How to Log from a Non-Root Debian Linux Daemon

How should I log from a non-root Debian Linux daemon?

You should create a subdirectory like /var/log/mydaemon owned by the daemon's user.

Linux journal daemon log and/or persist only the error/critical event logs

Use MaxLevelStore=crit

This controls the maximum log level of messages that are stored in the journal.
Messages equal or below the log level specified are stored, messages above are dropped. Defaults to "debug".

Disabling Auto root login on a Debian-based distro?

Got it!

The file to edit is:

/lib/systemd/system/getty@.service

You need to replace 'root' with the user you want on the EXEC line!

Hope it will help you if the struggle tends to be too real!

design pattern for logging from a web server worker as an unprivileged user in python

By creating a folder for your process inside the /var/log and /var/run folders, you can change the owner and group from within the init script (as it's run by root), so the process will have write access to it. For /var/log, it is enough to create the folder once, but the /var/run folder will have to be recreated on every system restart. This is how I solved it (for simplicity I recreate both folders here):

DAEMON_USER='unprivilegeduser'
DAEMON_GROUP='unprivilegedgroup'
DAEMON_PID_DIR='/var/run/myprocessname'
DAEMON_LOG_DIR='/var/log/myprocessname'
PIDFILE="$DAEMON_PID_DIR/gunicorn.pid"
LOGFILE="$DAEMON_LOG_DIR/gunicorn.error.log"

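# Runs as root inside the init script: create both directories
# and hand them over to the unprivileged daemon user.
mkdir -p "$DAEMON_PID_DIR"
mkdir -p "$DAEMON_LOG_DIR"
chown "$DAEMON_USER:$DAEMON_GROUP" "$DAEMON_PID_DIR"
chown "$DAEMON_USER:$DAEMON_GROUP" "$DAEMON_LOG_DIR"

[...]
# gunicorn's PID file option is spelled --pid (or -p)
gunicorn -u nobody -b 127.0.0.1:8000 \
    --error-logfile="$LOGFILE" --pid="$PIDFILE" -D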

I have a server which is used by my team with the same user name. I want to trace who has triggered a particular command?

You are out of luck. All the logs and even the bash history file would be a total mess because it does not record the virtual terminal interface (tty) the command came from. The proper approach would be to use different users. If those users need to launch commands with root privileges, you can manage that with the sudo command.

I would suggest checking Super User for more specialized answers; Stack Overflow is more oriented to programming.

running python-daemon as non-privileged user and keeping group-memberships

My current solution involves dropping root privileges before starting the actual daemon, using the chuid argument for start-stop-daemon:

start-stop-daemon \
    --start \
    --chuid daemonuser \
    --name testdaemon \
    --pidfile /var/run/testdaemon/test.pid \
    --startas /tmp/testdaemon.py \
    -- \
    --pidfile /var/run/testdaemon/test.pid \
    --logfile=/var/log/testdaemon/testdaemon.log

The drawback of this solution is that I need to create all directories where the daemon ought to write to (notably /var/run/testdaemon and /var/log/testdaemon) before starting the actual daemon (with the proper file permissions).

I would have preferred to write that logic in Python rather than bash.

For now that works, but me thinketh that this should be solvable in a more elegant fashion.
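The directory setup and privilege drop described in the answer above, written in Python instead of the init script. This is an added example, not code from the original post. The function names prepare_dir, drop_privileges and start are hypothetical; the user name and paths are the ones from the start-stop-daemon call, and the process is assumed to start as root.

```python
import os
import pwd


def prepare_dir(path, uid, gid, mode=0o750):
    """Create path (as root in real use) and hand it over to uid:gid."""
    os.makedirs(path, mode=mode, exist_ok=True)
    # O_NOFOLLOW makes the open fail if a symlink sits where the directory
    # should be, so root never chowns whatever the link points at.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.fchown(fd, uid, gid)
        os.fchmod(fd, mode)  # the mode given to makedirs is filtered by the umask
    finally:
        os.close(fd)


def drop_privileges(username):
    """Switch permanently from root to username, keeping its group memberships."""
    if os.geteuid() != 0:
        raise PermissionError("must start as root to drop privileges")
    pw = pwd.getpwnam(username)
    # Order matters: groups can no longer be changed once the uid is dropped.
    os.initgroups(pw.pw_name, pw.pw_gid)  # supplementary groups from the group database
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    try:
        os.setuid(0)  # must fail now, otherwise the drop was not permanent
    except PermissionError:
        return pw
    raise RuntimeError("privileges were not dropped")


def start(username="daemonuser",
          dirs=("/var/run/testdaemon", "/var/log/testdaemon")):
    """Root-only setup, then the drop; call this before any daemon logic runs."""
    pw = pwd.getpwnam(username)
    for d in dirs:
        prepare_dir(d, pw.pw_uid, pw.pw_gid)
    os.umask(0o027)  # files the daemon creates are not world-readable
    drop_privileges(username)
    # From here on the process runs as `username`; open the log and PID
    # files and enter the daemon's main loop.
```

Because /var/run is usually cleared at boot, start() has to run on every launch, which is why the directory creation sits next to the privilege drop.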

How to access as root with WinSCP to Debian 8 server

If you are trying to log in to SFTP as root with a password, and not with an RSA key, edit

nano /etc/ssh/sshd_config

and change the line

PermitRootLogin without-password

to

PermitRootLogin yes

