By default Greengrass will run your component using ggc_user as the user and ggc_group as the group. Adding ggc_user to the tty group won't be sufficient because it isn't running using the dialout group, but as ggc_group. You can replicate Greengrass's behavior using sudo like "sudo -u ggc_user -g ggc_group -E <your command>". To address this you can set up your component to run using the dialout group, or to use all of the user's groups. To do this, create a new deployment and edit the runWith configuration for the component so that the posixUser key is "ggc_user". This will run your component as ggc_user with all of that user's groups. To run with a specific group, use "ggc_user:<group name>".
Cheers,
Michael
Thank you very much for your answer. That makes sense. So what is the recommended practice with accessing local resources? For example, if I need access to system directories, such as /opt, do I give ggc_user root access, or run the component as "root"? Thanks!
The best solution would be to change the directory's permissions so that the user has the minimum access that it can while still allowing it to do what is necessary. Sometimes running as root is necessary, in which case you should use the RequiresPrivilege keyword in the recipe (see: https://docs.aws.amazon.com/greengrass/v2/developerguide/component-recipe-reference.html#recipe-format). However, try to avoid running as root when you can for the best security posture.
Cheers,
Michael
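The group behaviour described in this thread can be checked before deploying. The script below is an added example, not AWS code and not part of the original answers: it evaluates whether a runWith posixUser value ("user" or "user:group") gets read/write access to a path under the standard owner/group/other permission model. The function names can_rw, run_groups and check_path are hypothetical, and check_path assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example (not AWS code). Models owner/group/other bits only;
# ACLs, root and capabilities are ignored.

# can_rw MODE OWNER GROUP RUN_USER RUN_GROUPS -> exit 0 if read+write is granted.
# MODE is octal (e.g. 660); RUN_GROUPS is a space-separated list of group names.
can_rw() (
    perms=$(( 0$1 ))
    if [ "$4" = "$2" ]; then
        bits=$(( (perms >> 6) & 7 ))          # owner class wins outright
    else
        bits=$(( perms & 7 ))                 # default: "other" class
        for g in $5; do
            if [ "$g" = "$3" ]; then
                bits=$(( (perms >> 3) & 7 ))  # group class
                break
            fi
        done
    fi
    [ $(( bits & 6 )) -eq 6 ]                 # 4 = read, 2 = write
)

# run_groups POSIXUSER -> groups selected by a posixUser value:
# "user:group" runs with that one group, "user" with all of the user's groups.
run_groups() {
    case $1 in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   id -Gn "$1" ;;
    esac
}

# check_path PATH POSIXUSER -> prints OK/DENY; exit 0 allowed, 1 denied, 2 error.
check_path() (
    mode=$(stat -c %a "$1") && owner=$(stat -c %U "$1") &&
        group=$(stat -c %G "$1") || exit 2    # GNU stat (assumption)
    groups=$(run_groups "$2") || exit 2
    if can_rw "$mode" "$owner" "$group" "${2%%:*}" "$groups"; then
        echo "OK   $2 -> $1 ($owner:$group mode $mode)"
    else
        echo "DENY $2 -> $1 ($owner:$group mode $mode)"
        exit 1
    fi
)

# Usage: sh check.sh /dev/ttyUSB0 ggc_user:ggc_group
if [ "$#" -eq 2 ]; then check_path "$1" "$2"; fi
```

For a constructed device owned by root:dialout with mode 660, "ggc_user:ggc_group" is denied, while "ggc_user:dialout" is allowed and plain "ggc_user" is allowed only once the user is a member of dialout.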
