Mx. ng0 paging all GNUnet hackers :) This is the last major bit which prevents a merge of gnunet into pkgsrc proper.
Anything helps. Expected environment of the arm process, access levels, pgid etc. Anything. Thanks!

[email protected] transcribed 5.6K bytes:
> [email protected] transcribed 5.1K bytes:
> > Christian Grothoff transcribed 3.8K bytes:
> > > On 3/7/19 4:48 PM, Schanzenbach, Martin wrote:
> > > > Hi,
> > > >
> > > >> On 7. Mar 2019, at 15:28, [email protected] wrote:
> > > >>
> > > >> I just learned about a couple more specific systemd settings.
> > > >> The ones I think which could be useful to extend our systemd
> > > >> example service with are below.
> > > >>
> > > >>> PrivateTmp:
> > > >>> Use private /tmp and /var/tmp folders inside a new file system
> > > >>> namespace, which are discarded after the process stops.
> > > >
> > > > GNUnet has lots of things that need persistence. Like cryptographic
> > > > keys.
> > >
> > > Right, but never anything in /tmp. So this should be fine.
> > >
> > > >>
> > > >>> ProtectHome:
> > > >>> The /home, /root, and /run/user folders can not be accessed by this
> > > >>> service anymore. If your Pleroma user has its home folder in one of
> > > >>> the restricted places, or use one of these folders as its working
> > > >>> directory, you have to set this to false.
> > > >>
> > >
> > > This breaks file-sharing indexing. So this should (with the current
> > > implementation of FS) not be done for gnunet-service-fs by default.
> > > Note that my planned (for 2030...) re-design of FS would lift this
> > > restriction and enable setting ProtectHome.
> > >
> > > > See above. /home/<user>/.config/gnunet et al.
> > > >
> > > >>> ProtectSystem:
> > > >>> Mount /usr, /boot, and /etc as read-only for processes invoked by
> > > >>> this service.
> > > >>
> > > > This might be interesting wrt hardening? Idk.
> > >
> > > Yes, and GNUnet by design respects /usr, /boot and /etc being read-only.
> > > So it would be a good thing for security to enforce this on platforms
> > > where this is easily done.
> > >
> >
> > This follow-up is not systemd, but I guess that you can help.
> > The rc.d script I have[0] keeps failing with weird errors.
> > Previously it was just https://bugs.gnunet.org/view.php?id=5632,
> > but with this more recent configuration I can not get normal
> > users in group gnunet to start their own gnunet-arm:
> >
> > Mar 11 09:29:46-674528 util-service-321 WARNING `bind' failed for
> > `/tmp/gnunet-ng0-runtime//gnunet-service-arm.sock': address already in use
> > Mar 11 09:29:46-674980 arm-321 ERROR `bind' failed at service.c:1847 with
> > error: Address already in use
> > Mar 11 09:29:46-675072 arm-321 ERROR Could not bind to any of the ports I
> > was supposed to, refusing to run!
>
> Magically this no longer is a problem (I changed nothing but it works!),
> but the original problem remains.
>
> > so /var/chroot/ for gnunet folder:
> >
> > drwx------ 6 gnunet gnunet 1024 Mar 11 09:29 gnunet
> >
> > inside gnunet:
> >
> > drwxr-xr-x 3 gnunet gnunetdns 512 Feb 28 21:34 .cache
> > drwxr-xr-x 3 gnunet gnunetdns 512 Mar 1 10:52 .config
> > drwxr-xr-x 3 gnunet gnunetdns 512 Mar 1 10:52 .local
> > drwxr-xr-x 7 gnunet gnunetdns 512 Mar 11 00:43 data
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-ats.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-cadet.sock
> > srwx------ 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-consensus.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-core.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-datastore.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-dht.sock
> > srwx------ 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-dns.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-fs.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-namecache.sock
> > srwx------ 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-nat-auto.sock
> > srwx------ 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-nat.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-nse.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-peerinfo.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-peerstore.sock
> > srwxrwxrwx 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-regex.sock
> > srwxrwxrwx 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-resolver.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-revocation.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-scalarproduct-alice.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-scalarproduct-bob.sock
> > srwx------ 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-set.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-statistics.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-transport.sock
> > srwxrwx--- 1 gnunet gnunet 0 Mar 11 09:29 gnunet-service-vpn.sock
> >
> > while at least .config and .local are remains from previous configurations.
> > When I did not set GNUNET_DATA_HOME, GNUNET_RUNTIME_DIR, and GNUNET_HOME
> > (so against our own recommendations for distributors ;)) it worked but
> > #5632 occurred.
> >
> > perms on /usr/pkg/etc/gnunet and its contained config file:
> >
> > drwxr-xr-x 2 root wheel 512 Mar 10 23:33 gnunet
> >
> > -rw-r--r-- 1 root wheel 1858 Mar 10 23:33 gnunet.conf
> >
> >
> > Is there an obvious mistake somewhere?
> >
> > 0:
> > https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=tree;f=gnunet;h=f36cec375236bb80d621681d4f958483848be396;hb=HEAD
> > in "files"
> >
> > _______________________________________________
> > GNUnet-developers mailing list
> > [email protected]
> > https://lists.gnu.org/mailman/listinfo/gnunet-developers
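Putting the three conclusions of the systemd sub-thread into one unit file, as an added example (this is not the GNUnet project's shipped example service, and nobody in the thread posted it): PrivateTmp on, ProtectSystem on, ProtectHome deliberately left off because the current FS implementation indexes files under /home. The unit name, the `gnunet` user and group and the `/usr/pkg/bin/gnunet-arm` path are assumptions; the configuration path is the pkgsrc one ng0 shows above.

```ini
# Added example, not the GNUnet project's own unit.
# Assumptions: the peer runs as user/group "gnunet" and is started by
# gnunet-arm installed under the pkgsrc prefix (placeholder path below).
[Unit]
Description=GNUnet peer (gnunet-arm and the services it launches)
After=network.target

[Service]
User=gnunet
Group=gnunet
# Placeholder: adjust to where your distribution installs gnunet-arm.
ExecStart=/usr/pkg/bin/gnunet-arm -s -c /usr/pkg/etc/gnunet/gnunet.conf

# PrivateTmp: safe for GNUnet, which keeps nothing persistent in /tmp or
# /var/tmp (keys and other state live under GNUNET_HOME / GNUNET_DATA_HOME).
# Caveat: the unit then sees its own /tmp, so a runtime directory under the
# default /tmp/gnunet-<user>-runtime/ would be invisible to client tools
# outside the unit. Give the peer a system-managed runtime directory and
# point GNUNET_RUNTIME_DIR in gnunet.conf at it (/run/gnunet here).
PrivateTmp=yes
RuntimeDirectory=gnunet

# ProtectSystem=full: /usr, /boot and /etc read-only for the service.
# GNUnet respects read-only system directories by design.
ProtectSystem=full

# ProtectHome is NOT enabled: with the current FS implementation it breaks
# file-sharing indexing of files under /home (gnunet-service-fs). Enable it
# only on peers that never index files from home directories.
#ProtectHome=yes

[Install]
WantedBy=multi-user.target
```

Since gnunet-arm launches every GNUnet service inside this one unit, the sandboxing directives apply to all of them at once; that is why ProtectHome has to stay off for the whole peer rather than just for gnunet-service-fs. After editing, `systemd-analyze verify` on the unit catches syntax slips, and `systemd-analyze security <unit>` shows which of these protections are in effect.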
