System User, sudo Privileges and systemd
This topic describes the system user, the systemd user service and sudo privileges in the context of Tableau Server.
Privilege separation
Following standard security best practices, Tableau Server for Linux runs processes with the least privilege possible. During installation, the unprivileged user, tableau, is created in a server authorised group (tableau).
An example user entry in the /etc/passwd file is as follows:
tableau:x:993:991:Tableau Server:/var/opt/tableau/tableau_server:/bin/bash
All processes run as the unprivileged tableau user. This means that if one of the Tableau Server processes (such as a process displaying vizzes to users) were compromised in some fashion, it would only be able to impact Tableau Server, not the rest of the Linux system. For this reason, you should not add the tableau unprivileged user to the tsmadmin group. The tsmadmin group should only contain accounts that require authorisation to access OS-related Tableau configurations.
The tableau user and tsmadmin group are created by the Tableau Server initialisation process. You can specify a different unprivileged user or TSM authorisation group during installation. For more information about system users and groups, in the context of installation and LDAP configuration, see Identity Store.
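An added example, not part of the Tableau documentation: a shell check that the unprivileged account has not been placed in the TSM authorisation group, either as a listed member or through its primary GID. The function names are hypothetical, the defaults are the tableau and tsmadmin names from this page, and it assumes accounts are defined in the local /etc/passwd and /etc/group files rather than in LDAP.

```shell
#!/bin/sh
# Added example (not Tableau's code): audit the privilege separation
# described above. Function names are hypothetical.

# in_group USER GROUP [PASSWD_FILE] [GROUP_FILE]
# Returns 0 if USER belongs to GROUP, either through the member list in the
# group file or because GROUP is the user's primary group in the passwd file.
in_group() {
    user=$1
    group=$2
    passwd_file=${3:-/etc/passwd}
    group_file=${4:-/etc/group}

    # Group entry layout: name:password:gid:member1,member2,...
    group_line=$(awk -F: -v g="$group" '$1 == g { print; exit }' "$group_file")
    [ -n "$group_line" ] || return 1
    gid=$(printf '%s\n' "$group_line" | cut -d: -f3)
    members=$(printf '%s\n' "$group_line" | cut -d: -f4)

    # Supplementary membership: exact match in the comma-separated list,
    # so "tableau" does not match a member named "tableau2".
    case ",$members," in
        *",$user,"*) return 0 ;;
    esac

    # Primary membership: field 4 of the passwd entry equals the group's GID.
    primary=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd_file")
    [ -n "$primary" ] && [ "$primary" = "$gid" ]
}

# audit_separation [USER] [GROUP] [PASSWD_FILE] [GROUP_FILE]
# Prints a finding and returns 1 when the service account is in the group.
audit_separation() {
    user=${1:-tableau}
    group=${2:-tsmadmin}
    if in_group "$user" "$group" "$3" "$4"; then
        echo "FAIL: $user is a member of $group"
        return 1
    fi
    echo "OK: $user is not a member of $group"
}
```

Calling audit_separation with no arguments checks the live files; pass the user and group names chosen at installation if they differ from the defaults.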
sudo privileges
The first version (10.5) of Tableau Server on Linux relied on sudo privileges by updating the sudoers file. Updating the sudoers file conflicts with some system management configuration best practices and security policies. Therefore, the 2018.1 version (and later) of Tableau Server no longer creates or uses a privileged user (tsmagent). Nor does the current version of Tableau Server update or include a Tableau-specific sudoers file.
All privileged operations now occur during package and software installation.
systemd user service
In the 10.5 version of Tableau Server on Linux, sudo privileges were required to modify or restart the TSM services, which required systemctl commands. All TSM services were run from the normal system-wide systemd process (process ID 1, which runs all processes on the operating system). In this scheme, the systemd process runs as root. Therefore, the 10.5 version of Tableau Server required sudo privileges.
With the current 2018.1 (and later) releases, we have removed the need for sudo privileges by making use of the systemd capability to run as a user service. The systemd user service runs as a normal user, so it does not need any special privileges once it has been enabled.
In normal use cases, you will not need to issue commands to systemd because TSM takes care of that. However, for troubleshooting scenarios, you may need to interact with the TSM services. As with the previous versions, you will issue the same systemctl commands for these scenarios. However, commands should be run as the tableau user, and not as root. If you specified a different unprivileged system user during Tableau Server setup, then run the commands as that user.
Running systemctl commands
Use the following syntax example to issue requests to systemd with systemctl commands.
Start a session as the unprivileged user. The -l flag is critical to set environment variables properly.
sudo su -l tableau
Then issue commands. For example:
systemctl --user status tabadmincontroller_0
systemctl --user restart tabadmincontroller_0