gnunet-developers

Re: [GNUnet-developers] service files


From: ng0
Subject: Re: [GNUnet-developers] service files
Date: Tue, 26 Mar 2019 17:48:26 +0000

address@hidden transcribed 6.2K bytes:
> Mx. ng0 paging all GNUnet hackers :) This is the last major bit
> which prevents a merge of gnunet into pkgsrc proper.
> 
> Anything helps. Expected environment of the arm process.
> Access levels. pgid etc. Anything.
> 
> Thanks!

More info, as I started thinking about why an otherwise
okay config throws errors in rc (with changes to start
it after LOGIN).

This is the same rc script but with the addition of
executing env and then starting gnunet-arm.

[running /etc/rc.d/gnunet]
Starting gnunet.
PWD=/
TMP=/tmp
HOME=/var/chroot/gnunet
PATH=/sbin:/bin:/usr/sbin:/usr/bin
_rc_original_stdout_fd=7
USER=gnunet
_rc_original_stderr_fd=8
SU_FROM=root
RC_PID=   8
_rc_pid=2
_rc_postprocessor_fd=9
Mar 26 17:36:30-520209 gnunet-arm-530 ERROR Unreadable or malformed configuration file `/usr/pkg/etc/gnunet/gnunet.conf', exit ...
/etc/rc.d/gnunet exited with code 1

> address@hidden transcribed 5.6K bytes:
> > address@hidden transcribed 5.1K bytes:
> > > Christian Grothoff transcribed 3.8K bytes:
> > > > On 3/7/19 4:48 PM, Schanzenbach, Martin wrote:
> > > > > Hi,
> > > > > 
> > > > >> On 7. Mar 2019, at 15:28, address@hidden wrote:
> > > > >>
> > > > >> I just learned about a couple more specific systemd settings.
> > > > >> The ones I think which could be useful to extend our systemd
> > > > >> example service with are below.
> > > > >>
> > > > >>> PrivateTmp:
> > > > >>> Use private /tmp and /var/tmp folders inside a new file system 
> > > > >>> namespace, which are discarded after the process stops.
> > > > > 
> > > > > GNUnet has lots of things that need persistence. Like cryptographic 
> > > > > keys.
> > > > 
> > > > Right, but never anything in /tmp. So this should be fine.
> > > > 
> > > > >>
> > > > >>> ProtectHome:
> > > > >>> The /home, /root, and /run/user folders can not be accessed by this 
> > > > >>> service anymore. If your Pleroma user has its home folder in one of 
> > > > >>> the restricted places, or use one of these folders as its working 
> > > > >>> directory, you have to set this to false.
> > > > >>
> > > > 
> > > > This breaks file-sharing indexing. So this should (with the current
> > > > implementation of FS) not be done for gnunet-service-fs by default.
> > > > Note that my planned (for 2030...) re-design of FS would lift this
> > > > restriction and enable setting ProtectHome.
> > > > 
> > > > > See above. /home/<user>/.config/gnunet et al.
> > > > > 
> > > > >>> ProtectSystem:
> > > > >>> Mount /usr, /boot, and /etc as read-only for processes invoked by 
> > > > >>> this service.
> > > > >>
> > > > > This might be interesting wrt hardening? Idk.
> > > > 
> > > > Yes, and GNUnet by design respects /usr, /boot and /etc being read-only.
> > > > So it would be a good thing for security to enforce this on platforms
> > > > where this is easily done.
> > > > 
> > > > 
> > > 
> > > This follow-up is not systemd, but I guess that you can help.
> > > The rc.d script I have[0] keeps failing with weird errors.
> > > Previously it was just https://bugs.gnunet.org/view.php?id=5632,
> > > but with this more recent configuration I can not get normal
> > > users in group gnunet to start their own gnunet-arm:
> > > 
> > > Mar 11 09:29:46-674528 util-service-321 WARNING `bind' failed for `/tmp/gnunet-ng0-runtime//gnunet-service-arm.sock': address already in use
> > > Mar 11 09:29:46-674980 arm-321 ERROR `bind' failed at service.c:1847 with error: Address already in use
> > > Mar 11 09:29:46-675072 arm-321 ERROR Could not bind to any of the ports I was supposed to, refusing to run!
> > 
> > Magically this no longer is a problem (I changed nothing but it works!),
> > but the original problem remains.
> >  
> > > so /var/chroot/ for gnunet folder:
> > > 
> > > drwx------   6 gnunet    gnunet    1024 Mar 11 09:29 gnunet
> > > 
> > > inside gnunet:
> > > 
> > > drwxr-xr-x   3 gnunet  gnunetdns   512 Feb 28 21:34 .cache
> > > drwxr-xr-x   3 gnunet  gnunetdns   512 Mar  1 10:52 .config
> > > drwxr-xr-x   3 gnunet  gnunetdns   512 Mar  1 10:52 .local
> > > drwxr-xr-x   7 gnunet  gnunetdns   512 Mar 11 00:43 data
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-ats.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-cadet.sock
> > > srwx------   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-consensus.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-core.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-datastore.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-dht.sock
> > > srwx------   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-dns.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-fs.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-namecache.sock
> > > srwx------   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-nat-auto.sock
> > > srwx------   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-nat.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-nse.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-peerinfo.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-peerstore.sock
> > > srwxrwxrwx   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-regex.sock
> > > srwxrwxrwx   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-resolver.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-revocation.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-scalarproduct-alice.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-scalarproduct-bob.sock
> > > srwx------   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-set.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-statistics.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-transport.sock
> > > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-vpn.sock
> > > 
> > > while at least .config and .local are remains from previous 
> > > configurations.
> > > When I did not set GNUNET_DATA_HOME, GNUNET_RUNTIME_DIR, and GNUNET_HOME
> > > (so against our own recommendations for distributors ;)) it worked but
> > > #5632 occurred.
> > > 
> > > perms on /usr/pkg/etc/gnunet and its contained config file:
> > > 
> > > drwxr-xr-x   2 root  wheel     512 Mar 10 23:33 gnunet
> > > 
> > > -rw-r--r--   1 root  wheel  1858 Mar 10 23:33 gnunet.conf
> > > 
> > > 
> > > Is there an obvious mistake somewhere? 
> > > 
> > > 0: 
> > > https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=tree;f=gnunet;h=f36cec375236bb80d621681d4f958483848be396;hb=HEAD
> > >    in "files"
> > > 
> > > _______________________________________________
> > > GNUnet-developers mailing list
> > > address@hidden
> > > https://lists.gnu.org/mailman/listinfo/gnunet-developers
> > > 
> > 
> 

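The two failure modes in this thread, a configuration file that gnunet-arm reports as unreadable once it runs under the rc.d environment, and runtime sockets whose permissions are wider than the rest (the two `srwxrwxrwx` entries in the listing), are both things an rc.d script can check before it execs the daemon. The script below is an added example and is not part of this thread, of GNUnet, or of the pkgsrc rc.d script; the function names are mine, and it assumes it is run as the service user (for instance under `su -m gnunet`) so that `test -r` reflects that user's real access rather than root's. It parses the mode field of `ls -ld` rather than `stat`, because that field is specified by POSIX and so behaves the same on NetBSD and GNU userlands.

```shell
#!/bin/sh
# Pre-flight checks for a daemon's runtime environment before an rc.d script
# execs it. Added example, not from the GNUnet project or pkgsrc; run it as the
# service user (e.g. under su -m gnunet) so `test -r` reflects that user's access.
# Function names and the `ls -ld` mode parsing are assumptions of this example.

# 0 if $1 is a regular file the invoking user can read, 1 otherwise.
check_config_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Print the 10-character mode field (type + owner/group/other bits) of $1.
# The first field of `ls -ld` is standardised by POSIX, so this works on
# BSD and GNU userlands alike, unlike the differing `stat` flag sets.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# 0 if directory $1 exists and is not writable by "other", 1 otherwise.
check_dir_not_world_writable() {
    [ -d "$1" ] || return 1
    case "$(mode_of "$1")" in
        ????????w?) return 1 ;;   # 9th character is the other-write bit
        *) return 0 ;;
    esac
}

# 0 if $1 (a socket or file) grants no permission at all to "other".
check_path_private() {
    [ -e "$1" ] || return 1
    case "$(mode_of "$1")" in
        ???????---) return 0 ;;   # characters 8-10 are the "other" triple
        *) return 1 ;;
    esac
}

# Run every check; report each failure on stderr and return the failure count
# (0 means the environment looks sane enough to start the daemon).
preflight() {
    conf=$1 home=$2 rundir=$3
    failures=0
    check_config_readable "$conf" || {
        echo "preflight: config not readable by $(id -un): $conf" >&2
        failures=$((failures + 1))
    }
    [ -d "$home" ] || {
        echo "preflight: HOME does not exist: $home" >&2
        failures=$((failures + 1))
    }
    check_dir_not_world_writable "$rundir" || {
        echo "preflight: runtime dir missing or world-writable: $rundir" >&2
        failures=$((failures + 1))
    }
    # Sockets left behind by an earlier run that are open to every local user
    # are reported but not counted as fatal; the daemon recreates them anyway.
    for s in "$rundir"/*.sock; do
        [ -e "$s" ] || continue          # glob matched nothing
        check_path_private "$s" || echo "preflight: world-accessible socket: $s" >&2
    done
    return "$failures"
}

# Stand-alone use: PREFLIGHT_RUN=1 sh preflight.sh CONF HOME RUNDIR
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
    preflight "$@"
fi
```

From an rc.d script the call would look like `su -m gnunet -c 'PREFLIGHT_RUN=1 sh /path/to/preflight.sh /usr/pkg/etc/gnunet/gnunet.conf /var/chroot/gnunet <RUNTIME_DIR>'` (path to the script and the runtime directory are placeholders), and a non-zero exit tells you which of the three inputs the daemon will trip over before the daemon's own error message does.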

