sacretagent

Run SABNZBD/ CouchPotato / Sickbeard as nobody at boot


since a few people PM'd me about this, i decided to do the whole write-up in a new thread

 

Please be aware i am not a Linux Guru and just put things together with a lot of googling ... i accept no responsibility if your unraid goes POOOFFF

running these things as nobody can be a security risk (although running as root i think is a bigger risk  :P ) but as far as i know i didn't see any issue

 

first of all...  i am running Unraid 5B2 and SABNZBD 0.5.6 and i have unmenu installed (might be important for the scripts later on)

then we go to the nasty stuff :

1. Change permissions and ownership on the sab/couchpotato/sickbeard dependency package

mkdir /tmp/depend
cp /boot/custom/packages/SABnzbdDependencies-2.1-i486-unRAID.tgz /tmp/depend
cd /tmp/depend
tar -zxvf SABnzbdDependencies-2.1-i486-unRAID.tgz
chown -R nobody install
chown -R nobody usr
# build the repacked archive here in /tmp/depend, then copy it to the flash drive
tar -zcvf SABnzbdDependencies-2.2-i486-unRAID.tgz usr install
cp SABnzbdDependencies-2.2-i486-unRAID.tgz /boot/custom/packages/

 

you can delete /tmp/depend if you want but it will delete automatically next reboot :P

if you want to do this now

rm -r /tmp/depend

 

2. Adapt GO file

better take a backup of it... if you mess up you can always go back :)

the go file should look something like this

 

#sleep for 10 seconds
sleep 10

#Sab/sickbeard/couchpotato dependencies
installpkg /boot/custom/packages/SABnzbdDependencies-2.2-i486-unRAID.tgz

#give nobody shell access
usermod -s /bin/bash nobody

#Start SABNZBD
su nobody -c "python /Path/to/your/servers/SABnzbd.py -d -f /boot/config/SABnzbd.ini -s IP:PORT"

#Start CouchPotato
su nobody -c "python /Path/to/your/servers/CouchPotato.py -d"

#Start SickBeard
su nobody -c "python /Path/to/your/servers/SickBeard.py -d"

 

this goes after the line from unmenu to install its scripts

 

a few remarks though

1. put it at the end of your go script ... the 10 secs sleep is just to be sure that /mnt/cache has the time to be mounted

2. "nobody" needs to be able to access all files in the .custom dirs so better to chown -R nobody /mnt/cache/.custom (or wherever you installed your programs)

3. AGAIN i am a linux beginner and have no clue how safe this is ...  i tried to access the unraid by using nobody and no passwd and that didn't work so i guess it is pretty safe but don't take my word on it

 

It works from boot and i have tested this a few times

 

this is a piece of Top

 

top - 14:32:14 up  1:07,  2 users,  load average: 1.49, 1.31, 1.21
Tasks: 110 total,   3 running, 107 sleeping,   0 stopped,   0 zombie
Cpu(s):  1.0%us,  5.5%sy,  0.0%ni, 48.7%id, 44.0%wa,  0.2%hi,  0.7%si,  0.0%st
Mem:   3049788k total,  2636676k used,   413112k free,   534776k buffers
Swap:  5119992k total,        0k used,  5119992k free,  1797972k cached

 PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
14812 root      20   0  9816 8600  480 R   11  0.3   0:00.55 dd
 2409 nobody    20   0  396m 122m 3392 S    2  4.1   2:32.51 python
   1 root      20   0   704  332  288 S    0  0.0   0:01.85 init
   2 root      20   0     0    0    0 S    0  0.0   0:00.00 kthreadd
   3 root      RT   0     0    0    0 S    0  0.0   0:00.00 migration/0

 

shows clearly python is running under nobody

i downloaded already a bunch of files and they are all owned by nobody and i have all rights on them (2770)

i set 2770 also in the SAB settings

 

if you telnet into the server and do

root@p5bplus:~# su nobody
nobody@p5bplus:/root$ ps x
 PID TTY      STAT   TIME COMMAND
1599 ?        Ss     0:00 /sbin/rpc.statd
2409 ?        Sl     2:42 python /mnt/cache/.custom/sabnzbd/SABnzbd-0.5.6/SABnz
3600 ?        Sl     0:47 python /mnt/cache/.custom/couchpotato/couchpotato/Cou
15408 pts/3    S      0:00 bash
15446 pts/3    R+     0:00 ps x
nobody@p5bplus:/root$

then you see that they are running as Nobody (sickbeard is not all the time running yet on my unraid as i still need to move a bunch of shows to my unraid (need to add bigger disks or buy a bigger enclosure :P )

 

PLEASE NOTE that it is best to run all 3 either from a mounted disk or from your cache disk .... all 3 programs write quite a bit to their respective folders and a lot of changes will wear your usb key down ... and if your usb is dead then unraid will die too :( ... all three programs of mine are on my cache disk under .custom folder

 

3. Unmenu Userscript buttons

 

ok now since it is running, i also made userscript buttons for all 3 so that you can stop and start all three from unmenu

 

i post the code underneath... BE AWARE you need to adapt them a bit to your setup

 

Start Sab

#701-unmenu_user_script_Start_Sabnzbd
#define USER_SCRIPT_LABEL Start SABNZBD as Nobody
#define USER_SCRIPT_DESCR start Sabnzbd as user Nobody
#move to nobody and start SABNZBD
su nobody -c "python /Path/to/your/servers/SABnzbd.py -d -f /boot/config/SABnzbd.ini -s IP:PORT"

 

first line is just the name i save it under in the /boot/unmenu folder so this one is saved as 701-unmenu_user_script_Start_Sabnzbd.cgi

all 6 unmenu button scripts are saved with .cgi extension

rest of the lines are per directions from the unmenu usermanual on user scripts

 

Sab's webpage can be opened in seconds after the start button is pushed ...

 

Stop Sab

#702-unmenu_user_script_Stop_Sabnzbd
#define USER_SCRIPT_LABEL Stop SABNZBD
#define USER_SCRIPT_DESCR Stop Sabnzbd
#stopping SABNZBD
wget -q --delete-after http://sablogin:sabpassword@IP:PORT/shutdown?session=YOUR_SAB_APIKEY_HERE

 

this is an easy way to do the same as on the webpage and click shutdown :P

-q = quiet .. you can delete that and you will get some output in unmenu userscript page at the bottom which is handy for troubleshooting

--delete-after = will delete any html crap wget will download from the shutdown page

sablogin and sabpassword is the login name for SAB and the password for sab ... if you don't use one then you can delete that part together with the @

ip:port = your sab ip and port should be same IP as your unraid :P

YOUR_SAB_APIKEY_HERE= SAB api key you can find under config/general

 

Start Sickbeard

#703-unmenu_user_script_Start_Sickbeard
#define USER_SCRIPT_LABEL Start SICKBEARD as Nobody
#define USER_SCRIPT_DESCR start Sickbeard as user Nobody
#move to nobody and start Sickbeard
su nobody -c "python /Path/to/your/servers/SickBeard.py -d"

 

Sickbeard can take up to 2 minutes before the webpage opens... (at least in my case with more than 500 shows and 25000 eps)

 

Stop Sickbeard

#704-unmenu_user_script_Stop_Sickbeard
#define USER_SCRIPT_LABEL Stop SICKBEARD
#define USER_SCRIPT_DESCR Stop Sickbeard
#stopping Sickbeard
wget -q --delete-after http://Sickbeardlogin:Sickbeardpassword@ip:port/home/shutdown/

 

Sickbeard login and password are the username and password you use to login into the sickbeard webpage if you don't use you can delete this....

 

Start CouchPotato

#705-unmenu_user_script_Start_Couchpotato
#define USER_SCRIPT_LABEL Start COUCHPOTATO as Nobody
#define USER_SCRIPT_DESCR start Couchpotato as user Nobody
#move to nobody and start Couchpotato
su nobody -c "python /Path/to/your/servers/CouchPotato.py -d"

 

couchpotato takes at least 20 seconds before the webpage will open... this is because it loads first the database

 

Stop CouchPotato

#706-unmenu_user_script_Stop_Couchpotato
#define USER_SCRIPT_LABEL Stop COUCHPOTATO
#define USER_SCRIPT_DESCR Stop Couchpotato
#stopping Couchpotato
wget -q --delete-after http://couchpotatologin:couchpotatopassword@IP:PORT/config/exit/

 

again Couchpotato login and password are login and password that you use to get into the couchpotato webpage  if you don't use one you can delete...

 

guess this is it ... if you have problems i can try to help you when you post in this thread and if not maybe one of the other more advanced linux users will maybe help you out....

as i said before ... Only linux beginner (i hope not noob any more :P  ) ... there might be ways to do this more elegantly or faster but it works ....

 


Thanks sacretagent, I will be trying this tonight!

 

One related note... if you run couchpotato I don't think whatever drive you are running it from will sleep.  The other two will after a few changes to the configs.


running it on my cache drive... and he will never sleep i am afraid :P

sab downloads every month a lot of files for me :)

till now always has a queue from about 200 files LOL


sacretagent,

 

could you tell me what reasons would you have to run these programs with permissions other than root? If the root password is not default and constitutes a good password in itself, what are the risks running these processes as root?


biggest problem is that the downloaded files are ending up with root permissions and you need to run a chmod/chown script against it to access them

for me this is the only real reason...

i see in every linux forum everybody saying not to run things as root and I know a few programs out there will not run as root for some security reason....

but i also have no idea what could be the real issue...

I am not a hacker and have no intentions to become one so no idea where the panic is all about ...


That's odd, I'm running SABnzbd as root along with Sick Beard and CouchPotato, both of which move the files to the shares.  SABnzbd doesn't do the moving, so having that run as another user wouldn't do anything for the permissions.

 

I'm also seeing the files that Sick Beard and CouchPotato put in place on the shares without issue, and they are owned by root:

 

drwxr-xr-x 1 root root  256 Jan 18 13:56 ./

drwxr-xr-x 1 root root 3.4K Jan 15 12:11 ../

-rwx------ 1 root root  46K Jan 18 13:56 Wanted.jpg*

-rw-r--r-- 1 root root 6.6G May  3  2010 Wanted.mkv

-rwx------ 1 root root 5.7K Jan 18 13:56 Wanted.nfo*

 

Perhaps there is some other configuration or issue that's causing root owned files to not be seen on shares?


Cool stuff.

 

FYI, sab doesn't need the "-s IP:PORT" switch after it has been run the first time. The IP and port are stored in the config file.

 

Peter


That's odd, I'm running SABnzbd as root along with Sick Beard and CouchPotato, both of which move the files to the shares.  SABnzbd doesn't do the moving, so having that run as another user wouldn't do anything for the permissions.

 

 

Are you running a 5.0 beta or one of the 4. versions Tybio?


I recently installed sabnzbd, sickbeard, and couchpotato and also had an issue with the applications setting the owner / group to root : root for newly downloaded files.

 

I am running unRAID 4.6 connected to Active Directory and I wanted the owner / group to be assigned to a domain user and group.

 

My solution was to write a custom shell script that is executed when the applications are finished processing the downloaded files.

 

Sickbeard supports the execution of custom scripts VIA the extra_scripts property in the config.ini file.

 

After reviewing the Sickbeard / sabnzbd documentation I learned that the first argument passed to the custom script is the newly downloaded file and therefore my custom script is:

 

#!/bin/bash
chown "DOMAIN\user"."DOMAIN\media users" "$1"

 

I saved this script in the /mnt/cache/.custom/sickbeard/autoProcess/media-setowner.sh so it could also be used by sabnzbd.

 

In sabnzbd I created a couple of custom categories for Media files that are not downloaded by Sickbeard or CouchPotato and assigned my custom script VIA the script drop down.

 

I am still testing it out but so far it appears to be working.

 

 

 


Wahey.  Finally got this working.

 

I was using port 88 for SABnzbd but it didn't like this running under nobody. 

 

I gave it a higher port number and now it's working fine.  Thanks again sacretagent.


Oh, right... Only 'root' users can bind to ports below 1024. It's an old unix security adage.

 

The typical steps in other services are to invoke service as root to bind to any needed ports below 1024 then shed root privs and run under lower security user such as nobody or download.

 

There's another way of doing this, but I don't know if it's in unRAID or if it'll work for anything that's a script and I doubt you'd want to set it directly on python.

 

setcap 'cap_net_bind_service=+ep' /path/to/program
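
The two problems reported in this thread when moving a service from root to nobody (a port below 1024, and program folders that nobody does not own) can be checked before the service is started. This is an added example, not code from any post in this thread; the function names, port 8080 and the sabnzbd path are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before starting a service as an
# unprivileged user. All function names are hypothetical.

# port_ok UID PORT -> succeeds if a process running as UID may bind PORT.
# Ports below 1024 are reserved for root (UID 0) unless the program has
# been granted cap_net_bind_service.
port_ok() {
    [ "$1" -eq 0 ] || [ "$2" -ge 1024 ]
}

# count_foreign UID DIR -> prints how many paths under DIR are NOT owned
# by UID; anything above 0 means "chown -R" was not applied to the tree.
count_foreign() {
    find "$2" ! -user "$1" 2>/dev/null | wc -l | tr -d ' '
}

# preflight UID PORT DIR -> prints one line per problem and returns the
# number of problems found (0 = nothing blocks the start).
preflight() {
    problems=0
    if ! port_ok "$1" "$2"; then
        echo "port $2 is below 1024; UID $1 cannot bind it"
        problems=$((problems + 1))
    fi
    if [ ! -d "$3" ]; then
        echo "$3 does not exist (is the disk mounted yet?)"
        problems=$((problems + 1))
    else
        foreign=$(count_foreign "$1" "$3")
        if [ "$foreign" -gt 0 ]; then
            echo "$foreign path(s) under $3 are not owned by UID $1"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Possible use in the go script (port and path are placeholders):
#   preflight "$(id -u nobody)" 8080 /mnt/cache/.custom/sabnzbd || exit 1
```
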


Oh, right... Only 'root' users can bind to ports below 1024. It's an old unix security adage.

 

Yes, I came across this magic number after researching the error. When you see this do you want to put a note in the opening post sacretagent?


Are you running a 5.0 beta or one of the 4. versions Tybio?

 

I was running 4.5 (I believe, it's early) until yesterday when I moved up to 4.7Beta1


I had been running sickbeard with the log location of /var/log/ which meant my cache drive would spin down.

 

When running sickbeard as nobody I had to change the log directory to a folder on my cache drive otherwise it would generate permission errors with /var/log/.

 

After googling the issue it seems only root has access to /var/log/.  I have tried changing the permissions of /var/log/ to 775 but it still gives errors. 

 

Does anyone know if there is any way to give nobody access to write to /var/log/ or some other solution to change the logging of sickbeard to allow the cache drive to spin down?


With a permission mode of 775 you only opened it up to the same group. The /var/log/ directory is owned by 'root' user and is in the 'root' group.

 

The user 'nobody' is in the group 'nobody'.

 

To allow 'nobody' to have write permissions to the /var/log/ directory, you could possibly open up the other users permissions with a mode like 777.

 

Security warnings and all that apply when opening up directories to an account that was designed to be restrictive.


ah, OK.  Cheers Brit, I'll give it a go tonight.

 

My suggestion would be to NOT mess with /var/log and print it to something like /tmp/log


thanks pro but using /tmp/log doesn't appear to let the drive spindown.

 

I've 777'd my /var/log directory and it's working now.  Nothing has blown up just yet but I'll keep an eye on it...


thanks pro but using /tmp/log doesn't appear to let the drive spindown.

 

I've 777'd my /var/log directory and it's working now.  Nothing has blown up just yet but I'll keep an eye on it...

 

There is no log directory in /tmp by default, you would need to create it.  I suggested /tmp/log as to keep things consistent with /var/log.

 

If you create the log folder in /tmp and then put the log files there the drives should spin down like they did previously.
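
A narrower alternative to the chmod 777 on /var/log discussed above is a dedicated subdirectory that only the service account can write to. This is an added example, not code from any post in this thread; the function names and the sickbeard directory name are assumptions, and the owner and group follow the thread's statement that user nobody is in group nobody.

```shell
#!/bin/sh
# Added example: give one service account its own writable log directory
# instead of making all of /var/log world-writable. Names are hypothetical.

# make_service_logdir BASE NAME OWNER GROUP
# Creates BASE/NAME with mode 750, owned by OWNER:GROUP, and prints its path.
# Changing the owner to another user needs root, which the go script has.
make_service_logdir() {
    dir="$1/$2"
    mkdir -p "$dir" || return 1
    chown "$3:$4" "$dir" || return 1
    chmod 750 "$dir" || return 1
    echo "$dir"
}

# is_world_writable DIR -> succeeds if "other" has write permission on DIR,
# which is the state chmod 777 leaves /var/log in.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Possible use in the go script, before Sick Beard is started:
#   make_service_logdir /var/log sickbeard nobody nobody
# then point Sick Beard's log directory at /var/log/sickbeard.
```
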


The user scripts above (modified to match my settings, obviously) are not working for me... I'm not using the 'nobody' user and attempted to just use root --> anyone know what may be the issue?

 

The buttons appear and look fine but clicking one does not lead to a start or stop.


So I've never encountered a problem with accessing my downloaded files.  Is this because I haven't changed the unRAID basic security settings?  If I end up having user-level access, is this when I'll have to go down this road?  And having SAB add 777 permissions to my downloaded files won't fix that?


So I've never encountered a problem with accessing my downloaded files.  Is this because I haven't changed the unRAID basic security settings?  If I end up having user-level access, is this when I'll have to go down this road?  And having SAB add 777 permissions to my downloaded files won't fix that?

 

I have user level security and no problem with root running the python servers.


So I've never encountered a problem with accessing my downloaded files.  Is this because I haven't changed the unRAID basic security settings?  If I end up having user-level access, is this when I'll have to go down this road?  And having SAB add 777 permissions to my downloaded files won't fix that?

 

I have user level security and no problem with root running the python servers.

 

It is only an issue in 5 series i think :0

 

different way of setting things up...  i never tried the 4 series so i am not sure but i read something like that  in the release notes


The user scripts above (modified to match my settings, obviously) are not working for me... I'm not using the 'nobody' user and attempted to just use root --> anyone know what may be the issue?

 

The buttons appear and look fine but clicking one does not lead to a start or stop.

if you add what you are using then we can advise you but in the quoted post is not enough information

basically your last line should be something like this

 

python /Path/to/your/servers/SickBeard.py -d

 

maybe with Quotes around them

 


This was just what I was looking for.  I am in the process of installing all of my drives and copying stuff over to my new unraid.  I use all of these on windows, so this would be great to get running on the unraid pc. 

 

Has anyone had success with this?  I am new to linux, so let me know if you had to change anything.

I will give it a go in a couple of days and let you know what happens.

 

Thanks again.
