RunAs

Why Is This Important?

This directive lets you configure EZproxy on Linux or Solaris to start automatically when the system boots, run under a non-root account, and still open ports below 1024.

RunAs is a position-independent config.txt directive that is available in EZproxy for Linux and Solaris.

It is common for EZproxy to be set to start up automatically when the system is booted. Normally, this results in EZproxy running under the privileged root account. If you configure EZproxy to listen on any ports below 1024, EZproxy must be started as root to be able to open these ports. To increase security, it is desirable to have EZproxy run with a non-root account.

The RunAs directive allows you to tell EZproxy to change from the root user to a non-privileged user, and optionally a different group. EZproxy switches to the account specified at its earliest opportunity, after it has opened all low ports on which it needs to listen, but before it actually starts any proxying work.

 

 

To configure RunAs:

1. Stop EZproxy.


2. Edit config.txt to add the appropriate RunAs directive.

RunAs someuser
RunAs someuser:somegroup

Replace someuser and somegroup with the Unix user and group you would like to use to run EZproxy. Use a non-privileged Unix production user and group for this purpose.


3. Change the ownership of the directory where EZproxy is installed, and of all the files within it, to the non-privileged user, with a command such as:

chown -R someuser /usr/local/ezproxy

Note that the chown command is applied recursively to the directory where EZproxy is installed and all the files within, not just to the EZproxy binary program itself.


4. Restart EZproxy.


5. Check messages.txt to ensure there are no error messages recorded about not being able to access required files.
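A check to run after the procedure above, as an added example that is not part of the original page or of EZproxy itself: it reads the RunAs directive from config.txt and confirms that a non-root user is named and owns every file under the install directory. The function names are hypothetical, and the script assumes config.txt sits in the install directory, that the directive name matches case-insensitively, and that the first RunAs line is the one in effect.

```shell
#!/bin/sh
# Added example, not EZproxy's own tooling. Assumptions: config.txt sits in the
# install directory, directive names match case-insensitively, and the first
# RunAs line is the one in effect.

# Print "user" or "user group" from the RunAs directive; exit 1 if none.
runas_account() {
    awk '{ sub(/\r$/, "") }                      # tolerate CRLF line endings
         tolower($1) == "runas" && NF >= 2 {
             n = split($2, p, ":")
             if (n > 1) print p[1], p[2]; else print p[1]
             found = 1; exit
         }
         END { exit !found }' "$1"
}

# Return 0 only if RunAs names a non-root user who owns the whole tree.
audit_runas() {
    dir=$1
    acct=$(runas_account "$dir/config.txt") || {
        echo "FAIL: no RunAs directive in $dir/config.txt"; return 2; }
    user=${acct%% *}
    if [ "$user" = root ] || [ "$user" = 0 ]; then
        echo "FAIL: RunAs names root, so privileges are never dropped"; return 3
    fi
    # find exits non-zero when the user name is unknown on this host.
    bad=$(find "$dir" ! -user "$user" -print 2>/dev/null) || {
        echo "FAIL: user '$user' not found or $dir unreadable"; return 4; }
    if [ -n "$bad" ]; then
        echo "FAIL: not owned by $user (the chown -R step covers these):"
        echo "$bad"
        return 1
    fi
    echo "OK: $dir is owned by $user throughout"
}

# Usage: sh audit_runas.sh /usr/local/ezproxy
if [ $# -gt 0 ]; then audit_runas "$1"; exit $?; fi
```

A non-zero exit status identifies which check failed: 2 for a missing directive, 3 for RunAs root, 4 for an unknown user, 1 for files the RunAs user does not own.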


Once you have EZproxy configured to use RunAs, you may notice one EZproxy process still runs as root. The main EZproxy process is called Guardian. Guardian is responsible for starting up a separate process that does the actual proxying. If the worker process should stop for any reason, Guardian restarts the worker process. Guardian remains root through all of this since the restarted worker process may need to be root to open low ports.

 

The following directives interact with or control functions related to this directive.

LoginPort

Concepts

Proxy by Hostname Configuration

 

This page last revised: June 30, 2015