Package: pagekite
Version: 0.5.9.3-2
Severity: wishlist
Tags: patch

When trying to figure out why some of my pagekite tunnels fail to work,
I had a look in /var/log/pagekite/ on my Freedombox, only to discover
nothing has been logged there since April.  I tried to figure out where
the log went, and finally tracked it down to the content of
/lib/systemd/system/pagekite.service, which simply does not specify the
--logfile command line option to pagekite.  Using it fails because of the
hardening enabled.  The following patch gets the logging working again.
I have no idea why the CapabilityBoundingSet value blocks logging, but it
will as long as /var/log/pagekite/pagekite.log is owned by
daemon:daemon.  If the file is owned by root:root, it works.

Anyway, I was able to find the log using "journalctl -f -u pagekite",
but I believe it is setting up for a rather bad user experience to simply
stop logging to the old log files without any message in the directory
that the logging is now done elsewhere.  Note, the pagekite log also
seems to go into /var/log/syslog.

May I suggest the logging to /var/log/pagekite/ is re-enabled?

diff --git a/debian/pagekite.service b/debian/pagekite.service
index cbb1c18..c7cd74d 100644
--- a/debian/pagekite.service
+++ b/debian/pagekite.service
@@ -10,7 +10,7 @@ ConditionPathExists=/etc/pagekite.d/10_account.rc
 
 [Service]
 Type=simple
-ExecStart=/usr/bin/pagekite --clean --runas=daemon:daemon 
--optdir=/etc/pagekite.d
+ExecStart=/usr/bin/pagekite --clean --runas=daemon:daemon 
--optdir=/etc/pagekite.d --logfile=/var/log/pagekite/pagekite.log
 TimeoutStopSec=5
 KillMode=mixed
 
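Review bot: the new --logfile=/var/log/pagekite/pagekite.log argument only works together with the ReadWritePaths change in the next hunk, because the unit keeps ProtectSystem=strict, which mounts /var/log read-only for the service; the two hunks should land as one change and the changelog entry should say so. Also check that ExecStart is a single line in the committed file; it is shown wrapped across two lines here, and a literal line break after "--runas=daemon:daemon " would make systemd treat "--optdir=..." as the start of a new directive and fail to parse the unit.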
@@ -21,13 +21,15 @@ LimitNOFILE=65536
 WorkingDirectory=/tmp
 
 # Hardening
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID
+# Enabling CapabilityBoundingSet break logging
+#CapabilityBoundingSet=CAP_SETUID CAP_SETGID
 SystemCallFilter=~@clock @debug @cpu-emulation @debug @keyring @module @mount 
@obsolete @raw-io @reboot @swap
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=yes
 ProtectSystem=strict
+ReadWritePaths=-/var/log/pagekite
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 
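Review bot: commenting out CapabilityBoundingSet removes the whole capability restriction to fix one file-open failure, which is more than the reported symptom needs. The ownership dependence described in the report (fails when the log is daemon:daemon, works when root:root) matches the service running as root without CAP_DAC_OVERRIDE: with only CAP_SETUID and CAP_SETGID in the bounding set, root is subject to ordinary permission checks and cannot open a file it does not own and has no mode bits for. Suggest keeping the directive and widening it minimally, e.g. "CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE", or arranging for the log file to be opened only after pagekite has dropped to daemon:daemon, rather than dropping the hardening entirely. Separately, the leading "-" in "ReadWritePaths=-/var/log/pagekite" makes systemd silently ignore the path when the directory does not exist, so logging would again stop without any error; pair it with something that guarantees the directory is created (a tmpfiles.d entry or LogsDirectory=) so the failure mode the report complains about cannot recur. While touching this block, the existing SystemCallFilter line lists @debug twice.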
-- 
Happy hacking
Petter Reinholdtsen