CentOS 7: extracting an rpm package into a chosen directory and creating a custom Nessus service as a non-root user

Background

Some time ago, in a few special scenarios, I needed to configure the Nessus scanner's service as a non-root user. It failed, but the process is worth recording. A friendly reminder: creating the service still requires the root user; otherwise, starting the service as a non-root user reports an error like systemctl --user xxx: Failed to get D-Bus connection.

Extracting the rpm file with rpm2cpio

Run rpm2cpio Nessus-10.3.0-es7.x86_64.rpm | cpio -ivd to extract the files contained in the Nessus-10.3.0-es7.x86_64.rpm package (the listing below is abridged):

$ rpm2cpio Nessus-10.3.0-es7.x86_64.rpm | cpio -ivd
./opt/nessus
./opt/nessus/bin
./opt/nessus/bin/nasl
./opt/nessus/bin/ndbg
./opt/nessus/com
./opt/nessus/com/nessus
./opt/nessus/com/nessus/CA
./opt/nessus/etc
./opt/nessus/etc/nessus
./opt/nessus/lib
./opt/nessus/lib/nessus
./opt/nessus/var/nessus/tenable-plugins-b-20210201.pem
./opt/nessus/var/nessus/tmp
./opt/nessus/var/nessus/tools
./opt/nessus/var/nessus/tools/bootstrap-from-media.nbin
./opt/nessus/var/nessus/tools/nessusd_www_server6.nbin
./opt/nessus/var/nessus/tools/tool_dispatch.ntool
./opt/nessus/var/nessus/users
./usr/lib/firewalld/services/nessus.xml
./usr/lib/systemd/system/nessusd.service
159318

cpio options used above (these are the flags after the pipe, not rpm2cpio's):

-i, --extract            extract files from the archive (copy-in mode)
-v, --verbose            list each file as it is processed
-d, --make-directories   create leading directories where needed

The tree command shows the rough layout of the extracted files (abridged):
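The extraction above unpacks into the current directory, because the cpio payload uses ./opt/... relative paths. The following shell function is an added example (not from the original post) that wraps the same rpm2cpio | cpio pipeline so the payload lands in a directory of your choosing, checks the arguments first, and runs rpm's signature/digest check when rpm is installed. The package path and destination in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): extract an rpm payload into a
# chosen directory with rpm2cpio | cpio, with the checks an operator would
# want first. The package name and destination below are placeholders.

# extract_rpm_to DEST RPM
#   Unpacks RPM under DEST (created if missing) without touching / and
#   without needing root. Returns 1 on a missing argument or file, or when
#   rpm -K reports a failed signature/digest check.
extract_rpm_to() {
    dest=$1
    rpm_file=$2
    if [ -z "$dest" ] || [ -z "$rpm_file" ]; then
        echo "usage: extract_rpm_to DEST RPM" >&2
        return 1
    fi
    if [ ! -f "$rpm_file" ]; then
        echo "no such rpm: $rpm_file" >&2
        return 1
    fi
    # Check signature and digests when rpm(8) is available. This only proves
    # authenticity if the vendor's signing key has been imported; otherwise
    # rpm reports NOKEY and the check is inconclusive.
    if command -v rpm >/dev/null 2>&1; then
        rpm -K "$rpm_file" || { echo "rpm -K failed for $rpm_file" >&2; return 1; }
    fi
    mkdir -p "$dest" || return 1
    # cpio must run inside DEST because the archive paths are ./opt/..., so
    # resolve the rpm to an absolute path before changing directory.
    abs_rpm=$(cd "$(dirname "$rpm_file")" && pwd)/$(basename "$rpm_file")
    # -i extract, -d make directories, -m keep mtimes, -v list files
    ( cd "$dest" && rpm2cpio "$abs_rpm" | cpio -idmv )
}

# payload_has DEST RELPATH -> 0 if the extracted tree contains RELPATH
payload_has() {
    [ -e "$1/$2" ]
}

# Usage (package name as in the post, destination is a placeholder):
#   extract_rpm_to /tmp/nessus-unpacked ./Nessus-10.3.0-es7.x86_64.rpm
#   payload_has /tmp/nessus-unpacked usr/lib/systemd/system/nessusd.service
```

Extracting into a scratch directory like this keeps the vendor's unit file, binaries and plugin tools inspectable before anything is copied into place, which is the point of the rest of the post.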

$ tree ./*
./opt
└── nessus
    ├── bin
    │   ├── nasl
    │   └── ndbg
    ├── com
    │   └── nessus
    │       └── CA
    ├── etc
    │   └── nessus
    ├── lib
    │   └── nessus
    │       ├── iconv
    │       │   ├── adobe-stdenc.so
    │       │   ├── adobe-symbol.so
    │       │   ├── adobe-zdingbats.so
    │       │   ├── big5.so
    │       ├── libjemalloc.so -> libjemalloc.so.2
    │       ├── libjemalloc.so.2
    │       ├── libnessus-glibc-fix.so
    │       └── plugins
    │           └── known_CA.inc
    ├── sbin
    │   ├── nessuscli
    │   ├── nessusd
    │   └── nessus-service
    └── var
        └── nessus
            ├── logs
            ├── nessus_org.pem            
            └── users
./usr
└── lib
    ├── firewalld
    │   └── services
    │       └── nessus.xml
    └── systemd
        └── system
            └── nessusd.service 
23 directories, 231 files                       

Creating user@<uid>.service for the non-root user, as root

Running systemctl --user status directly as the non-root user fails:

$ systemctl --user status
Failed to get D-Bus connection: no such file or directory.

The reason is explained in Tableau's documentation:
https://help.tableau.com/current/server-linux/en-us/systemd_user_service_error.htm

The systemd user service is not used as commonly as the normal systemd
process manager. Red Hat disabled the systemd user service in RHEL 7
(and thereby all distros that come from RHEL, like CentOS, Oracle
Linux 7, Amazon Linux 2). However, RedHat has assured Tableau that
running the systemd user service is supported as long as the service
is re-enabled.

In short: the systemd user service is not used as commonly as the regular systemd process manager. Red Hat disabled the systemd user service in RHEL 7 (and therefore in every RHEL-derived distribution, such as CentOS, Oracle Linux 7 and Amazon Linux 2), but it can be re-enabled by configuration.

Steps to enable it:

  • Run id <non-root username> to find the non-root user's uid; for example, deploy has uid 1000
[root@host ~]# id deploy
uid=1000(deploy) gid=1000(deploy) groups=1000(deploy),993(docker)
  • As root, create /etc/systemd/system/user@<uid>.service, replacing uid with your own, e.g. /etc/systemd/system/user@1000.service
cat > /etc/systemd/system/user@1000.service <<EOF
[Unit]
Description=User Manager for UID %i
After=systemd-user-sessions.service
# These are present in the RHEL8 version of this file except that the unit is Requires, not Wants.
# It's listed as Wants here so that if this file is used in a RHEL7 settings, it will not fail.
# If a user upgrades from RHEL7 to RHEL8, this unit file will continue to work until it's
# deleted the next time they upgrade Tableau Server itself.
After=user-runtime-dir@%i.service
Wants=user-runtime-dir@%i.service

[Service]
Environment="XDG_RUNTIME_DIR=/run/user/%i"
LimitNOFILE=infinity
LimitNPROC=infinity
User=%i
PAMName=systemd-user
Type=notify
# PermissionsStartOnly is deprecated and will be removed in future versions of systemd
# This is required for all systemd versions prior to version 231
PermissionsStartOnly=true
ExecStartPre=/bin/loginctl enable-linger %i
ExecStart=-/lib/systemd/systemd --user
Slice=user-%i.slice
KillMode=mixed
Delegate=yes
TasksMax=infinity
Restart=always
RestartSec=15

[Install]
WantedBy=default.target

EOF
  • As root, reload the systemd configuration and enable and start the user service
systemctl daemon-reload
systemctl enable user@<uid>.service
systemctl start user@<uid>.service

For example:

systemctl daemon-reload
systemctl enable user@1000.service
systemctl start user@1000.service
  • You may also need to add the following environment variables to the non-root user's ~/.bashrc, then run source ~/.bashrc to load them
export XDG_RUNTIME_DIR="/run/user/$UID"
export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus"
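The steps above are easy to get wrong by hand (the uid in the file name, an accidental uid 0). The following shell functions are an added example, not from the original post or from Tableau, that resolve the account to a uid, refuse to build a manager for root, and write the same unit as above into a caller-supplied directory so it can be reviewed before being placed under /etc/systemd/system. The account name deploy and the output directory in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Tableau): generate the
# user@<uid>.service unit for one account. Writing to a caller-supplied
# directory lets the file be inspected before it goes to /etc/systemd/system.

# write_user_manager_unit USER OUTDIR
#   USER may be an account name (resolved with id(1)) or a numeric uid.
#   Writes OUTDIR/user@<uid>.service and prints its path. Refuses uid 0:
#   the whole point of this unit is an unprivileged manager.
write_user_manager_unit() {
    user=$1
    outdir=$2
    case $user in
        *[!0-9]*|"") uid=$(id -u "$user" 2>/dev/null) || { echo "unknown user: $user" >&2; return 1; } ;;
        *) uid=$user ;;
    esac
    if [ "$uid" -eq 0 ]; then
        echo "refusing to create a user manager for uid 0" >&2
        return 1
    fi
    mkdir -p "$outdir" || return 1
    unit="$outdir/user@$uid.service"
    # Same content as the unit in the post; systemd substitutes the uid for
    # %i at runtime, so only the file name carries the number.
    cat > "$unit" <<'EOF'
[Unit]
Description=User Manager for UID %i
After=systemd-user-sessions.service
After=user-runtime-dir@%i.service
Wants=user-runtime-dir@%i.service

[Service]
Environment="XDG_RUNTIME_DIR=/run/user/%i"
LimitNOFILE=infinity
LimitNPROC=infinity
User=%i
PAMName=systemd-user
Type=notify
# Required on systemd versions before 231 (CentOS 7 ships 219) so that
# ExecStartPre runs as root while ExecStart runs as User=.
PermissionsStartOnly=true
ExecStartPre=/bin/loginctl enable-linger %i
ExecStart=-/lib/systemd/systemd --user
Slice=user-%i.slice
KillMode=mixed
Delegate=yes
TasksMax=infinity
Restart=always
RestartSec=15

[Install]
WantedBy=default.target
EOF
    echo "$unit"
}

# unit_uid PATH -> the uid encoded in a user@<uid>.service file name
unit_uid() {
    basename "$1" .service | sed 's/^user@//'
}

# Usage, as root, for the account deploy (assumed name):
#   unit=$(write_user_manager_unit deploy /etc/systemd/system)
#   systemctl daemon-reload
#   systemctl enable "$(basename "$unit")"
#   systemctl start "$(basename "$unit")"
```

Keeping the uid check in the script is cheap insurance: a user@0.service would run a second systemd manager as root with lingering enabled, which is the opposite of what this setup is for.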

With that in place, you can create a custom service.

Creating a custom systemctl service as the non-root user

As the non-root user, run mkdir -p ~/.config/systemd/user to create the directory that holds custom service files.
Place the custom service file in ~/.config/systemd/user; nessusd.service is used as the example here:

[deploy@host nessus]$ cp usr/lib/systemd/system/nessusd.service ~/.config/systemd/user

[deploy@host nessus]$ cat ~/.config/systemd/user/nessusd.service 
# ---------------------------------------------------- #
#                                                      #
# WARNING: DO NOT EDIT                                 #
#                                                      #
# This file has been autogenerated, edits to this file #
# directly may be overwriten during a build            #
#                                                      #
# ---------------------------------------------------- #


[Unit]
Description=The Nessus Vulnerability Scanner
After=network.target

[Service]
Type=simple
PIDFile=/opt/nessus/var/nessus/nessus-service.pid
ExecStart=/opt/nessus/sbin/nessus-service -q --no-root
Restart=on-abort
ExecReload=/usr/bin/pkill nessusd
EnvironmentFile=-/etc/sysconfig/nessusd

[Install]
WantedBy=default.target
Alias=nessusd.service
  • As the non-root user, run systemctl --user daemon-reload to reload the units
[deploy@host76 nessus]$ systemctl --user daemon-reload
  • As the non-root user, run systemctl --user enable nessusd to enable the custom nessusd service at login
[deploy@host nessus]$ systemctl --user enable nessusd

# This creates a symlink under default.target.wants
[deploy@host nessus]$ ls -al ~/.config/systemd/user/default.target.wants/nessusd.service
lrwxrwxrwx 1 deploy deploy 49 1022 23:45 /home/deploy/.config/systemd/user/default.target.wants/nessusd.service -> /home/deploy/.config/systemd/user/nessusd.service
  • As the non-root user, run systemctl --user start nessusd to start the custom nessusd service
[deploy@host nessus]$ systemctl --user start nessusd
[deploy@host nessus]$ systemctl --user status nessusd 
● nessusd.service - The Nessus Vulnerability Scanner
   Loaded: loaded (/home/deploy/.config/systemd/user/nessusd.service; enabled; vendor preset: enabled)
   Active: active (running) since 六 2022-10-22 23:55:19 CST; 6s ago
 Main PID: 17246 (nessus-service)
   CGroup: /user.slice/user-1000.slice/user@1000.service/nessusd.service
           ├─17246 /opt/nessus/sbin/nessus-service -q --no-root
           └─17381 nessusd -q --no-root
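The vendor unit copied above hard-codes paths under /opt/nessus that were written for a root-run daemon. The following shell functions are an added example (not from the original post or from Tenable) of a preflight check to run before systemctl --user enable: they read ExecStart, PIDFile and EnvironmentFile from a unit file and verify that the current user can actually execute the program, write the PID file's directory, and read any mandatory environment file. The unit path in the usage comment is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post): check that the paths a unit
# hard-codes are usable by the current (non-root) user before enabling it
# under ~/.config/systemd/user.

# unit_value UNIT KEY -> value of the last KEY= line, empty if absent
unit_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_user_unit UNIT
#   For the current user, verifies that:
#     * the ExecStart program exists and is executable
#     * the directory of PIDFile (if set) is writable
#     * EnvironmentFile (if set without the optional '-' prefix) is readable
#   Returns 0 if every check passes, 1 otherwise, reporting each failure.
check_user_unit() {
    unit=$1
    rc=0
    exec_start=$(unit_value "$unit" ExecStart)
    # drop systemd's leading prefix characters and keep only the program path
    prog=$(printf '%s\n' "$exec_start" | sed 's/^[-@+!:]*//' | cut -d' ' -f1)
    if [ -z "$prog" ]; then
        echo "$unit: no ExecStart" >&2; rc=1
    elif [ ! -x "$prog" ]; then
        echo "$unit: ExecStart program not executable: $prog" >&2; rc=1
    fi
    pidfile=$(unit_value "$unit" PIDFile)
    if [ -n "$pidfile" ] && [ ! -w "$(dirname "$pidfile")" ]; then
        echo "$unit: PIDFile directory not writable: $(dirname "$pidfile")" >&2; rc=1
    fi
    envfile=$(unit_value "$unit" EnvironmentFile)
    case $envfile in
        ""|-*) ;;   # absent, or optional ('-' prefix): nothing to check
        *) [ -r "$envfile" ] || { echo "$unit: EnvironmentFile missing: $envfile" >&2; rc=1; } ;;
    esac
    return $rc
}

# Usage, as the non-root user, with the unit from the post:
#   check_user_unit ~/.config/systemd/user/nessusd.service \
#       && systemctl --user enable nessusd && systemctl --user start nessusd
```

For the nessusd unit above this means checking /opt/nessus/sbin/nessus-service and /opt/nessus/var/nessus; a failure here is reported before systemctl --user start produces a less specific one.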

In fact I never did get nessusd to restart successfully, but a custom service can be started following this approach. Some processes hard-code their configuration, which becomes a hassle when you lack the permissions.

References

  1. https://wiki.archlinux.org/title/Systemd/User
  2. https://help.tableau.com/current/server-linux/en-us/systemd_user_service_error.htm
  3. https://forums.centos.org/viewtopic.php?t=59484
  4. https://blog.csdn.net/weixin_38184741/article/details/118067373
  5. https://bbs.archlinux.org/viewtopic.php?id=201543
  6. https://unix.stackexchange.com/questions/615917/failed-to-get-d-bus-connection-connection-refused
  7. https://serverfault.com/questions/936985/cannot-use-systemctl-user-due-to-failed-to-get-d-bus-connection-permission