer to our Quickstart Guide.

  3. Install the service scripts found under the /opt/utechsoft/server/service_wrapper/ directory. You can use the /opt/utechsoft/server/service_wrapper/SERVICE_WRAPPER_README for assistance.

  4. Start the service script (it will run as root for now) and ensure remote admin connections work and the system is operational. Use the command service fcserver start.

  5. Stop the service using service fcserver stop.

    At this point, we know we have a working FileCatalyst Server ready to be configured as a non-root service. Please continue following the steps listed below.

  6. Ensure a user has been defined on the operating system.  For this article, the user is called administrator.

  7. Modify the application directory so that it is owned by the administrator user.

    root@machine:/# cd /opt/utechsoft/server/
    root@machine:/opt/utechsoft/server/# chown -R administrator:administrator .

  8. Modify fcconf.conf, and ensure open ports are set above 1024.  Only the root user can open up lower level ports.

    These have standard values below 1024, so they need to be modified to use higher port values. For example:

    FCServer.server.config.port=2021
    FCServer.server.config.sftp.port=2022
    FCServer.server.config.ssl.port=2990

  9. Create an accessible directory where the service script can record its PID. By default, the /var/run directory is owned by root, and non-root users cannot modify the content of that directory.

    root@machine:/# mkdir -p /opt/utechsoft/var/run/
    root@machine:/# chown -R administrator:administrator /opt/utechsoft/var/

  10. Modify service script /etc/init.d/fcserver to let the system know you need to run as another user.

    Add the following:
    # Location of the pid file.

    # PIDDIR="/var/run"
    PIDDIR="/opt/utechsoft/var/run"

    # If uncommented, causes the Wrapper to be shutdown using an anchor file.
    # When launched with the 'start' command, it will also ignore all INT and
    # TERM signals.
    #IGNORE_SIGNALS=true

    # If specified, the Wrapper will be run as the specified user.
    # IMPORTANT - Make sure that the user has the required privileges to write
    # the PID file and wrapper.log files. Failure to be able to write the log
    # file will cause the Wrapper to exit without any way to write out an error
    # message.
    # NOTE - This will set the user which is used to run the Wrapper as well as
    # the JVM and is not useful in situations where a privileged resource or
    # port needs to be allocated prior to the user being changed.
    #RUN_AS_USER=
    RUN_AS_USER=administrator

  11. Verify and change the ownership of the directories created by the FileCatalyst Server in /tmp to the new user:

    root@machine:/# chown -R administrator:administrator /tmp/FileCatalystTemp/
    root@machine:/# chown -R administrator:administrator /tmp/hsperfdata_administrator/

  12. Since we have made changes to the service package, we have to restart the Linux server and run the command below in order for the changes to take effect:

    root@machine:/# systemctl daemon-reload

    Right after the above step is executed, we should be able to start the FileCatalyst service as a non-root user. Run the following commands:

    root@machine:/# service fcserver start
    root@machine:/# service fcserver status


    ● fcserver.service - LSB: FileCatalyst Direct Server

    Loaded: loaded (/etc/init.d/fcserver; bad; vendor preset: enabled)
    Active: active (exited) since Tue 2018-08-21 11:18:06 EDT; 3s ago
    Docs: man:systemd-sysv-generator(8)
    Process: 6155 ExecStop=/etc/init.d/fcserver stop (code=exited, status=0/SUCCESS)
    Process: 6306 ExecStart=/etc/init.d/fcserver start (code=exited, status=0/SUCCESS)

    Aug 21 11:18:05 machine systemd[1]: Starting LSB: FileCatalyst Direct Server...
    Aug 21 11:18:05 machine su[6350]: Successful su for administrator by root
    Aug 21 11:18:05 machine su[6350]: + ??? root:administrator
    Aug 21 11:18:05 machine su[6350]: pam_unix(su:session): session opened for user administrator by (uid=0)
    Aug 21 11:18:05 machine fcserver[6306]: Starting FileCatalyst Direct Server...
    Aug 21 11:18:06 machine systemd[1]: Started LSB: FileCatalyst Direct Server.

  13. Verify that the FileCatalyst Server is running by executing the following command in the terminal:

    root@machine:/# ps -ef | grep java

    adminis+ 6394 6392 99 11:18 ? 00:00:27 /usr/bin/java -XX:+IgnoreUnrecognizedVMOptions --add-modules=java.xml.bind -Dsun.java2d.d3d=false -XX:+UseConcMarkSweepGC -Dsun.java2d.noddraw=true -Xms1024m -Xmx1024m -Djava.library.path=./lib:. -classpath ./lib/wrapper.jar:./FileCatalystServer.jar -Dwrapper.key=w18mNoQ9ZEG68wrI -Dwrapper.port=32000 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=6392 -Dwrapper.version=3.2.3 -Dwrapper.native_library=wrapper -Dwrapper.service=TRUE -Dwrapper.cpu.timeout=10 -Dwrapper.jvmid=1 org.tanukisoftware.wrapper.WrapperSimpleApp unlimited.fc.server.FileCatalystServer
    root 6511 4613 0 11:18 pts/0 00:00:00 grep --color=auto java

  14. Use the wrapper log (/opt/utechsoft/server/logs/wrapper.log) to ensure that no permission errors are seen. Such errors indicate that you need to grant file system access to the user running the FileCatalyst Server.
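
The following shell functions are an added example, not part of the original article or of FileCatalyst's own tooling. They check the three things this procedure depends on: no configured port at or below 1024, an active RUN_AS_USER line in the init script, and no leftover paths owned by another user. The function names are hypothetical, the sample files are constructed, and treating every key ending in ".port" as a listening port is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight checks for the non-root setup (function names are hypothetical).

# Print active "*.port=" settings at or below 1024; exit status 1 if any exist.
# Assumption: every key ending in ".port" is a listening port.
fc_low_ports() {
    awk -F= '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key ~ /\.port$/ && val ~ /^[0-9]+$/ && val + 0 <= 1024) {
                print key "=" val; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Print the last uncommented RUN_AS_USER value from an init script (empty if unset).
fc_run_as_user() {
    sed -n 's/^[[:space:]]*RUN_AS_USER=//p' "$1" | tail -n 1
}

# Print every path under the given directories that is NOT owned by user $1.
# stderr is left visible: an unknown user must fail loudly, not look like a clean result.
fc_not_owned() {
    owner=$1; shift
    find "$@" ! -user "$owner"
}

# Demo on constructed sample files (not taken from a real installation).
demo=$(mktemp -d)
cat > "$demo/fcconf.conf" <<'EOF'
FCServer.server.config.port=21
FCServer.server.config.sftp.port=2022
#FCServer.server.config.ssl.port=990
FCServer.server.config.ssl.port=2990
EOF
printf '#RUN_AS_USER=\nRUN_AS_USER=administrator\n' > "$demo/fcserver"

if ! low=$(fc_low_ports "$demo/fcconf.conf"); then
    echo "ports that still need root: $low"
fi
echo "service user: $(fc_run_as_user "$demo/fcserver")"
echo "paths not owned by uid $(id -u): $(fc_not_owned "$(id -u)" "$demo" | wc -l)"
rm -rf "$demo"
```

On a real host, pass fc_not_owned the service user and the directories from steps 7, 9 and 11; any path it prints still needs a chown before the service is started.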
