Solved Make `service status` work for non-root

[Hornpipe2]

I have a service running on my server (in this case, audio/icecast) via rc scripts. I want the non-root user to be able to see that Icecast is running.

As root, if I type:
service icecast status
it gives me this response:

icecast is running as pid 74983.

As non-root, if I try the same:
service icecast status
instead I see:

icecast is not running.

This is (I guess) because security prevents non-root from seeing root's processes (e.g. ps a does not show Icecast as non-root). Changing these sysctl settings lets me see it:

# sysctl security.bsd.see_other_uids=0
# sysctl security.bsd.see_other_gids=0

and now non-root can get icecast status.

This seems very heavy-handed though! I don't know if I want to make every user able to see every process, just to get status for this one service. So here's the question. What is the best way to make service <name> status work for non-root?

 

[Argentum]

This seems very heavy-handed though! I don't know if I want to make every user able to see every process, just to get status for this one service. So here's the question. What is the best way to make service <name> status work for non-root?

This is a matter of taste, but in your position I would run icecast on a separate Bhyve virtual machine and give Icecast user access to that machine. You can allow seeing all processes inside the VM.

Icecast is not big and does not consume much disk space. The VM can be compact.
If you like, you can download one of my Bhyve images from Compact Bhyve images.

If your CPU supports virtualization, then this is my strong recommendation. In the past, I have been running Icecast several years.

Good point to start is installing the port sysutils/vm-bhyve/. This is a collection of useful shell scripts to handle VM-s.

 

[George]

Or elevate privileges with sudo or doas?

 

[SirDice]

Changing these sysctl settings lets me see it:

Those are the default, unless you increased security by specifically disallowing this (security options during install). The default is to allow anyone to see all processes. As with any security measure, enabling those security options will have consequences you need to be aware of. Some of those consequences may not be apparent at first glance.

 

[Hornpipe2]

Those are the default, unless you increased security by specifically disallowing this (security options during install). The default is to allow anyone to see all processes. As with any security measure, enabling those security options will have consequences you need to be aware of. Some of those consequences may not be apparent at first glance.

Interesting, I thought the defaults were to *hide* non-self processes instead.

It still seems like there should be a more granular way to do this but I have my answer now

EDIT: it occurs to me that the more "granular" way is to use a shared group for icecast and whatever other user wants to view its status