Running FlexNet Publisher License Server as a System Service With Non-Elevated Privileges

lmadmin can be configured to run as a service under the LocalService account. That account provides the privileges the service needs and no more, and the vendor daemon that lmadmin starts inherits the same reduced privileges. Running this way limits what an attacker on the corporate network gains by exploiting a vulnerability in the licensing services: the compromise stays confined to that account and its files rather than extending to the whole host.

The instructions below are examples for enabling the lmadmin operating-system service to run under a non-root or non-administrator user account. The instructions assume that you have lmadmin already installed.

Procedure Overview

Managing the license server as a system service typically requires three main phases:

Phase 1—Install the license server as a system service. This step typically requires elevated privileges. See the previous section, Installing lmadmin License Server Manager as an Operating System Service.
Phase 2—Identify or create a user account with non-elevated privileges. You should create a user account (either a domain account or a local account) that is dedicated to running the license server system service. In the instructions that follow, this user account is referred to as the Service User account. Make sure that this Service User account has sufficient permissions to read the license files and write the log files in the designated folders.
Phase 3—Configure the installed license server system service to use the Service User account. This step requires elevated privileges as well.

The following sections provide steps (based on the above procedure overview) for enabling the lmadmin license server to run with non-elevated user privileges on various operating-system platforms. Adjust these steps as needed for your specific platform or platform version.

Windows Systems

Use the following procedure to run the lmadmin system service with non-elevated privileges on Windows.

To configure the lmadmin system service to run with non-elevated user privileges:

1. If lmadmin was not set up as a Windows service during the lmadmin installation process, install the service from the command line:

lmadmin -configDir <conf_path> -installService <servicename>

where <servicename> is the name of the lmadmin Windows service.

This step requires elevated user privileges.

2. Create a Service User account either on the local system or on the domain.
3. Grant this lesser-privileged account the permissions to start and stop the service. Use any appropriate method, such as Security Descriptor Definition Language (for example, sc sdset <servicename> with an edited descriptor from sc sdshow <servicename>) or a publicly available third-party tool such as SetACL.

The following steps use SetACL to manage the permissions for the service:

a. Download and install the command-line SetACL utility.
b. From the command-line, change to the directory where the SetACL utility is installed, and execute this command:

SetACL.exe -on "<servicename>" -ot srv -actn ace -ace "n:<domain>\<serviceuser>;p:start_stop"

where:

servicename is the name of the installed lmadmin service.
domain is the domain to which the user belongs.
serviceuser is the user under which the lmadmin service is intended to run.
4. To designate the Service User, open the Windows Services console (services.msc; on some Windows versions it is reached from Administrative Tools in the Control Panel or from the Task Manager).
5. From the Services console, do the following:
a. Right-click the lmadmin service, and select the Properties option.
b. Under the Log On tab, select This account, and specify the Service User and its password. Setting the account here also grants it the Log on as a service right, which the service needs and which an ordinary user account does not have by default.

To confirm the change, run sc qc <servicename> and check that SERVICE_START_NAME shows the Service User. After restarting the service, check in Task Manager or with tasklist /v that lmadmin.exe and the vendor daemon run under that account and not under LocalSystem.

Linux Systems

The procedure for setting up lmadmin as a system service and configuring it to run with non-elevated rights is platform dependent:

Linux platforms that use the old BSD startup script: Use the sample script file lmadmin (located in the <lmadmin_install_dir>/examples/service directory). Follow the instructions under Procedure for Linux Platforms Using the Old BSD Startup Script.
Linux platforms that use the new systemd startup script: Use the sample script file lmadmin.service (located in the <lmadmin_install_dir>/examples/systemd directory). Follow the instructions under Procedure for Linux Platforms Using the New systemd Service Startup.

Procedure for Linux Platforms Using the Old BSD Startup Script

If you have already configured lmadmin to start up as a system service, skip steps 1 and 2 in the following procedure. However, you must still access this script to make additional modifications, as described below.

To configure the lmadmin system service to run with non-elevated user privileges on platforms using the old BSD startup script:

1. Copy the sample script file lmadmin to the /etc/rc.d/init.d directory.

Important: Once the script is copied, make sure it is executable (for example, chmod 755 /etc/rc.d/init.d/lmadmin).

2. To update the run-level information for the service, execute the following command:

chkconfig lmadmin on

3. Modify the following line in the script to identify the lmadmin path:

installDir="/opt/FNPlm/lmadmin"

where the installDir value is the directory in which the lmadmin binary is installed.

4. Modify the following line in the script to identify the user under which the lmadmin system service will run:

lmadminUser="lmadmin"

where the lmadminUser value is the name of the Service User account with the non-elevated privileges.

5. Remove --pidfile=${pidFile} from the following line under the start() section:

daemon --user $lmadminUser --pidfile=${pidFile} "$lmadmin" -root "$installDir"

6. Save the changes in the script.
7. To start the lmadmin system service under the user you specified for lmadminUser, execute the following command:

service lmadmin start

Procedure for Linux Platforms Using the New systemd Service Startup

If you have already configured lmadmin to start up as a system service, skip Step 1 through Step 6 in the following procedure. However, you must still access the appropriate script to make additional modifications, as described below.

To configure the lmadmin system service to run with non-elevated user privileges on platforms using the systemd startup script:

1. Copy the sample script file lmadmin.service to the /etc/systemd/system directory.

Important: Once the unit file is copied, make sure it is readable by systemd. Unit files are normally owned by root with mode 644; unlike an init script, a unit file is not executed and does not need execute permission.

2. Modify the following line in the script to identify the lmadmin path:

Environment="installDir=/opt/FNPlm/lmadmin"

where the installDir value is the directory location where the lmadmin binary is installed.

3. Modify the following line in the script to identify the user under which the lmadmin system service will run:

User=lmadmin

where the lmadmin value is the name of the Service User account with the non-elevated privileges.

4. Modify the following line in the script to identify the group under which the lmadmin system service will run:

Group=lmadmin

where the lmadmin value is the name of the group with the non-elevated privileges.

5. Modify the following line in the script to identify the absolute lmadmin executable path:

ExecStart=/opt/FNPlm/lmadmin/lmadmin -root ${installDir}

6. Save the changes in the script.
7. To make systemd read the new unit file, execute the following command:

systemctl daemon-reload

8. To have the lmadmin systemd service start at boot, execute the following command:

systemctl enable lmadmin.service

9. To start the lmadmin system service now, under the account you specified with User=, execute the following command:

systemctl start lmadmin.service
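Both Linux procedures above end with a running lmadmin, but neither includes a check that the result is actually unprivileged. The script below is an added example, not part of the lmadmin documentation or of Flexera's sample init and systemd scripts. It lints a systemd unit for the settings the procedure makes (User=, Group=, installDir and ExecStart) and, on a live host, checks that every lmadmin process, and the vendor daemon it spawns, runs as the Service User; that live check applies equally to the init-script setup. The account name lmadmin, the unit path /etc/systemd/system/lmadmin.service, the vendor daemon name you pass in, and the two sample unit files are assumptions for illustration, and the Environment= line is assumed to carry only installDir.

```shell
#!/bin/sh
# Added example: not part of the lmadmin documentation or of Flexera's sample
# init/systemd scripts. Checks that the license server is configured to run,
# and is actually running, without elevated privileges.
# Assumptions: the Service User is "lmadmin", the unit lives at
# /etc/systemd/system/lmadmin.service, the Environment= line holds only
# installDir, and ExecStart points inside installDir.
set -eu

# unit_get FILE KEY: print the last KEY= value in the [Service] section
# (last assignment wins, as in systemd); prints nothing if unset.
unit_get() {
  awk -v key="$2" '
    /^\[/ { sect = $0; next }
    sect == "[Service]" && index($0, key "=") == 1 { v = substr($0, length(key) + 2) }
    END { if (v != "") print v }
  ' "$1"
}

# lint_unit FILE USER: return 0 if FILE runs the server as USER (never root)
# from a path under its declared installDir; print every finding, return 1 on any FAIL.
lint_unit() {
  unit=$1 want=$2 rc=0
  user=$(unit_get "$unit" User)
  case "$user" in
    "")      echo "FAIL: no User= in [Service]; systemd would start lmadmin as root"; rc=1 ;;
    root|0)  echo "FAIL: User=$user"; rc=1 ;;
    "$want") ;;
    *)       echo "FAIL: User=$user, expected $want"; rc=1 ;;
  esac
  [ -n "$(unit_get "$unit" Group)" ] ||
    echo "WARN: no Group=; the primary group of $user will be used"
  dir=$(unit_get "$unit" Environment | tr -d '"')
  dir=${dir#installDir=}
  exe=$(unit_get "$unit" ExecStart)
  if [ -z "$dir" ]; then
    echo "FAIL: no Environment=\"installDir=...\" line"; rc=1
  else
    case "$exe" in
      "$dir"/*) ;;
      *) echo "FAIL: ExecStart '$exe' is not under installDir '$dir'"; rc=1 ;;
    esac
  fi
  [ "$(unit_get "$unit" NoNewPrivileges)" = "true" ] ||
    echo "WARN: consider NoNewPrivileges=true so lmadmin and the vendor daemon cannot regain privileges through setuid binaries"
  return $rc
}

# running_as NAME USER: return 0 only if every running process called NAME is
# owned by USER (compared by uid). Works for the init-script and the systemd
# setup alike; run it for the vendor daemon too, which inherits lmadmin's user.
running_as() {
  name=$1 want_uid=$(id -u "$2")
  pids=$(pgrep -x "$name" || true)
  [ -n "$pids" ] || { echo "FAIL: no process named $name is running"; return 1; }
  for p in $pids; do
    uid=$(ps -o uid= -p "$p" | tr -d ' ')
    [ "$uid" = "$want_uid" ] ||
      { echo "FAIL: pid $p ($name) runs as uid $uid, not $2 ($want_uid)"; return 1; }
  done
  echo "OK: $name runs as $2"
}

# write_samples DIR: constructed unit files for trying the linter offline.
# good.service mirrors the documented procedure; bad.service omits User=,
# which systemd treats as root, and runs a binary outside installDir.
write_samples() {
  cat > "$1/good.service" <<'EOF'
[Unit]
Description=FlexNet Publisher License Server (lmadmin)
After=network.target

[Service]
Environment="installDir=/opt/FNPlm/lmadmin"
User=lmadmin
Group=lmadmin
ExecStart=/opt/FNPlm/lmadmin/lmadmin -root ${installDir}
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
EOF
  cat > "$1/bad.service" <<'EOF'
[Unit]
Description=lmadmin, copied without setting the Service User

[Service]
Environment="installDir=/opt/FNPlm/lmadmin"
ExecStart=/usr/local/bin/lmadmin -root ${installDir}
EOF
}

# On a live host (assumed paths): sh check_lmadmin.sh live
# Pass your vendor daemon's name to running_as as well.
if [ "${1:-}" = "live" ]; then
  lint_unit /etc/systemd/system/lmadmin.service lmadmin
  running_as lmadmin lmadmin
fi
```

The linter deliberately treats a missing User= as a failure rather than a warning: a unit copied from the examples directory without step 3 silently runs the license server as root, which is exactly the outcome this section exists to prevent. The uid comparison in running_as avoids the truncated user-name column some ps implementations print.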

Other UNIX Systems

After configuring lmadmin to start up as a system service, as described in Installing lmadmin License Server Manager as an Operating System Service, modify the startup script (lmadmin or similar script) to run the lmadmin service with non-elevated privileges. Use the instructions in the previous section, Linux Systems, as a guide for editing the script. However, adjust the procedure as needed for your specific UNIX platform.

OS X Systems

See the previous section, OS X Systems, under Installing lmadmin License Server Manager as an Operating System Service.