Bryan Kadzban wrote:
> Bruce Dubbs wrote:
>> I ran into a new problem today with the /run directory.  As we create it 
>> right now, the permissions are 755.  I was trying to run stunnel today 
>> and it wanted to write the stunnel.pid file after the program dropped 
>> root and was working as the stunnel user.  It then failed because it 
>> couldn't write the pid file.
> 
> This would have failed when it wrote the pid file to /var/run as well,
> though, right?  That has always been 755 -- or at least, it is on the
> machine I'm looking at (running some amalgamation of LFS 6.5 and CLFS
> whatever-was-current and a couple other changes).

The stunnel generic instructions discuss running in chroot 
(/var/lib/stunnel) and install a separate directory with the right 
permissions.

install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run

> Feels like a bug in stunnel; it should perhaps modify the pid files
> before dropping privileges.  :-)
> 
>> There are a couple of ways to fix this.  I can, as root:
>>
>> mkdir /run/stunnel
>> chown stunnel /run/stunnel
>> execute stunnel that writes the pid file to /run/stunnel
> 
> ...or stunnel could maybe be changed to do this itself, if they want to
> continue to manage the .pid files with no privileges; they'd just have
> to ensure the directory exists before dropping them.

In doing some testing, stunnel-swat needs to run as root in order to be 
able to do things like start and stop smbd.  That automatically fixes 
the pid problem.  It also needs to be able to read /etc/passwd and 
/etc/shadow for logon credentials.

In this case, other security, like iptables, is probably useful.

   -- Bruce
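As an added example, not code from this thread or from the stunnel or LFS projects: a POSIX sh pre-start helper that creates a per-service directory under /run the way the `install` line above does, together with a check that applies the same owner/group/other rule a daemon runs into once it has dropped root and tries to write its pid file. The function names, the `SERVICE`/base-directory arguments and the `writable_as` check are assumptions of this example; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# ensure_run_dir SERVICE USER GROUP [BASE]
# Creates BASE/SERVICE (default BASE=/run) owned by USER:GROUP, mode 0750,
# so the daemon can still write SERVICE.pid there after it has dropped root.
# Idempotent; prints the directory path on success.
ensure_run_dir() {
    svc=$1 user=$2 group=$3 base=${4:-/run}
    dir="$base/$svc"
    # -o/-g need root; as an unprivileged user only the mode can be set.
    if [ "$(id -u)" -eq 0 ]; then
        install -d -m 750 -o "$user" -g "$group" "$dir" || return 1
    else
        install -d -m 750 "$dir" || return 1
    fi
    printf '%s\n' "$dir"
}

# dir_mode DIR -> octal permission bits, e.g. 750
dir_mode() { stat -c %a "$1"; }

# writable_as DIR UID GID
# Returns 0 if a process running as UID/GID could create files in DIR,
# using the classic owner -> group -> other rule (root always passes).
# Supplementary groups and POSIX ACLs are deliberately not considered.
writable_as() {
    dir=$1 uid=$2 gid=$3
    set -- $(stat -c '%u %g %a' "$dir")   # owner uid, owner gid, mode
    [ "$uid" -eq 0 ] && return 0
    mode=$3
    if [ "$uid" -eq "$1" ]; then bit=$((mode / 100 % 10))   # owner triplet
    elif [ "$gid" -eq "$2" ]; then bit=$((mode / 10 % 10))  # group triplet
    else bit=$((mode % 10)); fi                              # other triplet
    [ $((bit & 2)) -ne 0 ]                                   # write bit set?
}
```

Run the check with the daemon's uid/gid against the directory it will write to before starting it: a 0755 root-owned /run fails for an unprivileged service user, while /run/stunnel owned by that user passes.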